OpenClaw Security Best Practices: Complete Guide
OpenClaw Security Best Practices: Complete Guide
As you integrate OpenClaw deeper into your workflow, security becomes paramount. This comprehensive guide covers essential practices to keep your data, API keys, and system secure.
Understanding OpenClaw Security Model
OpenClaw is designed with a local-first architecture, meaning:
- Your data stays on your Mac by default
- AI providers only receive necessary context
- You control what information is shared
- Skills run with your user permissions
However, this does not mean you can ignore security. Let us explore best practices.
1. API Key Security
1.1 Store Keys Securely
Do not: Hardcode API keys in configuration files
Do: Use environment variables or secure key storage
# Set in your shell profile (~/.zshrc or ~/.bash_profile)
export OPENAI_API_KEY="sk-..."
export ANTHROPIC_API_KEY="sk-..."
Then reference in config:
{
"ai": {
"provider": "openai",
"apiKey": "${OPENAI_API_KEY}"
}
}
1.2 Use Separate Keys for Different Purposes
Create separate API keys for:
- Development/testing
- Production use
- Different projects
This limits exposure if one key is compromised.
1.3 Regularly Rotate Keys
Set a reminder to rotate API keys every 3-6 months:
- Generate new key
- Update configuration
- Test functionality
- Revoke old key
1.4 Monitor API Usage
Regularly check your AI provider dashboard for:
- Unexpected usage spikes
- Unusual access patterns
- Unrecognized IP addresses
2. Configuration Security
2.1 Secure Configuration Files
Set restrictive permissions:
chmod 600 ~/.openclaw/config.json
This ensures only you can read the file.
2.2 Backup Configuration Securely
When backing up:
- Encrypt the backup
- Store in a secure location
- Do not include in public repositories
2.3 Use Version Control Wisely
If using Git:
# Add to .gitignore
echo ".openclaw/" >> .gitignore
echo "config.json" >> .gitignore
Never commit API keys or sensitive configuration.
3. Skill Security
3.1 Vet Skills Before Installing
Before installing a skill:
- Check the source code if available
- Review permissions it requests
- Check community reviews
- Verify the author
3.2 Run Skills in Sandbox (When Available)
Some skills support sandboxed execution:
{
"skills": {
"sandbox": true,
"installed": ["safe-skill"]
}
}
3.3 Monitor Skill Activity
Regularly review:
- Which skills are installed
- What data they access
- Network connections they make
3.4 Remove Unused Skills
Unused skills are unnecessary attack surfaces:
openclaw skills list
openclaw skills remove unused-skill
4. Integration Security
4.1 Telegram Bot Security
When using Telegram integration:
{
"telegram": {
"enabled": true,
"botToken": "${TELEGRAM_BOT_TOKEN}",
"allowedUsers": [
"your_telegram_username"
],
"webhook": {
"secret": "strong-random-secret"
}
}
}
Best practices:
- Only allow specific users
- Use webhook secrets
- Monitor bot activity
- Do not share bot links publicly
4.2 Discord Integration
{
"discord": {
"enabled": true,
"botToken": "${DISCORD_BOT_TOKEN}",
"allowedGuilds": ["your-server-id"],
"allowedChannels": ["specific-channel-id"]
}
}
Restrict to specific servers and channels.
4.3 Webhook Security
If using webhooks:
- Use HTTPS only
- Implement signature verification
- Use strong secrets
- Validate payload format
- Log all webhook calls
5. Network Security
5.1 Use a Firewall
Configure your Mac firewall:
# Enable firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
# Check status
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
5.2 VPN for Remote Access
When accessing OpenClaw remotely:
- Use a VPN
- Enable SSH key authentication
- Disable password authentication
- Use fail2ban or similar
5.3 Secure Network Configuration
{
"network": {
"bind": "127.0.0.1",
"port": 18789,
"ssl": true,
"cert": "/path/to/cert.pem",
"key": "/path/to/key.pem"
}
}
Bind to localhost unless remote access is needed.
