โ† Back to Articles
Security6 min read

Securing Your OpenClaw Deployment

ClawMakers Teamยท

Your OpenClaw agent runs on your machine with real access to real things โ€” your filesystem, your messages, your shell. That's what makes it powerful. It's also what makes security non-negotiable.

OpenClaw's own Threat Model maps out every attack surface using the MITRE ATLAS framework. You don't need to read the whole thing. This article distills the practical steps you should take right now.

The Threat Landscape in 30 Seconds

The biggest risks to an OpenClaw deployment fall into a few categories:

  • Prompt injection โ€” someone tricks your agent into running commands or leaking data through crafted messages or poisoned web content
  • Unauthorized access โ€” someone messages your agent pretending to be you
  • Supply chain โ€” a malicious skill from ClawHub runs code with your agent's privileges
  • Data exfiltration โ€” your agent gets manipulated into sending sensitive data to an external URL

Every mitigation below addresses one or more of these. Let's go.

1. Lock Down Who Can Talk to Your Agent

By default, OpenClaw accepts messages from anyone on a connected channel. Fix that immediately.

AllowFrom Restrictions

In your openclaw.json, set allowFrom on each channel to restrict which senders can interact with your agent:

{
  "channels": {
    "whatsapp": {
      "allowFrom": ["+1234567890"]
    },
    "telegram": {
      "allowFrom": ["your_telegram_id"]
    }
  }
}

This is your first line of defense. If someone can't message your agent, they can't inject prompts, enumerate tools, or probe for data. Simple.

Device Pairing

OpenClaw uses pairing codes with a 30-second expiry for new device connections. That window is short by design โ€” don't extend it. When you see a pairing request you didn't initiate, reject it immediately.

2. Use Tailscale for Network Access

If your gateway is exposed to the network (not just localhost), wrap it in Tailscale. OpenClaw has native Tailscale auth support โ€” enable it and your gateway becomes invisible to the public internet while remaining accessible from your devices.

This eliminates an entire class of attacks: endpoint discovery, scanning, and direct API access from unknown sources.

{
  "gateway": {
    "auth": "tailscale"
  }
}

If Tailscale isn't an option, at minimum bind your gateway to 127.0.0.1 and use a reverse proxy with authentication.

3. Enable Exec Approvals

This is critical. Without exec approvals, a successful prompt injection can escalate to arbitrary command execution on your machine. That's game over.

OpenClaw supports three exec security modes:

  • deny โ€” no shell commands at all (safest, but limits functionality)
  • allowlist โ€” only pre-approved commands run without asking (recommended)
  • full โ€” anything goes (dangerous in production)

The allowlist mode is the sweet spot. Define safe commands explicitly and require approval for everything else:

{
  "tools": {
    "exec": {
      "security": "allowlist",
      "allowlist": ["ls", "cat", "git status", "git log"]
    }
  }
}

When your agent tries to run something not on the list, you get a prompt to approve or deny. This catches the exact scenario where a prompt injection tries to curl data to an attacker's server or rm -rf your files.

4. Run in a Docker Sandbox

For maximum isolation, run OpenClaw's execution environment inside Docker. This means even if something gets past exec approvals, the blast radius is contained to a disposable container โ€” not your host system.

OpenClaw supports sandbox mode natively. Your agent can still do useful work inside the container while your host filesystem, credentials, and network remain protected.

This is especially important if you:

  • Install skills from ClawHub (third-party code)
  • Let your agent fetch and process external URLs
  • Run OpenClaw on a machine with sensitive data

5. Be Careful with Skills

Skills are powerful โ€” they extend what your agent can do. They also run with your agent's full privileges. A malicious skill can read your environment variables, access your files, and exfiltrate data.

Before installing any skill:

  • Check the publisher's GitHub account age and history
  • Read the SKILL.md and any referenced scripts
  • Prefer skills with the official or highlighted badge on ClawHub
  • Pin versions instead of auto-updating โ€” a compromised update to a legitimate skill is a real attack vector

ClawHub has moderation and is adding VirusTotal scanning, but no marketplace is bulletproof. Trust, but verify.

6. Protect Against Prompt Injection

This is the hardest one because there's no silver bullet. OpenClaw wraps external content in XML tags with security notices, but a sophisticated attack can attempt to escape that context.

Practical defenses:

  • AllowFrom (covered above) โ€” reduces who can attempt injection
  • Exec approvals โ€” limits what a successful injection can do
  • Docker sandbox โ€” contains the damage if injection leads to execution
  • Don't auto-process untrusted content โ€” be cautious with agents that automatically fetch URLs or process incoming emails without human review

Defense in depth is the strategy here. No single layer is sufficient, but stacking them makes exploitation significantly harder.

7. Monitor and Audit

OpenClaw logs session transcripts. Review them periodically, especially if your agent interacts with multiple people or processes external content. Look for:

  • Unexpected tool calls
  • Commands you didn't authorize
  • Messages sent to recipients you don't recognize
  • Unusual patterns in web_fetch URLs

If something looks wrong, it probably is.

The Security Checklist

Here's everything in one place:

  • [ ] Set allowFrom on every channel
  • [ ] Enable Tailscale or bind gateway to localhost
  • [ ] Set exec security to allowlist mode
  • [ ] Define your command allowlist explicitly
  • [ ] Consider Docker sandbox for execution
  • [ ] Audit installed skills and pin versions
  • [ ] Review session transcripts regularly
  • [ ] Keep OpenClaw updated (openclaw update)

Final Thought

Security isn't a feature you enable once. It's a posture. OpenClaw gives you the tools โ€” Tailscale auth, exec approvals, sandboxing, allowlists โ€” but you have to actually use them.

Your agent is powerful because you gave it access. Make sure you're the only one who controls what it does with that access.

Have questions about securing your setup? Join the OpenClaw Discord โ€” the #security channel is a good place to start.

Enjoyed this article?

Join the ClawMakers community to discuss this and more with fellow builders.

Join on Skool โ€” It's Free โ†’