OpenClaw Setup Guide

Part 1: Secure & Private Setup Guide

1.1 Understanding the Architecture

OpenClaw is a long-running Node.js service that connects LLMs (Claude, GPT, DeepSeek, local models) to your local machine and messaging apps (Signal, Telegram, Discord, WhatsApp). Key architectural facts:

• Local-first but NOT local-processing: The core app runs on your hardware, but prompts still travel over the public internet to LLM API endpoints
• Gateway model: OpenClaw’s Gateway listens on port 18789 via WebSocket — this is the primary attack surface
• Skills system: Functionality comes from skill directories containing SKILL.md files — these are a supply chain risk vector
• Persistent memory: Stores context across sessions in SOUL.md and MEMORY.md files

1.2 Hardware & Environment Setup

Option A: Dedicated Cloud VPS (Recommended)

• Use a dedicated VPS (e.g., DigitalOcean, Hetzner, Contabo — 2vCPU, 8GB RAM, ~$5–10/month)
• This isolates OpenClaw from your personal devices entirely
• Run inside Docker for additional containment

Option B: Local Machine (Convenient but higher risk)

• Use a dedicated VM or container — never run directly on your main OS
• Microsoft explicitly recommends: “not appropriate to run on a standard personal or enterprise workstation”

Option C: Dedicated Physical Device

• Repurpose an old laptop or use a Raspberry Pi 5 (8GB)
• Air-gap from sensitive networks

1.3 Installation Steps

1. Create a dedicated non-root user:

   sudo adduser openclaw --disabled-password
   sudo su - openclaw

2. Install via official script (always verify the script first):

   # Download and review before piping to shell
   curl -fsSL https://get.openclaw.ai -o install.sh
   less install.sh  # REVIEW IT
   bash install.sh

3. Run the onboarding wizard — it generates a gateway token by default
4. Immediately run security audit:

   openclaw security audit --fix

1.4 Network Security Hardening

1. Never expose the Gateway to the public internet directly
   • Bind to loopback only: OPENCLAW_GATEWAY_HOST=127.0.0.1
   • For remote access, use SSH tunnel or Tailscale:

     ssh -L 18789:localhost:18789 user@your-vps

2. Disable mDNS broadcasting:

   export OPENCLAW_DISABLE_BONJOUR=1

   This prevents leaking filesystem paths and hostname info on your local network.

3. Firewall rules: Block port 18789 from all external access

   sudo ufw deny 18789

4. Use a reverse proxy with TLS if you must expose it (Caddy or nginx with Let’s Encrypt)

1.5 Authentication & Credential Management

1. Use strong gateway tokens — the wizard generates one, but verify it’s not weak
2. Scoped API tokens: For every integration (Gmail, GitHub, etc.), create tokens with minimum required permissions (read-only where possible)
3. Short-lived credentials over long-lived ones wherever possible
4. Never store secrets in .env files the agent can read — use a secrets manager or OS keychain
5. Disable memory storage of secrets: Ensure SOUL.md/MEMORY.md never contain API keys or passwords

1.6 Skill & Supply Chain Security

1. Audit every skill before installing: Read the SKILL.md and all associated code manually
2. Only install skills from verified/trusted authors
3. Never install skills that request exec/shell access unless you’ve audited them thoroughly
4. Pin skill versions — don’t auto-update
5. Run openclaw security audit after every skill install
6. Consider writing your own skills for sensitive workflows rather than trusting third-party ones

1.7 LLM API Key Management

• Create a dedicated API key for OpenClaw (not your personal/main key)
• Set spending limits on the API key ($20–50/month to start)
• Monitor usage dashboards for anomalous spikes (could indicate prompt injection exfiltrating data)
• Rotate keys monthly

1.8 Ongoing Maintenance

• Run openclaw security audit --fix regularly (weekly minimum)
• Monitor the OpenClaw GitHub security advisories
• Review SOUL.md/MEMORY.md periodically for injected content (memory poisoning attacks)
• Check logs for suspicious activity

Part 2: Top 20 Use Cases with Risk Assessments

Part 3: Risk Summary Matrix

Part 4: Universal Security Principles

1. Start small: Begin with low-risk use cases (#14, #17, #7) and build confidence
2. Principle of least privilege: Every integration gets the minimum permissions needed
3. Human in the loop: Require approval for all write/send/deploy actions initially
4. Defense in depth: Container + firewall + auth + scoped tokens + monitoring
5. Assume compromise: Design your setup so that even if the agent is hijacked, the blast radius is limited
6. Local LLMs for sensitive data: Use Ollama + Llama/Mistral for financial, health, or confidential data
7. Regular audits: Run openclaw security audit weekly, review memory files monthly
8. Stay updated: 60+ CVEs in 4 months (including CVSS 9.9) — always run the latest version
9. Vet all skills: Never install unaudited third-party skills (~20% of ClawHub skills were malicious)
10. Monitor costs: Set API spending limits to detect exfiltration-via-API-abuse early

Part 5: Verification Checklist

After setup, verify security by:

1. Running openclaw security audit --fix and confirming zero findings
2. Port scanning your host to confirm 18789 is not externally accessible
3. Testing that the gateway rejects unauthenticated WebSocket connections
4. Verifying API key spending limits are set
5. Confirming mDNS is disabled (OPENCLAW_DISABLE_BONJOUR=1)
6. Testing a benign prompt injection to see if the agent’s guardrails hold
7. Reviewing SOUL.md and MEMORY.md for any unexpected content
8. Verifying allow_url_actions: false in openclaw.yaml to block the one-click RCE vector
9. Confirming you’re running version 2026.3.12+ (patches all known CVEs)
10. Testing that WebSocket connections from non-localhost origins are rejected
11. Verifying Docker container runs as non-root with --cap-drop=ALL and --read-only

Part 6: Pentester / Whitehat Review

Upgraded Risk Assessments

Based on the full CVE landscape and real-world attack data, these risk levels should be upgraded:

Critical Attack Vectors Missing from Original Guide

1. The “Lethal Trifecta” (Penligent/OctoClaw research)

The combination of System Access + Execution Power + Untrusted Ingestion creates a perfect storm. Most OpenClaw setups have all three by default. Never combine all three in a single agent instance. Use separate agents with different permission levels.

2. Time-Shifted Memory Poisoning (Palo Alto Networks)

Malicious inputs written to SOUL.md/MEMORY.md can appear benign at ingestion but “detonate” later when the agent’s state aligns — logic bomb-style. Palo Alto mapped OpenClaw to every category in the OWASP Top 10 for Agentic Applications.

Mitigation: Treat memory files as code, not data. Use file integrity monitoring (FIM), enforce read-only permissions during runtime, require admin approval for memory file changes.

3. Log Poisoning → Indirect Prompt Injection

Attackers can write malicious content to log files via WebSocket requests. Since the agent reads its own logs, this is an injection vector. Mitigation: Ensure logs are write-only from the agent’s perspective; use a separate log viewer.

4. Container Escape via API

CVE-2026-25253’s WebSocket hijacking works even inside Docker containers — the container boundary doesn’t block it. A containerized install running a vulnerable image is just as exposed as bare-metal.

5. Localhost Trust Assumption (ClawJacked)

OpenClaw’s gateway exempted localhost from rate limiting entirely. Browser JavaScript could brute-force the gateway at hundreds of guesses/second with no lockout and no logging.

Docker Hardening Deep Dive

# docker-compose.yml — hardened OpenClaw deployment
version: '3.8'
services:
  openclaw:
    image: openclaw/openclaw:2026.3.12  # Pin to patched version
    read_only: true                      # Read-only root filesystem
    cap_drop:
      - ALL                              # Drop all Linux capabilities
    security_opt:
      - no-new-privileges:true           # Prevent privilege escalation
      - seccomp=openclaw-seccomp.json    # Custom seccomp profile
    user: "1000:1000"                    # Non-root user
    ports:
      - "127.0.0.1:18789:18789"         # Bind to loopback ONLY
    volumes:
      - ./config:/app/config:ro          # Config read-only
      - ./data:/app/data                 # Data writable (minimal)
    mem_limit: 2g                        # Memory cap
    cpus: 1.0                            # CPU cap
    networks:
      - openclaw-internal

  # Optional: egress proxy to restrict outbound traffic
  egress-proxy:
    image: nginx:alpine
    # Allowlist only LLM API endpoints
    networks:
      - openclaw-internal
      - external

networks:
  openclaw-internal:
    internal: true   # No direct internet access for OpenClaw
  external:
    driver: bridge

Key points:

• internal: true network prevents the agent from reaching the internet directly — all traffic goes through an egress proxy
• Even a fully compromised agent cannot exfiltrate data to arbitrary servers
• Never mount docker.sock — it grants container escape
• Never use --network=host — it removes network isolation entirely

Incident Response Plan

If you suspect compromise:

1. Immediately: Disconnect OpenClaw from the network (stop container or kill process)
2. Within 1 hour: Rotate ALL credentials the agent had access to
3. Audit: Check logs for unexpected system.run calls; review sandbox list state
4. Review: Examine SOUL.md/MEMORY.md for injected instructions
5. Scan: Check for installed backdoor skills or modified skill files
6. Report: If you find evidence of exploitation, report to OpenClaw security (GitHub Security Advisories)

Pentester Mitigation Ratings by Use Case

Real-World Scale of the Problem

As of March 2026:

• 220,000+ OpenClaw instances exposed to the internet
• 12,812 confirmed exploitable via RCE
• 63% of observed deployments were vulnerable
• 60+ CVEs and 60+ GHSAs disclosed in ~4 months
• 900+ malicious ClawHub skills identified (Atomic Stealer payloads)
• Meta has banned OpenClaw from corporate devices
• China restricted OpenClaw in government agencies
• Palo Alto Networks called it “the potential biggest insider threat of 2026”

Part 7: OpenClaw vs Claude Code

What is Claude Code?

Claude Code is Anthropic’s official CLI and agentic coding tool. It runs in your terminal, IDE (VS Code, JetBrains), and now as a desktop app (Cowork). Unlike OpenClaw’s messaging-app-first approach, Claude Code is purpose-built for software development with deep filesystem and git integration.

New in 2026: Channels & Cowork

Claude Code Channels (launched March 20, 2026): Bridges messaging platforms (Telegram, Discord, Slack) to your Claude Code CLI session. This directly competes with OpenClaw’s core messaging-app model.

Claude Cowork (launched 2026): The desktop agent for knowledge workers. Same agentic architecture as Claude Code but with a desktop interface.

Agent Teams (experimental): Coordinates multiple Claude Code instances working together via CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS.

Head-to-Head Comparison

When to Use Claude Code

• Software development: Code review, refactoring, debugging, architecture
• Enterprise/regulated environments: SOC 2, GDPR, audit trails, SSO/RBAC
• Security-conscious teams: Sandboxed execution, managed by Anthropic’s security team
• Git-heavy workflows: Native git integration, PR management
• Managed security: No CVE patching or infrastructure hardening required

When to Use OpenClaw

• Life automation beyond coding: Email, calendar, smart home, finance, health
• Messaging-native workflows: If your team lives in Telegram/Signal/WhatsApp
• LLM flexibility: Local models, DeepSeek, or mixed providers
• Full data sovereignty: Run entirely on your hardware with local LLMs
• Maximum customization: Full source access, custom skills, custom personality

Part 8: Steinberger’s Perspective

Based on Peter Steinberger’s public statements — his blog (Feb 15, 2026), Pragmatic Engineer podcast, Lex Fridman #491, Fortune/TechCrunch/CNBC interviews, and GitHub activity.

His Philosophy: Empowerment, Not Containment

Steinberger positions OpenClaw as “an AI that actually does things” — a revolutionary tool for power users. His vision is building “an agent that even my mum can use.” He frames AI agents as a new skill: “You pick up the guitar — you’re not going to be good at the guitar in the first day.” He calls this approach “agentic engineering” and explicitly distinguishes it from “vibe coding.”

Where Steinberger Would Push Back

1. The tone is too CISO-like: He’d lead with the empowerment narrative before the risk narrative.
2. Absolutist “NEVER” prohibitions: He favors graduated trust models over blanket bans. Instead of “NEVER connect door locks,” he’d say “start read-only, level up as you validate.”
3. The Microsoft quote: He’d note this is Microsoft’s external security team’s view, not universal consensus. His entire pitch is that OpenClaw runs on YOUR machine.
4. Model interchangeability: A core design principle — route sensitive tasks to local models and mundane tasks to cloud APIs on the same agent.

Where Steinberger Acknowledges the Risks

• Announced moving OpenClaw to an independent open-source foundation (Apache/PSF model) on Feb 14, 2026
• Active in GitHub Security Advisory work, though critical of GitHub’s reporting system as “a mess” with “AI-generated slop”

Uncomfortable Truths

1. ClawHavoc response was slow: Steinberger was criticized for saying he was “too busy” to address malicious skills. C2 infrastructure stayed operational for days.
2. Community as security asset: ClawCon drew 1,000+ attendees; Cisco’s DefenseClaw and VirusTotal scanning integration came from community contributions.
3. One maintainer’s candid warning (Discord): “If you can’t understand how to run a command line, this is far too dangerous of a project for you to use safely.”

The Balanced Take

Steinberger is more optimistic about OpenClaw’s risk-reward tradeoff than the security community. This guide deliberately errs on the side of security researchers (Microsoft, Palo Alto Networks, Cisco). That’s the right call for a security-focused setup guide. But Steinberger’s graduated-trust approach (“start minimal, expand carefully”) is valid for experienced users who understand the risks.

Sources

• OpenClaw, OpenAI and the future — steipete.me
• “I ship code I don’t read” — Pragmatic Engineer
• OpenClaw creator joins OpenAI — TechCrunch
• Who is Peter Steinberger? — Fortune
• ClawHavoc Poisons ClawHub — CyberPress
• OpenClaw founder rips GitHub reporting — Cryptopolitan
• Lex Fridman #491 — Summify