OpenClaw Best Practices for Setup, Security, and Agent Management
Security researchers found over 42,000 OpenClaw Gateway instances exposed on the public internet in early 2026, most running without authentication. This guide covers 12 practices for secure Gateway setup, inbound access control, tool restrictions, multi-agent isolation, and ongoing monitoring. Each one comes from the official OpenClaw documentation and can be applied to any deployment in an afternoon.
Why OpenClaw Deployments Get Compromised
Security researchers at Hunt.io identified over 17,500 vulnerable OpenClaw deployments across 52 countries in mid-2026, with 98.6% hosted on commercial cloud providers like DigitalOcean and Alibaba Cloud. Broader Shodan and Censys scans put the total number of exposed instances above 42,000, most running no authentication at all. OpenClaw ships with loopback-only binding and requires authentication for any non-loopback access by default. The gap between those safe defaults and tens of thousands of exposed instances is pure configuration drift, and it is entirely preventable.
CVE-2026-25253, disclosed in January 2026 with a CVSS score of 8.8, showed how quickly things escalate when a Gateway sits on the open internet. The vulnerability let a remote attacker fully compromise an operator's machine through a single malicious webpage visit. The Control UI blindly trusted a URL parameter in the request, leaking the operator's auth token to anyone who could craft a malicious link. Every exposed, unauthenticated instance was already at risk before the CVE was even published.
OpenClaw's security model assumes a single trusted operator per Gateway. The official documentation is direct about this: if you need mixed-trust or adversarial-user operation, run separate Gateways with separate credentials on separate hosts. One Gateway, one operator. Every configuration decision flows from that principle.
The 12 practices below come from the official OpenClaw security and configuration documentation. They cover four areas: network setup, inbound access control, multi-agent isolation, and operational hygiene. Each practice includes specific configuration guidance and commands you can apply immediately, whether you are running OpenClaw on a personal laptop or a dedicated VPS.
How to Secure Your Gateway Network
The first three practices address the most common deployment mistake: binding the Gateway to a public address without proper authentication. The Hunt.io data showed that nearly all compromised instances were exposed to the internet with default or missing credentials. Fixing this requires no architectural changes. It is a matter of using the configuration options that already ship with OpenClaw. The official security documentation covers each option in detail.
Document access rules, audit trails, and retention policies before rollout so staging results are repeatable in production. This avoids late surprises and helps teams debug issues with confidence.
Teams should validate this approach in a small test path first, then standardize it across environments once metrics and outcomes are stable.
1. Bind the Gateway to Loopback
The Gateway defaults to binding on loopback only, meaning only local processes can reach it. Keep this default unless you have a specific reason to change it. The configuration reference provides five bind modes: loopback (default), LAN, Tailscale network, auto-detect, and custom address.
For remote access, Tailscale Serve is the recommended path. It keeps the Gateway bound to loopback while routing traffic through an encrypted tunnel on your private network, so you never expose the port directly. If you must bind to a LAN address, firewall the Gateway port to a strict IP allowlist and pair it with token authentication.
Docker deployments are the one exception. Since loopback inside a container is container-internal, you need bind: "lan" or a custom bind. Compensate with a strong auth token and container-level network policies that restrict which hosts can reach the exposed port. Never run a Docker-bound Gateway without authentication, even on a private network.
2. Enforce a Strong Auth Token
Generate a strong random token using OpenClaw's built-in token generator and store it in an environment variable rather than in the configuration file directly. Tokens placed in config files tend to end up in version control. Environment variables or the SecretRef system (which supports env, file, and exec sources) keep credentials out of config files entirely.
Token authentication is required by default when the Gateway binds beyond loopback. Do not disable this requirement. If your configuration shows the authentication mode set to "none," you have an unauthenticated Gateway. That single misconfiguration was the most common finding across exposed instances.
For automation hooks endpoints, use a dedicated hooks.token instead of reusing your Gateway auth secret. Hook authentication is header-only (Authorization: Bearer ... or x-openclaw-token). Query-string tokens are rejected by design, which limits exposure if a URL gets logged or shared accidentally.
3. Add Channels One at a Time
The official first-run FAQ recommends starting with a single channel and verifying it works before adding more. Run openclaw onboard for the guided setup wizard, which walks through model selection, workspace creation, Gateway settings, and your first channel integration. The hackable git install (--install-method git) gives you full source access for debugging if anything goes wrong during setup.
Each channel (WhatsApp, Telegram, Discord, Slack, Signal, Matrix) has its own authentication requirements and access control surface. Adding them individually lets you verify DM policies, mention gating, and session isolation per channel before moving to the next. If something breaks, you know exactly which channel caused it instead of debugging a multi-channel configuration all at once.
After each addition, run openclaw doctor to validate the configuration and flag permission or connectivity issues before they become production problems. The doctor command catches common misconfigurations like missing tokens, incorrect file permissions, and unreachable endpoints.
How to Control Inbound Access and Restrict Agent Tools
Network security keeps unauthorized traffic from reaching the Gateway. These four practices control what happens once legitimate messages arrive: who can send them, which messages the agent processes, what tools the agent can invoke, and how much damage a compromised session can cause. Together they define the blast radius of any single security incident.
Document access rules, audit trails, and retention policies before rollout so staging results are repeatable in production. This avoids late surprises and helps teams debug issues with confidence.
Teams should validate this approach in a small test path first, then standardize it across environments once metrics and outcomes are stable.
4. Set DM Policy to Pairing Mode
The default DM policy, pairing mode, requires unknown senders to present a time-limited code before they can interact with your agent. Codes expire after one hour, and pending requests are capped at three per channel. Approve codes through the CLI's pairing approval command.
For stricter control, switch to allowlist mode, which blocks all unknown senders entirely. Disabling DMs altogether is useful for agents that only operate in group chats. Choose the mode that matches your agent's exposure: pairing for personal assistants, allowlist for bots that serve a fixed set of users, disabled for group-only agents.
When multiple people can message the bot, enable per-sender session isolation so each person gets their own session context. This prevents one user's conversation history from leaking into another user's session on the same channel.
5. Require Mentions in Group Chats
An always-on bot that processes every group message is a prompt injection target. Anyone who can post in the group can feed the agent malicious instructions embedded in normal-looking text, and the agent will process them without any explicit trigger.
Enable mention gating with requireMention: true on your group configurations. The agent only processes messages that explicitly @-mention it, which dramatically reduces its attack surface in busy channels. You can set this per channel or apply it across all groups with a wildcard matcher.
For channels where the agent must respond to everything, restrict group membership aggressively and consider using contextVisibility: "allowlist" to filter what supplemental context (quoted replies, thread history) the agent can see. Limiting context visibility reduces the amount of potentially malicious content the agent ingests from the conversation.
6. Restrict Tools to the Minimum Needed
Start every agent with the messaging tool profile and explicitly deny high-risk tool groups. A solid restrictive baseline denies group:automation, group:runtime, and group:fs, plus control-plane tools like gateway, cron, sessions_spawn, and sessions_send. This prevents agents from modifying their own configuration, scheduling persistent tasks, or delegating to other agents.
For execution control, configure the security policy to deny all commands by default and require explicit operator approval for each one. This blocks command execution unless you actively allow it. Keep in mind that execution approvals are intent guardrails, not hard security boundaries. The official documentation notes that semantic coverage of approvals is best-effort only. For strong isolation, use sandboxing (the next practice) instead of relying on approvals alone.
For agents handling untrusted content, consider disabling web_search, web_fetch, and browser unless inputs are tightly controlled. Older or smaller language models are more vulnerable to prompt injection, so the weaker the model powering the agent, the tighter its tool policy should be.
7. Enable Sandbox Isolation
Docker-based sandboxing gives each agent a restricted execution environment. Set agents.defaults.sandbox.mode to all to enable it across the board, and use scope: "agent" for per-agent containers. Workspace access should default to none, with ro (read-only) granted only to agents that need to read workspace files without modifying them.
The elevated tools setting bypasses sandbox isolation entirely. Keep its allowed-sources list restricted to trusted operators only, and audit any per-agent overrides carefully. OpenClaw's built-in audit flags elevated tool usage as a critical override for good reason: it is the fast path from a compromised session to full host access.
For browser-enabled agents, configure SSRF policies with dangerouslyAllowPrivateNetwork: false (the default) and use hostname allowlists to control which sites the agent can visit. Always use a dedicated browser profile rather than your personal daily-driver profile. A compromised agent session with access to your logged-in browser profile could access your email, cloud accounts, and internal tools.
Store and audit your OpenClaw agent outputs in one workspace
50GB free storage with built-in audit trails, MCP access for your agent, and ownership transfer to hand work off to humans. No credit card required.
Multi-Agent Isolation and Message Routing
A single Gateway can host multiple independent agents, each with its own workspace, session history, and tool policies. This makes multi-agent setups cost-effective (one server instead of one per agent) but introduces isolation requirements. The wrong configuration can leak context between agents, route messages to the wrong persona, or give one agent access to another agent's credentials and session data.
Define clear tool contracts and fallback behavior so agents fail safely when dependencies are unavailable. This improves reliability in production workflows.
Teams should validate this approach in a small test path first, then standardize it across environments once metrics and outcomes are stable.
8. Isolate Agent Workspaces and State Directories
Each agent maintains a separate state directory at ~/.openclaw/agents/<agentId>/, containing workspace files, authentication profiles, and session transcripts. The official documentation warns explicitly: never reuse agentDir across agents. Sharing state directories causes auth collisions and session data leakage between agents that were meant to be completely isolated.
Isolation extends beyond file paths. Give each agent its own tool allow/deny lists, its own sandbox configuration, and (where appropriate) its own model selection. Skills load from each agent's workspace plus shared roots like ~/.openclaw/skills, but they are filtered by per-agent allowlists. Cross-agent memory search is available through memorySearch.qmd.extraCollections, but enable it intentionally for specific agents rather than leaving it open by default.
For agents at different trust levels, match sandbox configuration to the agent's role. A read-only research agent might run with sandbox.mode: "all" and workspaceAccess: "ro". A trusted automation agent might run with fewer restrictions. Security posture should vary by agent, not be uniform across all of them.
9. Route Messages Through Explicit Bindings
OpenClaw routes inbound messages using a specificity hierarchy: peer match first, then parent peer, guild ID with roles, guild ID alone, team ID, account ID, channel-level wildcard, and finally the default agent. When multiple bindings match at the same tier, the first one in config order wins. This deterministic ordering means you can predict exactly where any message will land.
Explicit bindings prevent two problems. First, they stop messages from falling through to the wrong agent because of a missing routing rule. Second, they let you split traffic deliberately: WhatsApp to a fast Sonnet-based agent for quick replies, Telegram to a more capable Opus model for complex analysis, or specific group IDs to agents with specialized skills and tool access.
A binding that omits accountId matches only the default account for that channel. Use accountId: "*" for channel-wide fallbacks across all accounts. For DM splitting on WhatsApp, route different sender IDs (E.164 format) to different agents so multiple users can share one WhatsApp account without their conversations or session contexts crossing.
10. Enforce Per-Agent Tool Policies
Multi-agent setups amplify the importance of granular tool restrictions. A compromised agent with access to sessions_spawn or sessions_send could delegate tasks to other agents on the same Gateway, turning a single-agent breach into a Gateway-wide compromise.
Deny delegation tools and control-plane access on every agent that does not explicitly need them. Set these in agents.list[].tools.deny rather than relying on the default profile alone. Default policies apply broadly, but agent-specific deny lists catch cases where the default is too permissive for a particular agent's role or exposure level.
For company-shared agents, the documentation recommends running on a dedicated machine or VM with a dedicated OS user and browser profile. Do not mix personal and company identities on the same runtime. When one agent needs elevated access temporarily, use per-agent tools.elevated overrides with tight allowFrom restrictions rather than loosening the default policy for every agent on the Gateway.
How to Monitor, Patch, and Persist Agent Outputs
Configuration hardens the system at deploy time. These final two practices address what happens afterward: keeping the deployment secure as threats evolve and making sure agent work products survive beyond the current session. Both are operational habits rather than one-time settings, and both become critical the moment your agent handles real work.
Define clear tool contracts and fallback behavior so agents fail safely when dependencies are unavailable. This improves reliability in production workflows.
Teams should validate this approach in a small test path first, then standardize it across environments once metrics and outcomes are stable.
Document decisions, ownership, and rollback steps so implementation remains repeatable as the workflow scales.
11. Run Security Audits and Rotate Credentials
OpenClaw includes a built-in auditing capability that evaluates inbound access policies, tool blast radius, execution guardrails, network exposure, browser settings, file permissions, plugin allowlists, and policy drift (where effective tool policy differs from what you intended). Run it after every configuration change. The deep mode covers all severity classes, including filesystem permissions, Gateway exposure, execution guardrails, browser control, and supply chain. The auto-fix mode remediates common issues like loose file permissions and disabled log redaction.
Enable log redaction to keep sensitive data out of log files. The default setting redacts tool output, and you can add custom patterns for environment-specific tokens or URLs that the default rules do not cover. OpenClaw's status command can generate shareable diagnostics with secrets automatically removed.
CVE-2026-25253 proved that unpatched instances get compromised quickly. Subscribe to a release channel and apply security patches promptly. The update system supports stable, beta, and dev channels, with optional auto-updates via update.auto.enabled. For credential rotation, assume that any API key stored in a previously exposed instance is compromised. Sensitive data lives in specific locations: WhatsApp credentials at ~/.openclaw/credentials/whatsapp/, channel tokens in environment variables, and session transcripts in JSONL files readable by any process with filesystem access. Rotate provider API keys on a regular schedule and immediately after any security incident.
12. Store Agent Outputs in Persistent External Storage
Agent workspaces live on disk at ~/.openclaw/agents/<agentId>/. If the host is compromised, rebuilt, or decommissioned, everything in that directory goes with it. Session transcripts, generated files, and workspace contents are all local to the machine running the Gateway.
For work products that need to outlast the current deployment, move them to external persistent storage. Local options include syncing to S3 or a network share. Cloud services like Google Drive or Dropbox handle basic file storage but lack agent-native APIs for programmatic file management, version tracking, and handoff workflows.
Fast.io provides workspaces built for agent workflows. Your OpenClaw agent can use the Fast.io MCP server to upload outputs, organize files in shared workspaces, and transfer ownership to a human when the work is done. Intelligence Mode auto-indexes uploaded files for semantic search and AI-powered queries with citations, so your stored outputs become instantly searchable. The free tier includes 50GB of storage and 5,000 monthly credits with no credit card required, enough to handle outputs from a personal or small-team OpenClaw deployment. See storage for OpenClaw agents for setup details.
Frequently Asked Questions
What are the best practices for OpenClaw?
The core best practices are: bind the Gateway to loopback, enforce token authentication, set DM policy to pairing mode, require mentions in group chats, restrict tools to the minimum needed, enable sandbox isolation, isolate agent workspaces, route messages through explicit bindings, enforce per-agent tool policies, run security audits after config changes, keep patches current, and store outputs in persistent external storage. Start with one channel and expand gradually.
How do I secure my OpenClaw Gateway?
Start with the defaults, which are already secure: loopback binding and required authentication for remote access. Generate a strong auth token and store it in an environment variable rather than in your config file. Set DM policy to pairing to control who can message your agent. Restrict tool access with the messaging profile and deny high-risk groups. Enable Docker-based sandboxing for execution isolation. Run the built-in configuration audit regularly to catch misconfigurations.
What is the recommended OpenClaw setup?
Run openclaw onboard for the guided setup, which configures model selection, workspace, Gateway settings, and your first channel. Keep the default loopback binding and add a strong auth token. Start with a single channel and verify DM policies and mention gating before adding more. The hackable git install (--install-method git) gives full source access for debugging. Minimum hardware is 512MB RAM and 1 CPU core for personal use, though 1GB or more is recommended.
How many agents can one OpenClaw Gateway run?
There is no hard-coded agent limit. A single Gateway can host multiple agents, each with isolated workspaces, session histories, and tool policies. Resource consumption scales with model API calls and concurrent sessions rather than agent count itself. Each agent needs its own state directory and should have its own tool allow/deny lists and sandbox configuration for proper isolation.
What does the OpenClaw configuration audit check?
The built-in auditing tool evaluates inbound access (DM policies, group allowlists, mention gating), tool blast radius (elevated tools in open rooms), execution guardrails (approval drift, interpreter allowlists), network exposure (bind mode, auth, Tailscale settings), browser exposure (remote nodes, relay ports), disk hygiene (file permissions, symlinks), plugin supply chain validation, and policy drift where effective tool policy differs from your intended configuration. Deep mode runs comprehensive checks, and the auto-fix option remediates common issues.
Should I use Docker sandbox mode with OpenClaw?
Yes, for any agent that handles untrusted content or has execution capabilities. Set agents.defaults.sandbox.mode to all to enable Docker-based isolation by default. Use workspaceAccess set to none to block filesystem access, or ro for read-only. Sandboxing provides stronger isolation than exec approvals, which the official documentation describes as intent guardrails rather than hard security boundaries.
Related Resources
Store and audit your OpenClaw agent outputs in one workspace
50GB free storage with built-in audit trails, MCP access for your agent, and ownership transfer to hand work off to humans. No credit card required.