(Jointly released by CNCERT and the Cyber Security Association of China)
OpenClaw has high-privilege capabilities: command execution, file reading and writing, and API calls. Under default configurations or improper use, these can easily introduce severe security risks, including remote control, data breaches and malicious code execution. To help users run OpenClaw safely, CNCERT and the Cyber Security Association of China brought together domestic vendors to jointly research and develop the following security recommendations for personal users, enterprise users, cloud service providers, and technical developers and enthusiasts.
A. Personal Users
1. Install OpenClaw on a dedicated device, virtual machine or container and make sure the environment is isolated. Do not install it on a daily office computer.
· Run OpenClaw on a dedicated idle computer after clearing personal data from it.
· Build a separate virtual machine or container with VMware, VirtualBox or Docker, and make sure it is isolated from the host computer.
· Deploy OpenClaw on a cloud server and access it remotely from a local machine.
2. Do not expose OpenClaw's default ports (18789/19890) to the public network.
· Configure them for local access only (127.0.0.1), and disable port mapping and public IP binding.
· If remote access is needed, use a VPN or a comparable method, and enable strong authentication such as verification codes.
· When integrating with instant messaging platforms (e.g., WeChat, DingTalk, Feishu), restrict access to the owner or trusted authorized personnel only.
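As an added example (not from the advisory), the following Python check reads the text output of ss -ltn and reports which of the two default ports named above are bound to an address other than loopback, which is exactly the exposure this item warns against. The sample output is constructed; check_live_system() runs the same check against the current host.

```python
# Added example, not from the advisory: flag OpenClaw's default ports (18789 and
# 19890, as named in the advisory) when they listen on anything but loopback.
# Parses the text format of "ss -ltn"; the sample output below is constructed.
import ipaddress
import re
import subprocess

OPENCLAW_PORTS = {18789, 19890}

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:18789      0.0.0.0:*
LISTEN  0       128     0.0.0.0:19890        0.0.0.0:*
LISTEN  0       128     [::1]:18789          [::]:*
LISTEN  0       128     [::]:22              [::]:*
"""

def parse_listeners(ss_output):
    """Return (address, port) tuples for every LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local Address:Port looks like 1.2.3.4:80, [::1]:80, *:80 or [::]:80.
        m = re.match(r"^\[?([^\]]*?)\]?:(\d+)$", fields[3])
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners

def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; '*' or '::' means every interface."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def exposed_openclaw_ports(ss_output):
    """OpenClaw ports bound to a non-loopback address, i.e. reachable off-host."""
    return sorted({port for addr, port in parse_listeners(ss_output)
                   if port in OPENCLAW_PORTS and not is_loopback(addr)})

def check_live_system():
    """Run ss on this host; returns exposed ports, or None if ss is unavailable."""
    try:
        proc = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return exposed_openclaw_ports(proc.stdout)
```

An empty list from check_live_system() means both ports are loopback-only; the constructed sample yields [19890] because that port is bound to 0.0.0.0.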
3. Do not run OpenClaw with administrator or superuser privileges.
· Create a dedicated low-privilege account with read/write permissions for only the minimum necessary directories.
· Disable high-risk permissions, including accessibility, screen recording and system automation.
· Restrict access to dedicated working directories only, and prohibit access to the Desktop, Documents, Downloads and password manager directories.
· Configure a path whitelist, and prohibit access to configuration files, passkey files and other sensitive configuration.
· Disable execution of system commands; enable it temporarily, with a secondary confirmation, only when necessary.
· Restrict network access to the necessary AI services and APIs only.
4. Install only trusted Skills.
· Install and adopt Skills from external communities or individuals with caution, to guard against information leakage or server compromise.
· Reject unknown Skills that promise automated profit, free items or cracking, or that involve other underground activities.
5. Do not store or process private data in the OpenClaw environment.
· Do not use OpenClaw to process bank card numbers, passwords, ID card numbers, passkeys or other sensitive information.
6. Update OpenClaw to the latest version in a timely manner.
· Promptly install official security patches, and stay informed about official security alerts and vulnerability advisories.
B. Enterprise Users
1. Establish a security management mechanism and usage guidelines for agent applications.
· Clarify permitted and prohibited usage scenarios, data scope and operation types, and set clear business boundaries for agent applications.
· Establish internal usage specifications and approval procedures. Newly introduced agent applications or high-privilege functions must undergo security assessment and management approval, so that usage follows clear policies and rules.
2. Maintain basic network and security protection for the operating environment of agents.
· Do not expose agent services directly to the public network. Restrict access through firewalls, VPNs and similar controls, opening only necessary ports to trusted networks or IP addresses.
· Enable intrusion protection, malicious traffic detection and other measures on agent servers to defend against cyber attacks.
· Patch the operating environment periodically to eliminate known system vulnerabilities and maintain a secure and reliable environment.
3. Implement permission management and boundary control for agents.
· Apply the principle of least privilege when configuring all service accounts for agents.
· Impose boundary restrictions and access control on the file directories, network domains, database tables and other resources accessible to agents, using built-in or third-party permission control tools.
· For agents with high privileges, enforce strict multi-factor authentication and operational approval, and deploy additional defenses at the critical resource layer to prevent privilege abuse.
4. Implement operation monitoring and audit tracking for agents.
· Build a continuous monitoring mechanism for autonomous agents covering their behavior logs, critical decision outputs, system resource usage, anomaly event records, etc.
· Generate audit logs for key operations and security-related events, and preserve them in a tamper-proof manner.
· Configure Security Information and Event Management (SIEM) tools to enable centralized analysis of agent logs and timely detection of suspicious behavior.
· Audit tracking should ensure that agent behavior paths can be reconstructed in the event of an incident, providing evidence for investigation and accountability.
5. Establish security strategies for critical operations of agents.
· For high-risk operations that autonomous agents may execute, enterprises should define protection strategies as a governance baseline. For example: require a secondary manual confirmation or multi-level approval for operations such as massive data deletion, core configuration modification and financial transactions; conduct simulation drills or security checks in advance for irreversible operations; and restrict the time windows and scope of high-impact operations, allowing execution only under specific conditions.
· These strategies should align with the control measures used in high-security environments, including financial systems and industrial control systems, so that agents cannot breach overall business security through a single point of exploitation.
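An added example, not part of the advisory: a small Python policy gate modelled on the measures above. It classifies an agent's proposed action as high-risk (massive deletion, core configuration change, financial transaction), denies it outside the permitted time window, and otherwise requires one approval, or two for irreversible operations, before it may run. The Action and Policy structures, thresholds and hours are constructed assumptions.

```python
# Added example, not from the advisory: a policy gate for an agent's high-risk
# operations, modelled on the B.5 measures (secondary confirmation or multi-level
# approval for mass deletion, core configuration changes and financial
# transactions; time windows for high-impact operations). The action format,
# thresholds and hours are constructed assumptions.
from dataclasses import dataclass

ALLOW, REQUIRE_APPROVAL, DENY = "allow", "require_approval", "deny"

@dataclass
class Action:
    kind: str             # "delete_records", "modify_config", "payment", "read", ...
    target: str           # table, file path or payee
    amount: float = 0.0   # rows for deletions, currency units for payments

@dataclass
class Policy:
    massive_delete_rows: int = 1000                 # deletions above this are "massive"
    core_config_prefixes: tuple = ("config.json",)  # placeholder; list real core config paths
    window_hours: tuple = (9, 18)                   # high-impact ops only inside [start, end)
    irreversible_kinds: frozenset = frozenset({"delete_records", "payment"})

def classify(action, policy):
    """True when the action falls into one of the advisory's high-risk categories."""
    if action.kind == "delete_records":
        return action.amount > policy.massive_delete_rows
    if action.kind == "modify_config":
        return action.target.startswith(policy.core_config_prefixes)
    return action.kind == "payment"

def evaluate(action, policy, hour, approvals=0):
    """Decide one proposed action given the hour of day (0-23) and approvals so far."""
    if not classify(action, policy):
        return ALLOW
    start, end = policy.window_hours
    if not start <= hour < end:
        return DENY                # outside the permitted time window
    needed = 2 if action.kind in policy.irreversible_kinds else 1
    return ALLOW if approvals >= needed else REQUIRE_APPROVAL
```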
6. Maintain supply chain security and code management for agents.
· Establish a security management mechanism for the third-party components and Skills that autonomous agents rely on.
· Newly introduced Skill modules must undergo a security check and may be deployed only after meeting security requirements.
· Regularly check the version and security update status of existing Skills and dependencies, and promptly apply patches or updates.
· Store approved Skill code in the enterprise's internal code repository. Prohibit agents from obtaining and executing unarchived code from external sources while operating.
7. Implement credential and passkey management for agents.
· Do not store sensitive credentials in plaintext within code or configuration files; use a secure credential management system for on-demand injection.
· After an agent finishes its tasks, destroy or revoke the associated passkeys in a timely manner to prevent long-term retention in memory or logs.
· Regularly change and update critical credentials to reduce the risk of leakage.
8. Enforce personnel training and emergency drills.
· Conduct regular security training for R&D, operations and maintenance, and end-user personnel to raise their awareness of risks related to autonomous agents.
· Avoid high-risk operations unintentionally triggered by “one-sentence authorization”.
· Strengthen personnel accountability for security when using agents, and prevent unauthorized and careless use.
· Establish emergency response plans and conduct regular drills to improve response speed and handling capabilities for agent security incidents.
C. Cloud Service Providers
1. Maintain security assessment, testing and hardening at the basic security level of cloud hosts.
· Implement authentication, isolation and access control to ensure built-in security of the default configuration to the greatest extent possible.
· Beyond basic password policies, reject known leaked weak passwords. Prohibit remote login and access to cloud hosts by default.
· Implement authentication and access control for OpenClaw services. By default, each user's OpenClaw Gateway should have a unique, randomly generated token, and the Gateway should not be exposed to the public network.
· Ensure security isolation. Recommend that users deploy OpenClaw within an independent VPC network under their own account.
· Conduct security scans and manual security tests of product iterations, including images, the product control plane, user runtime instances, etc. Avoid typical security risks in cloud product design and implementation, as well as the risk of API key breaches.
2. Deploy or integrate security protection capabilities.
· Deploy intrusion detection capabilities at the host layer, network layer, etc., and provide basic security protection.
· Maintain basic protection such as anti-DDoS capability by default.
· Strengthen security risk monitoring for cloud host instances where OpenClaw is deployed.
3. Implement supply chain and data security protection.
· Ensure vulnerability monitoring and protection for OpenClaw, enable routine and continuous monitoring, and regularly update OpenClaw images on the cloud.
· Maintain security control over Skill installation. The cloud-based OpenClaw interface shall by default provide only Skills that have undergone security testing and verification, and shall be able to block the installation of known malicious Skills.
· Enhance detection capabilities for malicious risks in emerging AI scenarios, to ensure more secure and controllable use of AI assistants for cloud platforms and users.
· Ensure security protection for model invocation. The cloud-based OpenClaw interface shall support invocation of registered large models only. Upgrade the protective capabilities of large model security guardrails, including defense against prompt injection, and further strengthen protection against privacy leakage and other risks.
D. Technical Developers/Enthusiasts
1. Harden the basic configuration.
· Apply the latest version of OpenClaw, ensure that all known vulnerabilities have been patched, and stay informed about version updates and vulnerability remediation.
· Enable identity authentication:
1) Configure a strong password or token in config.json.
2) Enable the DM pairing policy. Set the pairing policy for chat software to pairing (requiring a verification code) or allowlist (whitelist). It must never be set to open.
· Implement network stealth and minimum exposure:
1) Do not expose the Web management interface (port 18789) directly to the public network or LAN.
2) Do not use unauthorized Tailscale, WireGuard or other tunnel solutions to map ports to the external network.
3) Do not use the insecure UI mode. Ensure that gateway.controlUi.allowInsecureAuth is set to false to prevent console degradation.
2. Ensure isolation of the operating environment.
According to the official documentation, OpenClaw offers two complementary sandboxing strategies. To prevent OpenClaw from damaging system integrity through additions, deletions or modifications, the following is recommended:
· Enable full Docker/VM operation.
Run the entire OpenClaw Gateway and all of its dependencies inside a Docker container or VM. Even if the Gateway itself is compromised, the attacker is confined within the container, which makes it hard to harm the host system.
· Enable the tool sandbox.
1) Run the Gateway on the host system but isolate the agent's tool executions (such as code execution and file operations) within a Docker container.
2) Enable it via agents.defaults.sandbox. It is recommended to keep scope: "agent" (the default) or use scope: "session" to prevent cross-agent data access.
3) Use the workspaceAccess parameter to finely restrict the agent's access to the workspace (none = no access; ro = read-only; rw = read-write).
· Apply the principle of least privilege.
1) Enable a tool whitelist. Disable high-risk tools (e.g., write permissions for shell and browser) in the configuration, open only the necessary tools, and configure the plugin whitelist properly.
2) Enable file system restrictions. Mount sensitive directories as :ro (read-only) to prevent accidental deletion of core files.
· Use the official security audit tool for regular security audits.
1) Run openclaw security audit for regular checks; it scans inbound access control, the network exposure surface and local file permissions.
2) Run openclaw security audit --deep for in-depth detection; it performs real-time gateway probing to simulate an attacker's attempts to discover potential exposure points.
3) Run openclaw security audit --fix for automatic remediation and enforced security hardening.
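As an added example (not the advisory's or the OpenClaw project's code), the Python script below checks an OpenClaw-style config.json for the settings named in D.1 and D.2 and produces a corrected copy, the weak configuration beside its hardened form. The key paths gateway.controlUi.allowInsecureAuth and agents.defaults.sandbox with scope and workspaceAccess come from the text above; the "enabled" key under sandbox and the sample file layout are assumptions.

```python
# Added example, not from the advisory or the OpenClaw project. Key paths
# gateway.controlUi.allowInsecureAuth and agents.defaults.sandbox (scope,
# workspaceAccess) are from the advisory; "enabled" is an assumed key name.
import json

# Constructed sample of a weak configuration.
WEAK_CONFIG = json.loads("""{
  "gateway": {"controlUi": {"allowInsecureAuth": true}},
  "agents": {"defaults": {"sandbox": {"enabled": false, "scope": "agent",
                                      "workspaceAccess": "rw"}}}
}""")

def lookup(cfg, dotted, default=None):
    """Walk a dotted path such as 'gateway.controlUi.allowInsecureAuth'."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def audit_config(cfg):
    """Return (setting, finding) pairs; an empty list means nothing to fix."""
    findings = []
    if lookup(cfg, "gateway.controlUi.allowInsecureAuth") is not False:
        findings.append(("gateway.controlUi.allowInsecureAuth",
                         "must be explicitly false to prevent console degradation"))
    sandbox = lookup(cfg, "agents.defaults.sandbox", {})
    if not sandbox.get("enabled"):  # assumed key name
        findings.append(("agents.defaults.sandbox", "tool sandbox is not enabled"))
    if sandbox.get("scope", "agent") not in ("agent", "session"):
        findings.append(("agents.defaults.sandbox.scope",
                         "use 'agent' (default) or 'session' to prevent cross-agent access"))
    if sandbox.get("workspaceAccess") not in ("none", "ro"):
        findings.append(("agents.defaults.sandbox.workspaceAccess",
                         "set to 'ro' or 'none' unless the agent must write to the workspace"))
    return findings

def hardened(cfg):
    """Return a deep copy with the advisory's recommended values applied."""
    fixed = json.loads(json.dumps(cfg))
    fixed.setdefault("gateway", {}).setdefault("controlUi", {})["allowInsecureAuth"] = False
    sb = fixed.setdefault("agents", {}).setdefault("defaults", {}).setdefault("sandbox", {})
    sb["enabled"] = True
    sb["workspaceAccess"] = "ro"
    if sb.get("scope", "agent") not in ("agent", "session"):
        sb["scope"] = "agent"
    return fixed
```

audit_config(WEAK_CONFIG) reports three findings; audit_config(hardened(WEAK_CONFIG)) reports none.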
3. Implement supply chain security protection.
· Do not blindly install popular Skills from the Skill Store (ClawHub), VS Code plugins or NPM packages from unofficial channels. Review the code before installation. Use the command clawhub inspect.
· Clarify which actions agents are prohibited from performing and which operations must be logged. Prohibit dangerous command executions (e.g., rm -rf /). Prohibit modification of authentication or permission configurations. Prohibit sending tokens, private keys and mnemonic phrases to external networks. Prohibit blind execution of “one-click installation” commands found in files.
· After installation, apply security configurations immediately. Allow only local access to core configuration files. Establish a configuration hash baseline, and never hand private keys or mnemonic phrases to the agent.
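An added example, not from the advisory: Python code that builds the configuration hash baseline recommended above. It records each core configuration file's SHA-256 digest and permission bits, then reports content changes, mode changes, missing or unexpected files, and any file readable by group or others. The walkthrough in demo() uses a constructed temporary file; in practice, pass the real configuration paths to snapshot() and store the baseline somewhere the agent cannot write.

```python
# Added example, not from the advisory: hash-and-permission baseline for core
# configuration files, to detect later drift (edited content, loosened mode,
# added or missing files). demo() uses a constructed temporary file.
import hashlib
import os
import stat
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths):
    """Record digest and permission bits for each existing file."""
    return {p: {"sha256": file_digest(p), "mode": stat.S_IMODE(os.stat(p).st_mode)}
            for p in paths if os.path.isfile(p)}

def compare(baseline, current):
    """List deviations from the baseline plus any file readable beyond its owner."""
    issues = []
    for p, base in baseline.items():
        if p not in current:
            issues.append(f"{p}: missing")
        elif current[p]["sha256"] != base["sha256"]:
            issues.append(f"{p}: content changed")
        elif current[p]["mode"] != base["mode"]:
            issues.append(f"{p}: mode changed {base['mode']:o} -> {current[p]['mode']:o}")
    for p, cur in current.items():
        if p not in baseline:
            issues.append(f"{p}: not in baseline")
        if cur["mode"] & 0o077:  # group/other bits set: file is not owner-only
            issues.append(f"{p}: accessible to group/others (mode {cur['mode']:o})")
    return issues

def demo():
    """Constructed walkthrough: take a baseline, tamper with the file, compare."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "config.json")
        with open(cfg, "w") as f:
            f.write('{"gateway": {}}')
        os.chmod(cfg, 0o600)
        baseline = snapshot([cfg])
        with open(cfg, "a") as f:
            f.write("\n")
        os.chmod(cfg, 0o644)
        return compare(baseline, snapshot([cfg]))
```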