This checklist exists because the defaults will get you pwned. The quick-start guides optimize for “it works!” - not “it works without leaking your Anthropic API key to Shodan.” Every section below addresses a real vulnerability found in production OpenClaw instances. Run through it. Fix what applies. Run it again next month.

Note: If you want the full article, check out just how insecure Openclaw is here.

Network Exposure

Never bind to public interfaces. The localhost trust assumption will collapse the moment you put a reverse proxy in front of your instance. OpenClaw auto-approves connections from 127.0.0.1. Nginx forwards requests. The gateway sees localhost. Game over.

# gateway.yaml - the config that matters
gateway:
  trustedProxies:
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "192.168.0.0/16"
  controlUi:
    dangerouslyDisableDeviceAuth: false  # Never set true

Use Tailscale or a proper VPN. If you must expose the control interface, put it behind WireGuard or Tailscale’s MagicDNS. Zero-trust networking isn’t optional when your agent has shell access.

Disable mDNS broadcasting. By default, OpenClaw announces your install path, SSH availability, and hostname to anyone on the local network. Enable minimal mode or strip the mDNS config entirely.

# What mDNS broadcasts by default (bad)
cliPath: /home/yourusername/.openclaw/cli
sshPort: 22
displayName: yourhostname

# Disable in config
mdns:
  enabled: false

Close port 18789. The installation scripts open it to the public internet. Firewall it unless you enjoy strangers browsing your WebSocket config.

Container Isolation

Run in Docker with --network none by default. The agent doesn’t need outbound network access for most tasks. Grant it explicitly when required.

docker run \
  --cap-drop ALL \
  --security-opt no-new-privileges \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid,size=100m \
  --network none \
  --memory 2g \
  --cpus 2 \
  --pids-limit 100 \
  --user 1000:1000 \
  -v /path/to/workspace:/workspace:ro \
  openclaw-image

Use explicit bind mounts. Don’t mount your entire home directory. Mount only the directories the agent needs, and mount them read-only when possible.

Drop all capabilities. --cap-drop ALL removes every Linux capability. Add back only what you absolutely need (probably nothing).

Apply seccomp and AppArmor profiles. Default Docker seccomp blocks ~44 syscalls. Custom profiles can block more. AppArmor adds another layer of file and network restrictions.

Never run as root. The agent should run as an unprivileged user. If the container image requires root, find a different image or build your own.

Tool Permissions

Whitelist commands instead of blacklisting. Denylists are incomplete by design. There’s always another way to spawn a shell.

# Tool policy with actual restrictions
tools:
  shell:
    enabled: true
    allowlist:
      - "ls"
      - "cat"
      - "grep"
      - "head"
      - "tail"
    # No denylist - allowlist is exhaustive

Scope API tokens to minimum access. Gmail read-only if you don’t need write. GitHub with public_repo instead of repo. Never full OAuth scopes.

# Overprivileged (bad)
gmail:
  scope: full  # Read, write, delete

# Minimal (good)
gmail:
  scope: readonly

Separate agents by risk profile. The agent that manages your calendar shouldn’t have shell access. The agent with shell access shouldn’t read your email. Create separate instances with separate credential sets.

Disable tools you don’t use. Every enabled integration is attack surface. If you’re not using the WhatsApp integration, turn it off.

Credential Management

Don’t store credentials in ~/.openclaw/credentials/ unencrypted. The default plaintext storage is asking for trouble. Use a secrets manager or encrypted vault.

Use short-lived tokens. OAuth refresh tokens with automatic rotation. API keys with expiration dates. Dynamic credentials from HashiCorp Vault or AWS Secrets Manager.

# Bad: static API key in environment
export ANTHROPIC_API_KEY="sk-ant-..."

# Better: fetch from secrets manager at runtime
export ANTHROPIC_API_KEY=$(vault kv get -field=key secret/anthropic)

Implement brokered credentials. The LLM should never see your actual API keys. Run a proxy that injects authentication on behalf of the agent. The agent decides what to do; the broker handles how to authenticate.

