Security Check

DM Access Policy: Who Can Talk to Your Agent?

By default, OpenClaw channels (Telegram, Discord, Slack, WhatsApp) accept direct messages under a "pairing" policy: a sender the agent does not already know must complete pairing before the agent will act on their messages. Setting dmPolicy to "open" removes that gate.

Why It Matters

With an open DM policy, anyone with an account on the messaging platform can message your agent, and the agent will act on what they send. If the agent has tool access (shell, filesystem, browser), that means strangers can invoke those tools through it, with whatever permissions the agent process runs under.

How to Fix

Keep dmPolicy set to "pairing" (the default) on every channel, and set it explicitly so the intent is visible in the config rather than relying on the default. Then use an allowFrom list per channel to restrict which senders may interact with the agent even after they have paired.

openclaw.json
{
  "channels": {
    "telegram": {
      "dmPolicy": "pairing"
    },
    "discord": {
      "dmPolicy": "pairing"
    }
  }
}
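The following is an added example, not Clawctl's scanner or any code from the OpenClaw project. It reads an openclaw.json and reports every channel whose DM policy would let strangers reach the agent. It assumes only the layout shown above: channels.<name>.dmPolicy is "pairing" (the default when absent) or "open", and channels.<name>.allowFrom, when present, is a list of allowed sender identifiers. The sample config embedded in the script is constructed for the demonstration.

```python
"""Audit an openclaw.json for DM policies that let strangers reach the agent.

Added example, not the project's own scanner. Assumptions (only the fields
named on this page): channels.<name>.dmPolicy is "pairing" (default when
absent) or "open"; channels.<name>.allowFrom, if present, is a list of sender IDs.
"""
import json
import sys

DEFAULT_DM_POLICY = "pairing"        # what a channel gets when dmPolicy is absent
KNOWN_POLICIES = {"pairing", "open"}

# Constructed sample config for the demonstration (not from a real deployment).
SAMPLE_CONFIG = {
    "channels": {
        "telegram": {"dmPolicy": "pairing", "allowFrom": ["123456789"]},
        "discord": {"dmPolicy": "open"},          # the weak setting
        "slack": {},                               # relies on the default
        "whatsapp": {"dmPolicy": "everyone"},      # value this page does not document
    }
}


def audit_dm_policy(config):
    """Return one finding dict (channel, severity, reason) per channel needing attention."""
    findings = []
    for name, channel in (config.get("channels") or {}).items():
        if not isinstance(channel, dict):
            continue
        policy = channel.get("dmPolicy", DEFAULT_DM_POLICY)
        allow_from = channel.get("allowFrom")

        if policy == "open":
            findings.append({
                "channel": name,
                "severity": "high",
                "reason": 'dmPolicy is "open": any user on the platform can message the agent',
            })
            continue
        if policy not in KNOWN_POLICIES:
            findings.append({
                "channel": name,
                "severity": "review",
                "reason": f"dmPolicy {policy!r} is not a value this check recognises",
            })
            continue
        # Pairing is on, but without allowFrom every sender who completes pairing may interact.
        if allow_from is None:
            findings.append({
                "channel": name,
                "severity": "info",
                "reason": "pairing is on but no allowFrom list limits who can interact after pairing",
            })
    return findings


def audit_file(path):
    """Load an openclaw.json from disk and audit it."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_dm_policy(json.load(fh))


def main(argv):
    findings = audit_file(argv[1]) if len(argv) > 1 else audit_dm_policy(SAMPLE_CONFIG)
    for f in findings:
        print(f"[{f['severity']}] {f['channel']}: {f['reason']}")
    # Exit non-zero when a channel is wide open so the check can gate a deploy.
    return 1 if any(f["severity"] == "high" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_dm_policy.py path/to/openclaw.json`; with no argument it audits the embedded sample, where discord is reported as high, slack as info (paired senders are unrestricted) and whatsapp as review. A missing dmPolicy is deliberately not flagged as a vulnerability, since the page states that pairing is the default; the info-level finding exists only to surface channels that have no allowFrom list.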

Check your config for this vulnerability

The free scanner tests this and 11 other security checks.

Skip the hardening

Clawctl manages all 12 security checks automatically. Enterprise defaults, zero config.