The Threat Landscape Is Not Theoretical
OpenClaw stores user credentials, processes sensitive prompts, and executes system-level commands. That combination makes every deployment a high-value target. The current exposure numbers make the urgency concrete:
- 135,000+ OpenClaw instances are discoverable on the public internet.
- 93.4% of those instances allow attackers to bypass authentication entirely.
- Security researchers have catalogued over 512 vulnerabilities in a single assessment cycle.
- Prompt injection attacks remain an unsolved, widespread attack vector.
- OpenClaw exploits are increasingly available on underground markets.
There is no dedicated security team behind the project. There is no bug bounty programme. The responsibility for securing a deployment falls entirely on the team running it.
1. Encryption & Key Management
Encryption protects data at rest and in transit. But encryption is only as strong as the key management discipline around it.
Rotate keys on a strict cadence. Enforce a maximum 90-day key lifetime. If a key is compromised, a shorter rotation window limits the volume of data an attacker can decrypt retroactively.
Eliminate hardcoded secrets. Keys must never appear in source code, configuration files committed to version control, or container images. Store them in environment variables at minimum β in a dedicated secrets manager (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager) by preference. Treat any key that has touched a repository as already compromised.
Use established algorithms. AES-256-GCM for symmetric encryption. ChaCha20-Poly1305 where hardware AES acceleration is unavailable. RSA-4096 or Ed25519 for asymmetric operations. Custom cryptography is an unnecessary risk with zero upside.
Encrypt data at rest, not just in transit. TLS secures the wire. It does nothing for data sitting on disk. Ensure conversation logs, credential stores, and plugin state are encrypted at the storage layer.
2. Session Isolation: One Breach Should Not Mean All Breaches
In multi-user environments, the most damaging failures are lateral β one compromised session leaking data into another. The governing principle: every session is its own trust boundary.
- Store session data in isolated namespaces with no cross-session read or write access.
- Assign each session a unique encryption key derived from the user's identity, so that even database-level access does not expose other users' data.
- Apply least-privilege permissions to every plugin and third-party integration. If a tool only needs read access to a single directory, do not grant it filesystem-wide permissions.
- In multi-tenant architectures, enforce tenant isolation at the database level β separate schemas or dedicated instances, not just application-layer filtering.
3. Access Auditing: Detect What You Cannot Prevent
No security architecture is breach-proof. Auditing is how you catch what slips through.
OpenClaw includes a built-in security scanner:
openclaw security audit
Run this in CI/CD on every deployment. But do not stop there β supplement it with continuous monitoring:
- Shell command logging. Flag unusual commands β
curlto unknown endpoints,chmod 777, Base64-encoded payloads β and alert immediately. - File access tracking. Monitor reads and writes to credential files, environment variables, and configuration directories.
- Login anomaly detection. Geolocation shifts, access outside business hours, and sudden spikes in session creation are early indicators of compromise.
- Automated alerting thresholds. Define what "normal" looks like for your deployment, then alert on any deviation. Manual log review does not scale.
4. Sandboxed Execution: Contain the Blast Radius
Running OpenClaw in a sandbox limits what an exploited vulnerability can reach:
- CPU and memory caps. Use cgroups or container resource quotas to prevent resource-exhaustion attacks from destabilising the host.
- Network egress restrictions. Allowlist only the external services OpenClaw needs. Block all other outbound traffic. An attacker who gains code execution inside the sandbox should not be able to exfiltrate data to an arbitrary endpoint.
- Filesystem isolation. Mount only the directories the agent requires, read-only where possible. Prevent writes to system directories entirely.
- Approval gates for sensitive operations. File writes outside the working directory, outbound API calls to new endpoints, and any credential access should require explicit approval β either human or policy-based.
5. Deployment Model: Choose Your Maintenance Burden
How you host OpenClaw determines who is responsible for the security posture.
| Local Install | VPS Self-Hosting | Managed Platform | |
|---|---|---|---|
| Availability | Only when device is on | 24/7 | 24/7 |
| Security patches | Manual | Manual | Automatic |
| Backups | Your responsibility | Your responsibility | Included |
| Scaling | Limited to local hardware | Manual resize | Automatic |
| Expertise required | Moderate | High (Linux, networking, security) | Minimal |
Local installation is viable for individual experimentation but impractical for any always-on workload.
VPS self-hosting provides full control and flexibility, but you inherit the complete operational burden: OS patching, dependency updates, backup schedules, intrusion detection, and uptime monitoring. This is a defensible choice for teams with dedicated DevOps capacity.
Managed platforms absorb the infrastructure and security operations, shipping patches automatically and handling backup, scaling, and monitoring. For teams without a security function β or teams that would rather allocate their security resources elsewhere β this is the lower-risk path.
The Uncomfortable Truth
OpenClaw is powerful, flexible, and β in its default configuration β dangerously exposed. The project's open-source nature means rapid innovation, but it also means no centralised security authority is watching your deployment for you.
Encryption, isolation, auditing, sandboxing, and deliberate hosting choices are not optional hardening steps. They are the minimum viable security posture for any OpenClaw instance that handles real data.
If your deployment is on the internet and you have not done the work described here, assume it is already compromised. Then start fixing it.