Running an AI agent with shell access and network capabilities is powerful but requires vigilance. OpenClaw provides built-in tools to help you secure your instance.

The fastest way to check your security posture is the built-in audit tool.

1. Run Basic Audit Checks for common misconfigurations (open ports, weak policies).

   openclaw security audit

2. Deep Scan Probes the live gateway to verify reachability and auth.

   openclaw security audit --deep

3. Auto-Fix Applies recommended guardrails automatically.

   openclaw security audit --fix

   This will:

   • Restrict groupPolicy to allowlist.
   • Redact sensitive logs.
   • Tighten file permissions (chmod 700 on ~/.openclaw).

OpenClaw is designed with a “Defense in Depth” approach:

• Identity: Every connection is authenticated (Device Auth or Token).
• Policy: You explicitly define who can talk to the bot (dmPolicy, allowFrom).
• Capabilities: You explicitly define what the bot can do (Tools, Sandbox).

Sensitive data is stored in ~/.openclaw/:

Ensure these files are readable only by the user running the Gateway.

If running behind Nginx, Caddy, or Traefik:

1. Configure Trusted Proxies: Tell OpenClaw to trust headers from your proxy.
2. Pass Real IP: Ensure your proxy sends X-Forwarded-For.

gateway:
  trustedProxies:
    - "127.0.0.1"  # If proxy is local
  auth:
    mode: password
    password: ${OPENCLAW_GATEWAY_PASSWORD}