Setup OpenClaw for Production: Security Checklist (2026)
OpenClaw works great in demos. Production is different.
VentureBeat's January 2026 CISO guide was clear: "CISOs must treat agents as production infrastructure."
This checklist covers what production-ready OpenClaw deployment actually requires.
The Production Gap
Demo: OpenClaw runs locally, binds to 0.0.0.0, no auth, control UI enabled.
Production: 42,665 exposed instances found by security researcher Maor Dayan. 93.4% were vulnerable.
The gap between "it works" and "it's secure" is where breaches happen.
Production Security Checklist
1. Gateway Authentication ✓
Default: No authentication
Production: 256-bit token authentication
OpenClaw's gateway accepts commands from anyone who can reach it. In production, every request must be authenticated.
With Clawctl: Automatic. 256-bit token generated and enforced.
Self-hosted:
{
"gateway": {
"auth": {
"mode": "token",
"token": "YOUR_64_CHAR_HEX_TOKEN"
}
}
}
Generate with: openssl rand -hex 32
2. Network Binding ✓
Default: 0.0.0.0 (all interfaces)
Production: 127.0.0.1 (localhost only)
Binding to all interfaces exposes the gateway on every network the host is attached to, including the internet if the host has a public address or a port forward.
With Clawctl: Automatic. Binds to localhost, Traefik handles external access.
Self-hosted:
{
"gateway": {
"bind": "loopback"
}
}
"loopback" binds 127.0.0.1 only; "lan" would still expose the gateway to everything on the local network, which is not what this item asks for. Use a reverse proxy (nginx, Caddy) with TLS for external access, and keep the gateway's own token check enabled behind it.
3. Control UI Disabled ✓
Default: Enabled
Production: Disabled
The control UI provides administrative access. Exposed control UIs were among the 1,800+ instances found with leaked API keys.
With Clawctl: Automatic. Control UI disabled.
Self-hosted:
{
"gateway": {
"controlUI": false
}
}
4. mDNS Discovery Disabled ✓
Default: Enabled
Production: Disabled
mDNS broadcasts your agent's presence on the local network, so anything on the same LAN can discover the gateway without scanning for it.
With Clawctl: Automatic. mDNS disabled.
Self-hosted:
{
"gateway": {
"discovery": {
"mdns": { "mode": "off" }
}
}
}
5. Sandbox Enabled ✓
Default: Disabled for main sessions
Production: Enabled for all agents
Without sandboxing, agent processes can access the host system.
With Clawctl: Automatic. All agents sandboxed in separate containers.
Self-hosted:
{
"sandbox": {
"mode": "all",
"scope": "agent"
}
}
6. Egress Filtering ✓
Default: Unrestricted outbound traffic
Production: Domain allowlist
Agents can make arbitrary HTTP requests. Egress filtering limits what domains agents can contact.
Simon Willison's "lethal trifecta" identifies external communication as one of the three capabilities that makes agents dangerous.
With Clawctl: Automatic. Squid proxy enforces domain allowlist.
Self-hosted: Configure a Squid proxy with an allowlist and point the agents at it (HTTP_PROXY/HTTPS_PROXY). The proxy is only a control if the agent cannot go around it: block all other outbound traffic from the agent's network namespace at the firewall, otherwise a tool that ignores the proxy variables has unrestricted egress. Squid matches the hostname of CONNECT requests, so dstdomain works for HTTPS without TLS interception:
acl allowed_domains dstdomain .anthropic.com .openai.com .github.com
http_access allow allowed_domains
http_access deny all
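The Squid snippet above matches destinations with dstdomain semantics, and those semantics are where allowlists usually go wrong: a leading dot matches the domain and all of its subdomains, no dot means exact match only, and lookalike hosts (evil-anthropic.com, api.github.com.evil.net, a userinfo trick such as api.openai.com@evil.net) must not match. The following is an added example, not OpenClaw or Clawctl code, that implements the same decision in Python so you can test an allowlist before deploying it or reuse the check inside a tool wrapper. The allowlist is the one from the acl line above; the sample URLs are constructed for illustration.

```python
"""Egress allowlist check with Squid dstdomain matching semantics.

Added example (not OpenClaw or Clawctl code). Assumes the allowlist from
the Squid snippet above; the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# The same three entries as the Squid acl line on this page.
ALLOWLIST = [".anthropic.com", ".openai.com", ".github.com"]


def parse_acl_line(line: str) -> list[str]:
    """Pull the domain tokens out of an 'acl NAME dstdomain ...' line."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "acl" or parts[2] != "dstdomain":
        raise ValueError(f"not a dstdomain acl line: {line!r}")
    return [p.lower() for p in parts[3:]]


def domain_matches(host: str, pattern: str) -> bool:
    """Squid dstdomain rules: '.example.com' matches example.com and every
    subdomain; 'example.com' (no leading dot) matches only exactly."""
    host = host.lower().rstrip(".")          # normalise case and a trailing FQDN dot
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_allowed(url: str, allowlist: list[str]) -> bool:
    """Decide on the host part of the URL only, exactly as the proxy sees it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                          # fail closed on anything unusual
    return any(domain_matches(parts.hostname, p) for p in allowlist)


def check_batch(urls: list[str], allowlist: list[str]) -> dict[str, bool]:
    """Evaluate several URLs at once; handy for testing a new allowlist."""
    return {u: is_allowed(u, allowlist) for u in allowlist and urls}


if __name__ == "__main__":
    # Constructed requests an agent might attempt, including lookalike hosts.
    sample = [
        "https://api.anthropic.com/v1/messages",     # allowed: subdomain
        "https://anthropic.com/",                    # allowed: bare domain
        "https://evil-anthropic.com/",               # denied: suffix trick
        "https://api.github.com.evil.net/",          # denied: prefix trick
        "https://api.openai.com@evil.net/exfil",     # denied: userinfo trick
        "ftp://github.com/",                         # denied: not http(s)
    ]
    for url, ok in check_batch(sample, ALLOWLIST).items():
        print("ALLOW" if ok else "DENY ", url)
```

Note that the decision is made on the parsed hostname, never on the raw URL string: a substring check against the raw string is exactly what the userinfo and prefix tricks above defeat. IP literals fail closed because they never match a domain pattern, which is the behaviour you want for an exfiltration-resistant allowlist.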
7. Audit Logging ✓
Default: Minimal logging
Production: Full audit trail
When something goes wrong, you need to know what the agent did.
Cisco research found 26% of agent skills contain vulnerabilities. Without audit logs, you can't investigate incidents.
With Clawctl: Automatic. 50+ event types, searchable, exportable.
Self-hosted: Configure comprehensive logging:
{
"logging": {
"level": "info",
"destination": "/var/log/openclaw/audit.log",
"format": "json",
"events": ["all"]
}
}
8. Human-in-the-Loop ✓
Default: Agent acts autonomously
Production: High-risk actions require approval
Agents can delete files, send emails, and execute shell commands. Human-in-the-loop gates these actions behind an explicit approval.
With Clawctl: Built-in. 70+ high-risk actions blocked by default. Configurable auto-approve rules.
Self-hosted: Build an approval workflow from scratch. Estimated: 8-16 hours.
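The core of a self-built approval workflow is a gate that sits in front of tool dispatch: it classifies each call as high-risk or not, applies narrow auto-approve rules, and parks everything else until a human decides, recording every decision on the way. The following is an added example, not OpenClaw or Clawctl code. The tool names (shell, delete_file, write_file, send_email), the risk rules and the auto-approve rules are assumptions chosen for illustration; the point is the shape of the gate, including the path normalisation that stops `../` from sneaking a delete out of an auto-approved directory.

```python
"""Approval gate for high-risk agent actions (human-in-the-loop).

Added example (not OpenClaw or Clawctl code). Tool names, risk rules and
auto-approve rules below are assumptions for illustration; wire the gate
in front of your real tool dispatch.
"""
import os
import shlex
from dataclasses import dataclass

DESTRUCTIVE_CMDS = {"rm", "rmdir", "mkfs", "dd", "shred", "sudo", "curl", "wget"}
WORKSPACE = "/workspace/"


def shell_is_destructive(command: str) -> bool:
    """True for commands that delete, escalate, fetch from the network, or cannot be parsed."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return True                      # unbalanced quotes: refuse to guess
    if not argv:
        return False
    return argv[0] in DESTRUCTIVE_CMDS or "--force" in argv or "sudo" in argv


def under(path: str, root: str) -> bool:
    """Prefix check after normalisation so '../' cannot escape the root."""
    return os.path.normpath(path).startswith(os.path.normpath(root) + os.sep)


# Which tool calls count as high-risk: tool name -> predicate over its args.
HIGH_RISK = {
    "shell": lambda a: shell_is_destructive(a.get("command", "")),
    "delete_file": lambda a: True,
    "send_email": lambda a: True,
    "write_file": lambda a: not under(a.get("path", ""), WORKSPACE),
}

# Narrow auto-approve rules (tool, predicate). Anything else high-risk waits.
DEFAULT_AUTO_RULES = [
    ("delete_file", lambda a: under(a.get("path", ""), "/workspace/tmp")),
    ("send_email", lambda a: a.get("to", "").endswith("@example.internal")),
]


@dataclass
class Decision:
    tool: str
    args: dict
    status: str      # "allowed" | "auto-approved" | "pending"
    reason: str


class ApprovalGate:
    def __init__(self, auto_rules=DEFAULT_AUTO_RULES):
        self.auto_rules = auto_rules
        self.log = []                    # every decision is recorded (audit trail)

    def evaluate(self, tool: str, args: dict) -> Decision:
        risky = HIGH_RISK.get(tool)
        if risky is None or not risky(args):
            d = Decision(tool, args, "allowed", "not classified as high-risk")
        elif any(t == tool and ok(args) for t, ok in self.auto_rules):
            d = Decision(tool, args, "auto-approved", "matched an auto-approve rule")
        else:
            d = Decision(tool, args, "pending", "high-risk: needs human approval")
        self.log.append(d)
        return d

    def pending(self) -> list:
        return [d for d in self.log if d.status == "pending"]


if __name__ == "__main__":
    gate = ApprovalGate()
    # Constructed tool calls an agent might issue.
    for tool, args in [
        ("shell", {"command": "ls -la /workspace"}),
        ("shell", {"command": "rm -rf /workspace/build"}),
        ("delete_file", {"path": "/workspace/tmp/scratch.txt"}),
        ("delete_file", {"path": "/workspace/tmp/../../etc/passwd"}),
        ("send_email", {"to": "ops@example.internal"}),
        ("send_email", {"to": "someone@gmail.com"}),
    ]:
        d = gate.evaluate(tool, args)
        print(f"{d.status:14} {tool} {args} ({d.reason})")
    print(len(gate.pending()), "actions waiting for a human")
```

Two design choices matter here. Unknown tools are treated as not high-risk only because the table is explicit; in a real deployment you would invert that and require every tool to be classified before it can be dispatched. And the auto-approve rules are deliberately narrower than the risk rules: an auto-approve rule that matched the whole workspace would quietly turn the gate back into full autonomy.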
9. Prompt Injection Defense ✓
Default: No protection
Production: Defense enabled
Prompt injection lets an attacker override the agent's instructions with text the agent reads: not only direct user input, but web pages, emails, documents and tool output the agent processes on the user's behalf.
With Clawctl: Automatic. Homoglyph normalization, Base64/ROT13 detection, attack pattern detection.
Self-hosted: Implement input preprocessing and detection. Estimated: 4-8 hours. Treat pattern detection as defense in depth rather than a boundary: an encoding that evades today's patterns will exist tomorrow, so the containment controls on this list (sandbox, egress allowlist, approval gates) are what limit the damage when an injection gets through.
10. Encrypted Secrets ✓
Default: Plaintext in ~/.openclaw/credentials/
Production: Encrypted at rest, injected at runtime
Leaked API keys were visible in 1,800+ exposed instances.
With Clawctl: Automatic. Keys encrypted in PostgreSQL, injected at container runtime.
Self-hosted: Use a secrets manager, or environment variables injected at container start and scoped to the one agent that needs the key. Never store keys in config files. Environment variables are readable by every process in the same container (and through /proc), so set them per container rather than on the host.
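Items 1 to 5 are all settings in the gateway config, and item 10 is about what must not be in that file. The following is an added example, not OpenClaw or Clawctl code: a small audit that reads a config dict using the key names shown in the snippets on this page (gateway.auth, gateway.bind, gateway.controlUI, gateway.discovery.mdns, sandbox) and reports every checklist item that is still at its insecure value, including the two mistakes that survive copy-and-paste hardening: the placeholder token left in place, and a provider API key pasted into the config. It assumes that a missing key means the insecure default described above; the sample configs and key values are constructed.

```python
"""Lint an OpenClaw config against checklist items 1-5 and 10.

Added example (not OpenClaw or Clawctl code). It reads the key names used by
the config snippets on this page and assumes a missing key means the insecure
default described above. Sample configs and key values are constructed.
"""
import json
import re

HEX_256 = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
PLACEHOLDER = "YOUR_64_CHAR_HEX_TOKEN"
LOOPBACK_BINDS = {"loopback", "127.0.0.1", "localhost"}

# Shapes of common provider credentials; extend for the providers you use.
SECRET_SHAPES = [
    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),        # OpenAI/Anthropic-style keys
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),           # AWS access key IDs
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), # GitHub tokens
]


def get(cfg, dotted, default=None):
    """Walk 'a.b.c' into nested dicts, returning default if any hop is missing."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def find_secret_paths(node, prefix=""):
    """Return dotted paths of string values that look like API keys."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            hits += find_secret_paths(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            hits += find_secret_paths(v, f"{prefix}[{i}]")
    elif isinstance(node, str) and any(p.search(node) for p in SECRET_SHAPES):
        hits.append(prefix)
    return hits


def audit(cfg: dict) -> list:
    findings = []
    # 1. Gateway authentication: token mode, a real 256-bit token, not the placeholder.
    if get(cfg, "gateway.auth.mode") != "token":
        findings.append("gateway.auth.mode is not 'token'")
    else:
        token = str(get(cfg, "gateway.auth.token", ""))
        if token == PLACEHOLDER:
            findings.append("gateway.auth.token is still the placeholder")
        elif not HEX_256.match(token):
            findings.append("gateway.auth.token is not 64 hex chars (256 bits)")
    # 2. Network binding: loopback only.
    bind = get(cfg, "gateway.bind", "0.0.0.0")
    if bind not in LOOPBACK_BINDS:
        findings.append(f"gateway.bind={bind!r} is not loopback-only")
    # 3. Control UI off.  4. mDNS off.  5. Sandbox for every session.
    if get(cfg, "gateway.controlUI", True) is not False:
        findings.append("gateway.controlUI is enabled")
    if get(cfg, "gateway.discovery.mdns.mode", "on") != "off":
        findings.append("gateway.discovery.mdns.mode is not 'off'")
    if get(cfg, "sandbox.mode") != "all":
        findings.append("sandbox.mode is not 'all'")
    # 10. No provider credentials sitting in the config file.
    findings += [f"secret-shaped value at {p}" for p in find_secret_paths(cfg)]
    return findings


def audit_file(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh))


# Constructed samples: a demo-style config and a hardened one.
DEMO_CONFIG = {
    "gateway": {"bind": "0.0.0.0"},
    "providers": {"openai": {"apiKey": "sk-demo" + "0" * 40}},  # fake key shape
}
HARDENED_CONFIG = {
    "gateway": {
        "auth": {"mode": "token", "token": "ab" * 32},  # stand-in for openssl rand -hex 32
        "bind": "loopback",
        "controlUI": False,
        "discovery": {"mdns": {"mode": "off"}},
    },
    "sandbox": {"mode": "all", "scope": "agent"},
}

if __name__ == "__main__":
    for name, cfg in (("demo", DEMO_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

Run it against the file you actually ship (audit_file("~/.openclaw/openclaw.json" expanded, or wherever your deployment keeps it) as a pre-deploy check, and fail the rollout on any finding. The secret-shape scan is a heuristic, so keep it alongside a proper secret scanner rather than instead of one; its job here is to catch the common case of a key pasted into the config while wiring up a provider.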
The Complete Checklist
| Security Control | Default | Production | Clawctl |
|---|---|---|---|
| Gateway auth | None | 256-bit token | ✓ Auto |
| Network binding | 0.0.0.0 | 127.0.0.1 | ✓ Auto |
| Control UI | Enabled | Disabled | ✓ Auto |
| mDNS | Enabled | Disabled | ✓ Auto |
| Sandbox | Disabled | Enabled | ✓ Auto |
| Egress filtering | None | Allowlist | ✓ Auto |
| Audit logging | Minimal | Full | ✓ Auto |
| Human-in-the-loop | None | Enabled | ✓ Auto |
| Prompt defense | None | Enabled | ✓ Auto |
| Encrypted secrets | Plaintext | Encrypted | ✓ Auto |
Time Estimate
Self-hosted production setup:
- Initial configuration: 8-12 hours
- Reverse proxy + SSL: 2-4 hours
- Egress filtering: 2-4 hours
- Audit logging: 4-8 hours
- Human-in-the-loop: 8-16 hours
- Prompt defense: 4-8 hours
- Testing and validation: 4-8 hours
- Total: 32-60 hours
Clawctl production setup:
- Sign up and pay: 30 seconds
- Dashboard setup wizard: 30 seconds
- Total: 60 seconds
Setup OpenClaw for Production Now
The 42,665 exposed instances weren't configured for production. Don't join them.
Sign up at clawctl.com/checkout, pick a plan, and your agent is provisioned with every security control on this checklist. 60 seconds. Done.