🔒 Security Best Practices

OpenClaw is powerful. Here's how to run it safely.

⚠️ Do Not Install on Your Personal Computer

OpenClaw is an autonomous AI agent with access to your files, shell, and network. Never run it on a machine containing sensitive personal data, credentials, or work systems.

✅ Recommended Setup

🖥️ Dedicated Machine

A separate computer (Mac Mini, old laptop, Raspberry Pi) that exists solely for OpenClaw. No personal files, no saved passwords, no sensitive data.

  • Physical isolation from your main systems
  • Easy to wipe and rebuild if needed
  • Can be on your local network or remote

☁️ Locked-Down VPS

A virtual private server with minimal permissions and no access to your personal infrastructure. Cloud providers like DigitalOcean, Linode, or Hetzner work well.

  • Completely isolated from your network
  • Snapshots for easy recovery
  • Firewall rules limit exposure

🤔 Why This Matters

OpenClaw is designed to be autonomous and capable. That power requires responsibility.

πŸ—‚οΈ File Access

OpenClaw can read, write, and delete files. On your personal machine, that includes documents, photos, credentials, and browser data.

💻 Shell Access

It can execute any command your user can run. That includes installing software, accessing networks, and modifying system settings.

🌐 Network Access

OpenClaw can make HTTP requests, browse the web, and communicate with external services. It could inadvertently expose data.

🔑 Credential Exposure

API keys, tokens, and passwords stored on the machine are accessible. A misconfigured prompt could lead to unintended disclosure.

📋 Security Checklist

☐ Use a dedicated machine or VPS

Never use your daily driver. Isolation is your first line of defense.

☐ Don't store sensitive credentials

Avoid saving passwords, SSH keys to production systems, or API keys with broad permissions on the OpenClaw machine.

☐ Use scoped API keys

When OpenClaw needs API access (Shopify, Google, etc.), create keys with the minimum permissions required.

☐ Review AGENTS.md boundaries

Clearly define what the agent should and shouldn't do. Set explicit boundaries in your prompt files.

☐ Enable channel allowlists

Restrict which users can interact with your agent via Telegram, Discord, etc.

☐ Monitor activity logs

Regularly review what your agent is doing. Check memory files and command history.

☐ Keep backups

Snapshot your VPS or back up your dedicated machine. If something goes wrong, you can recover.

🌐 Network Security

Firewall Configuration

If running on a VPS, configure your firewall to only allow necessary ports:

    # Allow SSH (change port if needed)
    ufw allow 22/tcp
    # Allow OpenClaw gateway (if remote access needed)
    ufw allow 18789/tcp
    # Enable firewall
    ufw enable

VPN / Tailscale

Consider putting your OpenClaw machine on a private network using Tailscale or WireGuard. This keeps it off the public internet while still accessible to you.

No Port Forwarding

Avoid exposing OpenClaw directly to the internet. Use reverse proxies with authentication if external access is required.

✨ Built-In Safety Features

OpenClaw includes several security-conscious features:

🚫 Trash over Delete

By default, file deletions go to trash, not permanent removal.

👀 Channel Allowlists

Restrict who can message your agent on each platform.

📝 Memory Files

All agent activity is logged to readable files you can audit.

⏸️ Confirmation Prompts

Agents are instructed to ask before taking destructive or external actions.

πŸ›‘οΈ Security Updates in 2026.6.x

The current OpenClaw line focuses on practical operator safety: scoped credentials, safer browser surfaces, approval metadata, plugin manifest boundaries, and update paths that avoid mixed-version installs.

🧠 Owner and Approval Boundaries (2026.6.x)

Owner-enforced commands, structured approval metadata, and stricter channel route matching reduce the chance that privileged actions execute from the wrong identity or room.

📁 Safer File and Media Boundaries (2026.6.x)

Path validation, media staging, attachment handling, and sandbox-aware file access keep tool inputs explicit instead of silently trusting arbitrary paths or dropped files.

💻 Exec and Tool Policy Hardening (2026.6.x)

Exec approvals, tool allow/deny lists, protected gateway config paths, and fail-closed empty allowlists make powerful tools easier to govern and audit.

🔐 SecretRef and Token Hygiene (2026.6.x)

Onboarding and update flows increasingly prefer SecretRef-backed credentials, avoid leaking service tokens into world-readable supervisor metadata, and redact diagnostics by default.

🌐 Browser and SSRF Guardrails (2026.6.x)

Browser snapshot/screenshot routes, managed profiles, permission handling, and proxy boundaries are being tightened so automation stays inside the intended browser lane.

⏱️ Update and Plugin Safety (2026.6.x)

Staged package updates, plugin manifest contracts, startup activation metadata, and dependency staging reduce mixed-version installs and surprise plugin imports.

Stay Protected: Run openclaw update status and openclaw update regularly to get the latest security fixes.

🔧 Tool Policy Configuration

OpenClaw lets you control which tools your agent can use and how they behave.

Exec Security Modes

Control shell command execution with three modes:

  • deny: Block all shell commands
  • allowlist: Only permit pre-approved commands
  • full: Allow all commands (use with caution)

Exec Ask Mode

Require confirmation before running commands:

  • off: Execute without asking
  • on-miss: Ask only for non-allowlisted commands
  • always: Always ask before executing

Tool Allowlists

Define exactly which tools are available to your agent. Restrict access to sensitive tools like browser control, message sending, or file operations based on your security requirements.

    # Check the active config file and validate changes
    openclaw config file
    openclaw config validate
    # Use exec policy controls/approvals for host commands
    openclaw exec-policy show
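The three exec security modes, the three ask modes, and the fail-closed behaviour of an empty allowlist described above can be modelled as one small decision function. The following is an added example, not OpenClaw's own code: the function names, matching a command by its program name (argv[0]), and the rule that in allowlist mode a miss is blocked under ask=off but routed to approval under on-miss or always are assumptions about how the two knobs combine.

```python
"""Decision model for the exec-policy knobs described on this page: security
mode (deny / allowlist / full), ask mode (off / on-miss / always) and
fail-closed empty allowlists. Added illustration, not OpenClaw's own code:
names and the rule for combining the two knobs are assumptions."""
from dataclasses import dataclass
import shlex

SECURITY_MODES = ("deny", "allowlist", "full")
ASK_MODES = ("off", "on-miss", "always")

@dataclass(frozen=True)
class ExecPolicy:
    security: str = "allowlist"
    ask: str = "on-miss"
    allow: tuple = ()  # pre-approved program names (assumed: matched on argv[0])

    def __post_init__(self):
        # Reject unknown mode strings instead of silently treating them as permissive.
        if self.security not in SECURITY_MODES or self.ask not in ASK_MODES:
            raise ValueError(f"unknown exec mode: {self.security!r}/{self.ask!r}")

def is_allowlisted(policy, command):
    """True only when argv[0] of the command is on a non-empty allowlist.
    An empty allowlist matches nothing (fail-closed); a command the shell
    lexer rejects (e.g. an unterminated quote) is also treated as a miss."""
    if not policy.allow:
        return False
    try:
        argv = shlex.split(command)
    except ValueError:
        return False
    return bool(argv) and argv[0] in policy.allow

def decide(policy, command):
    """Return 'deny', 'ask' or 'run' for one shell command."""
    if policy.security == "deny":
        return "deny"                    # deny mode wins over any ask setting
    hit = is_allowlisted(policy, command)
    if policy.ask == "always":
        return "ask"                     # every command needs approval
    if policy.ask == "on-miss" and not hit:
        return "ask"                     # approval only for non-allowlisted commands
    if policy.security == "allowlist" and not hit:
        return "deny"                    # ask=off: a miss is simply blocked
    return "run"

def runs_silently(policy, commands):
    """Commands that would execute with no approval prompt under this policy."""
    return [c for c in commands if decide(policy, c) == "run"]
```

Matching only argv[0] is a deliberate simplification: a command chained with `&&`, `;` or `|` would be judged by its first word alone, so a real allowlist matcher must also handle shell operators. The model is here to show how the modes compose, and `runs_silently` is the check worth running against a config before trusting it.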

Ready to Set Up Securely?

Follow our setup guide with security best practices in mind.