OpenClaw is one of the fastest-growing open-source projects ever - 200,000+ GitHub stars in under three months. But that growth came with a serious security cost.

Here’s the timeline:

SecurityScorecard’s STRIKE team found 135,000+ OpenClaw instances exposed on the public internet with default configs. Over 15,000 were specifically vulnerable to remote code execution. The Hacker News covered the “ClawJacked” attack where malicious sites hijacked local OpenClaw agents via WebSocket.

If you’re self-hosting OpenClaw, security isn’t optional. You need to be running version 2026.2.25 or later at minimum, and here’s every hardening measure on top of that.

Why OpenClaw is a High-Value Target

OpenClaw isn’t a simple web app. It’s an autonomous AI agent with:

A compromised OpenClaw instance gives an attacker a fully equipped foothold on your server, plus access to your messaging accounts and API keys. That’s why the default “just run docker-compose up” approach from most tutorials is dangerous.

The 8 Hardening Steps

1. Bind the Gateway to Localhost

By default, OpenClaw’s gateway listens on 0.0.0.0:3000 - every network interface. This means anyone who can reach your server’s IP on port 3000 has direct access to the OpenClaw admin interface.

Fix: Set the gateway to bind to 127.0.0.1 only, then use a reverse proxy (nginx or Caddy) to handle external access with authentication.

# config.yaml
gateway:
  host: 127.0.0.1
  port: 3000

If you’re using Docker Compose, map the port to localhost only:

ports:
  - "127.0.0.1:3000:3000"

What most guides miss: Nearly every “deploy OpenClaw” tutorial maps the port as 3000:3000 (all interfaces). That single line is the #1 reason 135,000+ instances are exposed.
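A quick way to catch that one line before deployment is to audit the `ports` entries of a Compose file. The following check is an added example for this guide, not part of OpenClaw or Docker's tooling; it parses the Compose short port syntax `[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]` and flags every entry that Docker would publish on all interfaces (no host IP, `0.0.0.0`, or `[::]`). The sample port lists at the bottom are constructed.

```python
"""Flag docker-compose port mappings that expose a service on every interface.

Added check for step 1 of this guide; not OpenClaw or Docker code.
"""
import ipaddress
import re

# Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]
_PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[0-9a-fA-F:.]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"  # optional host IP
    r"(?:(?P<host>\d*(?:-\d+)?):)?"                                 # optional host port or range
    r"(?P<container>\d+(?:-\d+)?)"                                  # container port or range
    r"(?:/(?P<proto>tcp|udp))?$"
)


def parse_port_mapping(entry) -> dict:
    """Split one Compose 'ports' entry into its parts (ints from YAML are accepted too)."""
    m = _PORT_RE.match(str(entry).strip())
    if not m:
        raise ValueError(f"unrecognised port mapping: {entry!r}")
    ip = m.group("ip")
    host = m.group("host")
    return {
        "host_ip": ip.strip("[]") if ip else None,
        # No host port given -> same as container port; empty host port -> Docker picks one
        "host_port": m.group("container") if host is None else (host or None),
        "container_port": m.group("container"),
        "proto": m.group("proto") or "tcp",
    }


def binds_all_interfaces(entry) -> bool:
    """True when Docker would publish this port on 0.0.0.0 (and :: on dual-stack hosts)."""
    ip = parse_port_mapping(entry)["host_ip"]
    if ip is None:
        return True  # "3000:3000" or "3000": no host IP, so every interface
    return ipaddress.ip_address(ip).is_unspecified  # 0.0.0.0 or ::


def exposed_ports(ports) -> list:
    """Return the entries of a service's 'ports' list that bind every interface."""
    return [p for p in ports if binds_all_interfaces(p)]


if __name__ == "__main__":
    # Constructed port lists: the typical tutorial mapping and the hardened one from step 1.
    for name, ports in (("tutorial", ["3000:3000"]), ("hardened", ["127.0.0.1:3000:3000"])):
        bad = exposed_ports(ports)
        print(f"{name}: {'EXPOSED ' + ', '.join(bad) if bad else 'localhost only'}")
```

Run it against the `ports` list of each service before `docker compose up`; a non-empty result from `exposed_ports` is the mapping that turns a localhost-only gateway into an internet-facing one, and in a CI pipeline that is the condition to fail on.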

2. Enable Sandbox Mode

Sandbox mode restricts OpenClaw’s file system access to a specific directory. Without it, OpenClaw (and any prompt injection attack) can read /etc/passwd, your SSH keys, other application configs - anything the process user can access.

# config.yaml
sandbox:
  enabled: true
  root: /opt/openclaw/data
  allowed_paths:
    - /opt/openclaw/data
    - /tmp/openclaw

What this prevents: CVE-2026-26329 (path traversal in browser upload) and prompt injection attacks (CVE-2026-25475) that try to read files outside the data directory. Sandbox mode contains the blast radius.

3. Configure Tool Deny Lists

OpenClaw’s shell execution capability is powerful - and dangerous. By default, it can run any command the process user has access to, including rm -rf, curl to exfiltrate data, or wget to download malware.

# config.yaml
tools:
  shell:
    deny_commands:
      - rm
      - dd
      - mkfs
      - wget
      - curl
      - nc
      - ncat
      - ssh
      - scp
      - rsync
    deny_patterns:
      - "rm -rf"
      - "chmod 777"
      - "> /dev/"

Tailor this to your use case. If you need OpenClaw to fetch web pages, keep curl allowed but block wget and nc. The deny list is a safety net, not a complete defense - but it stops the low-hanging attacks.
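To see what such a deny list does and does not stop, here is an added evaluator for the step 3 configuration. It is illustrative code for this guide, not OpenClaw's own matcher, and it assumes a simple policy: a command line is denied if the command word of any simple command in it (after `;`, `|`, `&&`, `||`, with any directory prefix stripped) is in `deny_commands`, or if the raw line contains a `deny_patterns` entry as a substring. The deny list is a copy of the config block above.

```python
"""Evaluate a shell command line against a deny_commands / deny_patterns list.

Added example for step 3 of this guide; not OpenClaw's implementation.
Assumption: deny_commands matches the command word of each simple command,
deny_patterns are plain substrings of the whole line.
"""
import os
import shlex

# Copied from the step 3 config.yaml block.
DENY_COMMANDS = {"rm", "dd", "mkfs", "wget", "curl", "nc", "ncat", "ssh", "scp", "rsync"}
DENY_PATTERNS = ["rm -rf", "chmod 777", "> /dev/"]

# Tokens after which a new simple command begins.
SHELL_SEPARATORS = {"|", "||", "&&", ";", "&"}


def command_words(cmdline: str) -> list:
    """Return the command word of every simple command in a pipeline or list.

    shlex with punctuation_chars keeps |, &, ; as their own tokens, so
    'echo hi; rm /tmp/x' yields ['echo', 'rm'] rather than just ['echo'].
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    words, expect_command = [], True
    for tok in lexer:
        if tok in SHELL_SEPARATORS:
            expect_command = True
        elif expect_command:
            words.append(os.path.basename(tok))  # /bin/rm and rm are the same program
            expect_command = False
    return words


def is_denied(cmdline: str) -> tuple:
    """(denied, reason) for one command line under the deny list above."""
    for word in command_words(cmdline):
        if word in DENY_COMMANDS:
            return True, f"command '{word}' is in deny_commands"
    for pattern in DENY_PATTERNS:
        if pattern in cmdline:
            return True, f"matches deny_pattern '{pattern}'"
    return False, "allowed"


if __name__ == "__main__":
    # Constructed sample command lines an agent might try to run.
    for line in ("ls -la /opt/openclaw/data", "rm -rf /tmp/x", "/bin/rm notes.txt",
                 "cat app.log | grep ERROR", "echo hi; rm /tmp/x", "echo test > /dev/sda"):
        print(f"{line!r:40} -> {is_denied(line)}")
```

Two design points worth copying into whatever policy you write: match on the basename of the command word so an absolute path does not change the answer, and tokenise on shell separators so a denied program later in a pipeline is still seen. Note also what this cannot see: `deny_commands` only inspects command words, so a denied program reached through another program is not matched, and `deny_patterns` is literal substring matching (`rm -rf` does not match `rm -fr`). That is the gap the page acknowledges when it calls the deny list a safety net, and it is why step 4's systemd isolation sits behind it.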

4. Set Up systemd Service Isolation

If you’re running OpenClaw directly on the host (not Docker), systemd provides kernel-level isolation that limits what the process can do even if it’s compromised.

[Service]
# Prevent privilege escalation
NoNewPrivileges=true

# Read-only filesystem except for data directory
ProtectSystem=strict
ReadWritePaths=/opt/openclaw/data

# Isolate temp directory
PrivateTmp=true

# Block kernel module loading
ProtectKernelModules=true

# Block kernel parameter changes
ProtectKernelTunables=true

# Restrict network protocols
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Limit system calls
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

Why this matters: Even if an attacker gains code execution through OpenClaw, systemd sandboxing prevents them from escalating to root, modifying system files, or loading kernel modules. This is defense in depth.
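Because a single missing directive silently weakens the whole drop-in, it helps to check the unit file rather than trust that it was typed correctly. The following audit helper is an added example for this guide, not part of systemd or OpenClaw: it reads the `[Service]` section of a unit or drop-in and reports which of the step 4 settings are absent or weaker. The sample units embedded at the bottom are constructed, and the `/usr/local/bin/openclaw` `ExecStart` path in them is an assumption.

```python
"""Audit a systemd unit for the step 4 hardening directives.

Added helper for this guide, not part of systemd or OpenClaw. Only the
directives listed in step 4 are checked.
"""

# Single-valued directives and the value step 4 requires (last assignment wins in systemd).
EXPECTED_VALUES = {
    "NoNewPrivileges": "true",
    "ProtectSystem": "strict",
    "PrivateTmp": "true",
    "ProtectKernelModules": "true",
    "ProtectKernelTunables": "true",
}
EXPECTED_FAMILIES = {"AF_INET", "AF_INET6", "AF_UNIX"}


def service_settings(unit_text: str) -> dict:
    """Map each [Service] key to the list of values assigned to it, in order."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings.setdefault(key, []).append(value)
    return settings


def audit_unit(unit_text: str) -> list:
    """Return human-readable findings; an empty list means every step 4 setting is present."""
    s = service_settings(unit_text)
    findings = []
    for key, want in EXPECTED_VALUES.items():
        values = s.get(key)
        if not values:
            findings.append(f"{key} not set (want {want})")
        elif values[-1].lower() != want:
            findings.append(f"{key}={values[-1]} (want {want})")
    # List-type directives accumulate across lines, so compare the union.
    families = {f for v in s.get("RestrictAddressFamilies", []) for f in v.split()}
    if families != EXPECTED_FAMILIES:
        findings.append(f"RestrictAddressFamilies={sorted(families) or 'unset'} "
                        f"(want {sorted(EXPECTED_FAMILIES)})")
    filters = s.get("SystemCallFilter", [])
    if "@system-service" not in filters:
        findings.append("SystemCallFilter=@system-service not set")
    if not any(f.startswith("~") and "@privileged" in f for f in filters):
        findings.append("SystemCallFilter=~@privileged not set")
    if s.get("ProtectSystem", [""])[-1].lower() == "strict" and "ReadWritePaths" not in s:
        findings.append("ProtectSystem=strict with no ReadWritePaths: the data directory would be read-only")
    return findings


# Constructed sample units; the ExecStart path is an assumption.
HARDENED_UNIT = """[Service]
ExecStart=/usr/local/bin/openclaw
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/opt/openclaw/data
PrivateTmp=true
ProtectKernelModules=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
"""

TUTORIAL_UNIT = """[Unit]
Description=OpenClaw
[Service]
ExecStart=/usr/local/bin/openclaw
Restart=always
"""

if __name__ == "__main__":
    for name, unit in (("hardened", HARDENED_UNIT), ("tutorial", TUTORIAL_UNIT)):
        print(name, audit_unit(unit) or "OK")
```

Point it at the output of `systemctl cat <unit>` so drop-ins are included. The last check is the one people hit in practice: `ProtectSystem=strict` without a matching `ReadWritePaths` makes the data directory read-only and breaks OpenClaw rather than hardening it, which is exactly the "broken or left a gap" failure mode this guide warns about.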

5. Disable mDNS Discovery

OpenClaw broadcasts its presence on the local network via mDNS (Bonjour/Avahi) by default. On a shared network or VPS with multiple tenants, this tells other machines exactly where your OpenClaw instance is running.

# config.yaml
mdns:
  enabled: false

On a VPS, there’s no good reason to have mDNS enabled. It’s useful for local development when you want to find OpenClaw on your LAN, but on a production server it’s just broadcasting attack surface.

6. Enable Log Redaction

OpenClaw logs can contain API keys, message content, and authentication tokens in plain text. If your logs are shipped to a centralized logging service, indexed by a search tool, or accessible to other users on the server, that’s a data leak.

# config.yaml
logging:
  redact_keys: true
  redact_messages: true
  redact_patterns:
    - "sk-[a-zA-Z0-9]+"
    - "xoxb-[a-zA-Z0-9-]+"
    - "Bearer [a-zA-Z0-9._-]+"

Especially important if you’re using OpenClaw for email triage or financial tasks. Those logs could contain sensitive personal data.
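To confirm the three `redact_patterns` above actually scrub what you expect before a log line leaves the box, here is an added example for this guide (not OpenClaw's logging code). It assumes redaction is a regular-expression substitution pass over each line, which is what the config suggests but does not spell out. The sample log lines and the credentials in them are constructed.

```python
"""Apply the step 6 redact_patterns to log lines before they are shipped.

Added example for this guide; not OpenClaw's own logging implementation.
Assumption: each pattern is applied as a regex substitution over the line.
"""
import re

# Same patterns as the step 6 config.yaml block.
REDACT_PATTERNS = [
    r"sk-[a-zA-Z0-9]+",            # OpenAI-style API keys
    r"xoxb-[a-zA-Z0-9-]+",         # Slack bot tokens
    r"Bearer [a-zA-Z0-9._-]+",     # HTTP bearer tokens
]
_REDACT_RE = re.compile("|".join(f"(?:{p})" for p in REDACT_PATTERNS))


def redact_line(line: str, placeholder: str = "[REDACTED]") -> str:
    """Replace every match of the configured patterns with a placeholder."""
    return _REDACT_RE.sub(placeholder, line)


def redact_lines(lines) -> list:
    """Redact a batch of lines, e.g. before handing them to a log shipper."""
    return [redact_line(line) for line in lines]


def unredacted_secrets(lines) -> list:
    """Audit already-written logs: return lines that still match a pattern."""
    return [line for line in lines if _REDACT_RE.search(line)]


# Constructed sample log lines with fake credentials.
SAMPLE_LOG = [
    "INFO openai request ok key=sk-ABC123xyz model=gpt",
    "DEBUG slack auth token=xoxb-1234-5678-abcdefgh",
    "DEBUG http header Authorization: Bearer eyJhbGciOi.fake.sig",
    "INFO gateway listening on 127.0.0.1:3000",
]

if __name__ == "__main__":
    for line in redact_lines(SAMPLE_LOG):
        print(line)
    print("lines still leaking:", len(unredacted_secrets(redact_lines(SAMPLE_LOG))))
```

The patterns are prefix-based, so anything the page's three regexes do not describe (a provider whose keys carry a different prefix, a password in a message body) passes straight through; that is why `redact_keys` and `redact_messages` are enabled alongside them rather than relying on patterns alone. `unredacted_secrets` is the check to run over logs that were written before redaction was turned on.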

7. Set Up a Reverse Proxy with Auth

Never expose OpenClaw directly to the internet. Use nginx or Caddy as a reverse proxy with:

# nginx config
# http {} context: the zone that limit_req refers to must be declared here,
# otherwise nginx refuses to load the configuration
limit_req_zone $binary_remote_addr zone=openclaw:10m rate=10r/s;

# server {} context
location / {
    # Require a login before any request reaches the gateway
    # (the htpasswd path is an example; create it with htpasswd)
    auth_basic "OpenClaw";
    auth_basic_user_file /etc/nginx/openclaw.htpasswd;

    proxy_pass http://127.0.0.1:3000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;

    # Rate limit
    limit_req zone=openclaw burst=20 nodelay;

    # WebSocket support (required for messaging)
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

8. Keep OpenClaw Updated

This should be obvious, but 8 of the 14 CVEs were patched within days of disclosure. If you’re running a version from two months ago, you’re running with known critical vulnerabilities.

Set up a cron job or use Watchtower (Docker) to check for updates weekly at minimum.

What Most Hosting Guides Miss

I reviewed the top 10 “deploy OpenClaw” tutorials ranking on Google. Here’s what they cover:

Security Measure               | Typical VPS Guide | This Guide
-------------------------------|-------------------|-----------
HTTPS/SSL                      | Sometimes         | Yes
Localhost gateway binding      | No                | Yes
Sandbox mode                   | No                | Yes
Tool deny lists                | No                | Yes
systemd isolation              | No                | Yes
mDNS disabled                  | No                | Yes
Log redaction                  | No                | Yes
Reverse proxy + rate limiting  | Sometimes         | Yes

Most tutorials get you a running instance. None of them get you a secure one.

Skip the Hardening - Deploy Pre-Secured

Every security measure in this guide takes time to configure and test. Misconfigure one setting and you’ve either broken OpenClaw or left a gap in your defenses.

On InstaPods, every OpenClaw pod launches with all 8 hardening measures pre-configured:

You get a hardened OpenClaw instance in 30 seconds. No config files to edit, no security audit to run, no “did I miss something” anxiety.

$15/mo flat. SSH access included so you can verify every security measure yourself.

TL;DR

OpenClaw is powerful but has a serious security track record - multiple critical CVEs (including CVSS 8.8 RCE), 135,000+ exposed instances, 15,000+ vulnerable to RCE. If you’re self-hosting:

  1. Bind gateway to localhost
  2. Enable sandbox mode
  3. Configure tool deny lists
  4. Set up systemd isolation
  5. Disable mDNS
  6. Enable log redaction
  7. Use a reverse proxy with rate limiting
  8. Keep it updated

Or deploy on InstaPods where all of this is pre-configured.


Deploy Pre-Secured OpenClaw on InstaPods - Every hardening measure, pre-configured. 30 seconds, $15/mo.