Let's Secure Me

Best practices and tips to secure your infrastructure.

OpenClaw Security Hardening Guide (2026): Safe-by-Default Setup for Personal AI Agents

Threat model, host baseline, secrets hygiene, and automation boundaries — a production checklist for running OpenClaw without regret.

OpenClaw gives an AI agent direct access to your shell, filesystem, and network. That is precisely what makes it productive — and precisely what makes it dangerous if the host underneath is soft. An earlier article on this site covered whether to run OpenClaw locally; this guide assumes you have already decided to do so and focuses on how to lock the environment down before the agent ever sees a prompt. If you prefer to skip local hardening entirely, platforms such as Clawly run OpenClaw in disposable remote sandboxes so none of the risks below apply to your workstation.

Every recommendation below follows a single principle: reduce blast radius. The agent will eventually do something unexpected — a hallucinated command, a prompt-injection payload buried in a dependency, a network request you did not anticipate. Hardening ensures that the damage stays contained, observable, and reversible.

1. Threat model for a local AI agent

Before you touch a config file, define what you are defending against. OpenClaw's threat model has four primary adversary actions:

ThreatVectorImpact
Accidental destructive commandModel hallucinationData loss, broken git history, service outage
Prompt injectionMalicious content in repos, issues, docsArbitrary command execution under your user
Secret exfiltrationAgent reads dotfiles, env vars, keychainsCredential leak to API provider or attacker
Lateral movementNetwork access from agent hostPivot to internal services, cloud metadata

Every control in this guide maps to at least one of these threats. If a hardening step does not reduce exposure to any of the four, skip it — unnecessary complexity is its own risk.

2. Host hardening baseline

Start with the machine itself. These steps are not OpenClaw-specific — they are standard server hygiene that becomes critical when an autonomous agent shares the host.

Dedicated user account

Create a non-root user exclusively for OpenClaw sessions. This user should own only the project directories the agent needs and nothing else.

sudo useradd -m -s /bin/bash openclaw-runner
sudo mkdir -p /home/openclaw-runner/projects
sudo chown openclaw-runner:openclaw-runner /home/openclaw-runner/projects

Minimal sudo access

The agent user should have zero sudo privileges. If you need elevated operations, run them in a separate session under your own account. Verify with:

sudo -l -U openclaw-runner
# Expected: "User openclaw-runner is not allowed to run sudo"

Filesystem permissions

Restrict the agent user's read access. Sensitive paths should be unreadable:

chmod 700 /home/your-main-user
chmod 700 /root
# Ensure /etc/shadow, /etc/sudoers are already mode 0640/0440

Keep the OS patched

Enable unattended security updates. On Ubuntu/Debian:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

3. SSH and firewall lockdown

If OpenClaw runs on a remote VM (cloud instance, homelab server), SSH is your entry point and the firewall is your perimeter. Get both right before enabling the agent.

SSH hardening essentials

Add or verify these lines in /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers your-admin-user
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2

Reload with sudo systemctl reload sshd. Test access in a separate terminal before closing your current session.

UFW firewall rules

Default-deny inbound, allow only what you need:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from YOUR_IP to any port 22 proto tcp
sudo ufw enable
sudo ufw status verbose

Egress filtering (advanced)

Most setups allow all outbound traffic. For higher-security environments, restrict egress to known destinations. At minimum, block access to the cloud metadata endpoint:

# Block cloud instance metadata (AWS, GCP, Azure)
sudo iptables -A OUTPUT -d 169.254.169.254 -j DROP
sudo iptables -A OUTPUT -d metadata.google.internal -j DROP

4. Secrets handling

The agent user's environment should contain the absolute minimum number of secrets needed for the current task. Everything else stays out of reach.

Never store secrets in dotfiles

Avoid .bashrc exports, .env files committed to repos, or plain-text credential files. The agent reads all of these.

Use a secrets manager

Inject secrets at runtime from an external store. Options ranked by complexity:

  • direnv with .envrc files (gitignored) — simple, per-project scoping
  • 1Password CLI / Bitwarden CLI — fetch secrets on demand, no plain-text storage
  • HashiCorp Vault / AWS Secrets Manager — full audit trail, dynamic credentials, lease-based rotation

Scope API tokens narrowly

If the agent needs a GitHub token, create a fine-grained personal access token scoped to a single repository with only the permissions required (e.g., contents: read). Never hand the agent a classic token with full repo scope.

Rotate after exposure

If you suspect the agent sent a secret to an external API (check logs), rotate the credential immediately. Treat every secret the agent touches as potentially compromised.

5. Logging and monitoring

You cannot secure what you cannot observe. Every command the agent runs should be logged, and anomalies should trigger alerts.

Shell history and auditd

Enable auditd to capture all command executions by the agent user:

sudo apt install auditd
# Log all commands run by openclaw-runner (replace 1001 with actual UID)
sudo auditctl -a always,exit -F arch=b64 -F euid=1001 -S execve -k openclaw-cmds
# Verify
sudo ausearch -k openclaw-cmds --start recent

Network connection logging

Log outbound connections with conntrack or iptables LOG target:

sudo iptables -A OUTPUT -m owner --uid-owner 1001 -m state --state NEW \
  -j LOG --log-prefix "OPENCLAW-NET: " --log-level 4

Forward these logs to a SIEM or at minimum to a dedicated log file you review after each session.

File integrity monitoring

Use inotifywait or AIDE to watch for unexpected file changes outside the project directory:

# Quick watch for changes outside the project tree
inotifywait -m -r --exclude '/home/openclaw-runner/projects' \
  /home/openclaw-runner/ -e modify -e create -e delete

Session recording

For full forensic capability, wrap agent sessions in script or use asciinema to record terminal output. This gives you a replayable timeline of everything the agent did.

