SECURAAI · PROJECT FERAL
HARDENING GUIDE · v1.0

OpenClaw Hardening Guide

Implementation-ready security configurations addressing all 10 Project Feral threats. Organized by priority with verification commands and complete YAML configs.

P0 — CRITICAL (Do First)
  • Gateway auth & loopback binding
  • Docker containerization
  • Sandbox configuration
  • Credential protection
  • Supply chain lockdown
P1 — HIGH
  • Memory hardening
  • Channel & DM security
  • Tool permission boundaries
P2 — MEDIUM
  • Resource limits
  • Logging & audit
🔐
Gateway Authentication & Binding
Prevent unauthorized access to Control UI
OC-T03, OC-T08

Threat: 135,000+ exposed OpenClaw instances found. 93.4% had authentication bypasses. Gateway must bind to loopback only with mandatory auth.

~/.openclaw/config.yaml
gateway:
  # CRITICAL: Bind to loopback only
  bind: loopback
  
  auth:
    # Use environment variable
    token: "${OPENCLAW_GATEWAY_TOKEN}"
    password: "${OPENCLAW_GATEWAY_PASSWORD}"
  
  controlUi:
    allowInsecureAuth: false
  
  websocket:
    validateOrigin: true
✓ Verification
# Should show 127.0.0.1, NOT 0.0.0.0
ss -tlnp | grep 18789

# Should require auth (HTTP 401); -o/-w print the status code instead of the body
curl -s -o /dev/null -w '%{http_code}\n' http://localhost:18789/health
🐳
Docker Containerization
Isolate agent execution from host system
OC-T02

Threat: CVE-2026-25253 enabled one-click RCE. Containerization limits blast radius. Use read-only filesystem, drop capabilities, run as non-root.

docker run command
docker run -d \
  --name openclaw-secure \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid,size=256M \
  --security-opt=no-new-privileges:true \
  --cap-drop=ALL \
  --cpus="2.0" \
  --memory="4g" \
  -u 1000:1000 \
  -p 127.0.0.1:18789:18789 \
  -v ./openclaw-data:/home/node/.openclaw:rw \
  -e OPENCLAW_GATEWAY_TOKEN="${OPENCLAW_GATEWAY_TOKEN}" \
  openclaw/openclaw:2026.2.13
✓ Verification
# Should NOT be root (uid=1000)
docker exec openclaw-secure id

# Should fail (read-only filesystem)
docker exec openclaw-secure touch /test-file
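The flag set above can be checked mechanically before a container is started. The script below is an added example written for this guide, not OpenClaw project code: it tokenizes a `docker run` command line with shlex and reports every hardening flag from this section that is missing or weakened (writable root filesystem, retained capabilities, missing no-new-privileges, root user, missing resource limits, a port published beyond 127.0.0.1, or an unpinned image tag). The option table, the finding messages and the weak sample command are this example's own assumptions.

```python
"""Audit a `docker run` command line for the hardening flags this guide calls for.

Added example, not part of the OpenClaw project: the command is tokenized with
shlex and the flag set is checked, so a wrapper script or CI job can refuse to
launch a container that lacks a read-only root filesystem, dropped capabilities,
no-new-privileges, a non-root user, resource limits, a pinned image tag or a
loopback-only port binding. Sample commands are constructed.
"""
import shlex

# Options that always take a value, so `--opt value` (no '=') is parsed correctly.
VALUED_OPTIONS = {
    "--name", "--tmpfs", "--security-opt", "--cap-drop", "--cap-add", "--cpus",
    "--memory", "-u", "--user", "-p", "--publish", "-v", "--volume", "-e", "--env",
    "--network", "--pids-limit", "--entrypoint",
}


def parse_docker_run(command):
    """Return (flags, image): flags maps each option to the list of values seen."""
    # shlex does not treat backslash-newline as a continuation, so join lines first.
    tokens = shlex.split(command.replace("\\\n", " "))
    if tokens[:2] != ["docker", "run"]:
        raise ValueError("expected a `docker run` command")
    flags, image, i = {}, None, 2
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            image = tok  # first non-option token is the image; anything after is the command
            break
        if tok.startswith("--") and "=" in tok:
            opt, val = tok.split("=", 1)
        elif tok in VALUED_OPTIONS:
            opt, val = tok, tokens[i + 1]
            i += 1
        else:
            opt, val = tok, True  # boolean switch such as -d or --read-only
        flags.setdefault(opt, []).append(val)
        i += 1
    return flags, image


def audit_docker_run(command):
    """Return a list of findings; an empty list means the command meets the guide."""
    flags, image = parse_docker_run(command)
    findings = []
    if "--read-only" not in flags:
        findings.append("root filesystem is writable: add --read-only")
    if "ALL" not in flags.get("--cap-drop", []):
        findings.append("capabilities retained: add --cap-drop=ALL")
    if not any(str(v).startswith("no-new-privileges") for v in flags.get("--security-opt", [])):
        findings.append("setuid escalation allowed: add --security-opt=no-new-privileges:true")
    user = (flags.get("-u") or flags.get("--user") or [None])[0]
    if user is None or str(user).split(":")[0] in ("0", "root"):
        findings.append("container runs as root: add -u <uid>:<gid>")
    for limit in ("--memory", "--cpus"):
        if limit not in flags:
            findings.append(f"no resource limit: add {limit}")
    for port in flags.get("-p", []) + flags.get("--publish", []):
        parts = str(port).split(":")  # expected host_ip:host_port:container_port
        if len(parts) != 3 or parts[0] != "127.0.0.1":
            findings.append(f"port {port} is reachable from other hosts: publish as 127.0.0.1:<port>:<port>")
    if image is None or ":" not in image or image.endswith(":latest"):
        findings.append(f"image {image!r} is not pinned: use an explicit version tag")
    return findings


# Constructed copies of a hardened command (the one in this section) and a weak one.
HARDENED_CMD = r"""docker run -d \
  --name openclaw-secure \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid,size=256M \
  --security-opt=no-new-privileges:true \
  --cap-drop=ALL \
  --cpus="2.0" \
  --memory="4g" \
  -u 1000:1000 \
  -p 127.0.0.1:18789:18789 \
  -v ./openclaw-data:/home/node/.openclaw:rw \
  -e OPENCLAW_GATEWAY_TOKEN="${OPENCLAW_GATEWAY_TOKEN}" \
  openclaw/openclaw:2026.2.13"""
WEAK_CMD = "docker run -d --name openclaw -p 18789:18789 openclaw/openclaw:latest"

if __name__ == "__main__":
    for finding in audit_docker_run(WEAK_CMD):
        print("FAIL", finding)
```

Running the module prints one line per missing control for the weak command and nothing for the hardened one; wiring `audit_docker_run` into the script that launches the container turns the checklist into a gate.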
📦
Sandbox Configuration
Isolate tool execution per agent
OC-T01, OC-T02, OC-T07

Threat: Tools execute with excessive privileges. The sandbox ensures the exec tool runs in an isolated container with no network access.

~/.openclaw/config.yaml
agents:
  defaults:
    sandbox:
      enabled: true
      scope: "agent"
      workspaceAccess: "ro"
      network: "none"
      resources:
        memory: "1g"
        cpus: "1.0"

tools:
  exec:
    enabled: true
    host: "sandbox"  # NOT "gateway"
    approvals:
      enabled: true
✓ Verification
# Check sandbox is active
openclaw doctor | grep -i sandbox

# Test network isolation (should fail)
openclaw agent --message "Run: ping -c 1 8.8.8.8"
🔑
Credential Protection
Secure API keys and tokens
OC-T03

Threat: Infostealers now specifically target OpenClaw config files. API keys stored in plaintext are harvested.

File permissions
# Set restrictive permissions
chmod 600 ~/.openclaw/config.yaml
chmod 600 ~/.openclaw/auth.json
chmod 700 ~/.openclaw/

# Use environment variables for secrets
export OPENCLAW_GATEWAY_TOKEN="$(openssl rand -hex 32)"
export ANTHROPIC_API_KEY="sk-ant-..."
~/.openclaw/config.yaml (use env vars)
providers:
  anthropic:
    apiKey: "${ANTHROPIC_API_KEY}"
  openai:
    apiKey: "${OPENAI_API_KEY}"
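Both halves of this section, restrictive file modes and secrets referenced from the environment rather than written into the file, can be audited with the script below. It is an added example, not part of OpenClaw: the key-name pattern, the expected modes and the sample config are constructed for the demonstration, and the sk-ant- value in the sample is a labelled placeholder, not a real credential.

```python
"""Check OpenClaw credential files for weak permissions and inline secrets.

Added example, not OpenClaw project code. audit_permissions enforces the modes this
section sets (700 on ~/.openclaw, 600 on config.yaml and auth.json); find_inline_secrets
flags secret-bearing keys whose value is a literal instead of a ${ENV_VAR} reference.
The key-name pattern, expected modes and sample config are constructed for the demo.
"""
import os
import re
import stat
import tempfile

# Keys that carry credentials; their values must be environment references.
SECRET_KEY_RE = re.compile(r"^\s*(\w*(?:apiKey|token|password|secret)\w*)\s*:\s*(\S.*)$", re.IGNORECASE)
ENV_REF_RE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
# Most permissive acceptable mode per path ('' is the ~/.openclaw directory itself).
EXPECTED_MODES = {"": 0o700, "config.yaml": 0o600, "auth.json": 0o600}


def _unquote(value):
    """Drop a trailing '# comment' and surrounding quotes from a YAML scalar."""
    value = value.split(" #", 1)[0].strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def find_inline_secrets(config_text):
    """Return [(line_no, key)] for credential keys set to a literal rather than ${VAR}."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = SECRET_KEY_RE.match(line)
        if match:
            value = _unquote(match.group(2))
            if value and not ENV_REF_RE.match(value):
                hits.append((line_no, match.group(1)))
    return hits


def audit_permissions(openclaw_home):
    """Return findings for paths under openclaw_home that are more permissive than expected."""
    findings = []
    for name, allowed in EXPECTED_MODES.items():
        path = os.path.join(openclaw_home, name)  # name '' yields the directory itself
        if os.path.exists(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & ~allowed:  # any bit beyond the allowed mask means group/other access
                findings.append(f"{path}: mode {mode:04o}, expected at most {allowed:04o}")
    return findings


# Constructed sample: one value is resolved from the environment, two are literals.
SAMPLE_CONFIG = """\
gateway:
  auth:
    token: "${OPENCLAW_GATEWAY_TOKEN}"   # good: resolved at runtime
    password: hunter2                     # bad: literal in the file
providers:
  anthropic:
    apiKey: "sk-ant-EXAMPLE-NOT-A-REAL-KEY"  # bad: placeholder literal
"""


def demo_home(hardened):
    """Build a throwaway ~/.openclaw with weak (644/755) or hardened (600/700) modes."""
    home = tempfile.mkdtemp(prefix="openclaw-demo-")
    for name in ("config.yaml", "auth.json"):
        with open(os.path.join(home, name), "w") as fh:
            fh.write(SAMPLE_CONFIG if name == "config.yaml" else "{}\n")
        os.chmod(os.path.join(home, name), 0o600 if hardened else 0o644)
    os.chmod(home, 0o700 if hardened else 0o755)
    return home


if __name__ == "__main__":
    for line_no, key in find_inline_secrets(SAMPLE_CONFIG):
        print(f"FAIL line {line_no}: {key} is a literal; use a ${{VAR}} reference")
    for finding in audit_permissions(demo_home(hardened=False)):
        print("FAIL", finding)
```

Point `audit_permissions` at the real ~/.openclaw and `find_inline_secrets` at the contents of config.yaml to run the same checks against a live install; the mode check is a mask comparison, so a file that is already tighter than 600 passes.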
⛓️
Supply Chain Protection
Block malicious skills from ClawHub
OC-T05

Threat: The ClawHavoc campaign planted 335 malicious skills delivering the AMOS infostealer. Disable the registry source and audit all installed skills.

~/.openclaw/config.yaml
skills:
  autoInstall: false
  sources:
    allowRegistry: false
    allowLocal: true
    allowGit: false
✓ Verification
# List installed skills
openclaw skills list

# Should be empty
openclaw skills list --source registry
🧠
Memory Hardening
Prevent persistent memory poisoning
OC-T04
~/.openclaw/config.yaml
memory:
  autoCapture:
    enabled: true
    sources:
      - "user"
    exclude:
      - "web_search"
      - "web_fetch"
      - "browser"
  retention:
    maxAge: "30d"
    maxEntries: 1000
  recall:
    markAsUntrusted: true
💬
Channel & DM Security
Restrict who can message your agent
OC-T06
~/.openclaw/config.yaml
channels:
  defaults:
    dmPolicy: "pairing"
    
  telegram:
    enabled: true
    dmPolicy: "pairing"
    allowFrom:
      - "your_telegram_id"
    
  discord:
    enabled: true
    dmPolicy: "pairing"
    allowFrom:
      - "your_discord_user_id"
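The gateway, sandbox, skills, memory and channel settings in this guide can be verified against a live config.yaml in one pass. The script below is an added example, not OpenClaw project code: it parses the small YAML subset these configs use (nested maps, scalars and "- item" lists) with no third-party library and lists every setting that departs from the hardened values above. The required-settings table, the untrusted-source list and the weak sample config are this example's assumptions.

```python
"""Audit an OpenClaw config.yaml against the hardened settings in this guide.

Added example, not OpenClaw project code: a parser for the small YAML subset these
configs use (nested maps, scalars, '- item' lists) plus a check of every required
setting. REQUIRED, UNTRUSTED_SOURCES and WEAK_CONFIG are constructed for the demo.
"""
import re

COMMENT_RE = re.compile(r"(^|\s)#.*$")  # strips '# ...' comments (not '#' inside quotes)

# (dotted path, required value) pairs taken from the configs in this guide.
REQUIRED = [
    ("gateway.bind", "loopback"),
    ("gateway.controlUi.allowInsecureAuth", False),
    ("gateway.websocket.validateOrigin", True),
    ("agents.defaults.sandbox.enabled", True),
    ("agents.defaults.sandbox.network", "none"),
    ("tools.exec.host", "sandbox"),
    ("skills.autoInstall", False),
    ("skills.sources.allowRegistry", False),
    ("memory.recall.markAsUntrusted", True),
    ("channels.defaults.dmPolicy", "pairing"),
]
UNTRUSTED_SOURCES = {"web_search", "web_fetch", "browser"}  # never auto-capture these


def _scalar(text):
    """Unquote a scalar; true/false become booleans, everything else stays a string."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    return {"true": True, "false": False}.get(text.lower(), text)


def parse_yaml_subset(text):
    """Parse indentation-nested maps and lists of scalars into dicts and lists."""
    lines = [ln for ln in (COMMENT_RE.sub("", ln).rstrip() for ln in text.splitlines()) if ln.strip()]
    root = {}
    stack = [(-1, root)]  # (indent, open container)
    for idx, line in enumerate(lines):
        indent, content = len(line) - len(line.lstrip(" ")), line.strip()
        while stack[-1][0] >= indent:  # close every block indented at least this deep
            stack.pop()
        parent = stack[-1][1]
        if content.startswith("- "):
            parent.append(_scalar(content[2:]))
            continue
        key, _, value = content.partition(":")
        if value.strip():
            parent[key.strip()] = _scalar(value)
            continue
        # Empty value: a nested block follows; it is a list if its first line is an item.
        nxt = lines[idx + 1].strip() if idx + 1 < len(lines) else ""
        parent[key.strip()] = child = [] if nxt.startswith("- ") else {}
        stack.append((indent, child))
    return root


def lookup(cfg, dotted):
    """Follow a dotted path through nested dicts; None when any step is missing."""
    for part in dotted.split("."):
        cfg = cfg.get(part) if isinstance(cfg, dict) else None
    return cfg


def audit_config(cfg):
    """Return findings for every setting that departs from this guide."""
    findings = [f"{path} = {lookup(cfg, path)!r}, expected {want!r}"
                for path, want in REQUIRED if lookup(cfg, path) != want]
    captured = set(lookup(cfg, "memory.autoCapture.sources") or [])
    findings += [f"memory.autoCapture.sources includes untrusted source {s!r}"
                 for s in sorted(captured & UNTRUSTED_SOURCES)]
    for name, chan in (lookup(cfg, "channels") or {}).items():
        # Every enabled channel needs pairing plus an explicit allowFrom list.
        if name != "defaults" and isinstance(chan, dict) and chan.get("enabled") is True \
                and (chan.get("dmPolicy") != "pairing" or not chan.get("allowFrom")):
            findings.append(f"channels.{name}: enabled without dmPolicy 'pairing' and allowFrom")
    return findings


# Constructed weak config: every section below violates the guide in some way.
WEAK_CONFIG = """
gateway:
  bind: 0.0.0.0   # listens on every interface
skills:
  autoInstall: true
memory:
  autoCapture:
    sources:
      - "user"
      - "web_fetch"
  recall:
    markAsUntrusted: false
channels:
  defaults:
    dmPolicy: open
  telegram:
    enabled: true
    dmPolicy: open
"""

if __name__ == "__main__":
    for finding in audit_config(parse_yaml_subset(WEAK_CONFIG)):
        print("FAIL", finding)
```

Missing keys are reported as well as wrong ones (a config with no sandbox block fails the sandbox checks), which matches how the guide treats defaults: a setting that is not written down is not hardened.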