Operate guide · 12 min · Updated 2026-05-06

Hardening OpenClaw — the day-1 checklist.

The default OpenClaw install is convenient, not secure. It binds to localhost, runs as your user, and trusts every skill you install. That's fine for a laptop. The moment you put it on a VPS, expose a webhook, or onboard a teammate, you need the hardening checklist.

Quick answers

  • Is OpenClaw safe to use?

    The software is safe; the operational setup is where risks live. Don't run as root, don't expose the gateway publicly, and vet skills before installing. Following the day-1 hardening checklist addresses the realistic attack surface.
  • Should I run OpenClaw as root?

    No, never. Create a dedicated openclaw user with no shell login. The installer warns you. Running as root hands a compromised skill the keys to your VPS.
  • Can I expose OpenClaw to the internet?

    Not directly — the gateway has no built-in authentication. Bind to 127.0.0.1 and reach it via SSH tunnel, Tailscale, or a reverse proxy with strong auth. Tailscale is the easiest secure path.
  • Are ClawHub skills safe to install?

    Most are fine; some are not. Read the SKILL.md before installing, check the publisher account age, glance at the source. Pin versions in production. The awesome-openclaw-skills curated list is a safer starting point.
  • What if my OpenClaw gets compromised — how do I stop it fast?

    Revoke the LLM API key. The agent stops mid-turn. Bookmark your provider's API keys page (console.anthropic.com → Settings → API keys) so you can find it instantly under stress.

Start here

The threat model

OpenClaw is a process that runs arbitrary code (your skills), drives a real browser (which can be tricked), and holds API keys for downstream services. Treat it like you'd treat a service account that has all of your team's credentials — because that's what it is.

The realistic threats, in rough order of likelihood:

  • You install a malicious skill from a random ClawHub publisher and it exfiltrates your tokens.
  • You expose the gateway to the internet without auth and someone discovers it.
  • The agent gets prompt-injected via a web page or email and is convinced to do something it shouldn't.
  • Your laptop is stolen while OpenClaw is running and the disk isn't encrypted.
  • An LLM provider key leaks and someone runs up a $5,000 bill.

The day-1 hardening below addresses all five.

#1 mistake

Don't run as root

The single most common OpenClaw security mistake is running the gateway as root. The installer warns you. The docs warn you. People still do it. Don't.

# As root, on a fresh VPS:
adduser openclaw
# Do not add this user to the sudo group: it should own nothing beyond its
# state directory, so a compromised skill gains no extra privilege from it.
mkdir -p /home/openclaw/.openclaw
chown -R openclaw:openclaw /home/openclaw/.openclaw
chmod 700 /home/openclaw/.openclaw

# Switch users and install
su - openclaw
curl -fsSL https://openclaw.ai/install-cli.sh | bash

If it's already running as root

Stop the gateway, copy the state directory to your new non-root user's home, fix ownership, and reinstall as that user. Don't try to "fix it later" — leave it as root and you've handed any compromised skill the keys to your VPS.

#2 mistake

Bind to localhost

The gateway listens on port 18789 by default. There is no built-in authentication. If that port is reachable from the internet, your agent can be controlled by anyone.

~/.openclaw/openclaw.json
{
  "gateway": {
    "host": "127.0.0.1",
    "port": 18789
  }
}

If you need remote access:

  • SSH tunneling. ssh -L 18789:localhost:18789 user@vps — simple, secure, requires nothing extra.
  • Tailscale. Installs in 60 seconds, WireGuard-based mesh, perfect for "my laptop and my VPS."
  • Reverse proxy with auth. Caddy + basic auth or OAuth2-proxy in front. More moving parts; only bother if you genuinely need a public URL.

Defense in depth

Enable the sandbox

Sandbox mode confines skill execution. With it on, a malicious or buggy skill can't read your SSH keys, can't write to /etc, can't escape into a shell session.

~/.openclaw/openclaw.json
{
  "sandbox": {
    "mode": "all",
    "tools": {
      "exec": { "allowedPaths": ["~/workspace"] },
      "browser": { "allowedDomains": "*" }
    }
  }
}

Three modes:

Mode      What's sandboxed   Use when
off       Nothing            Local dev only
non-main  Sub-agents only    Trusted main agent, untrusted sub-agents
all       Everything         Production, always

Limit blast radius

Scope your API keys

Anthropic and OpenAI both let you create per-key spending limits. Use them.

  • Separate key per environment. Production agent ≠ staging agent ≠ your personal experiments. If one leaks, only one set of work breaks.
  • Hard monthly cap. Set it 2x your expected spend. A runaway agent can burn through $5,000 in a day — the cap is the brake.
  • Restrict by IP if your provider supports it. Anthropic doesn't yet; OpenAI does. Use it on production keys.
  • Rotate quarterly. Anthropic's console takes 30 seconds. Keep the rotation in a recurring calendar event.

Supply chain

Vet every skill

ClawHub has 13,729 skills. Most are fine. A few are not. The install command runs the skill's setup phase; that setup phase can do anything the OpenClaw user can do.

  • Read the SKILL.md before installing. If it's vague, opaque, or asks for credentials in weird ways, skip it.
  • Check the publisher. ClawHub shows publisher account age and skill count. New accounts with one popular skill are the highest-risk pattern.
  • Glance at the source. Most skills are <200 lines. A skim catches "phone home to an attacker domain" 95% of the time.
  • Pin versions. An auto-updating skill is a backdoor waiting to happen.

Use the awesome list

The community-maintained awesome-openclaw-skills list is curated and reasonably reviewed. Start there.

Built-in

Run security audit

OpenClaw ships a security auditor that catches the obvious configuration mistakes: bound to 0.0.0.0, root user, sandbox off, world-readable state directory, known-bad skill versions.

openclaw security audit --deep

Run it after every install, after every config change, and once a month on a cron just to catch drift.
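The checks above, the localhost bind from the "Bind to localhost" section and the sandbox.mode values from "Enable the sandbox" can be reproduced offline against a parsed openclaw.json. The following is an added example, not OpenClaw's own auditor; it assumes an unset gateway.host means the 127.0.0.1 default the page describes and that an unset sandbox.mode means off, and it also flags the wildcard browser allowedDomains from the sandbox example as a low-severity finding.

```python
"""Added example, not OpenClaw's auditor: applies the checks the page lists for
`openclaw security audit` to a parsed openclaw.json. Assumptions: unset
gateway.host means the page's 127.0.0.1 default; unset sandbox.mode means off."""
import json
import os
import stat

BIND_ALL = {"0.0.0.0", "::", "*", ""}  # any of these means "reachable from anywhere"

def audit(config: dict, state_dir_mode: int, running_user: str) -> list[str]:
    """Return 'LEVEL: message' findings; an empty list means nothing was flagged."""
    findings = []
    gw = config.get("gateway", {})
    host = gw.get("host", "127.0.0.1")
    if host in BIND_ALL:
        findings.append("CRITICAL: gateway bound to all interfaces on port "
                        f"{gw.get('port', 18789)}; set gateway.host to 127.0.0.1")
    if running_user == "root":
        findings.append("CRITICAL: gateway running as root; use a dedicated user")
    sandbox = config.get("sandbox", {})
    mode = sandbox.get("mode", "off")
    if mode == "off":
        findings.append("HIGH: sandbox.mode is off; set it to 'all' in production")
    elif mode == "non-main":
        findings.append("MEDIUM: sandbox.mode is non-main; the main agent is unsandboxed")
    # Any group/other bit on ~/.openclaw exposes config and tokens to other local users.
    if state_dir_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("HIGH: state directory is group/world accessible "
                        f"(mode {stat.S_IMODE(state_dir_mode):04o}); chmod 700 it")
    domains = sandbox.get("tools", {}).get("browser", {}).get("allowedDomains")
    if domains in ("*", ["*"]):
        findings.append("LOW: browser allowedDomains is '*'; list only the sites "
                        "the agent actually needs")
    return findings

def audit_file(path: str, running_user: str) -> list[str]:
    """Audit a real openclaw.json plus the mode of the directory that holds it."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    return audit(config, os.stat(os.path.dirname(path) or ".").st_mode, running_user)

# Constructed sample inputs: an exposed root install vs. the page's hardened config.
EXPOSED = {"gateway": {"host": "0.0.0.0", "port": 18789}}
HARDENED = {"gateway": {"host": "127.0.0.1", "port": 18789},
            "sandbox": {"mode": "all", "tools": {"exec": {"allowedPaths": ["~/workspace"]},
                                                 "browser": {"allowedDomains": ["example.com"]}}}}

if __name__ == "__main__":
    for finding in audit(EXPOSED, 0o40755, "root") or ["OK: no findings"]:
        print(finding)
```

On a live host, call `audit_file(os.path.expanduser("~/.openclaw/openclaw.json"), getpass.getuser())` and treat any CRITICAL line as a stop-and-fix before the gateway goes back up.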

Be ready

Bookmark the kill switch

If something goes wrong — the agent gets prompt-injected, a skill turns out to be malicious, your laptop is stolen — you need a way to stop it instantly. The fastest kill switch is revoking the LLM API key.

Provider    Where to revoke                                Effect
Anthropic   console.anthropic.com → Settings → API keys    Agent stops mid-turn
OpenAI      platform.openai.com → API keys                 Agent stops mid-turn
OpenRouter  openrouter.ai → Keys                           Agent stops mid-turn

Bookmark the keys page in your browser today. If it takes you 30 seconds to find when you need it, that's 30 seconds of ongoing damage.


FAQ

Is OpenClaw safe to expose to the internet?
No, not directly. The gateway has no built-in authentication, so a public port is an open invitation. Always bind to 127.0.0.1 and reach it via SSH tunnel, Tailscale, or a reverse proxy with strong auth.
What's the worst-case scenario if my OpenClaw gets compromised?
An attacker gets your LLM API keys (rotatable), access to whatever channels the agent is connected to, and the ability to run arbitrary shell commands as the OpenClaw user. They cannot escape the user without a separate kernel exploit. Sandbox mode further limits damage.
Should I use sandbox mode in production?
Yes, always. Set sandbox.mode to `all` for any production deployment. The cost is a small per-call latency increase; the benefit is that skills can't write to arbitrary paths, can't read files outside the workspace, and can't escape into your shell history.
How do I audit which skills are installed?
`openclaw skills list` shows everything. For each, the manifest, version, and SHA are visible. ClawHub records the publisher account and a security scan score, but you should still read the SKILL.md before installing anything from a non-vetted publisher.
What if a skill turns malicious after I've installed it?
Skills update only when you `openclaw skills update`. Pin versions in production. If a publisher's account gets compromised, the worst case is that you fail to update — which is fine. The bad version never reaches you unless you ask for it.
How does Provision's managed offering compare on security?
We run sandbox mode by default, isolate each tenant in its own runtime, rotate API keys, audit-log every tool call, and run the day-1 hardening checklist for you. The trade-off is you trust us with the agent's data; the upside is you don't have to remember any of this.

Want OpenClaw without the ops?

Provision is the managed OpenClaw cloud — agents, channels, browser, and skills, all running. $99/mo. 48-hour free trial.