Secure Your OpenClaw Agent with Claude Code
What you'll build
A security-hardened OpenClaw setup with token authentication, encrypted key storage, Docker sandboxing, and a skill whitelist.
The Problem
42,665 OpenClaw instances are exposed to the internet right now. 93% have no authentication. Researchers found 341 malicious skills on ClawHub — one of them steals every API key on your machine. Your agent has access to your file system, your terminal, and your API keys. If anyone can reach it, they can use all of that.
What You're Building
A locked-down agent. Token authentication, secure credential storage, sandboxed execution, and a skill whitelist. Same functionality, none of the exposure.
Milestone 1: Run a Security Audit
Before you fix anything, you need to know what's exposed.
Run a security audit on my OpenClaw setup. Check: 1) Is port 18789 accessible from outside my local machine? 2) Is authentication enabled in my config? 3) Are my API keys stored securely or in plain text? 4) What skills are installed and are any of them flagged? 5) Is sandboxing enabled for agent execution? Give me a report with red/yellow/green status for each check.
What Claude Code does: It inspects your OpenClaw configuration and network exposure. The audit checks five attack surfaces — network access, authentication, credential storage, skill integrity, and execution sandbox. Most fresh installs fail at least three.
Try it: Read the audit report. Red items get fixed in the next milestones.
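The five checks from the audit prompt, as an added offline example (this is not OpenClaw's own audit or Claude Code's output). Only gateway.auth with mode "token", port 18789, allowBundled and the sandbox mode "non-main" come from the page; every other key name (gateway.bind, models.*.apiKey, sandbox.mode, skills.installed), the key-prefix heuristic, the FLAGGED_SKILLS denylist and both sample configs are assumptions constructed for the demo. The real config is JSON5; this example works on the parsed dictionary, so strip comments before loading.

```python
import re

ENV_REF = re.compile(r"^\$\{[A-Z][A-Z0-9_]*\}$")      # "${NAME}" reference, not a literal
LOOKS_LIKE_KEY = re.compile(r"^(sk-ant-|sk-|AIza)")   # common vendor key prefixes (heuristic)
FLAGGED_SKILLS = {"shell-runner"}                       # constructed denylist for the demo
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def walk(obj, path=()):
    """Yield (path, leaf) for every scalar in a nested dict/list."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, path + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, path + (str(i),))
    else:
        yield path, obj

def check_network(cfg):
    # A gateway bound to a wildcard address is reachable by anything that can route to the host.
    bind = cfg.get("gateway", {}).get("bind", "0.0.0.0")   # assumed key and default
    return "green" if bind in LOOPBACK else "red"

def check_auth(cfg):
    auth = cfg.get("gateway", {}).get("auth", {})
    if auth.get("mode") != "token":
        return "red"
    return "green" if auth.get("token") else "yellow"   # token mode set but no token value

def plaintext_keys(cfg):
    """Config paths whose value looks like a vendor API key rather than a ${ENV} reference."""
    return [".".join(p) for p, v in walk(cfg)
            if isinstance(v, str) and LOOKS_LIKE_KEY.match(v) and not ENV_REF.match(v)]

def check_credentials(cfg):
    return "red" if plaintext_keys(cfg) else "green"

def check_skills(cfg):
    skills = cfg.get("skills", {})
    installed = set(skills.get("installed", []))
    if installed & FLAGGED_SKILLS:
        return "red"
    return "green" if installed <= set(skills.get("allowBundled", [])) else "yellow"

def check_sandbox(cfg):
    return "green" if cfg.get("sandbox", {}).get("mode") in ("non-main", "all") else "red"

def audit(cfg):
    return {
        "network": check_network(cfg),
        "auth": check_auth(cfg),
        "credentials": check_credentials(cfg),
        "skills": check_skills(cfg),
        "sandbox": check_sandbox(cfg),
    }

# Constructed sample configs: a fresh install and the hardened end state of this guide.
FRESH_CONFIG = {
    "gateway": {"bind": "0.0.0.0", "port": 18789, "auth": {"mode": "none"}},
    "models": {"anthropic": {"apiKey": "sk-ant-api03-EXAMPLEEXAMPLEEXAMPLE"},
               "gemini": {"apiKey": "AIzaEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPL"}},
    "skills": {"installed": ["weather", "shell-runner"], "allowBundled": []},
}
HARDENED_CONFIG = {
    "gateway": {"bind": "127.0.0.1", "port": 18789,
                "auth": {"mode": "token", "token": "${OPENCLAW_GATEWAY_TOKEN}"}},
    "models": {"anthropic": {"apiKey": "${ANTHROPIC_API_KEY}"},
               "gemini": {"apiKey": "${GEMINI_API_KEY}"}},
    "skills": {"installed": ["weather"], "allowBundled": ["weather"]},
    "sandbox": {"mode": "non-main"},
}

if __name__ == "__main__":
    for name, cfg in (("fresh", FRESH_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

The network check reads the bind address from the config, which tells you what the gateway asked for, not what the host actually exposes; confirm it with `ss -ltnp | grep 18789` on the host and, for a real answer, a connection attempt from another machine.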
Milestone 2: Enable Authentication
93% of exposed instances have no auth. Let's not be in that group.
Enable token-based authentication on my OpenClaw gateway. Generate a strong random token, add it to my openclaw.json under gateway.auth with mode "token", and set up rate limiting — max 10 failed attempts per minute with a 5-minute lockout. Restart the gateway and verify that requests without the token are rejected.
What Claude Code does: It configures token authentication on your gateway. Every request must carry the secret token; without it the gateway returns 401. Rate limiting does not stop brute force, it slows it: 10 wrong guesses per minute, then a 5-minute lockout, which combined with a long random token makes guessing hopeless. This one change closes the gap that 93% of the exposed instances share, but it does not take the gateway off the internet; the network check from Milestone 1 still matters.
Try it: Request http://localhost:18789 without the token and you get an authentication error; with the token, access is granted. This proves the check works, not that the port is unreachable from outside. For that, repeat the request from another machine, or re-read the network result from Milestone 1.
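The two mechanisms the prompt asks for, a random token and a failed-attempt limiter with lockout, as an added example (not OpenClaw's own gateway code). It assumes the gateway identifies callers by client address and that the token is presented as a bearer value the caller sends verbatim; the status codes and the class name are choices made for the demo.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

MAX_FAILURES = 10        # failed attempts allowed per window
WINDOW_SECONDS = 60
LOCKOUT_SECONDS = 300    # 5-minute lockout, as in the Milestone 2 prompt

def generate_token():
    """256 bits from the OS CSPRNG, URL-safe so it fits in a header or query string."""
    return secrets.token_urlsafe(32)

class TokenGate:
    """Decides a request: 200 (accepted), 401 (bad or missing token), 429 (client locked out)."""

    def __init__(self, token, clock=time.monotonic):
        self._token = token.encode()
        self._clock = clock                      # injectable so tests can move time forward
        self._failures = defaultdict(deque)      # client -> timestamps of recent failures
        self._locked_until = {}                  # client -> monotonic time the lockout ends

    def is_locked(self, client):
        return self._locked_until.get(client, 0.0) > self._clock()

    def check(self, client, presented):
        now = self._clock()
        if self.is_locked(client):
            return 429                           # do not even evaluate the token while locked
        presented_bytes = (presented or "").encode()
        # compare_digest takes the same time regardless of where the first mismatch is,
        # so an attacker cannot recover the token byte by byte from response timing.
        # (It does reveal a length mismatch, which is fine: the token length is not secret.)
        if hmac.compare_digest(self._token, presented_bytes):
            self._failures.pop(client, None)     # a success resets the failure window
            return 200
        window = self._failures[client]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                     # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[client] = now + LOCKOUT_SECONDS
            window.clear()
        return 401

if __name__ == "__main__":
    gate = TokenGate(generate_token())
    print([gate.check("203.0.113.9", "guess") for _ in range(11)])   # ten 401s, then 429
```

Two caveats a practitioner should keep in mind. Keying the limiter on client address means an attacker with many addresses gets 10 guesses per minute per address, so the real defence is the 256-bit token, not the lockout; and the lockout can be turned against you, since anyone sharing your NAT can lock your address out for five minutes. The token is a bearer credential, so it must only ever travel over TLS or a private network such as the Tailscale setup suggested at the end of this page.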
Milestone 3: Secure Your API Keys
Your Anthropic and Gemini keys shouldn't sit in plain text config files.
Move all my API keys out of the openclaw.json config file. Instead, reference them as environment variables. Update the config to use ANTHROPIC_API_KEY, GEMINI_API_KEY, and any other keys from my environment. Make sure none of the keys appear in plain text in any file under ~/.openclaw/. Then verify the agent still works.
What Claude Code does: It replaces hardcoded keys with environment variable references. OpenClaw's JSON5 config supports environment variable expansion, so the keys leave the config file and can no longer be committed to version control by accident. Two caveats. The variables still have to live somewhere (a shell profile or an env file), so restrict that file to your user with chmod 600 and keep it out of git. And a skill that runs inside the agent process can read the process environment as easily as it could read a file, so this milestone protects the config from being copied; keeping a malicious skill away from the keys is the job of the sandbox in Milestone 4.
Try it: Search for your API key strings in ~/.openclaw/ — nothing. Send a message to your bot — still works.
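The migration and the verification step from this milestone, as an added example rather than OpenClaw's own expansion code: rewrite literal keys to ${VAR} references, scan a directory for anything still shaped like a key, and resolve the references at startup while failing closed if a variable is missing. The temporary directory stands in for ~/.openclaw, the key patterns are constructed for the two vendors named above, and the rule that derives the variable name from the parent key (models.anthropic.apiKey becomes ANTHROPIC_API_KEY) is an assumption for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

ENV_REF = re.compile(r"\$\{([A-Z][A-Z0-9_]*)\}")
# Constructed patterns for the vendors named in Milestone 3; extend for others you use.
SECRET_PATTERNS = [re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}"),
                   re.compile(r"AIza[0-9A-Za-z_-]{35}")]

def expand_env(value, env):
    """Resolve ${NAME} references recursively. A missing variable raises instead of
    becoming an empty string, so a misconfigured agent fails to start rather than
    running with a blank key and confusing error messages."""
    if isinstance(value, dict):
        return {k: expand_env(v, env) for k, v in value.items()}
    if isinstance(value, list):
        return [expand_env(v, env) for v in value]
    if isinstance(value, str):
        def sub(match):
            name = match.group(1)
            if name not in env:
                raise KeyError(f"config references ${{{name}}} but it is not set")
            return env[name]
        return ENV_REF.sub(sub, value)
    return value

def scan_for_secrets(root):
    """Relative paths of files under root that contain something shaped like a vendor key."""
    hits = set()
    for path in Path(root).rglob("*"):
        if path.is_file():
            text = path.read_text(errors="ignore")
            if any(p.search(text) for p in SECRET_PATTERNS):
                hits.add(str(path.relative_to(root)))
    return sorted(hits)

def migrate(config):
    """Replace literal key values with ${VAR} references. Returns (new_config, extracted_env),
    where extracted_env is what belongs in the chmod-600 env file, never in the config."""
    env = {}
    def fix(obj, path):
        if isinstance(obj, dict):
            return {k: fix(v, path + [k]) for k, v in obj.items()}
        if isinstance(obj, str) and any(p.fullmatch(obj) for p in SECRET_PATTERNS):
            var = (path[-2] + "_API_KEY").upper()   # assumed naming rule, e.g. ANTHROPIC_API_KEY
            env[var] = obj
            return "${" + var + "}"
        return obj
    return fix(config, []), env

def demo():
    """Constructed ~/.openclaw stand-in: a config holding a literal key, migrated in place."""
    fake_key = "sk-ant-api03-" + "A" * 24            # constructed, not a real key
    with tempfile.TemporaryDirectory() as home:
        cfg_path = Path(home, "openclaw.json")
        cfg_path.write_text(json.dumps({"models": {"anthropic": {"apiKey": fake_key}}}))
        leaks_before = scan_for_secrets(home)
        new_cfg, env = migrate(json.loads(cfg_path.read_text()))
        cfg_path.write_text(json.dumps(new_cfg))
        leaks_after = scan_for_secrets(home)
        resolved = expand_env(new_cfg, env)          # what the agent sees at startup
        return leaks_before, leaks_after, env, resolved["models"]["anthropic"]["apiKey"] == fake_key

if __name__ == "__main__":
    print(demo())
```

After a real migration, scan more than ~/.openclaw: the old key is probably still in your shell history and in any backup of the config, and a key that has ever been on disk in plain text is best rotated at the provider rather than merely moved.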
Milestone 4: Configure Sandboxing and Access Controls
Your agent can run shell commands and read files. Let's limit what it can do.
Enable Docker sandboxing for non-main agents in my OpenClaw config. Set the sandbox to: read-only root filesystem, no network access by default, 256 PID limit, 1GB memory limit, drop all capabilities. Also configure tool allow/deny lists — the main agent can use file tools and shell, but restrict elevated permissions to specific allowed senders only (my Telegram user ID).
What Claude Code does: It adds sandboxing and access controls. Docker sandboxing isolates non-main agent execution: a malicious skill running there is confined to a container with a read-only root, no network, no capabilities and hard PID and memory limits, so it cannot reach your filesystem or your keys. Note what the prompt leaves unsandboxed: the main agent keeps its file and shell tools on the host, which is exactly why its elevated actions are gated on the sender. Only messages from your Telegram user ID can trigger them.
Try it: Check your config — sandbox mode set to "non-main" with all security restrictions active.
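Both halves of this milestone as an added example, not OpenClaw's own code: a builder that turns the requested restrictions into `docker run` flags, and a deny-by-default tool authorizer that gates elevated tools on the sender. The docker flags are real CLI options; the policy dictionaries, agent names ("main", "non-main"), tool names and the placeholder Telegram ID are assumptions for the demo.

```python
SANDBOX_POLICY = {                 # the restrictions from the Milestone 4 prompt
    "read_only_root": True,
    "network": "none",             # no network unless a skill is explicitly granted it
    "pids_limit": 256,             # caps fork bombs inside the container
    "memory": "1g",
    "drop_all_caps": True,
}

def docker_run_args(image, policy=SANDBOX_POLICY, workdir="/workspace"):
    """Translate the policy into docker run flags. Returns an argv list, not a shell
    string, so nothing in image or workdir is ever interpreted by a shell."""
    args = ["docker", "run", "--rm", "--security-opt", "no-new-privileges"]
    if policy["read_only_root"]:
        # a read-only root still needs scratch space; noexec stops dropped binaries running
        args += ["--read-only", "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m"]
    args += ["--network", policy["network"]]
    args += ["--pids-limit", str(policy["pids_limit"]), "--memory", policy["memory"]]
    if policy["drop_all_caps"]:
        args += ["--cap-drop", "ALL"]
    args += ["--user", "65534:65534", "-w", workdir, image]   # unprivileged uid inside
    return args

TOOL_POLICY = {                    # assumed shape, not OpenClaw's schema
    "main": {
        "allow": {"file_read", "file_write", "shell"},
        "elevated": {"file_write", "shell"},      # only from a trusted sender
        "elevated_senders": {"123456789"},        # placeholder for your Telegram user ID
    },
    "non-main": {"allow": {"file_read"}, "elevated": set(), "elevated_senders": set()},
}

def authorize(agent, tool, sender_id, policy=TOOL_POLICY):
    """Deny unless the agent is known, the tool is on its allow list, and elevated tools
    come from an allowed sender. IDs are compared as strings so 123 and "123" match."""
    rules = policy.get(agent)
    if rules is None or tool not in rules["allow"]:
        return False
    if tool in rules["elevated"] and str(sender_id) not in rules["elevated_senders"]:
        return False
    return True

if __name__ == "__main__":
    print(" ".join(docker_run_args("openclaw-skill:latest")))
    print(authorize("main", "shell", 123456789), authorize("main", "shell", "attacker"))
```

The sender check is only as strong as the channel that delivers the sender ID: if anyone can post a fabricated update to your bot's inbound endpoint, they can claim your ID, so the messaging integration itself needs to be authenticated, not just the gateway. The `--user` flag assumes the skill image runs correctly as an unprivileged user; if it does not, fix the image rather than dropping the flag.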
Milestone 5: Create a Safe Skills Policy
341 malicious skills were found on ClawHub. Let's make sure you only run trusted ones.
Set up a skill security policy for my OpenClaw instance. 1) Create a whitelist of approved skills — only skills I explicitly approve can be installed. 2) Block any skill that requires shell access or file system write permissions unless I manually review it. 3) Review my currently installed skills and flag any that request suspicious permissions.
What Claude Code does: It creates a skill approval policy. OpenClaw lets you control which skills are allowed via allowBundled lists and permission restrictions. Nothing gets installed without your approval. The audit catches skills requesting more access than they need.
Try it: Try installing a random ClawHub skill — blocked. Add it to approved list — installs. You're in control.
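The three parts of the skill policy prompt (allowlist, automatic hold on shell or write access, review of what is already installed) as an added example, not OpenClaw's own policy engine. Only allowBundled and ClawHub are from the page; the manifest shape, the permission names, the pinned-version allowlist and the four sample manifests are constructed for the demo.

```python
APPROVED_SKILLS = {   # constructed allowlist, pinned by version; "reviewed" means a human
    "weather": {"version": "1.4.2", "reviewed": False},    # has read that version's code
    "calendar": {"version": "0.9.0", "reviewed": False},
    "backup": {"version": "2.0.1", "reviewed": True},
}
RISKY = {"shell", "fs:write"}      # the two permissions the prompt says need manual review
EXFIL_COMBOS = [                    # permission pairs that let a skill read secrets and send them out
    ({"env:read", "network"}, "can read the environment (API keys) and reach the network"),
    ({"fs:read", "network"}, "can read local files and reach the network"),
]

def review_skill(manifest, approved=APPROVED_SKILLS):
    """Return (decision, reasons); decision is install, manual_review or block.
    Flags are computed first so a blocked skill still reports why it looked suspicious."""
    name, version = manifest["name"], manifest.get("version")
    perms = set(manifest.get("permissions", []))
    reasons = [f"flag: {why}" for combo, why in EXFIL_COMBOS if combo <= perms]
    entry = approved.get(name)
    if entry is None:
        return "block", reasons + [f"{name} is not on the approved list"]
    if entry["version"] != version:
        # pinning matters: a benign skill can turn malicious in its next release
        return "block", reasons + [f"{name}@{version} differs from approved {entry['version']}"]
    risky = perms & RISKY
    if risky and not entry["reviewed"]:
        return "manual_review", reasons + [
            f"requests {sorted(risky)} and has not been manually reviewed"]
    return "install", reasons

def audit_installed(manifests, approved=APPROVED_SKILLS):
    """Milestone 5 step 3: every installed skill that would not pass the policy cleanly today."""
    report = {}
    for m in manifests:
        decision, reasons = review_skill(m, approved)
        if decision != "install" or reasons:
            report[m["name"]] = (decision, reasons)
    return report

INSTALLED = [   # constructed manifests standing in for what is installed right now
    {"name": "weather", "version": "1.4.2", "permissions": ["network"]},
    {"name": "calendar", "version": "0.9.0", "permissions": ["shell", "network"]},
    {"name": "backup", "version": "2.0.1", "permissions": ["fs:read", "fs:write", "network"]},
    {"name": "free-gpu-credits", "version": "0.0.3", "permissions": ["env:read", "network"]},
]

if __name__ == "__main__":
    for name, (decision, reasons) in audit_installed(INSTALLED).items():
        print(f"{name}: {decision}", *reasons, sep="\n    ")
```

Pinning a version is the minimum; if the skill registry exposes a content hash for the downloaded artifact, record that in the allowlist instead of the version string, so a re-published package with the same version number is caught too.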
What You Built
Remember that open-door agent anyone could walk into? You just:
- Audited your entire setup and found the vulnerabilities
- Added token authentication with brute-force protection
- Moved all API keys to secure environment variables
- Sandboxed agent execution in Docker containers
- Created a skill whitelist so nothing runs without approval
Your agent is no longer in the 93%. Same functionality, none of the exposure.
Take It Further
- Set up Tailscale — access your agent securely from anywhere without exposing ports
- Add monitoring — get alerts when authentication fails repeatedly
- Schedule monthly audits — cron job to re-run the security check automatically
Ready to build your first AI agent?
Live Zoom workshop + 1 month WhatsApp follow-up with Yuval Keshtcher (Hebrew)
Learn about the Workshop