The OpenClaw Security Checklist for 2026: 15 Items, 20 Minutes, Zero Excuses
In January 2026, a single unpatched OpenClaw instance gave attackers root access to a fintech startup's production servers. The breach cost $2.3M. The fix would have taken 4 minutes.
This is not a theory post. Every item on this checklist maps to a real incident. A real CVE. A real company that wished they'd spent 20 minutes on security before it was too late.
15 items. 20 minutes. Let's go.
Before You Start
Two things. Do them now.
Check your version:
openclaw --version
Write it down. You'll need it in 30 seconds.
Back up your config:
cp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.bak
Good. Now you have a safety net. Let's harden this thing.
The Checklist
1. Update to the Latest Version
What: Run the update command.
openclaw update
Why: CVE-2026-25253 dropped in February. One-click remote code execution. No auth needed. The attacker sends a crafted request. Your machine runs their code. Game over.
The patch landed in version 2026.2.25. If you're running anything older, you're a sitting duck. (Full CVE breakdown in our OpenClaw security risks report.)
Verify:
openclaw --version
# Should be >= 2026.2.25
2. Enable Authentication (32+ Character Token)
What: Set an auth token in your config.
{
"auth": {
"token": "your-token-here-at-least-32-characters-long"
}
}
Generate a strong one:
openssl rand -hex 32
Why: Researchers scanned the internet in March 2026. They found that 93.4% of exposed OpenClaw instances run with zero authentication. No password. No token. Nothing.
That means anyone who finds your instance owns it. Full agent access. Full tool access. Full read/write to your filesystem.
3. Bind to Localhost or VPN Only
What: Edit your config to restrict network binding.
{
"server": {
"host": "127.0.0.1",
"port": 3100
}
}
If you need remote access, put it behind a VPN. Tailscale takes 5 minutes to set up.
Why: Over 40,000 OpenClaw instances are sitting on the public internet right now. Shodan finds them. Script kiddies find them. Nation-state actors find them.
Binding to localhost means only your machine can talk to it. That's the default that should have shipped. It didn't.
4. Run in a Docker Container
What: Use the official image with security flags.
docker run -d \
--name openclaw \
--user 1000:1000 \
--cap-drop ALL \
--cap-add NET_BIND_SERVICE \
--security-opt no-new-privileges:true \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid \
-v openclaw-data:/data \
-p 127.0.0.1:3100:3100 \
openclaw/openclaw:latest
Why: Running OpenClaw directly on your host means a sandbox escape = full system access. A container with dropped capabilities limits the blast radius.
The --cap-drop ALL flag removes every Linux capability, and --cap-add then puts back only NET_BIND_SERVICE. --read-only mounts the container's root filesystem read-only, so the only writable places are the tmpfs at /tmp and the named volume at /data. no-new-privileges stops any process in the container from gaining privileges through setuid/setgid binaries or file capabilities, which is the usual path from "code execution as uid 1000" to "root inside the container."
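A way to verify that a running container actually has the flags from step 4, as an added example that is not part of OpenClaw or its Docker image: it parses the JSON that docker inspect prints for a container (the field names CapDrop, CapAdd, ReadonlyRootfs, SecurityOpt, PortBindings and Config.User are Docker's own) and lists every step-4 hardening flag that is missing. The inspect record embedded in the block is constructed to show a partly hardened container; run it against your own instance with docker inspect openclaw piped into the script.

```python
"""Check a container's docker inspect output for the step-4 hardening flags.

Added example, not OpenClaw's own code. Usage on a real host:
    docker inspect openclaw | python3 check_container.py
"""
import json
import sys
from typing import List, Union

ALLOWED_CAPS = {"NET_BIND_SERVICE"}   # the only capability step 4 adds back
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample (trimmed to the relevant keys): a container started
# with some, but not all, of the step-4 flags.
SAMPLE_INSPECT = [{
    "Name": "/openclaw",
    "Config": {"User": "1000:1000"},
    "HostConfig": {
        "CapDrop": ["ALL"],
        "CapAdd": ["NET_BIND_SERVICE", "SYS_ADMIN"],
        "ReadonlyRootfs": False,
        "SecurityOpt": None,
        "PortBindings": {"3100/tcp": [{"HostIp": "0.0.0.0", "HostPort": "3100"}]},
    },
}]


def check_container(inspect_data: Union[str, list, dict]) -> List[str]:
    """Return findings for one container; an empty list means every flag is present."""
    record = json.loads(inspect_data) if isinstance(inspect_data, str) else inspect_data
    if isinstance(record, list):
        record = record[0]
    host = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    findings = []

    user = cfg.get("User") or ""
    if user in ("", "0", "root", "0:0"):
        findings.append("runs as root: start with --user 1000:1000")

    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped: add --cap-drop ALL")
    extra = set(host.get("CapAdd") or []) - ALLOWED_CAPS
    if extra:
        findings.append(f"unexpected capabilities added back: {sorted(extra)}")

    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem writable: add --read-only")

    sec_opts = host.get("SecurityOpt") or []
    if not any(opt.startswith("no-new-privileges") for opt in sec_opts):
        findings.append("missing --security-opt no-new-privileges:true")

    # A port published without an explicit 127.0.0.1 shows up with HostIp "" or "0.0.0.0"
    for port, bindings in (host.get("PortBindings") or {}).items():
        for binding in bindings or []:
            host_ip = binding.get("HostIp") or "0.0.0.0"
            if host_ip not in LOOPBACK:
                findings.append(f"{port} published on {host_ip}: use -p 127.0.0.1:3100:3100")
    return findings


if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INSPECT
    for finding in check_container(data):
        print("FINDING:", finding)
```

For the constructed record the script reports four findings: SYS_ADMIN added back, a writable root filesystem, no no-new-privileges option, and a port published on 0.0.0.0. A fully hardened container returns nothing.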
5. Audit Installed Skills
What: List all skills and scan them.
openclaw skills list
openclaw skills scan --scanner clawdex
Why: In February 2026, researchers found 824 malicious skills on public registries. The campaign was called ClawHavoc. The skills looked normal — "markdown formatter," "code reviewer," "git helper." They exfiltrated API keys, environment variables, and SSH keys on install.
The Clawdex scanner checks skills against a known-malicious database. Run it. Trust nothing you didn't write yourself.
6. Enable Egress Control
What: Set a deny-all outbound policy and allowlist domains.
{
"network": {
"egress": {
"policy": "deny-all",
"allowlist": [
"api.anthropic.com",
"api.openai.com",
"api.github.com"
]
}
}
}
Why: If an attacker gets code execution inside your OpenClaw sandbox, the first thing they do is phone home. They download payloads. They exfiltrate data. Egress control cuts that lifeline.
Deny everything outbound. Then add only the domains you actually need. Your LLM provider. Your git host. Nothing else. (Deep dive: AI Agent Network Security: Egress Controls.)
7. Move Secrets to Environment Variables
What: Remove API keys from your config file.
Before (bad):
{
"providers": {
"anthropic": {
"api_key": "sk-ant-api03-XXXXXXXX"
}
}
}
After (good):
export OPENCLAW_ANTHROPIC_API_KEY="sk-ant-api03-XXXXXXXX"
export OPENCLAW_OPENAI_API_KEY="sk-XXXXXXXX"
Then reference them:
{
"providers": {
"anthropic": {
"api_key": "${OPENCLAW_ANTHROPIC_API_KEY}"
}
}
}
Why: In Q1 2026, an infostealer malware campaign targeted ~/.openclaw/openclaw.json files. The malware knew the exact path. It grabbed the file, parsed the API keys, and sold them on dark web marketplaces within hours.
Environment variables aren't bulletproof. But they don't sit in a predictable file path that malware is already hunting.
8. Restrict Tool Permissions
What: Disable dangerous tools and lock down permissions.
{
"tools": {
"disabled": [
"session_spawn",
"shell_exec",
"file_write_root"
],
"permissions": {
"file_read": ["./workspace/**"],
"file_write": ["./workspace/**"],
"shell": {
"allowed_commands": ["git", "npm", "node", "python3"]
}
}
}
}
Why: CVE-2026-32048 was a sandbox escape via the session_spawn tool. An attacker could craft a prompt that made the agent spawn a new session outside the sandbox. From there — full host access.
Disable every tool you don't need. Restrict the ones you keep to specific directories and commands.
9. Disable Unauthenticated VNC
What: Turn off VNC or require authentication.
{
"vnc": {
"enabled": false
}
}
If you need VNC, set a password:
{
"vnc": {
"enabled": true,
"require_auth": true,
"password": "your-strong-vnc-password"
}
}
Why: CVE-2026-32064. Unauthenticated VNC access. Anyone on your network can watch — and interact with — the agent's desktop. They see your screen. They type commands. They own your session.
Most people don't even know VNC is on. Check yours now.
10. Enable Audit Logging
What: Turn on full audit logging.
{
"logging": {
"audit": {
"enabled": true,
"path": "/var/log/openclaw/audit.json",
"level": "all",
"include_tool_calls": true,
"include_prompts": true
}
}
}
Why: After a breach, the first question is always: "What did the attacker do?" Without audit logs, the answer is: "We don't know."
Logging every agent action — tool calls, file reads, file writes, network requests — gives you the forensic trail to understand what happened and how far the attacker got. (Full guide: AI Agent Audit Logging.)
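A detector for the daily "check audit logs for anomalies" task, as an added example that is not OpenClaw's own tooling: it reads the audit log as one JSON object per line and flags the events the earlier items are meant to prevent, namely calls to a disabled tool (item 8), file access outside ./workspace (item 8), outbound connections to a domain missing from the egress allowlist (item 6), and more than 30 events from one session in a minute (the item 11 threshold). The record layout used here (ts, session, event, tool, path, domain) is an assumption; rename the fields to match what your audit.json actually contains. The log lines inside the block are constructed, not real OpenClaw output.

```python
"""Scan an OpenClaw audit log (JSON lines) for policy violations and bursts.

Added example, not part of OpenClaw. Field names are assumed; adapt them.
Usage on a real host:  python3 scan_audit.py /var/log/openclaw/audit.json
"""
import json
import os
import sys
from collections import defaultdict
from datetime import datetime
from typing import List

DISABLED_TOOLS = {"session_spawn", "shell_exec", "file_write_root"}            # item 8
EGRESS_ALLOWLIST = {"api.anthropic.com", "api.openai.com", "api.github.com"}  # item 6
BURST_PER_MINUTE = 30                                                          # item 11

# Constructed sample log lines (not real OpenClaw output).
SAMPLE_LOG = """
{"ts": "2026-03-02T09:00:01Z", "session": "s1", "event": "tool_call", "tool": "file_read", "path": "./workspace/README.md"}
{"ts": "2026-03-02T09:00:02Z", "session": "s1", "event": "tool_call", "tool": "file_write", "path": "./workspace/../../.ssh/authorized_keys"}
{"ts": "2026-03-02T09:00:03Z", "session": "s1", "event": "tool_call", "tool": "session_spawn"}
{"ts": "2026-03-02T09:00:04Z", "session": "s1", "event": "net", "domain": "api.anthropic.com"}
{"ts": "2026-03-02T09:00:05Z", "session": "s2", "event": "net", "domain": "paste.example.invalid"}
"""


def _inside_workspace(path: str) -> bool:
    """True only if the normalised path stays under ./workspace (no ../ escape)."""
    norm = os.path.normpath(path)
    return norm == "workspace" or norm.startswith("workspace" + os.sep)


def scan_audit_log(text: str) -> List[str]:
    """Return one alert string per suspicious record or per over-limit minute."""
    alerts = []
    per_minute = defaultdict(int)
    for raw in text.strip().splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        sess = rec.get("session", "?")
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        per_minute[(sess, ts.strftime("%Y-%m-%dT%H:%M"))] += 1

        if rec.get("event") == "tool_call":
            tool = rec.get("tool", "")
            if tool in DISABLED_TOOLS:
                alerts.append(f"{sess}: call to disabled tool {tool}")
            if tool in ("file_read", "file_write") and not _inside_workspace(rec.get("path", "")):
                alerts.append(f"{sess}: {tool} outside workspace: {rec.get('path')}")
        elif rec.get("event") == "net":
            domain = rec.get("domain", "")
            if domain not in EGRESS_ALLOWLIST:
                alerts.append(f"{sess}: egress to non-allowlisted domain {domain}")

    # Burst detection: anything above the item-11 rate in a single minute
    for (sess, minute), count in sorted(per_minute.items()):
        if count > BURST_PER_MINUTE:
            alerts.append(f"{sess}: {count} events in minute {minute} (limit {BURST_PER_MINUTE})")
    return alerts


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for alert in scan_audit_log(text):
        print("ALERT:", alert)
```

On the constructed sample the scan produces three alerts: the write that escapes the workspace through ../, the session_spawn call, and the connection to a domain outside the allowlist. The path check normalises before comparing, which is what catches the ../ escape; a naive startswith("./workspace") would not.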
11. Set Up Rate Limiting
What: Configure request limits.
{
"rate_limiting": {
"enabled": true,
"requests_per_minute": 30,
"requests_per_hour": 500,
"max_concurrent_sessions": 3
}
}
Why: Prompt injection attacks work by volume. The attacker floods your agent with crafted inputs. Some get through. Rate limiting slows the attack and gives your monitoring time to catch it.
30 requests per minute is plenty for normal use. If something hits 500 per hour, you want to know about it.
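A linter for the config file itself, as an added example that is not OpenClaw's own code: it loads openclaw.json and checks items 2 (token of at least 32 characters, no placeholder), 3 (loopback bind), 6 (deny-all egress with a wildcard-free allowlist), 7 (no literal API keys, only ${VAR} references), 8 (session_spawn, shell_exec and file_write_root disabled), 9 (VNC off or authenticated) and 11 (rate limiting on) in one pass. The key names mirror the snippets in this checklist and are assumed rather than taken from OpenClaw's schema; the config embedded in the block is constructed to trip most of the checks.

```python
"""Lint ~/.openclaw/openclaw.json against checklist items 2, 3, 6, 7, 8, 9 and 11.

Added example, not OpenClaw's own code; key names follow this checklist's
snippets and are assumptions. Usage:  python3 lint_config.py ~/.openclaw/openclaw.json
"""
import ipaddress
import json
import re
import sys
from typing import List

DANGEROUS_TOOLS = {"session_spawn", "shell_exec", "file_write_root"}  # item 8
ENV_REF = re.compile(r"^\$\{[A-Z0-9_]+\}$")                            # item 7: ${VAR} only

# Constructed sample config with several weak settings (not a real instance).
SAMPLE_CONFIG = {
    "auth": {"token": "your-token-here-at-least-32-characters-long"},
    "server": {"host": "0.0.0.0", "port": 3100},
    "network": {"egress": {"policy": "deny-all",
                           "allowlist": ["api.anthropic.com", "*.github.com"]}},
    "providers": {"anthropic": {"api_key": "sk-ant-api03-XXXXXXXX"}},
    "tools": {"disabled": ["session_spawn"]},
    "vnc": {"enabled": True, "require_auth": False},
    "rate_limiting": {"enabled": False},
}


def _is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def lint_config(cfg: dict) -> List[str]:
    """Return one finding per failed check; an empty list means all checks passed."""
    findings = []

    token = (cfg.get("auth") or {}).get("token") or ""          # item 2
    if len(token) < 32 or "your-token" in token:
        findings.append("item 2: auth.token missing, placeholder, or shorter than 32 chars")

    host = (cfg.get("server") or {}).get("host", "0.0.0.0")     # item 3
    if not _is_loopback(host):
        findings.append(f"item 3: server.host is {host!r}; bind to 127.0.0.1")

    egress = (cfg.get("network") or {}).get("egress") or {}     # item 6
    if egress.get("policy") != "deny-all":
        findings.append("item 6: network.egress.policy is not deny-all")
    for domain in egress.get("allowlist") or []:
        if "*" in domain:
            findings.append(f"item 6: wildcard in egress allowlist: {domain}")

    for name, provider in (cfg.get("providers") or {}).items():  # item 7
        key = (provider or {}).get("api_key") or ""
        if key and not ENV_REF.match(key):
            findings.append(f"item 7: providers.{name}.api_key is a literal; use ${{VAR}}")

    disabled = set((cfg.get("tools") or {}).get("disabled") or [])  # item 8
    for tool in sorted(DANGEROUS_TOOLS - disabled):
        findings.append(f"item 8: tool {tool} is not disabled")

    vnc = cfg.get("vnc") or {}                                   # item 9
    if vnc.get("enabled") and not (vnc.get("require_auth") and vnc.get("password")):
        findings.append("item 9: VNC enabled without authentication")

    if not (cfg.get("rate_limiting") or {}).get("enabled"):      # item 11
        findings.append("item 11: rate_limiting.enabled is not true")
    return findings


def lint_file(path: str) -> List[str]:
    with open(path) as fh:
        return lint_config(json.load(fh))


if __name__ == "__main__":
    results = lint_file(sys.argv[1]) if len(sys.argv) > 1 else lint_config(SAMPLE_CONFIG)
    for finding in results:
        print("FAIL:", finding)
    print("OK" if not results else f"{len(results)} finding(s)")
```

The constructed config produces eight findings (placeholder token, 0.0.0.0 bind, wildcard allowlist entry, literal API key, two dangerous tools still enabled, unauthenticated VNC, rate limiting off). The item 7 check is deliberately strict: any api_key that is not exactly a ${VAR} reference is treated as a leaked literal, regardless of the provider's key prefix.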
12. Rotate API Keys Quarterly
What: Replace all LLM provider keys every 90 days.
# Generate reminders (appends to the existing crontab instead of replacing it)
(crontab -l 2>/dev/null; echo "0 9 1 */3 * /usr/local/bin/openclaw-rotate-keys.sh") | crontab -
Build a rotation script:
#!/bin/bash
# openclaw-rotate-keys.sh: quarterly rotation reminder, run by the cron entry above
set -euo pipefail
mkdir -p /var/log/openclaw
echo "[$(date)] API key rotation reminder" >> /var/log/openclaw/rotation.log
echo "1. Generate new keys at provider dashboards"
echo "2. Update environment variables"
echo "3. Restart OpenClaw"
echo "4. Verify connections"
echo "5. Revoke old keys"
Why: Compromised API keys generated thousands of dollars in fraudulent charges across multiple incidents in early 2026. One victim reported a $14,000 bill from a single weekend. Their key had been leaked in a public repo 6 months earlier. (More: Key Rotation for AI Agents.)
Rotation limits the window. If a key leaks, it's dead in 90 days max.
13. Review Permissions Monthly
What: Audit who and what has access.
# List all configured users
openclaw users list
# Check tool permissions
openclaw config get tools.permissions
# Review active sessions
openclaw sessions list --all
Why: Permissions drift. Someone adds a tool for a quick test. They forget to remove it. Someone shares a token for a demo. It never gets revoked.
Monthly reviews catch the drift before it becomes a gap. Keep a checklist. Mark the date. Make it a calendar event.
14. Run openclaw security audit Weekly
What: Use the built-in audit command.
openclaw security audit
Set it on a cron:
# Every Sunday at 2 AM
0 2 * * 0 openclaw security audit --output /var/log/openclaw/audit-$(date +\%Y-\%m-\%d).json
Why: The audit command checks for outdated versions, weak auth, exposed ports, known-vulnerable skills, and missing security settings. It does in 30 seconds what takes you 20 minutes manually.
Run it weekly. Read the output. Fix what it flags. This single command catches most of the items on this list.
15. Subscribe to Security Advisories
What: Set up alerts from two sources.
- OpenClaw GitHub Security Advisories: Go to the OpenClaw repo. Click "Watch" > "Custom" > check "Security alerts."
- NCIIPC Alerts: Subscribe at the NCIIPC vulnerability alerts page. Filter for "OpenClaw."
- Mailing list:
openclaw security subscribe --email your@email.com
Why: CVE-2026-25253 was public for 11 days before most users patched. The advisory was posted on day one. If you were subscribed, you had an 11-day head start.
The next zero-day won't wait. You need to hear about it the same day it drops.
The Quick Version
For the speed-runners. Copy-paste this block:
# 1. Update
openclaw update
# 2. Generate auth token
TOKEN=$(openssl rand -hex 32)
echo "Auth token: $TOKEN"
# 3-4. Run in Docker with security flags, bound to localhost
docker run -d \
--name openclaw \
--user 1000:1000 \
--cap-drop ALL \
--cap-add NET_BIND_SERVICE \
--security-opt no-new-privileges:true \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid \
-e OPENCLAW_AUTH_TOKEN="$TOKEN" \
-e OPENCLAW_HOST="127.0.0.1" \
-e OPENCLAW_ANTHROPIC_API_KEY="${OPENCLAW_ANTHROPIC_API_KEY}" \
-v openclaw-data:/data \
-p 127.0.0.1:3100:3100 \
openclaw/openclaw:latest
# 5. Scan skills
docker exec openclaw openclaw skills scan --scanner clawdex
# 6-9. Apply security config
docker exec openclaw openclaw config set network.egress.policy deny-all
docker exec openclaw openclaw config set tools.disabled '["session_spawn","shell_exec"]'
docker exec openclaw openclaw config set vnc.enabled false
# 10. Enable audit logging
docker exec openclaw openclaw config set logging.audit.enabled true
# 11. Enable rate limiting
docker exec openclaw openclaw config set rate_limiting.enabled true
docker exec openclaw openclaw config set rate_limiting.requests_per_minute 30
# 14. Run audit
docker exec openclaw openclaw security audit
# Done. Restart to apply.
docker restart openclaw
Total time: about 5 minutes.
Ongoing Maintenance Schedule
Security is not a one-time event. Here's the cadence:
Daily:
- Check audit logs for anomalies
- Monitor API usage for unexpected spikes
Weekly:
- Run openclaw security audit
- Review active sessions
- Check for new version releases
Monthly:
- Review all user and tool permissions
- Audit installed skills against Clawdex
- Check egress allowlist — remove domains you no longer use
Quarterly:
- Rotate all API keys
- Review and update this checklist
- Run a full penetration test against your instance
FAQ
How long does it take to secure an OpenClaw instance?
About 20 minutes if you follow this checklist step by step. The speed-runner version takes about 5 minutes. The built-in openclaw security audit command checks most items automatically.
What is the biggest security risk with OpenClaw in 2026?
Running without authentication. 93.4% of internet-exposed OpenClaw instances have no auth token set. That means anyone who finds your instance gets full remote code execution on your machine. Item #2 on this list fixes it in 60 seconds.
How often should I run an OpenClaw security audit?
Weekly at minimum. Set openclaw security audit on a cron job every Sunday. Review the output Monday morning. If you're in a regulated industry (finance, healthcare, government), run it daily.
Does OpenClaw have a CVE database?
Yes. OpenClaw CVEs are tracked in the National Vulnerability Database (NVD) and on the OpenClaw GitHub security advisories page. Subscribe to both for real-time alerts. In 2026 alone, there have been 3 high-severity CVEs.
Can I automate this entire OpenClaw security checklist?
Yes. Two options. First, script each step yourself using the commands in this guide — the quick version section gives you a head start. Second, use a managed host that enforces every item by default, so you never think about it again.
Skip the Checklist Entirely
Look, you can do all 15 items yourself. Takes 20 minutes. Set your cron jobs. Remember to rotate keys. Check advisories every morning.
Or you can use a host that checks every box for you.
Clawctl ships with most items on this list baked in from day one. Auth enforced. Localhost binding. Docker isolation with per-tenant socket proxy. Squid proxy egress control with deny-all default. 50+ high-risk actions requiring human approval. Prompt injection defenses. Audit logging on every action. Encrypted API key storage.
You focus on building. We focus on making sure nobody breaks in.
Your instance is either hardened or it's a target. There is no middle ground.
Related reading: