OpenClaw Security Checklist: 12 Checks Before You Connect Your Accounts

My opinion up front: most OpenClaw security advice online is either too technical or too theatrical. The official docs are actually pretty honest. They do not pretend prompt injection is solved, they explicitly warn that blast radius matters, and they tell you to be deliberate about who can talk to the bot, what it can touch, and where it is allowed to act.

That is the frame for this article. Not panic. Not cope. Just a practical operator guide for people who want to experiment without doing something reckless. If you are also working on your agent’s personality layer, see my companion piece on OpenClaw SOUL.md examples and personality templates. And if you are still deciding where OpenClaw fits in your stack, read my OpenClaw vs n8n review.

Short answer: is OpenClaw safe to use?

It can be run more safely, but it is not something I would casually connect to my primary email, GitHub, or work accounts on day one. The official docs make clear that OpenClaw can execute commands, read and write files, access networks, and send messages if you give it those tools. Microsoft’s security guidance goes even further and says it should be treated like untrusted code execution with persistent credentials, not something you casually run on a standard workstation.

The good news is that you do not need enterprise-grade security engineering to make smarter choices. You do need discipline. Most of the risk comes from bad defaults, oversized permissions, and people treating “local-first” as if it automatically means “safe.”

What the scary terms mean in plain English

OpenClaw security discussions can get jargon-heavy fast, so here is the plain-English version.

For non-engineers, the easiest way to think about it is this: OpenClaw is powerful because it can act. That same power is why the security boundary matters more than it does with a normal chatbot tab in your browser.

The 12-point OpenClaw security checklist

This is the core of the article. If you are evaluating OpenClaw and want a practical “before I connect this thing to my accounts” checklist, start here.

If you want the shortest possible checklist summary: isolate the machine, isolate the accounts, isolate the tools, isolate the network path, and assume you may need to rebuild.

Three realistic ways people accidentally make OpenClaw dangerous

The easiest way to understand the security risk is not through theory. It is through realistic operator mistakes.

What ties all three together is the same operator error: connecting authority before creating boundaries.

Flowchart: should I connect this account to OpenClaw?

Before you hand any account or credential to your agent, run it through this decision tree. If you hit a red stop, fix that layer first.

Chart: what actually increases your OpenClaw blast radius

Not all risks are equal. Here is the practical ranking I would use for non-engineers deciding what to worry about first.

This is why I do not think the right beginner advice is “learn Docker first” or “become a security engineer.” The right beginner advice is “do not connect the dangerous stuff until your containment is real.”

What “run OpenClaw safely” should mean for a normal person

If you are not a security engineer, “safe enough to evaluate” should mean something like this:

If you set it up this way, you are no longer treating OpenClaw like a toy. You are treating it like a runtime with authority, which is the mature posture.

Sandboxing: the single best control most beginners skip

The official sandboxing docs say something I like because it is refreshingly honest: sandboxing is not a perfect security boundary, but it materially limits filesystem and process access when the model does something dumb. That is exactly the right way to think about it.

Non-engineer translation: a sandbox is not magic, but it is still the difference between “the agent messed up in a smaller room” and “the agent messed up in your whole house.”

Real config snippets: what the hardened settings actually look like

This is the part most guides skip. Here are actual OpenClaw configuration examples from the official docs that map directly to the checklist above. All settings go in ~/.openclaw/openclaw.json using JSON5 format.

{
  gateway: {
    auth: {
      token: "${OPENCLAW_GATEWAY_TOKEN}"
    },
    port: 18789
  }
}

{
  agents: {
    defaults: {
      sandbox: {
        mode: "non-main",    // off | non-main | all
        scope: "agent"       // session | agent | shared
      }
    }
  }
}

{
  channels: {
    telegram: {
      enabled: true,
      botToken: "123456:ABCDEF",
      dmPolicy: "pairing",
      allowFrom: ["tg:YOUR_USER_ID"],
      groups: {
        "*": { requireMention: true }
      }
    }
  }
}

{
  agents: {
    defaults: {
      skills: ["weather"]
    },
    list: [
      { id: "researcher" },                    // inherits defaults
      { id: "locked-down", skills: [] }         // no skills at all
    ]
  }
}

{
  models: {
    providers: {
      openai: { apiKey: "${OPENAI_API_KEY}" },
      anthropic: { apiKey: "${ANTHROPIC_API_KEY}" }
    }
  }
}

Before and after: risky defaults versus hardened config

Here is what the same setup looks like with weak defaults versus intentional security. This is the difference between “I installed it” and “I secured it.”

