$ security audit --fix
Security

Hardening Your OpenClaw: Security Audit and Access Control Checklist

Run a comprehensive security audit on your OpenClaw deployment. Learn about DM policies, allowlists, sandboxing, and permission hygiene for production environments.

OT
OPENCLAW.EXPERT TEAM
|JAN 3, 2025|11 MIN READ

Running the Security Audit

OpenClaw includes a built-in security audit tool:

openclaw security audit --deep --fix

This scans for:

  • Overly permissive access controls

  • Missing authentication

  • Insecure file permissions

  • Exposed credentials

    • DM Policy Configuration

    Control who can message your bot:

    Pairing Mode (Recommended for Personal Use)

    {
      "channels": {
        "whatsapp": {
          "dmPolicy": "pairing"
        }
      }
    }

    New contacts receive a pairing code they must enter to start messaging.

    Allowlist Mode (Recommended for Business)

    {
      "channels": {
        "whatsapp": {
          "dmPolicy": "allowlist",
          "allowFrom": ["+1555123456", "+1555789012"]
        }
      }
    }

    Only pre-approved numbers can interact with your bot.

    Group Chat Policies

    Restrict to Specific Groups

    {
      "channels": {
        "telegram": {
          "groupPolicy": "allowlist",
          "allowedGroups": ["-1001234567890"]
        }
      }
    }

    Group Policy Options

  • allowlist: Only allowed groups

  • open: Any group (not recommended)

  • ask: Prompt for approval

    • Sandboxing Tool Execution

    Isolate potentially dangerous operations in Docker containers:

    {
      "sandbox": {
        "enabled": true,
        "docker": {
          "image": "openclaw/sandbox:latest"
        }
      }
    }

    File Permission Hygiene

    Ensure proper permissions on your OpenClaw directory:

    # Check permissions
    ls -la ~/.openclaw
    # Fix permissions
    chmod 700 ~/.openclaw
    chmod 600 ~/.openclaw/openclaw.json
    chmod 600 ~/.openclaw/credentials/*

    Credential Storage

    Credentials are stored in ~/.openclaw/credentials/ with:

  • Directory permissions: 700 (owner only)

  • File permissions: 600 (owner read/write only)

    • Never commit credentials to version control!

    Reverse Proxy Security

    If running behind nginx/Caddy/Traefik:

    {
      "gateway": {
        "trustedProxies": ["127.0.0.1", "::1"]
      }
    }

    This ensures X-Forwarded-For headers are only trusted from your proxy.

    Production Checklist

    Before going live:

  • [ ] DM policy is not "open"

  • [ ] Group policy restricts access

  • [ ] Sandboxing is enabled for tool execution

  • [ ] File permissions are 700/600

  • [ ] Credentials are not in version control

  • [ ] Gateway authentication is enabled for remote access

  • [ ] Regular security audits scheduled

    • Enterprise Security

    Need SOC 2 compliance or custom security configurations? Contact us for enterprise hardening services.

    Need Professional OpenClaw Setup?

    Skip the technical hassle. Our expert team handles installation, configuration, and ongoing support so you can focus on what matters.

    Get Professional SetupView Services
    Back to All Articles