OpenClaw Security Configuration Guide

Introduction

OpenClaw is powerful but security is critical. This guide covers how to harden your deployment.

Quick Security Check

openclaw security audit
openclaw security audit --deep
openclaw security audit --fix

Recommended Security Config

{ "gateway": { "mode": "local", "bind": "loopback", "auth": { "mode": "token", "token": "YOUR_STRONG_TOKEN" } }, "session": { "dmScope": "per-channel-peer" }, "tools": { "profile": "messaging", "deny": ["group:automation", "group:runtime", "group:fs"], "fs": { "workspaceOnly": true }, "exec": { "security": "deny", "ask": "always" }, "elevated": { "enabled": false } } }

Key Security Settings

1. Gateway Access Control

Set bind: "loopback" for local-only access
Enable auth.token with strong random token
Never expose Gateway publicly without auth

2. Tool Permissions

Use tools.profile: "messaging"
Disable elevated tools
Set exec.security: "deny" and ask: "always"

3. Filesystem Isolation

"fs": { "workspaceOnly": true }

Ensure Agent can only access workspace directory.

4. Session Isolation

"session": { "dmScope": "per-channel-peer" }

Isolate sessions per user for privacy.

Known Vulnerabilities

CVE-2026-25253 (CVSS 8.8)

Type: Cross-site WebSocket hijacking
Impact: Remote code execution
Fix: Upgrade to v2026.1.29+

Best Practices

Always update OpenClaw to latest version
Use strong random Token for auth
Run security audit regularly
Follow least privilege principle
Do not use broad tool access in shared environments

OpenClaw Security Configuration Guide

Introduction

Quick Security Check

Recommended Security Config

Key Security Settings

1. Gateway Access Control

2. Tool Permissions

3. Filesystem Isolation

4. Session Isolation

Known Vulnerabilities

CVE-2026-25253 (CVSS 8.8)

Best Practices

Resources

Leave a Reply Cancel reply