← Back to cheatsheet

🔐 Security & DM Policies

OpenClaw isn't a chatbot in a browser tab — it's a persistent agent with access to your filesystem, shell, and credentials. This guide walks you through every layer of security: who can talk to it, what it's allowed to do, and how to limit the blast radius if something goes wrong.

Critical — read before connecting channels~30 min to hardenUpdated for v2026.3.23

On this page

  1. The threat model — why this matters
  2. DM policies: pairing, allowlist, open
  3. Pairing flow — how it works in practice
  4. Group chat security
  5. Sandboxing — limit the blast radius
  6. Exec & tool policies
  7. File permissions & credential hygiene
  8. Network exposure & Control UI
  9. Skill vetting — what to check before installing
  10. Security audit & doctor
  11. Incident response — if something goes wrong
  12. The hardening checklist

🚨 The core principle: You cannot fully secure the reasoning layer — models can be tricked by clever prompts. Your defense must come from sandboxing the execution layer. Assume the model will eventually be manipulated. Design your setup so that manipulation has limited impact.

1 The threat model

OpenClaw has access to things a regular chatbot doesn't:

  • Your filesystem — it can read, write, and delete files
  • Shell commands — it can execute arbitrary terminal commands
  • Messaging channels — it can send messages to real people on your behalf
  • API keys & credentials — stored in ~/.openclaw/
  • Browser control — if enabled, it can navigate, click, and fill forms

The security framework follows three priorities, in this exact order:

  1. Identity first — decide who can talk to the agent (DM policies, allowlists, pairing)
  2. Scope next — decide what the agent can do (tools, sandboxing, permissions)
  3. Model last — assume the model can be manipulated; design so manipulation has limited blast radius

⚠️ Real-world context: In early 2026, security researchers found that a large majority of OpenClaw instances were running with default (permissive) settings. The ClawHub community also saw hundreds of malicious skills uploaded before vetting was improved. Don't be the default config.

2 DM policies

The DM policy is your first line of defense. It controls who can send direct messages to your agent on each channel.

PolicyBehaviorWhen to use
pairingUnknown senders get a 6-digit code. You approve via CLI. Code expires after 1 hour.Default — use this for most setups
allowlistOnly users in allowFrom can message. Everyone else is silently ignored.When you know exactly who needs access
openAnyone can message your agent immediately.Almost never. Only for public bots with zero tool access.
disabledNo DMs accepted at all.Channels used for groups only

Configure per channel

{
  "channels": {
    "telegram": {
      "enabled": true,
      "botToken": "...",
      "dmPolicy": "pairing",
      "allowFrom": ["your_telegram_id"]
    },
    "discord": {
      "enabled": true,
      "token": "...",
      "dmPolicy": "allowlist",
      "allowFrom": ["123456789012345678"]
    }
  }
}

🚨 Never set dmPolicy: "open" on a personal channel. If your agent has shell access and an open DM policy, anyone who discovers your bot can potentially execute commands on your machine. This is the single most common and dangerous misconfiguration.

💡 DM vs group policies are independent. A user who can talk to your bot in a group does NOT automatically get DM access, and vice versa. Each session type has its own policy — configure them separately.

3 Pairing flow

Pairing is like Bluetooth pairing — both sides must agree before communication starts. Here's how it works:

  1. Someone sends your agent a DM
  2. The agent responds with a 6-digit pairing code (expires in 1 hour)
  3. The sender tells you the code (or you see it in logs)
  4. You approve it from your terminal

Approve a pairing request

# Approve a specific code
openclaw pairing approve telegram 482910

# List pending pairing requests
openclaw pairing list

# Revoke a previously approved user
openclaw pairing revoke telegram <user_id>

Once approved, that user is added to a local pairing store and can message freely in future sessions.

Where are approved IDs stored?

Pairing approvals are stored locally in the OpenClaw state directory. They persist across restarts. You can audit and revoke them at any time with the pairing CLI commands.

✅ Best practice: Start with pairing on all channels. Once you've approved the people who need access, you can optionally switch to allowlist with their IDs for a stricter lockdown.

4 Group chat security

Groups introduce a unique risk: multiple people can send messages, and any message can contain a prompt injection attempt. The agent processes everything it sees in the group.

Group policies

{
  "groupPolicy": "allowlist",
  "groups": {
    "allowFrom": ["group_id_1", "group_id_2"]
  }
}

Mention gating

In groups, require the bot to be explicitly @mentioned before it responds:

{
  "channels": {
    "discord": {
      "requireMention": true
    }
  }
}

Without mention gating, your bot is "always-on" in the group — reading and potentially acting on every message. With mention gating, it only activates when directly addressed.

Session isolation

By default, OpenClaw uses dmScope to isolate sessions per user. Each person gets their own conversation context — they can't see each other's messages, memories, or tool outputs. This applies to both DMs and group interactions.

⚠️ Key rule: Never combine open group policy + broad tool access. If strangers can message your bot in a group AND it has shell/file access, a single malicious message could trigger unwanted actions on your system.

5 Sandboxing

Sandboxing is your safety net — if the agent goes off the rails (tricked by a prompt injection, buggy skill, or hallucinated command), the damage is contained to a disposable environment.

Option A: Tool sandboxing (recommended)

Gateway runs on your host, but tools execute inside Docker containers:

{
  "agents": {
    "defaults": {
      "sandbox": {
        "mode": "non-main",
        "scope": "session",
        "workspaceAccess": "none"
      }
    }
  }
}
  • "non-main" — sandboxes all sessions except your main DM (where you're the trusted operator)
  • "session" — each session gets its own isolated sandbox
  • "workspaceAccess": "none" — sandboxed sessions can't read your workspace files

Option B: Full gateway in Docker

Run the entire gateway inside a container for maximum isolation:

docker run -d --name openclaw \
  -v ~/.openclaw:/root/.openclaw \
  -p 18789:18789 \
  ghcr.io/openclaw/openclaw:latest

What sandboxing protects against

AttackWithout sandboxWith sandbox
Prompt injection → rm -rfDeletes your filesDeletes sandbox files only
Skill exfiltrates ~/.sshKeys exposedNo access to host filesystem
Malicious skill runs crypto minerRuns on your CPUContained, easy to kill
Group user triggers shell commandRuns as your userRuns in isolated container

✅ Minimum viable sandboxing: Even if you don't fully sandbox everything, set "mode": "non-main". This keeps your personal trusted DM session running natively (fast, full access) while isolating group chats and other users' sessions.

6 Exec & tool policies

Control what your agent can execute and whether it needs your approval first.

Consent mode (ask before executing)

{
  "exec": {
    "ask": "on"
  }
}

With ask: "on", the agent sends you a confirmation prompt before running any shell command or writing any file. You approve or reject. This is the safest mode for getting started.

Tool profiles

Control which categories of tools are available:

{
  "tools": {
    "profile": "minimal"
  }
}
ProfileWhat's enabled
minimalChat only — no shell, no file access, no browser
standardShell + file read/write (default)
fullEverything including browser control

Per-agent overrides

Different agents can have different tool access levels. Your personal assistant might get full access while a group-facing bot gets minimal:

{
  "agents": {
    "personal": { "tools": { "profile": "standard" } },
    "group-bot": { "tools": { "profile": "minimal" } }
  }
}

💡 Model choice matters here. Larger, instruction-hardened models (Claude Opus, Claude Sonnet) are much better at resisting prompt injection than smaller/older models. If you must use a budget model, reduce the tool profile to minimal and enable strict sandboxing.

7 File permissions & credential hygiene

Lock down the OpenClaw directory

# Restrict the entire OpenClaw directory
chmod 700 ~/.openclaw

# Lock the config file (contains API keys)
chmod 600 ~/.openclaw/openclaw.json

# Lock credentials directory
chmod 700 ~/.openclaw/credentials

Where your secrets live

SecretLocation
AI API keysopenclaw.json → model section
Telegram bot tokenopenclaw.json → channels.telegram
WhatsApp credentialscredentials/whatsapp/
Discord bot tokenopenclaw.json → channels.discord
Gateway auth tokenopenclaw.json → gateway.auth

Rules

  • Never commit ~/.openclaw/ to version control. Add it to your global .gitignore.
  • Never put API keys in workspace files. SOUL.md, AGENTS.md, etc. are loaded into AI context — keys there could be leaked through prompt injection.
  • Use environment variables when possible instead of hardcoding keys in config.
  • Rotate keys periodically — especially if you suspect exposure.

🚨 Real incident: In early 2026, roughly 1,800 OpenClaw instances had their API keys exposed because the Control UI was accessible from the public internet. Don't let this be you — see the next section.

8 Network exposure & Control UI

The Control UI (WebChat at :18789) is an admin interface with full access to your agent and configuration. It is not designed for public exposure.

Keep it local

{
  "gateway": {
    "bind": "loopback",
    "controlUi": {
      "allowInsecureAuth": false
    }
  }
}
  • "bind": "loopback" — only accessible from localhost (127.0.0.1)
  • "allowInsecureAuth": false — never disable auth on the Control UI

Remote access (if you need it)

If you run OpenClaw on a VPS and need remote access:

  • SSH tunnel (simplest): ssh -L 18789:localhost:18789 user@your-vps — then open localhost:18789 in your browser
  • Tailscale (recommended for persistent access): bind to your Tailscale IP (100.x.x.x) instead of 0.0.0.0
  • Never use Cloudflare Tunnel, ngrok, or port forwarding to expose :18789 to the public internet

⚠️ Exposing the Control UI publicly is the #1 security mistake. Attackers actively scan for OpenClaw gateways on Shodan. If yours is exposed, they can steal your API keys, read your conversations, and execute commands on your machine.