Rotate keys after any incident. Assume every exposed credential is compromised. Rotate immediately. Don’t wait to confirm exploitation.

Prompt Injection Defense

Never pass untrusted input directly to the agent. Email bodies, webhook payloads, document contents — all untrusted. Sanitize or isolate before processing.

# Bad: raw email body as prompt
agent.process(email.body)

# Better: structured extraction first
safe_content = extract_and_sanitize(email.body)
agent.process(f"User email summary: {safe_content}")

Use Claude Opus 4.5’s resistance as one layer, not the only layer. Anthropic claims ~99% prompt injection resistance in controlled conditions. Indirect injection via external content is a different game. Defense in depth means you can’t rely on model robustness alone.

Implement human-in-the-loop for sensitive actions. File deletion, credential access, external API calls — require explicit approval. Don’t let the agent auto-approve based on prompt content.

Monitor for injection patterns. Log prompts and responses. Alert on suspicious patterns: IGNORE PREVIOUS INSTRUCTIONS, system:, unexpected tool invocations.

MCP Server Hardening

Only enable MCP servers you trust. Every MCP server is code running with your agent’s permissions. Review the source. Check for known vulnerabilities.

// Bad: enable everything
{ "enableAllProjectMcpServers": true }

// Good: explicit allowlist
{ "enabledMcpjsonServers": ["github", "memory"] }

// Better: proactively block risky ones
{ "disabledMcpjsonServers": ["filesystem", "shell"] }

Version-pin approved servers. MCP servers can change behavior after installation (rug pull attacks). Pin to specific versions and review before updating.

Run MCP servers in separate containers. Hypervisor-grade isolation between MCP servers prevents lateral movement if one is compromised.

Audit MCP server network access. Which external endpoints does each server contact? Restrict outbound connections to documented dependencies.

Monitoring and Audit

Log everything. Every tool invocation, every API call, every prompt and response. You can’t investigate what you didn’t record.

Run the built-in security audit.

openclaw security audit --deep
# Flags exposed ports, auth issues, permission problems

Set up anomaly detection. Alert on unusual patterns: sudden spike in API calls, new external domains contacted, tool invocations outside normal hours.

Track credential usage. Which credentials were accessed, when, by which agent. This is mandatory for incident response.

Review monthly. Configuration drift happens. Permissions creep. Schedule recurring audits.

Node.js Patching

Update to Node 22.12.0 or later. CVE-2026-21636 is a permission model bypass. If you’re using Node’s experimental sandboxing features, older versions let attackers escape.

node --version
# Must be v22.12.0 or later

Keep dependencies updated. Run npm audit regularly. Pin versions in production.

The Big Picture

The architecture concentrates power by design. AI agents need to read messages, store secrets, and execute actions to be useful. When misconfigured, all those capabilities collapse into a single point of failure.

The project FAQ is honest about this: “Running an AI agent with shell access on your machine is... spicy. There is no ‘perfectly secure’ setup.”

They’re right. But there’s a massive gap between “perfectly secure” and “leaking credentials on Shodan.” This checklist closes that gap.

Run through it. Fix what’s broken. Then run it again next month. Because the defaults ship insecure, and nobody’s going to harden your deployment except you.

Quick Reference Checklist:

• [ ] Gateway not exposed to public internet

• [ ] trustedProxies configured correctly

• [ ] mDNS broadcasting disabled

• [ ] Running in Docker with --network none

• [ ] All capabilities dropped

• [ ] Running as non-root user

• [ ] Tool commands allowlisted (not denylisted)

• [ ] OAuth tokens scoped to minimum access

• [ ] Separate agents for different risk profiles

• [ ] Credentials encrypted or in secrets manager

• [ ] Human approval required for sensitive actions

• [ ] MCP servers explicitly allowlisted

• [ ] MCP servers version-pinned

• [ ] Audit logging enabled

• [ ] Node.js updated to 22.12.0+

• [ ] Monthly security review scheduled