OpenClaw Install

OpenClaw Security Best Practices

Running an AI agent with access to your tools and data requires thoughtful security practices. Here are the essential measures for a secure OpenClaw deployment.

Server hardening:
- Create a dedicated non-root user for OpenClaw
- Use SSH key authentication, disable password login
- Keep the OS and Node.js updated
- Enable a firewall (ufw) — allow only SSH and Gateway port
- Use Nginx/Caddy with HTTPS for any exposed endpoints

OpenClaw-specific:
- Set a strong Gateway token (auto-generated during onboarding)
- Restrict skill permissions — don't install skills you don't need
- Review skill source code before installing (especially community skills)
- Enable skill sandboxing (limits filesystem and network access per skill)
- Set token budgets to prevent runaway API costs

API key management:
- Store keys in environment variables, not config files in repos
- Use provider spending limits as a safety net
- Rotate keys monthly for production deployments
- Use separate keys for dev and production

Network:
- Never expose the Dashboard directly — use SSH tunnel or VPN
- Use Cloudflare Tunnel for public access with authentication
- Enable rate limiting on the Gateway

Monitoring:
- Review Gateway logs regularly for unusual activity
- Set up alerts for failed authentication attempts
- Monitor token usage for unexpected spikes

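```bash
# Create a dedicated user with no password set (no password login for this account)
sudo adduser --disabled-password openclaw

# Set up firewall: deny inbound by default, allow only SSH and the Gateway port
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow 18789
sudo ufw enable
```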
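
The SSH and firewall items in the checklist can be verified after setup. The following is an added example, not part of the original page and not OpenClaw code: it reads `sshd -T` and `ufw status` output and reports settings that contradict the checklist. The function names and sample input are constructed for illustration; port 18789 is taken from the `ufw` command above.

```shell
#!/usr/bin/env bash
# Added example, not OpenClaw code. Function names are hypothetical.
# 18789 is the port opened by the ufw command on this page.
GATEWAY_PORT="${GATEWAY_PORT:-18789}"

# Reads `sshd -T` output on stdin, prints one FAIL line per weak setting.
# Returns 1 on any finding, including a missing passwordauthentication line.
audit_sshd() {
  awk '
    $1 == "passwordauthentication" { seen = 1; if ($2 != "no") { print "FAIL password login enabled"; bad = 1 } }
    $1 == "kbdinteractiveauthentication" && $2 != "no" { print "FAIL keyboard-interactive login enabled"; bad = 1 }
    $1 == "pubkeyauthentication" && $2 != "yes" { print "FAIL key authentication disabled"; bad = 1 }
    END {
      if (!seen) { print "FAIL passwordauthentication not reported"; bad = 1 }
      exit bad + 0
    }'
}

# Reads `ufw status` output on stdin. Flags an inactive firewall and any
# ALLOW/LIMIT rule for something other than SSH or the Gateway port.
audit_ufw() {
  awk -v gw="$GATEWAY_PORT" '
    /^Status:/ { active = ($2 == "active") }
    { action = ($2 == "(v6)") ? $3 : $2 }
    action == "ALLOW" || action == "LIMIT" {
      port = $1; sub(/\/(tcp|udp)$/, "", port)
      if (port != "22" && port != "OpenSSH" && port != gw) { print "FAIL unexpected rule: " $1; bad = 1 }
    }
    END {
      if (!active) { print "FAIL firewall not active"; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample input, for illustration only.
SAMPLE_SSHD='passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
18789                      ALLOW       Anywhere
3000/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_SSHD" | audit_sshd || true
printf '%s\n' "$SAMPLE_UFW" | audit_ufw || true
```

On a real host, feed the functions live output: `sudo sshd -T | audit_sshd` and `sudo ufw status | audit_ufw`.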