9 Skill vetting

Skills are code that your agent can execute. A malicious skill has the same access as your agent — filesystem, shell, network. Always vet before installing.

Red flags in SKILL.md files

  • curl | bash or wget | sh — remote code execution
  • Base64-encoded strings — obfuscated payloads
  • Zero-width Unicode characters — hidden instructions invisible to the eye
  • References to ~/.ssh, ~/.openclaw/credentials, or ~/.aws
  • Auto-update mechanisms that pull code from external URLs
  • Requests for permissions beyond what the skill description claims to need

Safe practices

  • Read the SKILL.md source before installing — always
  • Prefer bundled skills (maintained by @steipete) — they ship with OpenClaw and are vetted
  • Check our Skill Explorer for Pixeyo-curated skills that have been manually reviewed
  • Run community skills in sandboxed sessions
  • Use openclaw security audit which checks for known risky skill patterns

💡 Our approach: We built 8 Pixeyo-curated skills from scratch rather than using community marketplace skills. Every one is read-only where possible, confirms before writes, stores no credentials, and downloads nothing external. Browse them in the Skill Explorer.

10 Security audit & doctor

OpenClaw has built-in tools to check your security posture.

Quick check

# Basic health and security check
openclaw doctor

# Deep audit with auto-fix
openclaw doctor --deep --yes

# Dedicated security scan
openclaw security audit --deep

What the audit checks

  • DM policies — flags open policies or missing allowlists
  • Network exposure — warns if gateway is bound to 0.0.0.0
  • File permissions — checks ~/.openclaw/ directory permissions
  • Sandbox configuration — flags sandbox settings that are configured but not active
  • Plugin/skill allowlists — checks for extensions running without explicit approval
  • Credential exposure — warns about tokens in workspace files
  • Gateway auth — checks for weak or missing authentication; v2026.3.7+: when both gateway.auth.token and gateway.auth.password are set, you must set gateway.auth.mode to token or password

Third-party auditing

# ClawShield (independent security scanner)
clawshield audit
clawshield apply safe --write  # Auto-fix common issues

✅ Run openclaw doctor --deep --yes weekly. Add it as a cron job or habit. Security configs can drift — especially after updates or config changes.

11 Incident response

If you suspect your agent has been compromised, a skill acted unexpectedly, or a token was exposed:

Immediate steps (in this order)

  1. Stop the blast radius — disable elevated tools or stop the gateway entirely:
openclaw gateway stop

  1. Rotate all secrets — change your gateway.auth token, hooks.token, and all AI provider API keys

  2. Review logs — check for unexpected tool calls, file access, or outbound requests:

openclaw logs --json --limit 500 | grep -E "exec|write|fetch"
  1. Audit the environment:
openclaw security audit --deep
  1. Restart with tighter config — reduce tool profile, enable consent mode, re-evaluate allowlists

💡 Reporting a vulnerability: If you discover a security issue in OpenClaw itself (not just your config), report it privately via the GitHub Security page. Don't open a public issue.

12 The hardening checklist

Print this. Run through it after installation and after every major config change.

Identity (who can talk)

  • dmPolicy is "pairing" or "allowlist" on every channel
  • No channel has dmPolicy: "open" with tool access enabled
  • groupPolicy is "allowlist" — not open
  • requireMention: true on group channels
  • Pairing store reviewed — no unknown/stale approved users

Scope (what it can do)

  • exec.ask is "on" (consent mode) — at least during setup
  • Sandbox mode is "non-main" at minimum
  • Group-facing agents use tools.profile: "minimal"
  • /reasoning and /verbose disabled in public rooms
  • Only necessary skills installed — no "install everything" approach

Network (what's exposed)

  • gateway.bind is "loopback" — not 0.0.0.0
  • controlUi.allowInsecureAuth is false
  • Port 18789 is NOT exposed to the public internet
  • Remote access via SSH tunnel or Tailscale only

Credentials (what's protected)

  • chmod 700 ~/.openclaw and chmod 600 openclaw.json
  • No API keys in workspace files (SOUL.md, AGENTS.md, etc.)
  • ~/.openclaw/ excluded from git repos and public backups
  • Gateway auth token is strong (not default or short)
  • logging.redactSensitive is "tools" — keep it on

Ongoing

  • openclaw doctor --deep --yes run weekly
  • Skills reviewed before installation (check source code)
  • OpenClaw updated to latest version regularly
  • Node.js is 22.12.0+ (includes critical security CVE fixes)