- Rotate the default gateway token immediately — it is publicly documented and offers zero protection
- Never expose the gateway port directly to the internet; run behind Nginx or Caddy with TLS and IP allowlisting
- Use skill allowlists in every agent config to limit blast radius if a prompt injection succeeds
- Ship logs to a centralized system and alert on authentication failures and skill execution spikes
- Run the web UI behind VPN or internal-only access — it exposes full agent configuration and memory
Forty percent of self-hosted AI agent deployments never change the default credentials. That figure comes from community audit data shared in the OpenClaw Discord in early 2025, and it tracks with what we see when teams ask for incident help. The attack surface of a misconfigured OpenClaw instance is significant — a bad actor with gateway access can read conversation history, inject messages, modify shared memory, and trigger any registered skill. The fix takes twenty minutes. Here's exactly what to do.
Why Security Matters More for Agent Systems
Traditional web apps have well-understood security models. Agent systems are different. An OpenClaw agent isn't just serving data — it's executing actions. A compromised agent can send emails, call external APIs, modify files, and trigger downstream automations. The scope of what an attacker can do via a single gateway token is much larger than, say, read access to a database.
Sound familiar? This is why the security checklist for an OpenClaw deployment looks more like a DevOps security review than a standard app hardening guide.
The good news: every major attack vector has a straightforward mitigation. None of these require specialized security knowledge. They require discipline and a checklist — which is exactly what follows.
Gateway Token Security
The gateway token is the master credential for your OpenClaw deployment. It authenticates agent connections, API calls, and in many setups, the web UI. If it leaks, everything is compromised.
Step 1: Generate a Strong Token
Generate a cryptographically random token at minimum 32 bytes long. The easiest approach:
# Generate a 48-character random token
openssl rand -hex 24Never use dictionary words, your organization name, dates, or anything a human would choose. The token needs to be random enough that brute force is not feasible.
Step 2: Set the Token via Environment Variable
Do not write the token directly into gateway.yaml. Use an environment variable reference:
# gateway.yaml
gateway:
token: "${OPENCLAW_GATEWAY_TOKEN}"
port: 8080Set OPENCLAW_GATEWAY_TOKEN in your deployment environment — via systemd unit file, Docker secrets, or your infrastructure's secret manager. This keeps the token out of source control and configuration files that might be committed.
Search your repository history for the string "token" before pushing. If a token was ever committed, it is compromised regardless of whether you rotated it in the current config. Rotate and treat the old token as fully exposed.
Step 3: Rotate on Schedule
Rotate the gateway token every 90 days and immediately whenever a team member with access departs. Rotation is a two-step process: update the secret in your environment, restart the gateway service. Total downtime is under 30 seconds.
Network Exposure and Reverse Proxy Configuration
The OpenClaw gateway should never be directly accessible from the public internet. Place it behind a reverse proxy that handles TLS, rate limiting, and access control.
Nginx Configuration Example
server {
listen 443 ssl;
server_name agents.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/agents.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/agents.yourdomain.com/privkey.pem;
# Restrict to known IP ranges if possible
allow 203.0.113.0/24;
deny all;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Rate limiting
limit_req zone=openclaw burst=20 nodelay;
}
}Add the limit_req_zone definition in your main Nginx config: limit_req_zone $binary_remote_addr zone=openclaw:10m rate=10r/s;
If you want zero-config TLS, Caddy automatically provisions and renews Let's Encrypt certificates. A basic Caddyfile takes ten lines and handles everything Nginx requires twenty lines to configure. For teams without dedicated ops, Caddy reduces misconfiguration risk significantly.
Skill Allowlisting
By default, an OpenClaw agent can execute any installed skill. That default is convenient for development and dangerous in production.
Set an explicit allowed_skills list in every agent's config file:
# agents/researcher.yaml
agent:
name: researcher
allowed_skills:
- web_search
- summarize
- send_slack_message
# NOT listed: file_write, shell_exec, send_emailHere's where most people stop. They set the allowlist but leave it too broad. An agent that needs web search does not need send_email. The principle of least privilege applies to skills exactly as it applies to database permissions.
If a prompt injection attack succeeds against a well-allowlisted agent, the damage is bounded by what that agent is permitted to do. That's the entire point.
Logging, Monitoring, and Alerting
Security without visibility is just hope. You need logs you actually look at and alerts for the patterns that matter.
What to Log
The OpenClaw gateway logs authentication events, message processing, and skill executions by default. Make sure these logs are being collected. At minimum, ship them to a centralized log aggregator — Elasticsearch, Loki, or even a simple S3 bucket with log rotation.
Alerts That Matter
Set alerts for these specific patterns — they are the early warning signals of active attacks:
- More than 5 consecutive 401 errors from a single IP — credential stuffing or token brute force attempt
- Skill execution volume spike — more than 3x baseline in a 10-minute window — possible runaway automation or injected task loop
- Unknown channel ID in API requests — may indicate an attacker probing for channel names
- Outbound requests to unexpected domains from skill execution — data exfiltration attempt via compromised skill
You don't need a SIEM to implement this. Most log aggregators support alert rules. The patterns above are simple enough to implement in a 15-minute alerting session.
Common Security Mistakes in OpenClaw Deployments
- Default gateway token in production — the single most common and most dangerous mistake. This is found by automated scanners within hours of a public deployment.
- Web UI accessible publicly — the web UI shows full configuration, memory, and conversation history. Even with a password, it widens the attack surface unnecessarily.
- Skills with excessive filesystem or shell access — skills that can write files or execute shell commands are the highest-risk category. If you need them, scope them tightly.
- No token rotation policy — a gateway token that has never been rotated is a liability. Every engineer who ever had access to it still has access to it.
- Shared tokens across environments — using the same gateway token for development, staging, and production means a compromise in any environment compromises all of them.
- Skipping TLS for internal deployments — traffic between your application and the gateway may cross shared infrastructure. TLS protects against eavesdropping even on "internal" networks.
Frequently Asked Questions
What is the most critical OpenClaw security setting to configure?
Rotating the default gateway token is the single most critical step. The default token is public knowledge. Any deployment running with it is fully exposed. Change it before the gateway touches the internet, then treat that secret with the same care as a root database password.
Should I run OpenClaw behind a reverse proxy?
Running behind a reverse proxy like Nginx or Caddy is strongly recommended for any production deployment. The proxy handles TLS termination, rate limiting, and IP allowlisting before requests ever reach OpenClaw. Direct public exposure of the gateway port is a significant attack surface.
How do I restrict which skills an OpenClaw agent can execute?
Use the skills allowlist in your agent config file. Set allowed_skills to an explicit list of skill names rather than a wildcard. This prevents a compromised skill or malicious prompt from triggering skills outside the intended scope of the agent.
What should I do with OpenClaw API logs for security monitoring?
Ship gateway and agent logs to a centralized logging system and set alerts for repeated 401 errors, unusual message volumes, and skill execution spikes. These patterns are the earliest signal of an active attack or compromised credential.
Is it safe to expose the OpenClaw web UI to the public internet?
No. The web UI should only be accessible on an internal network or via VPN. It gives direct access to agent configuration, shared memory, and conversation history. Even with authentication enabled, exposing it publicly creates unnecessary risk.
How often should I rotate OpenClaw gateway tokens?
Rotate gateway tokens every 90 days at minimum, and immediately after any team member with access leaves. Rotation takes under two minutes — update gateway.yaml and restart the service. The short disruption is worth eliminating the risk of stale credential exposure.
A. Larsen has hardened OpenClaw deployments for teams across fintech, healthcare, and SaaS. Has conducted security reviews of over 30 OpenClaw production environments and built the community security checklist referenced across the official Discord.