Last updated: March 2026 · 15 min read

OpenClaw Security Guide 2026

Your OpenClaw instance runs with system-level access on your server. If it is unsecured, attackers control everything. This guide covers the real threats, our 12-point hardening audit, and the commands you can run right now to verify your own installation.

Why Security Is Critical

OpenClaw is extraordinary software. With 42,665 GitHub stars and growing, it has become the most popular open-source personal AI assistant platform in history. But popularity has a dark side: it makes OpenClaw a high-value target for attackers, and the default installation is alarmingly insecure.

Key numbers:

- 42,665 instances exposed on the public internet
- 93.4% without any authentication
- $6,000 overnight bill from one compromised key
Critical: OpenClaw runs with system-level access. It can execute shell commands, read and write files, manage Docker containers, and interact with every service on your server. If an attacker gains access to an unsecured OpenClaw instance, they do not just read your chats — they control your entire machine.

The numbers come from independent security research conducted in early 2026. Using Shodan and Censys scans, researchers identified 42,665 OpenClaw instances directly accessible from the public internet. Of those, 93.4% had no authentication configured whatsoever — meaning anyone with the IP address could send messages, read conversation history, access connected integrations, and in many cases execute arbitrary commands through the AI assistant.

The $6,000 overnight bill is not hypothetical. It happened to a developer who posted about it on Reddit in February 2026. An attacker found their exposed instance, extracted the OpenAI and Anthropic API keys from the conversation context, and ran automated requests through both APIs for 14 hours before the developer woke up to billing alerts. The API providers refunded part of it, but not all. The developer had no backups and lost 6 months of conversation history and custom configurations.

This is not a criticism of OpenClaw itself. The core software is well-maintained and actively developed, and vulnerabilities in it are responsibly disclosed and patched. The problem is deployment. OpenClaw's one-liner installer prioritizes ease of setup (get running in 5 minutes) and leaves security configuration to the user. Most users are not system administrators. They follow the quickstart guide, see it working, and move on. That is when the clock starts ticking.

The gap between "installed and working" and "installed and secure" is exactly what OpenClawPro exists to close. Below, we detail every step of our 12-point security audit — the same process we apply to every installation, starting from the $299 Starter plan.

Our 12-Point Security Audit

Every OpenClawPro installation — from the $299 Starter plan to the Managed tier — receives this complete security hardening. Each point addresses a specific attack vector that we have observed exploited in the wild. Nothing is optional. Nothing is skipped.

Fully audited: When all 12 points are configured, your OpenClaw instance goes from being one of the 93.4% without authentication to a hardened deployment with the baseline controls expected of any production service. Most opportunistic attacks simply fail against a properly configured server.
01

SSH Key-Only Authentication

Disable password login entirely

Password-based SSH is the single most attacked vector on any VPS. Automated bots hammer port 22 thousands of times per hour, trying common passwords and brute-forcing weak ones. We generate an Ed25519 SSH key pair for you, install the public key on your server, and disable PasswordAuthentication (and keyboard-interactive authentication, which many guides forget) in /etc/ssh/sshd_config. Against a 256-bit key there is nothing to guess: brute force is not impossible in principle, but it is computationally infeasible, so the bots can try forever and never get in. The one operational rule: keep your existing session open and confirm a key login from a second terminal before you reload sshd, because a typo in this file is how you lock yourself out.
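As an added example (not OpenClaw's or OpenClawPro's own tooling), here is the drop-in file we would write for point 01, rendered by a shell function so you can preview it in a scratch directory first, plus a check against sshd's effective configuration rather than against one file. It assumes a Debian/Ubuntu OpenSSH layout where /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf; the file name and the SSH_HARDEN_APPLY switch are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example for point 01: key-only SSH as a drop-in file plus a check
# against sshd's effective configuration. Not OpenClawPro's installer.
# Assumes Debian/Ubuntu OpenSSH (sshd_config Include's sshd_config.d/*.conf).
set -e

sshd_hardening_conf() {
    # Debian/Ubuntu put the Include at the top of sshd_config, and sshd keeps
    # the first value it sees for each keyword, so this drop-in wins.
    cat <<'EOF'
# /etc/ssh/sshd_config.d/10-openclaw-hardening.conf
PasswordAuthentication no
# Alias of KbdInteractiveAuthentication on OpenSSH 8.7+, and still the
# accepted spelling on older releases.
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthenticationMethods publickey
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
EOF
}

install_sshd_hardening() {
    # $1 = filesystem root: "" for the real system, or a scratch directory
    # to render the file without touching /etc (used by the self-test).
    local root="${1:-}" dir
    dir="$root/etc/ssh/sshd_config.d"
    mkdir -p "$dir"
    sshd_hardening_conf > "$dir/10-openclaw-hardening.conf"
    chmod 0644 "$dir/10-openclaw-hardening.conf"
}

password_auth_disabled() {
    # $1 = output of `sudo sshd -T` (effective values, lowercase keywords).
    # Checks what sshd will actually enforce, not what one file says.
    local effective="$1"
    printf '%s\n' "$effective" | grep -qx 'passwordauthentication no' || return 1
    printf '%s\n' "$effective" | grep -qx 'pubkeyauthentication yes'  || return 1
    printf '%s\n' "$effective" | grep -qx 'permitrootlogin no'        || return 1
    return 0
}

if [ "${SSH_HARDEN_APPLY:-0}" = "1" ]; then
    # Keep your current SSH session open and confirm a key login works from
    # a second terminal before closing it; a typo here locks you out.
    install_sshd_hardening ""
    sshd -t                                   # syntax check; aborts on error
    password_auth_disabled "$(sshd -T)"       # aborts if passwords are still on
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
fi
```

Run it once with no switches to see that it does nothing, then `SSH_HARDEN_APPLY=1 sudo bash ssh-harden.sh` on the server. `sshd -T` is the authoritative view: if another file in sshd_config.d sets PasswordAuthentication yes first, that is what sshd enforces, and this check will catch it.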

02

Fail2ban Configuration

Brute-force protection that bans attackers

Even with key-only SSH, persistent bots waste bandwidth and clutter logs. Fail2ban tails sshd's log (the journal on current Ubuntu and Debian, /var/log/auth.log on older releases) and bans an address at the firewall after 3 failed attempts inside a 10-minute window, for 24 hours. We configure jails for SSH, nginx HTTP auth, and OpenClaw-specific endpoints (that last one needs a filter written for OpenClaw's log format, since fail2ban ships none), plus a recidive jail that turns repeat offenders into permanent bans. It cuts brute-force noise sharply within the first week, but it is a noise reducer, not an authentication control: the key-only policy in point 01 is what keeps attackers out.
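The jail.local for point 02, as an added example that is not OpenClawPro's configuration. It uses only filters that ship with fail2ban (sshd, nginx-http-auth, nginx-limit-req, recidive); an OpenClaw-specific jail would need a filter matching OpenClaw's own log lines and is not shown. The banaction = ufw choice assumes UFW from point 03 is in place, and the F2B_APPLY switch is this example's own.

```shell
#!/usr/bin/env bash
# Added example for point 02: a jail.local with the sshd, nginx and recidive
# jails, rendered by a function so it can be previewed in a scratch directory.
# Not OpenClawPro's config. Assumes fail2ban 0.10+ and UFW as the firewall.
set -e

fail2ban_jail_local() {
    cat <<'EOF'
# /etc/fail2ban/jail.local -- overrides jail.conf; never edit jail.conf itself.
[DEFAULT]
bantime  = 24h
findtime = 10m
maxretry = 3
# Never ban yourself or the box; add your office/VPN address here.
ignoreip = 127.0.0.1/8 ::1
# Insert bans as UFW rules so they are visible in `ufw status`.
banaction = ufw
banaction_allports = ufw

[sshd]
enabled = true
# Ubuntu 22.04+ and Debian 12 log sshd to the journal, not auth.log.
backend = systemd
# "aggressive" also counts pre-auth disconnects and invalid-user probes.
mode    = aggressive

[nginx-http-auth]
enabled = true

[nginx-limit-req]
# Pairs with limit_req in nginx (point 08): clients that keep hammering
# after a 429 get banned at the firewall instead of merely rate-limited.
enabled = true

[recidive]
# Repeat offenders: three bans within a day earn a permanent, all-ports ban.
enabled  = true
logpath  = /var/log/fail2ban.log
findtime = 1d
maxretry = 3
bantime  = -1
EOF
}

install_fail2ban_config() {
    # $1 = filesystem root ("" for the real system, scratch dir for preview).
    local root="${1:-}" dir
    dir="$root/etc/fail2ban"
    mkdir -p "$dir"
    fail2ban_jail_local > "$dir/jail.local"
}

if [ "${F2B_APPLY:-0}" = "1" ]; then
    install_fail2ban_config ""
    fail2ban-client -t                  # parse check before touching the service
    systemctl restart fail2ban
    fail2ban-client status sshd         # lists the jail; 0 banned right after start
fi
```

After a day, `sudo fail2ban-client status sshd` shows the banned addresses and `sudo fail2ban-client set sshd unbanip 203.0.113.7` releases one you banned by mistake; that is also the moment to add your own address to ignoreip.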

03

UFW Firewall Rules

Allow only ports 22, 80, and 443

A default-deny firewall is your first line of defense. We enable UFW (Uncomplicated Firewall) with deny-all incoming by default, then explicitly allow only three ports: 22 (SSH, with ufw limit so one address cannot open connections faster than the rate limit allows), 80 (HTTP, needed only for the Let's Encrypt challenge and the redirect to HTTPS), and 443 (HTTPS). Every other port, including database ports, the Docker daemon, Redis, and debug interfaces, is dropped: no response, no connection, no footprint. One trap specific to Docker hosts: Docker writes its own iptables rules when a port is published, and those rules are evaluated before UFW's, so -p 3000:3000 exposes the container to the internet regardless of what ufw status says. We publish container ports on 127.0.0.1 only and let nginx front them; the port check in the verification section below catches any that slipped through.

04

Automatic Security Updates

unattended-upgrades for security patches

Distribution security teams usually publish fixes for critical CVEs within hours or days of disclosure, but they only help if your system applies them. We install and configure unattended-upgrades to apply patches from the official Ubuntu/Debian security repository, with the apt timers set to run every 6 hours instead of the stock once a day. Kernel and libc updates that need a reboot trigger one automatically during a maintenance window you choose (default: 4 AM UTC). You stay patched without lifting a finger. The caveat: this covers the operating system only. OpenClaw itself, its container image, and any skills or MCP servers you have connected are updated separately, which is why the ClawHavoc advisory below tells you to upgrade OpenClaw by hand.
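The apt and systemd fragments behind point 04, as an added example rather than OpenClawPro's own files. The shipped 50unattended-upgrades already whitelists the security pocket, so the override only adds the reboot policy and the run frequency; the file name 52openclaw-unattended and the APT_POLICY_APPLY switch are this example's conventions. Automatic-Reboot-Time is interpreted in the server's local time zone.

```shell
#!/usr/bin/env bash
# Added example for point 04: reboot policy and run frequency for
# unattended-upgrades. Not OpenClawPro's config. Assumes Debian/Ubuntu with
# the stock 50unattended-upgrades (which already allows the security pocket).
set -e

apt_unattended_override() {
    cat <<'EOF'
// /etc/apt/apt.conf.d/52openclaw-unattended -- parsed after 50unattended-upgrades
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// Local time of the server; keep the box on UTC if you mean 4 AM UTC.
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// One package at a time, so an interrupted run leaves a consistent system.
Unattended-Upgrade::MinimalSteps "true";
EOF
}

apt_periodic() {
    cat <<'EOF'
// /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

apt_timer_override() {
    # systemd drop-in: run every 6 hours instead of once a day.
    # The empty OnCalendar= line clears the unit's default schedule.
    cat <<'EOF'
[Timer]
OnCalendar=
OnCalendar=*-*-* 00/6:00:00
RandomizedDelaySec=20m
EOF
}

install_apt_policy() {
    # $1 = filesystem root ("" for the real system, scratch dir for preview).
    local root="${1:-}" t
    mkdir -p "$root/etc/apt/apt.conf.d"
    apt_unattended_override > "$root/etc/apt/apt.conf.d/52openclaw-unattended"
    apt_periodic            > "$root/etc/apt/apt.conf.d/20auto-upgrades"
    # Both timers: apt-daily refreshes package lists, apt-daily-upgrade installs.
    for t in apt-daily apt-daily-upgrade; do
        mkdir -p "$root/etc/systemd/system/$t.timer.d"
        apt_timer_override > "$root/etc/systemd/system/$t.timer.d/override.conf"
    done
}

if [ "${APT_POLICY_APPLY:-0}" = "1" ]; then
    install_apt_policy ""
    systemctl daemon-reload
    systemctl restart apt-daily.timer apt-daily-upgrade.timer
    unattended-upgrade --dry-run --debug   # shows what would be installed now
fi
```

`systemctl list-timers apt-daily*` confirms the new schedule, and the dry run is the fastest way to confirm the security origin is actually being matched on your release.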

05

Docker/Podman Sandboxing

No --privileged flag, ever

Running containers with --privileged gives them full root access to the host machine; it defeats the entire purpose of containerization. We run OpenClaw with every capability dropped except the ones it needs (NET_BIND_SERVICE if it binds a port below 1024; with a non-root user on a high port, even that can go), a read-only root filesystem with a tmpfs for scratch space where the application allows it, the no-new-privileges security option so nothing inside can regain capabilities through setuid binaries, and its own bridge network. The container cannot reach the host's devices, kernel modules, or other containers. Just as important is what we never do: mount /var/run/docker.sock into the container. OpenClaw can manage containers, and the convenient way to let it is the Docker socket, but anyone who controls that socket is root on the host, which undoes every other point in this list.

06

Non-Root User for OpenClaw

Principle of least privilege

OpenClaw never runs as root. We create a dedicated system user (openclaw) with no login shell, no password, no sudo access, and ownership only of the directories it needs. If an attacker compromises the OpenClaw process, they hold only what that account holds: no sudo, no ability to modify system files or install packages, and no route to root short of a local privilege-escalation bug, which is what point 04 exists to close. What the account does still hold is OpenClaw's own data, integrations, and keys, which is why points 07 and 12 matter as much as this one.

07

Environment Variable Protection

.env permissions locked to 600

Your .env file holds API keys that are worth real money: OpenAI, Anthropic, Google, Stripe. One leaked key is how a $6,000 overnight bill happens. We set the file to mode 600 (owner read/write only), owned by the openclaw user, so no other account on the server can read it. Note that this is access control, not encryption: anyone who can read as openclaw or root still sees the keys, and so does anyone with access to the Docker socket, because docker inspect prints a container's environment. The file is excluded from all backup scripts and version control, which means keys are restored from your password manager, not from an archive. For production deployments where a plain .env is insufficient, we configure Docker secrets (or Compose file-based secrets mounted under /run/secrets) so the values never appear in the container's environment at all.
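Points 06 and 07 together, as an added example that is not OpenClawPro's installer: the locked service account, the ownership and mode sweep over the install tree, and a strict check on the secrets file. It assumes the install root /opt/openclaw with .env directly under it and the OPENCLAW_USER_APPLY switch is this example's own. chown needs root and a real openclaw account, so it is skipped on scratch copies; the mode bits can be exercised as any user.

```shell
#!/usr/bin/env bash
# Added example for points 06 and 07: locked service account and file modes
# around the secrets file. Not OpenClawPro's installer. Assumes /opt/openclaw
# as the install root with .env directly under it.
set -e

create_service_user() {
    # Nologin shell, locked password, no sudo membership. --user-group gives
    # it a private group so nothing else on the box shares its files.
    id -u openclaw >/dev/null 2>&1 && return 0
    useradd --system --user-group --shell /usr/sbin/nologin \
            --home-dir /opt/openclaw --no-create-home openclaw
    passwd -l openclaw >/dev/null
}

lock_down_install_tree() {
    # $1 = install root, $2 = owner (default openclaw).
    # Directories 0750, files 0640, .env 0600, and a setuid/setgid sweep.
    # chown runs only as root and only if the owner exists (scratch runs skip it).
    local root="$1" owner="${2:-openclaw}"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner:$owner" "$root"
    fi
    find "$root" -type d -exec chmod 0750 {} +
    find "$root" -type f -exec chmod 0640 {} +
    find "$root" -type f -perm /6000 -exec chmod u-s,g-s {} +
    chmod 0600 "$root/.env"
}

secret_file_mode_ok() {
    # $1 = file, $2 = expected owner. Exactly 0600 and owned by that user;
    # this is the same condition the verification checklist below tests.
    local mode user
    mode=$(stat -c '%a' "$1") || return 1
    user=$(stat -c '%U' "$1") || return 1
    [ "$mode" = "600" ] && [ "$user" = "$2" ]
}

if [ "${OPENCLAW_USER_APPLY:-0}" = "1" ]; then
    create_service_user
    lock_down_install_tree /opt/openclaw openclaw
    secret_file_mode_ok /opt/openclaw/.env openclaw
    sudo -l -U openclaw | tail -n 1     # expect "is not allowed to run sudo"
fi
```

The setuid sweep matters more than it looks: a vendored binary with the setuid bit inside a directory the service owns is a ready-made escalation path if it is ever run by another account.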

08

Rate Limiting on API Endpoints

Prevent abuse and cost overruns

An unprotected OpenClaw API endpoint is a free AI gateway for anyone who finds it. We configure nginx rate limiting (limit_req) per client IP: 30 requests/minute for chat endpoints, 5 requests/minute for auth endpoints, and 100 requests/minute for static assets, with burst allowances so legitimate spikes are not rejected. Excess requests get an HTTP 429 (limit_req_status 429), not an expensive AI completion. Two caveats: per-IP limits bound the cost of abuse, they do not replace authentication, since an attacker with many addresses simply spreads the load; and if nginx sits behind a CDN or load balancer, the limit must key on the real client address (real_ip module), otherwise every user shares one bucket.

09

CORS Policy Configuration

Restrict cross-origin access

CORS is often misunderstood. It does not stop a browser from sending a cross-origin request; it controls whether the page that sent it may read the response. A permissive policy (Access-Control-Allow-Origin: *, or worse, reflecting whatever Origin arrives while allowing credentials) lets any website read your OpenClaw API through a logged-in visitor's browser. We configure strict CORS headers: only your specific domains are returned as the allowed origin, Access-Control-Allow-Credentials is sent only alongside an exact origin (browsers reject the wildcard with credentials anyway), and preflight responses are cached for 24 hours (Access-Control-Max-Age: 86400). Two caveats: CORS is not a CSRF defence, because a cross-site form POST still reaches the server, so session cookies need SameSite and state-changing endpoints need a CSRF token or a required custom header; and none of it matters to an attacker with curl, which ignores CORS entirely. Authentication is the control; CORS only protects your users' browsers.
</gr_repl
ace>
<gr_replace lines="110" cat="clarify" orig="Every OpenClawPro installation gets">
Every OpenClawPro installation gets HTTPS from day one using Let's Encrypt certificates. Certbot's systemd timer checks twice a day and renews any certificate with fewer than 30 days left, so expiry is never a scheduled event. We add an HTTP-to-HTTPS redirect (port 80 stays open only for the ACME challenge), HSTS with a one-year max-age, TLS 1.2 as the minimum with TLS 1.3 preferred and an AEAD-only cipher list, and verify an A+ on SSL Labs. One caveat on HSTS: once a browser has seen the header it refuses plain HTTP for the whole max-age, so add includeSubDomains only after every subdomain serves valid TLS.

10

SSL/TLS with Auto-Renewal

Let's Encrypt certificates, always valid

Every OpenClawPro installation gets HTTPS from day one using Let's Encrypt certificates. We configure Certbot with automatic renewal 30 days before expiry, HTTP-to-HTTPS redirect, HSTS headers with a 1-year max-age, TLS 1.2 minimum (TLS 1.3 preferred), and an A+ rating on SSL Labs. No mixed content warnings, no certificate expiry downtime, no excuses.
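Points 08, 09 and 10 land in the same nginx site file, so here they are as one added example rather than three fragments. This is not OpenClawPro's template. It assumes the site assistant.example.com with a second first-party front end at app.example.com, OpenClaw listening on 127.0.0.1:3000 with its auth routes under /api/auth/ and the rest of the API under /api/, certbot's webroot at /var/www/certbot, and Debian's /etc/nginx/proxy_params for the X-Forwarded-* headers.

```nginx
# /etc/nginx/sites-available/openclaw.conf
# Added example covering points 08, 09 and 10; not OpenClawPro's template.
# Assumptions: assistant.example.com (+ app.example.com as a second allowed
# origin), OpenClaw on 127.0.0.1:3000, certbot webroot /var/www/certbot,
# Debian's proxy_params for Host and X-Forwarded-* headers.

# 08: one bucket per endpoint class, keyed by client IP. 10m holds ~160k
# addresses. Excess requests get 429, not a completion.
limit_req_zone $binary_remote_addr zone=chat:10m   rate=30r/m;
limit_req_zone $binary_remote_addr zone=auth:10m   rate=5r/m;
limit_req_zone $binary_remote_addr zone=static:10m rate=100r/m;
limit_req_status 429;

# 09: exact-match origin allowlist. Anything else yields an empty value and
# no header is sent, which the browser treats as "not allowed".
# Never reflect $http_origin unfiltered.
map $http_origin $cors_origin {
    default                         "";
    "https://assistant.example.com" $http_origin;
    "https://app.example.com"       $http_origin;
}

server {
    listen 80;
    listen [::]:80;
    server_name assistant.example.com;

    # Port 80 exists for the ACME HTTP-01 challenge and the redirect only.
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name assistant.example.com;

    # 10: the paths certbot writes; renewal replaces them in place.
    ssl_certificate     /etc/letsencrypt/live/assistant.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/assistant.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # One-year HSTS. Add includeSubDomains only once every subdomain has TLS.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # 09 continued. Kept at server level on purpose: an add_header inside a
    # location block would replace this whole list rather than extend it.
    add_header Access-Control-Allow-Origin      $cors_origin always;
    add_header Access-Control-Allow-Credentials "true" always;
    add_header Access-Control-Allow-Methods     "GET, POST, OPTIONS" always;
    add_header Access-Control-Allow-Headers     "Authorization, Content-Type" always;
    add_header Access-Control-Max-Age           86400 always;
    add_header Vary                             Origin always;

    location /api/auth/ {
        limit_req zone=auth burst=5 nodelay;
        if ($request_method = OPTIONS) { return 204; }
        proxy_pass http://127.0.0.1:3000;
        include proxy_params;
    }

    location /api/ {
        limit_req zone=chat burst=10 nodelay;
        if ($request_method = OPTIONS) { return 204; }
        proxy_pass http://127.0.0.1:3000;
        include proxy_params;
    }

    location /static/ {
        limit_req zone=static burst=50 nodelay;
        proxy_pass http://127.0.0.1:3000;
        include proxy_params;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        include proxy_params;
    }
}
```

Validate with `nginx -t` before reloading. Two quick checks afterwards: `curl -sD - -o /dev/null -H 'Origin: https://evil.example' https://assistant.example.com/api/chat` must show no Access-Control-Allow-Origin header, and a loop of a dozen rapid requests to /api/auth/login should start returning 429 after the burst of 5 is spent.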

11

Log Rotation and Monitoring

Detect intrusions before damage occurs

Logs are your security camera footage. We configure logrotate for all OpenClaw, nginx, and system logs with 30-day retention and compression. More importantly, we set up log monitoring with alerts: failed SSH attempts beyond a threshold, unusual API usage patterns, container restart loops, and disk usage above 80%. You are notified via your configured messaging channel (Telegram, Discord, etc.) when something looks wrong. Keep in mind that an attacker who gains root can erase local logs, so the copy that matters for forensics is the one shipped off the box (journald remote upload, rsyslog forwarding, or a hosted log service).
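The detection half of point 11, as an added example that is not OpenClawPro's monitoring stack: failed-login counting per source address over sshd log lines, the disk and restart checks, and a Telegram delivery step. The log lines at the bottom are constructed sample data, not real server output; TG_BOT_TOKEN and TG_CHAT_ID, the 10-minute cron window and the MONITOR_RUN switch are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example for point 11: detection logic over log text, written as
# functions so they run against the constructed sample below. Not
# OpenClawPro's monitoring. Telegram delivery assumes TG_BOT_TOKEN/TG_CHAT_ID.
set -e

failed_ssh_by_ip() {
    # stdin: sshd log lines (journal or /var/log/auth.log).
    # stdout: "<count> <ip>", highest first. Matches the "Failed password"
    # and "Invalid user" lines that fail2ban's sshd filter keys on as well.
    awk '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

over_threshold() {
    # $1 = threshold; stdin = output of failed_ssh_by_ip; prints offending IPs.
    awk -v t="$1" '$1 >= t { print $2 }'
}

disk_usage_pct() {
    # $1 = mount point; prints the integer percent used from POSIX df output.
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

container_restarts() {
    # $1 = container name; prints Docker's restart counter for it.
    docker inspect --format '{{.RestartCount}}' "$1"
}

notify() {
    # $1 = message. Falls back to stderr when no Telegram credentials are set.
    if [ -z "${TG_BOT_TOKEN:-}" ] || [ -z "${TG_CHAT_ID:-}" ]; then
        echo "ALERT: $1" >&2; return 0
    fi
    curl -fsS -X POST "https://api.telegram.org/bot$TG_BOT_TOKEN/sendMessage" \
        --data-urlencode "chat_id=$TG_CHAT_ID" --data-urlencode "text=$1" >/dev/null
}

# Constructed sample, not real server data: one scanner and one mistyped login.
SAMPLE_AUTH_LOG='Mar 10 03:14:01 vps sshd[2231]: Invalid user admin from 203.0.113.7 port 51822
Mar 10 03:14:01 vps sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Mar 10 03:14:03 vps sshd[2235]: Failed password for root from 203.0.113.7 port 51830 ssh2
Mar 10 03:14:05 vps sshd[2238]: Failed password for root from 203.0.113.7 port 51844 ssh2
Mar 10 03:20:17 vps sshd[2301]: Failed password for alice from 198.51.100.23 port 40112 ssh2
Mar 10 03:20:25 vps sshd[2301]: Accepted publickey for alice from 198.51.100.23 port 40112 ssh2'

if [ "${MONITOR_RUN:-0}" = "1" ]; then
    # Cron this every 10 minutes; the journal query covers the same window.
    offenders=$(journalctl _COMM=sshd --since '-10min' -o short | failed_ssh_by_ip | over_threshold 3)
    [ -z "$offenders" ] || notify "SSH brute force from: $(printf '%s' "$offenders" | tr '\n' ' ')"
    usage=$(disk_usage_pct /)
    [ "$usage" -lt 80 ] || notify "Disk at ${usage}% on $(hostname)"
    restarts=$(container_restarts openclaw)
    [ "$restarts" -lt 3 ] || notify "openclaw container restarted $restarts times"
fi
```

On the sample, 203.0.113.7 accounts for four failures and crosses the threshold of 3; alice's single typo does not. With key-only SSH in place every "Failed password" line is by definition an attacker, so a lower threshold is reasonable.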

12

Backup Strategy

Automated daily snapshots

A security incident without backups is a catastrophe. With backups, it is an inconvenience. We configure automated daily snapshots of your OpenClaw data directory, Docker volumes, and configuration files. Backups are compressed, encrypted with AES-256 under a passphrase that is stored separately from the server, and written to a separate location (a different directory for VPS snapshots, or an S3-compatible bucket). We keep 7 daily, 4 weekly, and 3 monthly backups. Two details matter against ransomware-style attacks: the bucket credentials held on the server should be write-only (no delete), or the bucket should use object lock, so a compromised host cannot destroy its own history; and since .env is excluded (point 07), a restore also needs your API keys from wherever you keep them. Restoration is tested during installation and should be retested after every major OpenClaw upgrade.
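An added example of the backup job for point 12, not OpenClawPro's script: an encrypted snapshot, the 7/4/3 rotation rule, and a restore check that decrypts and lists the archive. It assumes the data lives under /opt/openclaw, the passphrase sits in /etc/openclaw/backup.key (root, mode 0600, and copied to a second place), GNU tar and date, and the BACKUP_RUN switch. openssl's aes-256-cbc matches the page's "AES-256" but is not authenticated encryption; age or gpg are better choices where available.

```shell
#!/usr/bin/env bash
# Added example for point 12: encrypted snapshot, 7/4/3 rotation, restore
# check. Not OpenClawPro's backup job. Assumes /opt/openclaw as the source,
# /etc/openclaw/backup.key as the passphrase file, GNU tar and GNU date.
set -e

backup_create() {
    # $1 = source dir, $2 = destination dir, $3 = passphrase file,
    # $4 = date tag (YYYY-MM-DD). Prints the archive path.
    local src="$1" dest="$2" pass="$3" tag="$4" out
    out="$dest/openclaw-$tag.tar.gz.enc"
    mkdir -p "$dest"
    # .env is deliberately left out (point 07): keys come from your password
    # manager at restore time, not from an archive that may sit in a bucket.
    tar -C "$src" --exclude='./.env' -czf - . |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass "file:$pass" -out "$out"
    chmod 0600 "$out"
    printf '%s\n' "$out"
}

backup_contains() {
    # $1 = archive, $2 = passphrase file, $3 = path relative to the source
    # (file or directory). Decrypts and lists without extracting: the
    # cheapest restore test that still proves the passphrase and the data.
    local listing
    listing=$(openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
                  -pass "file:$2" -in "$1" | tar -tzf -)
    printf '%s\n' "$listing" | grep -qxF -- "./$3" ||
        printf '%s\n' "$listing" | grep -qxF -- "./$3/"
}

backup_rotate() {
    # $1 = destination dir, $2 = today (YYYY-MM-DD, default: now, UTC).
    # Keep every snapshot under 7 days old, Sunday snapshots under 28 days,
    # first-of-month snapshots under 93 days; delete the rest.
    local dest="$1" today="${2:-$(date -u +%F)}" f tag age dow dom now
    now=$(date -u -d "$today" +%s)
    for f in "$dest"/openclaw-????-??-??.tar.gz.enc; do
        [ -e "$f" ] || continue
        tag=${f##*/openclaw-}; tag=${tag%.tar.gz.enc}
        age=$(( (now - $(date -u -d "$tag" +%s)) / 86400 ))
        dow=$(date -u -d "$tag" +%u)          # 7 = Sunday
        dom=$(date -u -d "$tag" +%d)
        [ "$age" -lt 7 ] && continue
        [ "$dow" = 7 ] && [ "$age" -lt 28 ] && continue
        [ "$dom" = 01 ] && [ "$age" -lt 93 ] && continue
        rm -f -- "$f"
    done
}

if [ "${BACKUP_RUN:-0}" = "1" ]; then
    # Cron: 0 3 * * * BACKUP_RUN=1 /usr/local/sbin/openclaw-backup.sh
    archive=$(backup_create /opt/openclaw /var/backups/openclaw \
                  /etc/openclaw/backup.key "$(date -u +%F)")
    backup_contains "$archive" /etc/openclaw/backup.key data   # fail loudly if unreadable
    backup_rotate /var/backups/openclaw
fi
```

To ship the archive off the box, add a copy step after backup_contains (for example `aws s3 cp "$archive" s3://your-bucket/` with write-only credentials) and run backup_rotate against the bucket with the same date rule; the rotation logic only needs the file names.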

Real Threats

These are not theoretical attack vectors. Every threat described below has been observed in the wild against OpenClaw deployments in 2025-2026. We track them so you do not have to.

ClawHavoc — CVE-2026-25253

CRITICAL — CVSS 9.8

Discovered in January 2026, ClawHavoc is a remote code execution vulnerability in OpenClaw's MCP (Model Context Protocol) server connection handler. A malicious MCP server can inject crafted tool responses that bypass OpenClaw's input sanitization, causing the AI to execute arbitrary shell commands with the permissions of the OpenClaw process.

The attack is devastatingly simple: an attacker publishes a seemingly useful MCP server (a "weather API" or "stock ticker") on a public registry. When an OpenClaw user connects to it, the malicious server returns tool responses containing embedded command sequences. OpenClaw passes these to the AI model, which faithfully executes them. The attacker gains a reverse shell in under 30 seconds.

Affected versions: OpenClaw v2024.12.0 through v2026.1.14. All users must update to v2026.1.15 or later immediately. The patch adds strict input validation and a sandbox layer for MCP tool responses. Note that unattended-upgrades (point 04) patches the operating system, not OpenClaw: the OpenClaw package or container image has to be updated by you, and until it is, do not connect to any MCP server you have not vetted.

Malicious Skills on ClawHub

HIGH RISK

As of March 2026, security researchers have identified 341 malicious skills on ClawHub, OpenClaw's community skill marketplace. These range from credential-harvesting skills that exfiltrate API keys to cryptominers that quietly consume your server's CPU, to backdoors that open reverse shells on installation.

The ClawHub team has improved moderation significantly, but the review backlog means newly published skills may remain unvetted for 48-72 hours. We recommend installing only skills with 100+ downloads, verified publisher badges, and source code you have personally reviewed; the first two are weak signals on their own, since download counts can be inflated and a badge vouches for an identity, not for the code it ships. OpenClawPro installations include a curated allowlist of 50 verified, audited skills.

Prompt Injection Attacks

MEDIUM RISK

When OpenClaw processes external data — emails, web pages, documents — that data can contain hidden instructions that manipulate the AI's behavior. A carefully crafted email could instruct OpenClaw to forward all future messages to an attacker's address, or a malicious web page could tell it to reveal its system prompt and API configuration.

OpenClaw v2026.2+ includes basic prompt injection detection, but it is not foolproof, and no amount of filtering or system-prompt wording makes it so: the model cannot reliably tell instructions from data. OpenClawPro deployments add an input sanitization layer and explicit anti-injection directives in the system prompt, which lower the success rate, but the controls that bound the damage are architectural: the assistant should reach only the tools a task needs, actions with side effects (sending mail, running commands, changing forwarding rules) should require your confirmation, and API keys should never be visible to the model as text it could be asked to repeat.

Token Theft via OAuth Misconfiguration

MEDIUM RISK

OpenClaw integrates with services like Google Calendar, GitHub, Notion, and Linear through OAuth tokens. A common misconfiguration stores these tokens in plain text within the SQLite database or Docker volume with overly permissive file access. If any other service on the server is compromised, those tokens provide access to every connected account.

Worse, many users configure OAuth tokens with overly broad scopes — granting "full access" when "read-only" would suffice. OpenClawPro configures each integration with the minimum required scope and stores tokens in an encrypted credential store rather than plain text in the database.

Security Verification Checklist

Run these commands on your server right now to check your security posture. Each command verifies one of the critical hardening steps. If any result does not match the expected output, your installation has a vulnerability that needs immediate attention.

Check open ports

$ sudo ss -tlnp

Expected: Only ports 22, 80, and 443 should be bound to a public address (0.0.0.0, [::], or *). A listener on 127.0.0.1, such as the OpenClaw app behind nginx, is fine; anything else on a public address is a gap, and a docker-proxy entry on one means a container was published past UFW.

Verify Fail2ban is active

$ sudo fail2ban-client status

Expected: Should show active jails for sshd at minimum

Check UFW firewall status

$ sudo ufw status verbose

Expected: Status: active, Default: deny (incoming), allow (outgoing)

Docker privilege check

$ docker inspect --format='{{.HostConfig.Privileged}}' openclaw

Expected: Must return "false", never "true". This is necessary, not sufficient: also confirm that CapAdd is empty (or NET_BIND_SERVICE only) and that /var/run/docker.sock is not mounted into the container, since either one is root-equivalent on the host.

.env file permission check

$ stat -c "%a %U" /opt/openclaw/.env

Expected: Should show "600 openclaw" — not 644 or root

Important: If any of these checks fail, your OpenClaw instance is vulnerable. Do not wait. Either fix the issue immediately using the corresponding audit step above, or contact us for emergency hardening assistance.
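The five checks above, gathered into one script as an added example (not OpenClawPro's auditor). Each check is a pure function over the output of the command it corresponds to, so the logic can be exercised against pasted output without a server, and AUDIT_LIVE=1 feeds it the real commands. The container name openclaw and the path /opt/openclaw/.env follow the checklist; the AUDIT_LIVE switch is this example's own.

```shell
#!/usr/bin/env bash
# Added example: the verification checklist as one script. Each check takes
# command output as text, so it can run offline; AUDIT_LIVE=1 runs the real
# commands. Not OpenClawPro's auditor. Assumes container "openclaw" and
# /opt/openclaw/.env as in the checklist.
set -e

check_listening_ports() {
    # $1 = output of `ss -tlnH`. Prints every listener on a public address
    # whose port is not 22/80/443 and returns 1 if there is any.
    # Loopback-only listeners (the app behind nginx) are accepted.
    local bad
    bad=$(printf '%s\n' "$1" | awk '
        NF >= 4 {
            n = split($4, a, ":"); port = a[n]
            addr = $4; sub(":" port "$", "", addr)
            if (addr ~ /^(127\.|\[::1\])/) next
            if (port != 22 && port != 80 && port != 443) print addr ":" port
        }')
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

check_ufw() {
    # $1 = output of `ufw status verbose`.
    printf '%s\n' "$1" | grep -q '^Status: active' || return 1
    printf '%s\n' "$1" | grep -q '^Default: deny (incoming)' || return 1
}

check_fail2ban() {
    # $1 = output of `fail2ban-client status`; sshd must be in the jail list.
    printf '%s\n' "$1" | grep 'Jail list:' | grep -qw sshd
}

check_container_unprivileged() {
    # $1 = output of `docker inspect --format '{{.HostConfig.Privileged}}' openclaw`.
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "false" ]
}

check_env_perms() {
    # $1 = output of `stat -c '%a %U' /opt/openclaw/.env`.
    [ "$1" = "600 openclaw" ]
}

audit_live() {
    local rc=0
    check_listening_ports "$(ss -tlnH)" \
        || { echo "FAIL: unexpected public listener (see above)"; rc=1; }
    check_ufw "$(sudo ufw status verbose)" \
        || { echo "FAIL: ufw is not active with deny (incoming)"; rc=1; }
    check_fail2ban "$(sudo fail2ban-client status)" \
        || { echo "FAIL: fail2ban has no sshd jail"; rc=1; }
    check_container_unprivileged "$(docker inspect --format '{{.HostConfig.Privileged}}' openclaw)" \
        || { echo "FAIL: openclaw container is privileged"; rc=1; }
    check_env_perms "$(stat -c '%a %U' /opt/openclaw/.env)" \
        || { echo "FAIL: .env must be 600 and owned by openclaw"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: all five checks"
    return "$rc"
}

if [ "${AUDIT_LIVE:-0}" = "1" ]; then
    audit_live
fi
```

The port check is the one most worth reading: a docker-proxy listener on 0.0.0.0:3000 passes a casual glance at `ss` output and is exactly the UFW bypass described under point 03, so the script flags any public listener that is not one of the three expected ports.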

We Do This For You

Every OpenClawPro installation includes the complete 12-point security audit described on this page. No shortcuts. No "we'll get to it later." Your server is hardened before we hand you the keys.

At a glance:

- 12 security audit points
- A+ SSL Labs rating
- 90 min average audit time
Every plan includes security. The 12-point audit is not an upsell. It is included in every installation, starting at $299 with the Starter plan. Your AI assistant deserves the same security standards as any production service.

Frequently Asked Questions

Common questions about OpenClaw security, our audit process, and how we handle sensitive data during installation.