{
  gateway: {
    // no auth token set
    port: 18789
  },
  agents: {
    defaults: {
      sandbox: { mode: "off" }
    }
  },
  channels: {
    telegram: {
      dmPolicy: "open",
      allowFrom: ["*"]
    },
    whatsapp: {
      dmPolicy: "open",
      allowFrom: ["*"]
    }
  }
}

{
  gateway: {
    auth: {
      token: "${OPENCLAW_GATEWAY_TOKEN}"
    },
    port: 18789
  },
  agents: {
    defaults: {
      sandbox: {
        mode: "all",
        scope: "session"
      },
      skills: []
    }
  },
  channels: {
    telegram: {
      dmPolicy: "pairing",
      allowFrom: ["tg:YOUR_ID"],
      groups: {
        "*": { requireMention: true }
      }
    }
  }
}

Why the external warnings matter: Bitsight and Microsoft changed the conversation

The reason this topic has real search demand is that the risk story stopped being theoretical. Bitsight reported observing more than 30,000 exposed instances during one analysis window and called out attackers going after both prompt-level manipulation and direct gateway-level abuse. Microsoft’s security research framed self-hosted agent runtimes as a convergence of untrusted code, untrusted instructions, and durable credentials.

Those are not the same voice, and that is exactly why they matter together. The official docs tell you what to do. Bitsight shows what people get wrong in the wild. Microsoft explains why the trust boundary itself is unusual.

The minimum safe setup I would actually recommend

If a friend asked me how to evaluate OpenClaw this weekend without being careless, this is the setup I would suggest.

# On your VM or spare box — install OpenClaw
npm install -g openclaw@latest

# Run the onboarding wizard (installs the background daemon)
openclaw onboard --install-daemon

# Generate a strong token
export OPENCLAW_GATEWAY_TOKEN=$(openssl rand -hex 32)
echo "Save this token somewhere safe: $OPENCLAW_GATEWAY_TOKEN"

# Add to your shell profile so it persists
echo 'export OPENCLAW_GATEWAY_TOKEN="'$OPENCLAW_GATEWAY_TOKEN'"' >> ~/.bashrc

# Create a scoped API key (example: Anthropic)
# Go to console.anthropic.com → API Keys → Create Key
# Name it "openclaw-eval" and set usage limits

# Export it
export ANTHROPIC_API_KEY="sk-ant-your-new-key-here"

{
  agents: {
    defaults: {
      sandbox: { mode: "all", scope: "session" },
      skills: []
    }
  },
  channels: {
    telegram: {
      dmPolicy: "pairing",
      allowFrom: ["tg:YOUR_USER_ID"]
    }
  }
}

# Monitor gateway logs
openclaw gateway --verbose

# Run the built-in security audit
openclaw audit

That setup will not make OpenClaw perfectly safe, because there is no such thing. It will make you dramatically less likely to hand a powerful runtime the keys to your actual life before you understand how it behaves.

A useful video if you want to see the “secure setup” mindset in practice

For readers who want a visual walkthrough, this secure-setup video is a useful companion because it emphasizes isolation, least privilege, and firewall thinking instead of just speed-running the install.

External security resources worth bookmarking

This article is an operator-level overview. If you want to go deeper, these are the most useful external sources I have found, each covering a different angle of the risk.

Field notes: what most people still get wrong

After reading the official guidance and the surrounding security reporting, I think there are four mistakes that keep repeating.

If you want my blunt recommendation: treat OpenClaw like an experiment you earn the right to trust, not like a life operating system you wire into everything on day one.

Rate your setup: OpenClaw security score

Answer these 12 questions honestly. Your score tells you whether your current setup is ready for serious use or still in “tinkering with risk” territory.

One area that intersects directly with security is memory. MEMORY.md and daily notes accumulate everything the agent has been told to remember — including preferences, tool configs, account references, and anything you have explicitly asked it to retain. That file lives on disk in plain text, and if you are using a cloud embedding provider, its contents leave your machine to generate search indexes. Before configuring your memory backend, it is worth understanding exactly what gets written and where it goes. My guide on how OpenClaw memory actually works covers the privacy trade-offs and what a clean, minimal MEMORY.md setup looks like.

FAQs