OpenClaw gives AI agents real capabilities: shell execution, file system access, web browsing, tool extensibility. That power is the point. But it also means the security considerations are real: these aren't chatbots constrained to answering questions, they're autonomous systems that can take actions.
We've operated production AI agents continuously for months. In the process, we've developed a layered security model that keeps deployments locked down without crippling agent effectiveness. This is what we've learned.
The model has three layers: built-in tool security (OpenClaw's policy system), hardened gateway configuration (how you expose and authenticate the gateway), and host-level hardening (the operating environment). All three matter. Weakness in any layer undermines the others.
Layer 1: Tool Security Policy
OpenClaw's tool policy system is your first line of defense. It controls what capabilities the agent has before any request is even processed. The fundamental principle: deny everything not explicitly needed.
Allowlisting vs. Denylist
The default tool policy in most configurations is permissive: the agent has access to everything available. In production, flip this to an explicit allowlist:
```json
{
  "tools": {
    "policy": "allowlist",
    "allowed": ["Read", "Write", "Edit", "exec", "web_search"],
    "denied": ["browser", "message", "nodes"]
  }
}
```
If your agent's job is to process documents and search the web, it has no reason to control a browser or send messages autonomously. Every capability that isn't required is an attack surface that doesn't need to exist.
Exec Security Modes
Shell execution is the highest-risk capability. OpenClaw's exec tool has three security modes:
| Mode | Behavior | When to Use |
|---|---|---|
| deny | No shell execution at all | Agents that only read/write files |
| allowlist | Only commands matching explicit patterns run | Production default |
| full | Any command runs, no restrictions | Never in production |
Never use full mode in production. It means a successfully injected prompt can run arbitrary shell commands. There is no legitimate production use case for it.
In allowlist mode, configure patterns that match only the commands your agent legitimately needs:
```json
{
  "exec": {
    "security": "allowlist",
    "allowedPatterns": [
      "git *",
      "npm run *",
      "curl -s https://*",
      "bash skills/*"
    ]
  }
}
```
The Ask Mode: Your Oversight Valve
The ask parameter controls when the agent pauses for human confirmation before executing a command. In production we use on-miss: the agent runs freely within known-safe allowlist patterns, but anything that doesn't match triggers a confirmation prompt. This catches novel or unexpected commands before they run.
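To make the allowlist and on-miss behaviour concrete, here is an added example of a policy evaluator (written for this post, not OpenClaw's own code). It assumes the patterns are shell-style globs matched against the whole normalized command line, and it adds one check the glob alone does not give you: a line containing shell operators (`;`, `&&`, `|`, redirections, command substitution) is refused outright, because "git *" matching the first few characters of "git status; rm -rf /" proves nothing about what follows. The "never" value for ask is an assumption for the example; the page only documents on-miss. Note also that `*` matches the rest of the line, so "curl -s https://*" constrains only the prefix; trailing flags after the URL still match.

```python
import fnmatch
import shlex
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    RUN = "run"    # matched an allowlist pattern
    ASK = "ask"    # no match: pause for human confirmation (ask = "on-miss")
    DENY = "deny"  # refused outright


# With punctuation_chars=True, shlex returns runs of these characters as
# separate tokens (";", "&&", "|", ">>", "(", ...). A token made only of them
# is a shell operator, so the line is really several commands.
OPERATOR_CHARS = set("();<>|&")


def tokenize(command: str) -> list[str]:
    """Split a command line the way a POSIX shell would, keeping operators separate."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # anything between whitespace/operators is one word
    return list(lex)


def is_operator(token: str) -> bool:
    return bool(token) and set(token) <= OPERATOR_CHARS


@dataclass
class ExecPolicy:
    security: str                                      # "deny" | "allowlist" | "full"
    allowed_patterns: list[str] = field(default_factory=list)
    ask: str = "on-miss"                               # "on-miss" as on the page; "never" is an
                                                       # assumed alternative meaning deny on miss

    def evaluate(self, command: str) -> Decision:
        if self.security == "deny":
            return Decision.DENY
        if self.security == "full":
            return Decision.RUN  # the page's advice: never in production
        try:
            argv = tokenize(command)
        except ValueError:       # unbalanced quotes: refuse to guess what a shell would do
            return Decision.DENY
        if not argv:
            return Decision.DENY
        # Chaining, redirection, and $-/backtick expansion are refused rather than
        # asked about: "git *" is meant to allow git, not "git status; <anything>".
        if any(is_operator(tok) or "`" in tok or "$" in tok for tok in argv):
            return Decision.DENY
        normalized = " ".join(argv)
        if any(fnmatch.fnmatchcase(normalized, pat) for pat in self.allowed_patterns):
            return Decision.RUN
        return Decision.ASK if self.ask == "on-miss" else Decision.DENY


# The page's production allowlist, expressed as a policy object.
PRODUCTION_POLICY = ExecPolicy(
    security="allowlist",
    allowed_patterns=["git *", "npm run *", "curl -s https://*", "bash skills/*"],
    ask="on-miss",
)

if __name__ == "__main__":
    for cmd in ["git status", "npm run build", "curl -s https://example.com",
                "curl -s http://example.com", "git status; rm -rf /", "make test"]:
        print(f"{cmd!r:40} -> {PRODUCTION_POLICY.evaluate(cmd).value}")
```

Whatever executes a RUN decision should launch the token list directly rather than handing the original string to a shell; otherwise the operator check above is only cosmetic.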
Layer 2: Hardened Gateway Configuration
The OpenClaw gateway is an HTTP server that accepts commands and returns results. How you configure it (where it listens, how it authenticates, what it exposes) is your second major defense layer.
Gateway Binding: The Most Important Decision
The bind setting controls which network interface the gateway listens on. Getting this wrong puts an unauthenticated (or weakly authenticated) AI agent control plane on a reachable network.
```jsonc
{
  "gateway": {
    "bind": "tailnet" // or "loopback"; never expose publicly
  }
}
```
- loopback: Localhost only. No network access whatsoever. Use for purely local setups.
- tailnet: Tailscale interface only. Reachable within your private mesh VPN, not from the internet.
- Public interface / 0.0.0.0: Do not use. A publicly reachable agent gateway with any weakness in auth becomes an immediate compromise target.
Authentication Token Hygiene
Treat your gateway auth token like a root credential. Two rules without exceptions:
- Generate it randomly. Use your system's cryptographic random source, e.g. openssl rand -hex 24 or equivalent. Not a password. Not a memorable phrase. 48+ hex characters of entropy.
- Store it in a secrets manager. Your config file should contain an environment variable reference, not the token itself. The actual token should live in an encrypted secrets store and be injected at runtime. If your config file ever appears in a log, a screenshot, or a git repo, you have not leaked your token.
Webhook Authentication
If you use OpenClaw's hook system for event-driven activation, each webhook endpoint needs its own bearer token, validated on every request. An unauthenticated webhook endpoint is an open prompt-injection surface: any attacker who knows the URL can send payloads that wake your agent with arbitrary instructions.
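The token rules above and the per-webhook bearer check, as an added example (not OpenClaw's code). It generates a token the way `openssl rand -hex 24` does, resolves a `${VAR}` reference from config instead of accepting a literal token (the `${VAR}` syntax is an assumption for this example), validates `Authorization: Bearer` headers with a constant-time comparison, and refuses to register a webhook whose token is the gateway token or another hook's token.

```python
import hmac
import os
import secrets
from typing import Mapping, Optional


def generate_token(nbytes: int = 24) -> str:
    """Same as `openssl rand -hex 24`: 24 random bytes rendered as 48 hex characters."""
    return secrets.token_hex(nbytes)


def resolve_secret(config_value: str, env: Mapping[str, str] = os.environ) -> str:
    """Resolve a "${VAR}" reference from config to the value injected at runtime.

    The "${VAR}" syntax is this example's assumption, not OpenClaw's. A literal
    token in the config is rejected so it can never be committed by accident.
    """
    if config_value.startswith("${") and config_value.endswith("}"):
        name = config_value[2:-1]
        value = env.get(name)
        if not value:
            raise RuntimeError(f"secret {name} was not injected into the environment")
        return value
    raise ValueError("config must reference an environment variable, not contain the token")


def check_bearer(authorization: Optional[str], expected_token: str) -> bool:
    """Validate an `Authorization: Bearer <token>` header without leaking timing."""
    if not authorization:
        return False
    scheme, _, presented = authorization.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


class WebhookRegistry:
    """One bearer token per webhook endpoint, none shared with the gateway token."""

    def __init__(self, gateway_token: str):
        self._gateway_token = gateway_token
        self._hooks: dict[str, str] = {}

    def register(self, hook_name: str, token: str) -> None:
        if hmac.compare_digest(token.encode(), self._gateway_token.encode()):
            raise ValueError(f"webhook {hook_name} must not reuse the gateway token")
        if any(hmac.compare_digest(token.encode(), t.encode()) for t in self._hooks.values()):
            raise ValueError(f"webhook {hook_name} must not share a token with another hook")
        self._hooks[hook_name] = token

    def authorize(self, hook_name: str, authorization: Optional[str]) -> bool:
        """Every request to a hook is checked against that hook's own token."""
        token = self._hooks.get(hook_name)
        return token is not None and check_bearer(authorization, token)


if __name__ == "__main__":
    # Constructed environment standing in for a secrets manager's runtime injection.
    env = {"GATEWAY_TOKEN": generate_token(), "HOOK_CI_TOKEN": generate_token()}
    registry = WebhookRegistry(resolve_secret("${GATEWAY_TOKEN}", env))
    registry.register("ci", resolve_secret("${HOOK_CI_TOKEN}", env))
    print(registry.authorize("ci", "Bearer " + env["HOOK_CI_TOKEN"]))  # True
```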
Auth Settings to Verify
```json
{
  "allowInsecureAuth": false,
  "dangerouslyDisableDeviceAuth": false
}
```
Both default to false. Both should stay false. If you find yourself wanting to set either to true, the correct response is to fix the underlying configuration issue, not to disable authentication safeguards.
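A pre-deployment lint that checks the gateway settings from this section in one pass, as an added example (not part of OpenClaw). It classifies the bind value (keywords, loopback addresses, and Tailscale's 100.64.0.0/10 range are accepted; 0.0.0.0, ::, and global addresses are flagged; other LAN addresses get a warning), requires both auth flags to be a literal false, and flags a literal auth token. The `gateway.authToken` key name is an assumption for this example; the page does not name the key.

```python
import ipaddress

# Tailscale assigns node addresses from the CGNAT range.
TAILNET = ipaddress.ip_network("100.64.0.0/10")


def classify_bind(bind: str) -> str:
    """Map a gateway bind value to "loopback", "tailnet", "lan" or "public"."""
    if bind in ("loopback", "tailnet"):
        return bind
    try:
        addr = ipaddress.ip_address(bind)
    except ValueError:
        return "public"  # unknown interface name: assume the worst case
    if addr.is_loopback:
        return "loopback"
    if addr.version == 4 and addr in TAILNET:
        return "tailnet"
    if addr.is_unspecified or addr.is_global:
        return "public"
    return "lan"


def lint_gateway_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the gateway settings pass."""
    findings: list[str] = []
    gw = cfg.get("gateway", {})
    bind = gw.get("bind", "")
    kind = classify_bind(str(bind))
    if kind == "public":
        findings.append(f"gateway.bind={bind!r} is publicly reachable; use loopback or tailnet")
    elif kind == "lan":
        findings.append(f"gateway.bind={bind!r} is reachable by every host on that segment")
    for flag in ("allowInsecureAuth", "dangerouslyDisableDeviceAuth"):
        # Absent means the secure default (false). Anything but a literal false,
        # including the string "false", is a finding.
        if cfg.get(flag, False) is not False:
            findings.append(f"{flag} must be false")
    token = gw.get("authToken")  # key name assumed for this example
    if isinstance(token, str) and not (token.startswith("${") and token.endswith("}")):
        findings.append("gateway.authToken is a literal value; reference an injected env var instead")
    return findings


if __name__ == "__main__":
    # Constructed config in the shape of the snippets above.
    sample = {"gateway": {"bind": "0.0.0.0", "authToken": "hunter2"}, "allowInsecureAuth": True}
    for finding in lint_gateway_config(sample):
        print("FAIL:", finding)
```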
Session Isolation for Untrusted Content
This is the hardening decision with the most operational impact: never process untrusted external content in your main agent session.
When an agent fetches a web page, reads a user-submitted document, or processes a third-party API response, that content may contain prompt injection payloads: carefully crafted text designed to override the agent's instructions and redirect its behavior. Hand such content to a sub-agent spawned in isolation instead. That sub-agent has no access to the main session's credentials, memory, or sensitive context, so even if it is successfully compromised by an injected payload, the blast radius is contained to that isolated session.
Layer 3: Host-Level Hardening
The gateway configuration is only as secure as the host it runs on. Production deployments require host hardening as a baseline, not an optional extra.
Firewall Configuration
Apply a restrictive default-deny policy. The only inbound rule you need is SSH (ideally on a non-standard port). If you're using a mesh VPN for agent access, all agent traffic flows through that, so no additional firewall rules are needed for it.
```text
# Default deny all inbound
# Allow only: SSH on non-standard port
# All other agent traffic via VPN mesh, so no public ports needed
```
SSH Hardening
```text
# sshd_config essentials:
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
```
Key-only authentication. No root login. If you follow these two rules and nothing else, you've eliminated the vast majority of automated SSH compromise attempts.
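An added audit script for those three sshd_config settings (written for this post, not part of any project). It reproduces the one sshd parsing rule that most often undoes hardening: sshd keeps the first value it sees for a keyword, so a leftover `PasswordAuthentication yes` near the top of the file silently wins over the `no` added later. Keywords inside Match blocks apply only conditionally and are skipped. The sample configs are constructed; for the real effective configuration (including Include files), compare against the output of `sshd -T`.

```python
REQUIRED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}


def effective_settings(config_text: str) -> dict[str, str]:
    """Collect global keywords from sshd_config text, first occurrence wins (as in sshd)."""
    settings: dict[str, str] = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()                          # keywords are case-insensitive
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                             # everything after Match is conditional
            continue
        if in_match:
            continue
        settings.setdefault(key, value)                 # keep the FIRST value, like sshd
    return settings


def audit_sshd(config_text: str) -> list[str]:
    """Findings for each required setting that is missing or has the wrong effective value."""
    effective = effective_settings(config_text)
    findings: list[str] = []
    for key, want in REQUIRED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly; relying on the compiled-in default")
        elif got != want:
            findings.append(f"{key} is '{got}', want '{want}'")
    return findings


# Constructed sample: the hardening lines are present, but earlier lines win.
SAMPLE_BAD = """\
# /etc/ssh/sshd_config (constructed for this example)
Port 2222
PasswordAuthentication yes   # leftover from initial provisioning
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample that passes.
SAMPLE_GOOD = """\
Port 2222
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit_sshd(text) or "OK")
```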
Secrets Management
Every secret your agent needs (API keys, auth tokens, bot credentials) should live in an encrypted secrets store (gopass, pass, HashiCorp Vault, or equivalent). The rule is simple: secrets in files can leak. Files end up in git repos, backups, logs, screenshots. An encrypted secrets store with GPG-backed storage means that even a full filesystem read doesn't expose credentials.
Your config files should contain environment variable references, not secrets. Secrets get injected at runtime from the secrets store. If a config file leaks, you've leaked nothing sensitive.
Memory Safety
Agent sessions accumulate context: API responses, file contents, intermediate reasoning. Some of that content is sensitive. Use whatever mechanism your deployment offers to mark sensitive context as non-persistent: it should be available within the session for reasoning purposes, but not written to session logs or long-term memory.
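The session-isolation rule from Layer 2 and the non-persistent context rule above share one data structure, so here is a single added example covering both (written for this post; it is not OpenClaw's session model). A main session holds credentials, memory, and context items; spawning an isolated child for untrusted content gives it no credentials, no memory, and only the requested tools minus the high-risk ones (which tools count as high-risk is this example's assumption, using the tool names from the page). Context items marked sensitive stay usable in the session but are excluded from what the logger and memory writer may persist, and the child's result comes back to the parent labelled as data.

```python
from dataclasses import dataclass, field
from typing import Callable

# Tool names as used on the page; treating these four as high-risk is this example's choice.
HIGH_RISK_TOOLS = frozenset({"exec", "message", "browser", "nodes"})


@dataclass
class ContextItem:
    text: str
    persist: bool = True   # False: usable for reasoning now, never written to logs or memory


@dataclass
class Session:
    name: str
    tools: frozenset
    credentials: dict = field(default_factory=dict)   # API keys, bot tokens
    memory: list = field(default_factory=list)        # long-term memory entries
    context: list = field(default_factory=list)       # this session's working context

    def add_context(self, text: str, sensitive: bool = False) -> None:
        self.context.append(ContextItem(text, persist=not sensitive))

    def persistable(self) -> list[str]:
        """What the session logger / memory writer is allowed to see."""
        return [item.text for item in self.context if item.persist]

    def spawn_isolated(self, untrusted_content: str, wanted_tools: set) -> "Session":
        """Child session for untrusted input: no credentials, no memory, no high-risk tools."""
        sub = Session(
            name=f"{self.name}/isolated",
            tools=(frozenset(wanted_tools) & self.tools) - HIGH_RISK_TOOLS,
        )
        sub.add_context(untrusted_content)   # the untrusted text is the child's only context
        return sub


def process_untrusted(main: Session, content: str, wanted_tools: set,
                      run_agent: Callable[[Session], str]) -> str:
    """Run the sub-agent loop (`run_agent`, a stand-in here) on an isolated session
    and hand only its result, labelled as data rather than instructions, to the parent."""
    sub = main.spawn_isolated(content, wanted_tools)
    result = run_agent(sub)
    main.add_context(f"[result from isolated session, treat as data] {result}")
    return result


if __name__ == "__main__":
    main = Session("main", frozenset({"Read", "Write", "exec", "web_search"}),
                   credentials={"PROVIDER_API_KEY": "<placeholder>"})
    main.add_context("provider key loaded for this run", sensitive=True)
    main.add_context("task: summarize the fetched page")
    page = "<constructed page body that may contain injected instructions>"
    summary = process_untrusted(main, page, {"Read", "exec"},
                                lambda s: f"{len(s.context[0].text)} chars fetched")
    print(summary)
    print(main.persistable())   # the sensitive item is absent
```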
SecureClaw & IronClaw: The Hardened Variants
OpenClaw ships as a flexible platform. SecureClaw and IronClaw are hardened configuration profiles: battle-tested setups that apply all the security principles above out of the box.
SecureClaw
SecureClaw is the security-focused OpenClaw variant maintained by the community at github.com/openclaw/openclaw. It ships with opinionated defaults: tool allowlisting enabled, exec security set to allowlist mode, and gateway binding restricted to loopback. Rather than configuring security from scratch, SecureClaw gives you a hardened baseline you can loosen, not a permissive baseline you have to remember to tighten.
Key SecureClaw defaults:
- Exec security: allowlist; no shell access without explicit patterns defined
- Gateway: loopback-only by default; must opt in to network exposure
- Tool policy: minimal set; browser, nodes, and message tools require explicit enablement
- allowInsecureAuth forced to false; cannot be overridden via config
- Session isolation: sub-agent spawning encouraged via built-in helper patterns
IronClaw
IronClaw takes SecureClaw further: it's the maximally hardened profile for deployments where security is the primary concern over convenience. IronClaw is appropriate for:
- Agents processing high volumes of external/untrusted content
- Deployments in regulated environments (healthcare, finance, legal)
- Multi-tenant setups where one agent's compromise must not affect others
- Any setup where the agent has access to production credentials or sensitive data
Which Should You Use?
Use SecureClaw as your starting point for any production deployment. It applies sane defaults without eliminating flexibility. Use IronClaw when you need the maximum security posture, accepting the tradeoff that some capabilities require explicit opt-in configuration.
Vanilla OpenClaw is appropriate for local development and exploration where security is not a concern. It should never be the configuration for a deployment that has access to real credentials, production systems, or external network access.
Advanced: Reverse Tunnel Architecture
When running an agent on a device that lacks a stable public address (a mobile device on cellular, a machine behind NAT), a reverse SSH tunnel provides secure remote access without exposing anything directly.
The pattern: the agent device initiates an outbound SSH connection to a stable endpoint (a laptop or server on your VPN), and creates a port-forward that maps a port on that endpoint back to the agent's gateway. Access to the agent flows through the SSH tunnel, which authenticates via key pair and benefits from the endpoint's own firewall rules.
Key security properties of this pattern:
- The mobile gateway binds to loopback: zero direct network exposure
- The tunnel uses SSH key authentication, not password, not token
- The stable endpoint only accepts tunnel connections from known VPN peers
- A persistent tunnel manager handles automatic reconnection on network interruption
- All of this is invisible to the public internet
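The tunnel pattern and its "persistent tunnel manager", as an added example (not the authors' tooling). It builds the `ssh -R` invocation with the options that enforce the listed properties (key-only with `BatchMode`, both ends of the forward bound to loopback, `ExitOnForwardFailure` so a stale listener on the endpoint causes a retry instead of a silent half-working tunnel) and relaunches it with exponential backoff. The endpoint name, key path, and the gateway port are placeholders; check the gateway's actual loopback port in your config.

```python
import subprocess
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelSpec:
    endpoint: str        # "user@host" of the stable VPN endpoint (placeholder)
    key_path: str        # private key used only for this tunnel
    remote_port: int     # port opened on the endpoint's loopback for reaching the agent
    gateway_port: int    # the agent gateway's loopback port (placeholder; check your config)


def ssh_argv(spec: TunnelSpec) -> list[str]:
    """Reverse tunnel: endpoint:remote_port -> agent:gateway_port, loopback on both ends."""
    return [
        "ssh", "-N",                            # no remote command, only the forward
        "-o", "BatchMode=yes",                  # never fall back to interactive or password prompts
        "-o", "IdentitiesOnly=yes",             # offer only the tunnel key
        "-o", "StrictHostKeyChecking=yes",      # a changed endpoint host key is an error, not a prompt
        "-o", "ExitOnForwardFailure=yes",       # remote port busy: exit so the manager retries
        "-o", "ServerAliveInterval=30",         # detect a dead link within ~90 s
        "-o", "ServerAliveCountMax=3",
        "-i", spec.key_path,
        "-R", f"127.0.0.1:{spec.remote_port}:127.0.0.1:{spec.gateway_port}",
        spec.endpoint,
    ]


def next_backoff(current: float, uptime_seconds: float, max_backoff: float = 60.0) -> float:
    """Double the delay after a quick failure; reset once a tunnel has stayed up a full minute."""
    if uptime_seconds >= 60:
        return 1.0
    return min(current * 2, max_backoff)


def run_forever(spec: TunnelSpec) -> None:
    """Keep the tunnel alive: relaunch ssh whenever it exits, with backoff."""
    backoff = 1.0
    while True:
        started = time.monotonic()
        subprocess.call(ssh_argv(spec))
        backoff = next_backoff(backoff, time.monotonic() - started)
        time.sleep(backoff)


if __name__ == "__main__":
    spec = TunnelSpec("agent-tunnel@endpoint.example", "/etc/agent/tunnel_ed25519", 18789, 8080)
    print(" ".join(ssh_argv(spec)))
    # run_forever(spec)  # uncomment on the agent device
```

Pair this with a monitoring check on the endpoint side (the Monitoring section below): the manager keeps reconnecting, but nothing here tells you if reconnects are failing for hours.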
Monitoring for Anomalies
Security is not a one-time configuration. An agent operating in production needs ongoing monitoring:
- API cost anomalies. A sudden spike in token usage is often the first signal of a compromised agent, a runaway loop, or an injection attack that's generating unexpected work. Configure billing alerts at your AI provider.
- Unexpected exec patterns. Periodically review session transcripts. Exfiltration attempts often show up as anomalous network calls: requests to URLs outside normal working patterns, or commands that write to unexpected locations.
- Auth failures. Repeated authentication failures against your gateway webhook endpoint are a signal that the endpoint URL has leaked. Rotate tokens and audit how the URL was exposed.
- Tunnel health. If you use a reverse tunnel for remote access, monitor it. A silent tunnel failure means loss of access, and you may not notice for hours.
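Two of these checks as runnable detection logic, added here as an example (not the authors' tooling): a token-usage spike detector that compares each hour against the trailing 24-hour mean, and a transcript scan that reports any URL whose host is outside an allowlist of hosts the agent normally talks to. The hourly counts and transcript lines are constructed samples; the threshold factor and window are assumptions to tune against your own baseline.

```python
import re
from statistics import mean
from urllib.parse import urlparse


def token_spikes(hourly_tokens: list[int], window: int = 24, factor: float = 3.0) -> list[tuple]:
    """(hour_index, usage, baseline) for hours exceeding factor x the trailing-window mean.

    Needs `window` hours of history before it can alert, so the first day is silent.
    """
    alerts = []
    for i in range(window, len(hourly_tokens)):
        baseline = mean(hourly_tokens[i - window:i])
        if baseline > 0 and hourly_tokens[i] > factor * baseline:
            alerts.append((i, hourly_tokens[i], baseline))
    return alerts


URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def host_allowed(host: str, allowed_hosts: set) -> bool:
    """Exact match or subdomain of an allowed host; 'evilgithub.com' does not match 'github.com'."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def unexpected_hosts(transcript_lines: list[str], allowed_hosts: set) -> list[tuple]:
    """(line_no, host) for every URL in an exec transcript whose host is outside the allowlist."""
    findings = []
    for n, line in enumerate(transcript_lines, 1):
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if not host_allowed(host, allowed_hosts):
                findings.append((n, host))
    return findings


# Constructed samples: a day of steady usage followed by a spike, and a short transcript.
HOURLY = [1000] * 24 + [1100, 9000]
TRANSCRIPT = [
    "exec: git fetch origin",
    "exec: curl -s https://api.github.com/repos/example/repo/pulls",
    "exec: curl -s https://files.example.net/upload?id=abc",
    "exec: npm run build",
]
ALLOWED_HOSTS = {"github.com", "api.github.com"}

if __name__ == "__main__":
    for hour, used, base in token_spikes(HOURLY):
        print(f"hour {hour}: {used} tokens vs baseline {base:.0f}")
    for line_no, host in unexpected_hosts(TRANSCRIPT, ALLOWED_HOSTS):
        print(f"transcript line {line_no}: request to unexpected host {host}")
```

Billing alerts at the provider remain the backstop; this hourly check just fires earlier, within the hour the spike starts rather than when a daily bill threshold is crossed.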
Security Checklist
Before Going to Production
- Gateway bound to loopback or VPN interface, never to a public address
- Auth token generated with a cryptographic random source (not a password)
- Auth token stored in an encrypted secrets manager, not in config files
- allowInsecureAuth: false confirmed
- dangerouslyDisableDeviceAuth: false confirmed
- Exec security mode: allowlist, with command patterns explicitly defined
- Tool policy: all unnecessary tools removed from the allowlist
- SSH: key-only authentication, password auth disabled
- Host firewall: default-deny inbound, minimal explicit allow rules
- All API keys in secrets manager, not in environment files committed to version control
- Webhook tokens distinct from gateway tokens
- Untrusted external content processed in isolated sub-agents
- Session transcripts reviewed periodically for unexpected patterns
- API billing alerts configured
AI agents with real capabilities require real security discipline. The good news is the threat model is well-understood: minimize exposed surface, authenticate everything, isolate untrusted inputs, monitor for anomalies. These are the same principles that govern any privileged system, applied to a new category of software.
We've operated this setup in production for months with no security incidents. The investment in correct configuration is modest compared to the cost of a compromise.