Is OpenClaw Safe? Complete Security Guide (2026)

OpenClaw is one of the most popular open-source AI agent frameworks, letting you run a personal AI assistant on your own server. But after the ClawHavoc incident in early 2026, one question keeps coming up on Reddit and Hacker News: is OpenClaw actually safe to run?

The short answer is: OpenClaw can be safe, but only if you configure it properly. Out of the box, the default settings leave too many doors open. This guide covers every security concern, what went wrong with ClawHavoc, and a complete hardening checklist.

The ClawHavoc Incident: What Happened

In February 2026, security researcher Mara Chen published the ClawHavoc report, revealing that over 135,000 OpenClaw instances were publicly accessible on the internet with no authentication. Many of these were running with default configurations that exposed:

• The OpenClaw admin panel on port 3080
• Full shell access through the agent's command execution skill
• Unencrypted API keys stored in plaintext configuration files
• Memory databases containing sensitive user data

The root cause was not a bug in OpenClaw itself. It was a combination of poor default settings and users who followed quick-start guides without understanding the security implications.

The RCE Vulnerability (CVE-2026-1847)

Alongside the exposure report, a Remote Code Execution (RCE) vulnerability was disclosed in OpenClaw versions prior to 0.9.4. The vulnerability existed in the skill installation pipeline, where a maliciously crafted skill package could execute arbitrary commands during the install process.

This was patched in version 0.9.4, but many exposed instances were running older versions.

OpenClaw's Actual Security Model

To understand whether OpenClaw is safe, you need to understand what it actually does:

1. OpenClaw runs commands on your server. That is its core function. An AI agent that can execute shell commands, install packages, read files, and make network requests.
2. Skills are third-party code. When you install a skill, you are running someone else's code on your machine with the permissions of the OpenClaw process.
3. Channels connect to external services. Telegram, WhatsApp, Signal, email — each channel is an attack surface.

This is not inherently unsafe, but it means you need to treat OpenClaw the way you would treat any application with shell access.

What OpenClaw Does Right

• Open source: Full code audit is possible. The community regularly reviews PRs.
• Local-first: Your data stays on your server. No third-party cloud dependency.
• Skill sandboxing (v0.9.5+): Skills can now run in isolated containers.
• Auth tokens: Channel authentication prevents unauthorized access.
• Audit logging: All commands executed by the agent are logged.

What OpenClaw Gets Wrong (by Default)

• No authentication on the admin panel — anyone with the URL can access it.
• Binds to 0.0.0.0 — listens on all interfaces, not just localhost.
• Skills run unsandboxed — unless you explicitly enable container isolation.
• No rate limiting — a compromised channel can spam commands.
• API keys in plaintext — stored in config.yaml without encryption.

Complete Security Hardening Checklist

Follow every step in this checklist to make your OpenClaw installation secure.

1. Update to the Latest Version

openclaw update
openclaw --version

Always run the latest stable release. Security patches are backported to the current major version.

2. Enable Authentication

Edit your config.yaml:

server:
  auth:
    enabled: true
    token: "your-secure-random-token-here"
    admin_password: "strong-password-here"

Generate a secure token:

openssl rand -hex 32

3. Bind to Localhost Only

server:
  host: "127.0.0.1"
  port: 3080

Never bind to 0.0.0.0 unless you have a reverse proxy with authentication in front.

4. Configure Firewall Rules

# UFW (Ubuntu/Debian)
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw enable

# Only allow OpenClaw port from localhost
sudo ufw deny 3080

If you need remote access, use a VPN or SSH tunnel instead of exposing the port.

5. Use Docker Isolation

Running OpenClaw in Docker adds a layer of isolation between the agent and your host system:

# docker-compose.yml
services:
  openclaw:
    image: openclaw/openclaw:latest
    restart: unless-stopped
    ports:
      - "127.0.0.1:3080:3080"
    volumes:
      - ./config:/app/config
      - ./data:/app/data
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp

6. Vet Every Skill Before Installing

# Check skill source before installing
openclaw skill info skill-name
openclaw skill inspect skill-name

Only install skills from the official registry or repositories you trust. Read the source code of any skill that requests shell access.

7. Set Up VPN or Tailscale

For remote access, use Tailscale or WireGuard instead of exposing OpenClaw directly:

# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# Access OpenClaw via Tailscale IP
# https://100.x.y.z:3080

This ensures only devices on your private network can reach the admin panel.

8. Enable Skill Sandboxing

In OpenClaw 0.9.5+, enable container-based skill isolation:

skills:
  sandbox:
    enabled: true
    runtime: "docker"
    network: "none"  # Skills cannot make network requests by default
    memory_limit: "256m"
    cpu_limit: "0.5"

Channel Security

Each messaging channel is a potential entry point. Secure them individually.

Telegram

• Use a dedicated bot token (never share it)
• Enable allowed_users to restrict who can send commands
• Set allowed_chats to limit which groups the bot responds in

Email (via Inbounter)

If you are using email as a channel, services like Inbounter provide webhook-based email delivery with built-in authentication. This is safer than running your own SMTP server because:

• Inbounter validates sender identity before forwarding to your agent
• Webhook payloads are signed, preventing spoofed commands
• You do not need to expose any ports for incoming email

WhatsApp and Signal

• Require registration with a phone number, which adds a layer of identity verification
• Enable allowed_numbers in your channel config

Monitoring for Security Issues

Set up basic monitoring to catch problems early:

# Check for failed auth attempts
openclaw logs --filter "auth_failed" --since 24h

# Monitor active connections
openclaw status --connections

# Check for unusual skill activity
openclaw logs --filter "skill_exec" --since 1h

Consider setting up alerts via email or SMS when suspicious activity is detected. Inbounter's API can send real-time notifications to your phone when your agent detects anomalous behavior.

Common Security Mistakes

Mistake 1: Running as Root

Never run OpenClaw as the root user. Create a dedicated user:

sudo useradd -r -s /bin/false openclaw
sudo chown -R openclaw:openclaw /opt/openclaw

Mistake 2: Storing API Keys in Config

Use environment variables instead of storing keys in config.yaml:

export ANTHROPIC_API_KEY="sk-ant-..."
export OPENAI_API_KEY="sk-..."

Mistake 3: Disabling Logging

The audit log is your forensic trail. Never disable it:

logging:
  level: "info"
  audit:
    enabled: true
    retention_days: 90

Mistake 4: Using Public Wi-Fi to Access the Admin Panel

Even with authentication, use a VPN when accessing OpenClaw from public networks.

Our Honest Assessment

OpenClaw is as safe as you make it. The framework itself is well-architected and actively maintained. The security issues come from:

1. Default configurations that prioritize ease of setup over security
2. Users who follow quick-start tutorials without hardening
3. Third-party skills that have not been audited

If you follow the checklist in this guide, OpenClaw is a reasonable choice for a self-hosted AI agent. If you skip the hardening steps, you are running an unauthenticated remote code execution server on the internet.

For most users, we recommend:

• Docker deployment with the security options shown above
• Tailscale for remote access
• Email/SMS notifications via Inbounter for security alerts
• Regular updates — subscribe to the OpenClaw security mailing list

Frequently Asked Questions

Has OpenClaw ever been hacked?

The ClawHavoc incident exposed 135K instances, but this was due to misconfiguration, not a breach of OpenClaw itself. The CVE-2026-1847 RCE vulnerability was patched before any known exploitation in the wild.

Is OpenClaw safer than running ChatGPT?

They are different threat models. ChatGPT sends your data to OpenAI's servers. OpenClaw keeps data local but gives an AI agent shell access to your machine. Neither is inherently safer — it depends on your threat model.

Can I run OpenClaw on a home network safely?

Yes, as long as you do not port-forward the admin panel. Use Tailscale for remote access and bind to localhost only.

Should I use OpenClaw for business-critical tasks?

With proper hardening, yes. But add monitoring, regular backups, and alerting. Use Inbounter to set up email alerts for any agent failures or security events.

How often should I update OpenClaw?

Check for updates weekly. Subscribe to the security mailing list for critical patches.

Does OpenClaw encrypt data at rest?

Not by default. The memory database and configuration files are stored in plaintext. You can enable disk encryption at the OS level (LUKS on Linux, FileVault on macOS).

Need to send security alerts from your OpenClaw agent? Inbounter provides a simple API for AI agents to send email and SMS notifications. Set up alerts in minutes.