6. Data Privacy
6.1 Control Data Retention
Configure memory and logging:
{
"memory": {
"enabled": true,
"retention": "30d",
"encrypt": true
},
"logging": {
"level": "info",
"retention": "7d",
"sensitive": false
}
}
6.2 Minimize Data Sharing
Be selective about what you share:
- Disable features you do not need
- Review skill data access
- Clear memory regularly
- Audit conversation history
6.3 Encrypt Sensitive Data
For sensitive information:
# Use macOS keychain
security add-generic-password -s "openclaw" -a "user" -w "secret"
# Retrieve in scripts
security find-generic-password -s "openclaw" -w
7. Physical Security
7.1 Lock Your Mac
Always lock when away:
# Set screensaver to require password immediately
defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 0
7.2 Disable Automatic Login
System Preferences → Users & Groups → Login Options → Automatic login: Off
7.3 FileVault Encryption
Enable full disk encryption:
# Check status
fdesetup status
# Enable if not active
sudo fdesetup enable
8. Regular Security Audits
8.1 Monthly Checklist
- [ ] Review installed skills
- [ ] Check API key usage
- [ ] Audit configuration files
- [ ] Review access logs
- [ ] Update to latest version
- [ ] Rotate API keys (quarterly)
- [ ] Backup configuration
- [ ] Test restore process
8.2 Automated Security Checks
Create a script for regular checks:
#!/bin/bash
# security-check.sh
echo "Checking OpenClaw security..."
# Check file permissions
ls -la ~/.openclaw/config.json
# Check for API keys in logs
grep -r "sk-" ~/.openclaw/logs/ || echo "No API keys found in logs"
# List installed skills
openclaw skills list
# Check for updates
openclaw --version
echo "Security check complete"
9. Incident Response
9.1 If You Suspect a Breach
-
Immediately:
- Disconnect from internet
- Revoke all API keys
- Change passwords
-
Investigate:
- Check logs
- Review recent activity
- Identify what was accessed
-
Recover:
- Restore from clean backup
- Reinstall OpenClaw
- Generate new keys
- Reconfigure integrations
9.2 Reporting Security Issues
If you find a vulnerability:
- Do not disclose publicly
- Contact security@openclaw.dev
- Provide detailed information
- Allow time for fixes
10. Staying Updated
10.1 Subscribe to Security Advisories
Follow for updates:
- OpenClaw GitHub releases
- Security mailing list
- Official Twitter/X account
10.2 Update Promptly
When updates are available:
# Check for updates
npm outdated -g openclaw
# Update
npm update -g openclaw
# Verify
openclaw --version
10.3 Read Changelogs
Always review what changed:
# View changelog
openclaw changelog
Security Checklist
Use this checklist regularly:
□ API keys stored in environment variables
□ Configuration files have restrictive permissions (600)
□ Skills are from trusted sources
□ Only necessary users can access integrations
□ Firewall is enabled
□ FileVault is enabled
□ Auto-lock is configured
□ Regular backups are encrypted
□ Logs do not contain sensitive data
□ Software is up to date
□ Security audits are performed monthly
□ Incident response plan is documented
Conclusion
Security is an ongoing process, not a one-time setup. By following these best practices, you can enjoy the power of OpenClaw while keeping your data and system secure.
Remember:
- Security is a trade-off with convenience
- Regular audits catch issues early
- Stay informed about new threats
- When in doubt, be more restrictive
Stay safe!
Related Articles
FAQ
Q: Is OpenClaw secure by default?
A: OpenClaw has reasonable defaults, but security depends on your configuration and usage patterns.
Q: Can OpenClaw access my files?
A: Only if you grant permission through skills or explicit commands. Review skill permissions carefully.
Q: Are my conversations private?
A: Conversations are stored locally by default. Check your configuration to understand what is shared with AI providers.
Q: What if a skill is malicious?
A: Remove it immediately, review what it accessed, rotate any potentially exposed credentials, and report it to the community.