6. Backup and recovery

Assume the agent will break something. The question is whether you can recover in minutes or hours.

Git as your first safety net

Always commit (or stash) your work before starting an agent session. If the agent makes unwanted changes, git diff shows exactly what changed and git checkout reverts it.

# Pre-session snapshot
cd /home/openclaw-runner/projects/myapp
git stash push -m "pre-openclaw-session-$(date +%Y%m%d-%H%M)"

Filesystem snapshots

If your host uses ZFS or Btrfs, take a snapshot before each session. On cloud VMs, create a disk snapshot. These let you roll back the entire filesystem state in seconds.

Automated daily backups

For the project directory, a simple rsync cron job provides off-host copies:

# /etc/cron.d/openclaw-backup
0 2 * * * root rsync -a --delete /home/openclaw-runner/projects/ /mnt/backup/openclaw/

Recovery testing

Backups you have never restored are not backups. Periodically restore a snapshot to a scratch environment and verify that the project builds and tests pass.

7. Safe automation boundaries

OpenClaw is most dangerous when it operates without human checkpoints. Define explicit boundaries for what the agent may do autonomously versus what requires confirmation.

Permission tiers

Categorize operations into tiers and configure OpenClaw's permission mode accordingly:

  • Auto-allow: read files, run linters, run tests, git status/diff/log
  • Prompt-required: write/delete files, git commit, install packages, network requests
  • Never-allow: git push --force, rm -rf outside project dir, sudo, credential access

Container isolation for untrusted repos

When working with code you did not write, run OpenClaw inside a container with only the project mounted:

docker run --rm -it \
  -v /home/openclaw-runner/projects/untrusted-repo:/workspace:rw \
  --network=host \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid \
  openclaw-image:latest

The --read-only root filesystem plus a noexec tmpfs prevents the agent from persisting changes outside the mounted workspace.

Time-boxing sessions

Set a session timeout. If the agent has been running for 30 minutes without human review, stop and inspect what it has done. Long unattended sessions increase the chance that a subtle mistake compounds into a larger problem.

Managed sandboxes as an alternative

If enforcing these boundaries manually feels brittle, consider a managed platform like Clawly that enforces isolation at the infrastructure level — disposable VMs, no access to your local filesystem, and automatic session teardown. This removes the need to trust your own configuration and gives you the same agent capabilities with a fraction of the operational overhead.

Production deployment checklist

Use this checklist before your first hardened OpenClaw session and revisit it quarterly.

  • Dedicated non-root user created for agent sessions
  • Agent user has zero sudo privileges (verified with sudo -l)
  • Home directories of other users are mode 700
  • SSH: root login disabled, password auth off, key-only
  • Firewall: default-deny inbound, SSH restricted to known IPs
  • Cloud metadata endpoint blocked (169.254.169.254)
  • No secrets in dotfiles or environment variables — using a secrets manager
  • API tokens scoped to minimum required permissions
  • auditd logging enabled for agent user commands
  • Outbound network connections logged per UID
  • File integrity monitoring active outside project directory
  • Pre-session git stash or commit in place
  • Filesystem snapshots or daily backups configured and tested
  • OpenClaw permission mode set (auto-allow, prompt, deny lists defined)
  • Unattended upgrades enabled for OS security patches
  • Recovery tested: restored a backup and verified build/tests pass

Frequently asked questions

Is Docker enough to make OpenClaw safe?

Docker provides meaningful process and filesystem isolation, but it is not a full security boundary. Misconfigured volume mounts, --privileged mode, or shared network namespaces can all defeat container isolation. Docker is a strong layer, not a complete solution — combine it with the user-level, network, and monitoring controls described above.

Can I let OpenClaw auto-approve all commands if the host is hardened?

No. Hardening reduces blast radius but does not prevent every harmful action. A git push --force to a remote repository, for instance, damages shared state that no amount of local hardening can undo. Keep the confirmation prompt for operations that have off-host effects.

How do I handle agent access to private package registries?

Create a read-only token scoped to the specific registry and feed it via environment variable only during the session. Never store registry tokens in .npmrc or pip.conf on the agent user's home directory — those persist across sessions and are readable by the agent at all times.

What should I do if the agent ran a command I did not expect?

Stop the session immediately. Review audit logs (ausearch -k openclaw-cmds) and network logs for the agent user. Check git diff and file integrity alerts. If any credential was accessed, rotate it. If a network request was made to an unknown host, treat the session as a potential compromise and investigate before resuming.

Do these steps apply if I use a managed platform instead of local execution?

Most of them become unnecessary. Managed platforms handle host isolation, ephemeral environments, and credential scoping at the infrastructure level. The sections on secrets hygiene and automation boundaries still apply — always scope tokens narrowly and review agent output — but the host hardening, SSH, firewall, and backup sections are handled by the platform.

How often should I review and update this hardening baseline?

Quarterly, or whenever OpenClaw releases a major version that changes its permission model or execution capabilities. Also re-audit after any security incident, even a minor one. The threat landscape for AI agents is evolving rapidly — a control that was sufficient six months ago may have known bypasses today.

Conclusion

Running OpenClaw locally is a deliberate trade-off: you gain maximum flexibility and zero-latency access to your environment, but you accept responsibility for every control that stands between the agent and your data. The steps in this guide — dedicated users, locked-down SSH, scoped secrets, comprehensive logging, tested backups, and clear automation boundaries — transform that trade-off from a gamble into a calculated risk.

Work through the checklist, verify each control, and revisit it regularly. If the operational overhead of self-hosting is higher than you want to carry, delegate it to a platform built for the job. Either way, the worst time to think about AI agent security is after the agent has already done something you cannot undo.