UPDATED MARCH 2, 2026 · 6 MIN READ

OpenClaw Security Hardening Checklist (2026)

Eleven things every OpenClaw deployment should check. Each item includes the exact command to run and what a pass/fail looks like. This covers the most impactful items from the BulwarkAI Security Blueprint's full 40-point audit. Updated March 2026 with ClawJacked (CVE-2026-25253) checks.

March 2026 update: ClawJacked (CVE-2026-25253) — any website can silently hijack your OpenClaw agent via WebSocket brute-force. Items 1 and 2 below address this directly. Update to v2026.2.25+ and audit your registered devices immediately.

Run these in order. Items 1-5 are critical — if any of those fail, stop and fix them before moving on. For a deep dive on what the built-in audit misses and how an open-source scanner fills the gaps, see You Ran openclaw security audit. Here’s the Other 40%.

1. Patch ClawJacked — CVE-2026-25253 CRITICAL

Any website can hijack your OpenClaw agent via WebSocket brute-force. The gateway exempts localhost from its rate limiter and auto-approves device pairing, so an attacker needs nothing more than a browser tab on your machine. Minimum safe version: 2026.2.25. See the full ClawJacked analysis.

openclaw --version
# Must show 2026.2.25 or later
# If behind: openclaw update

Pass: Version 2026.2.25 or later.
Fail: Any earlier version. Run openclaw update immediately.

2. Audit registered devices CRITICAL

If you were running an unpatched version, an attacker may have silently registered as a trusted device via ClawJacked. Even after patching, the rogue device retains access. No notification is shown when this happens.

# Open Control UI → Settings → Devices
# Remove any device you don't recognize
# If unknown devices found:
#   1. Assume compromise
#   2. