OpenClaw is a local-first platform for AI agents. Its core security capabilities include authentication and authorization, fine-grained tool permissions, sandbox isolation, and audit tracing. Together, they address the risks of overreach, data leakage, and loss of control during autonomous agent execution. Keywords: OpenClaw, security configuration, permission management.
The technical specification snapshot provides a quick overview
| Parameter | Description |
|---|---|
| Primary languages | JSON5 for configuration, Bash for CLI commands |
| Core protocols | Gateway Token, API Key, OAuth 2.0 |
| Star count | Not provided in the source material |
| Core dependencies | Docker sandbox, OpenClaw CLI, TLA+/TLC |
| Key capabilities | Tool allow/deny, execution approval, privilege escalation allowlist, log redaction |
OpenClaw’s security model must start with default deny
The real risk of an AI agent is not whether it can act, but whether it can act incorrectly. OpenClaw breaks that risk into four layers: authentication, authorization, isolation, and auditing. It constrains each layer with the principle of least privilege.
Unlike traditional applications, agents can interpret natural language, call tools, read and write files, and access the network. If boundaries are unclear, prompt injection, supply chain contamination, sensitive data exposure, and host command abuse become much more likely.
Security risks can be reduced through configuration
- Authentication failure: unauthorized access to the Gateway
- Privilege overreach: an overly broad toolset
- Data leakage: excessive workspace or network access
- Missing audit trail: execution paths cannot be traced
{
gateway: {
host: "127.0.0.1", // Bind only to the local loopback interface to block direct external access
port: 18789,
auth: {
token: "${OPENCLAW_GATEWAY_TOKEN}" // Store sensitive credentials in environment variables
}
}
}This configuration protects the entry point first and minimizes the Gateway’s exposed surface area.
Authentication and authorization must be layered rather than mixed
Gateway Token controls access to the gateway, API Key identifies the model provider, and OAuth fits scenarios that require user consent or enterprise SSO. These three mechanisms serve different purposes and should not replace one another.
The recommended order is: environment variables first, then .env, and only then an authentication profile file. This approach avoids hardcoded secrets and works well with daemons and multi-environment deployments.
API keys and authentication profiles should support multiple profiles
export OPENCLAW_GATEWAY_TOKEN="change-me"
export ANTHROPIC_API_KEY="sk-ant-xxx"
# Validate gateway and model authentication status
openclaw doctor
openclaw models statusThese commands inject only the minimum required credentials and quickly verify the current authentication state.
{
"profiles": {
"anthropic:default": {
"provider": "anthropic",
"mode": "api_key"
},
"anthropic:work": {
"provider": "anthropic",
"mode": "oauth",
"email": "[email protected]"
}
}
}This authentication profile defines multiple identities under the same provider, making it easier to separate personal and enterprise usage.
Tool permission control defines the agent’s real capability boundary
The core of OpenClaw is not how many tools you expose, but whether you expose only the tools required for the current task. deny takes precedence over allow, which makes policy enforcement better suited for production-grade hard restrictions.
If you want an agent to only review materials, removing write is not enough. You should also explicitly block high-risk capabilities such as exec, process, browser, and nodes to prevent indirect escape paths.
Multi-agent isolation is safer than giving one agent broad privileges
{
tools: {
allow: ["read", "write", "exec", "browser"],
deny: ["nodes", "cron"] // Directly block high-risk tools
},
agents: {
list: [
{
id: "family",
sandbox: { mode: "all", scope: "agent", workspaceAccess: "ro" },
tools: { allow: ["read"], deny: ["write", "exec", "browser"] }
},
{
id: "public",
sandbox: { mode: "all", scope: "agent", workspaceAccess: "none" },
tools: { allow: ["sessions_list"], deny: ["read", "write", "exec"] }
}
]
}
}This configuration uses different tool matrices and workspace permissions for different agents, creating capability partitioning instead of using one key for every door.
Sandbox and network policies must narrow data egress together
File permissions and network permissions are the two most common paths for data exfiltration. OpenClaw separates and controls these risks through workspaceAccess, bind mounts, and Docker network modes.
For high-security scenarios, use workspaceAccess: "none" and network: "none" by default. Switch to ro only when the agent truly needs to read code, and switch to bridge only when network access is required. Do not use host by default.
A secure sandbox should prefer a read-only root filesystem
{
agents: {
defaults: {
sandbox: {
mode: "all",
scope: "session",
workspaceAccess: "none", // Deny filesystem access by default
docker: {
network: "none", // Disable networking by default to block outbound connections
readOnlyRoot: true,
securityOpt: ["no-new-privileges"],
capDrop: ["ALL"]
}
}
}
}
}This configuration tightens sessions, filesystem access, networking, and kernel capabilities at the same time, making it a strong production baseline.
Execution approval and privilege escalation are the final gate for high-risk actions
When an agent needs to execute commands on the host, the approval mechanism becomes a critical line of defense. A best practice is to set tools.exec.security to allowlist or deny, then use askFallback: "deny" so the system still fails safely if the UI is unavailable.
Privilege escalation mode should not be available to all message sources. A sender should receive elevated permissions only if it matches both the global allowlist and the agent-level allowlist.
Approval policy should rely on allowlists instead of human memory
{
tools: {
exec: {
host: "sandbox",
security: "allowlist", // Allow only commands in the allowlist
ask: "on-miss",
askFallback: "deny"
},
elevated: {
enabled: true,
allowFrom: {
discord: ["1234567890"],
telegram: ["tg:123456789"]
}
}
}
}This configuration turns both host execution and privilege escalation into explicit authorization events and avoids implicit trust.
Log redaction and formal verification improve observability and trust
If logs are not redacted, the security system itself can become a source of leakage. OpenClaw supports pattern-based replacement for tokens, API keys, passwords, and similar fields, which makes it suitable for a centralized logging strategy.
OpenClaw also introduces TLA+/TLC for formal verification. Compared with testing alone, this approach is better at finding edge cases, race conditions, and policy-combination flaws.
Validation and auditing should be part of routine inspection workflows
# Validate and interpret configuration
openclaw doctor
openclaw config get
openclaw sandbox explain
# Audit security logs and approval events
openclaw logs --grep "approval|elevated|denied"
cat ~/.openclaw/exec-approvals.json | jq '.agents.main.allowlist'These commands help verify configuration validity, explain the current sandbox state, and trace key security events.
A production baseline should begin with strict constraints and relax only as needed
At the beginning of deployment, start with the strictest template possible: full-session sandboxing, no network access, no workspace access, privilege escalation disabled, and read-only tools only. After you confirm real business requirements, selectively enable read/write access, networking, or approval-based execution.
You should also enforce file permission controls. For example, set ~/.openclaw/.env, openclaw.json, and exec-approvals.json to 600, and set the credential directory to 700 to prevent unintended local access.
FAQ provides structured answers to common security questions
1. What is the single most important first security setting for OpenClaw in production?
Bind the Gateway to 127.0.0.1 first and enable OPENCLAW_GATEWAY_TOKEN. That is the fastest and most effective way to reduce the attack surface.
2. Why is a deny policy more reliable than maintaining only an allow list?
Because high-risk tools continue to expand over time, deny acts as a hard gate that prevents accidental exposure, especially for capabilities such as nodes, cron, and exec.
3. How can I verify that the current agent is actually running inside a secure sandbox?
Run openclaw sandbox explain directly. It shows the mode, scope, workspace access, tool policy, and privilege escalation state, making it the first place to look for troubleshooting and auditing.
Core summary captures the production hardening approach
This article systematically reconstructs OpenClaw’s security architecture. It covers Gateway Token, API Key, OAuth, tool permissions, file and network isolation, execution approval, privilege escalation allowlists, log redaction, and formal verification to help developers deploy production-grade AI agents under the principle of least privilege.