
Safe is a configuration, not a feeling
Our security briefing covered what goes wrong with OpenClaw deployments: exposed gateways, stolen credentials, malicious skills, prompt injection. This article is the other half, a practical picture of what a safe deployment actually looks like.
Everything below maps to the official security guidance at docs.openclaw.ai and to hardening guides published by major security vendors through 2026. None of it is exotic. All of it takes discipline, and in documented incidents, skipping any single layer has been enough to hand an attacker the keys.
Start with the network
The single most important rule: your gateway should never be reachable from the public internet.
- Keep the gateway bound to loopback, the current documented default (gateway.bind set to "loopback"). Never bind to 0.0.0.0, which is how roughly 135,000 instances reportedly ended up exposed.
- For remote access, use a private overlay network such as Tailscale rather than opening a public port or trusting your office LAN.
- Enable token authentication (gateway.auth.mode set to "token") with a long random secret, and rotate it at any hint of trouble.
If you do only this section, you have already avoided the largest documented category of OpenClaw incidents.
Control who can talk to it, and what it can do
Prompt injection means every inbound message is potentially a hostile instruction. Two settings blunt the easiest attacks: keep DM pairing on (dmPolicy set to "pairing") so strangers cannot message your agent, and require an @-mention in group chats (requireMention set to true) so it does not react to everything it sees.
Then constrain what the agent can do even on the day it gets fooled:
- Set shell execution to deny by default with explicit human approval (exec.security set to "deny", ask set to "always") instead of the full-access operator mode.
- Deny high-risk tool groups, such as automation, runtime, and filesystem, unless a workflow genuinely needs them.
- Run non-main sessions in sandboxes, using Docker or SSH backends, and isolate anything that touches untrusted input or public traffic.
Approval prompts feel like friction until the day the agent asks to run a command you never requested. That prompt is the whole defense working as intended.
Credentials and skills: the two soft targets
Attackers who compromise an OpenClaw install go straight for keys and configs, so make those boring to steal:
- Use scoped, single-purpose API keys with spend caps, never a master account key.
- Keep secrets in a protected store or environment variables, lock the OpenClaw home directory down to permissions 700, and keep provider credentials out of workspace .env files.
- Rotate keys on a schedule, not only after incidents.
For skills and plugins, the ClawHavoc supply-chain campaign settled the argument: treat the marketplace as untrusted by default. Install only skills you have vetted, read the SKILL.md before enabling anything, pin versions, watch for typosquats, and load plugins from an explicit allowlist. Use a current flagship model too; the official guidance is blunt that older and smaller models resist prompt injection markedly worse.
Monitor, patch, and have a plan
Hardening is not a weekend project that ends. Three habits keep a deployment safe over time:
- Review session transcripts regularly. The agent's own logs are where over-autonomous behavior shows up first.
- Patch on a cadence. With well over a hundred CVEs disclosed by spring 2026 and new releases shipping frequently, install-and-forget is the riskiest posture available.
- Write down your incident plan before you need it: set the gateway to loopback, rotate the auth token, disable risky channels, and audit recent sessions.
Now read back through this list and count the moving parts: network isolation, token auth, pairing policies, exec approvals, sandboxes, key management, skill vetting, transcript review, patch tracking. This is real systems administration, and it is exactly the work most small teams underestimate. Plenty of Mauritian businesses will run this themselves, and this checklist is a solid start. For teams who would rather delegate, a hardened and maintained setup from Nexus (nexus.mu) delivers the same posture without the learning curve. Either way, the order matters: configure first, connect your real data second.
Powerful agents deserve professional setup, not blind cloning. Explore the wider Nexus health ecosystem.



