MCP security for OpenClaw agents
A field checklist for connecting tools without handing every server, plugin, token, and file path the same level of trust.
Why MCP Security Matters
Tool reach is the real agent perimeter
MCP made it normal for agents to reach databases, files, browsers, SaaS APIs, private docs, calendars, and custom business systems through one protocol. That is useful. It also means the security boundary is no longer just the model prompt. It is the full tool graph around the agent.
OpenClaw's local-first shape helps because the operator controls the gateway, workspace, plugins, channels, and approval policy. The hard part is keeping that control explicit as more tools get connected.
Use three trust zones
Core tools
First-party or well-reviewed tools required for daily work: file reads, repo inspection, browser checks, search, and status commands.
Business tools
Tools that touch money, clients, private data, publishing, credentials, messaging, or production systems. These need narrower scopes and proof.
Experimental tools
New MCP servers, plugins, community skills, or local scripts. Keep them isolated until they have a reason, owner, config, and rollback path.
Inventory Every Tool
A tool without an owner becomes ambient authority
Before adding another MCP server or plugin, write down what it can read, what it can write, what credentials it uses, which channels can trigger it, and what evidence proves it ran safely.
Tool name:
Owner:
Purpose:
Read scope:
Write scope:
Secrets used:
Allowed channels:
Approval required for:
Logs/proof:
Rollback:
Last reviewed:
Prefer explicit allowlists
- Files: allow specific directories instead of whole home folders.
- Commands: allow command prefixes for repeatable work instead of shell-anything access.
- Nodes: separate read paths, write paths, remote exec, camera, location, and browser control.
- Channels: decide which chats can ask for which tools, especially in shared spaces.
Treat Plugins Like Code
Install trust, not just functionality
MCP servers, OpenClaw plugins, and skills can carry prompts, tool schemas, dependencies, auth flows, and local scripts. Review them like production code when they touch private systems.
Know where the plugin came from, who maintains it, and whether the repo has recent, coherent activity.
Look for broad filesystem, network, shell, browser, or credential access that does not match the job.
Do not let high-risk plugins silently change behavior without a changelog, diff, or operator review.
Run first against a scratch folder, test account, or dry-run mode before connecting real credentials.
Keep Secrets Out of Prompts
Agents should reference credentials, not carry them
Recent OpenClaw work around SecretRef-style boundaries points in the right direction: agents need enough authority to use a credential through the right tool, not enough visibility to repeat the raw token into logs, chats, screenshots, or memory.
- Never paste API keys into task prompts. Store them in the configured secret path or provider auth flow.
- Separate read and write tokens. A reporting task usually does not need publishing rights.
- Rotate after experiments. Temporary OAuth grants and test tokens should expire quickly.
- Redact proof. Logs should show which credential class was used, not the credential value.
Gate High-Impact Actions
Approval policy should map to consequence
The fastest practical rule: read actions can be broad, reversible writes can be scoped, and external or destructive actions need approval unless the workflow has already been deliberately delegated.
Usually safe
Search, read-only diagnostics, local inspection, draft creation, summaries, linting, and status reports.
Scoped automation
Writing approved files, updating internal docs, committing owned changes, running builds, and refreshing generated assets.
Human gate
Emails, public posts, client messages, spending, deletions, live deploys, credential changes, and production data mutation.
30-Minute MCP Audit
A monthly routine for OpenClaw operators
0-5 min: list enabled MCP servers, plugins, skills, channels, and nodes
5-10 min: mark each as core, business, or experimental
10-15 min: check secrets, OAuth grants, env files, and token scopes
15-20 min: review write access, command access, and channel triggers
20-25 min: inspect recent failures, approvals, and surprising tool calls
25-30 min: remove unused tools, tighten scopes, and write the review note
The review note is part of the control
Save the outcome in workspace memory or an operations log: what changed, what stayed risky, which tokens were rotated, which tools were disabled, and when the next review should happen. If future agents cannot find the decision, the decision effectively did not happen.
Source Notes
This guide reflects the July 2026 OpenClaw release state: v2026.6.11 remains the latest stable npm release, v2026.7.1-beta.2 remains the current public beta, and recent project activity has emphasized diagnostics, update dry-runs, plugin management, scoped exec, credential boundaries, and channel delivery proof.
It also follows the broader agent trend: MCP and tool gateways are becoming the practical security perimeter because agents increasingly operate through connected tools rather than isolated chat windows.
Sources: OpenClaw releases โข OpenClaw npm package โข Microsoft MCP security discussion โข Durable agent execution discussion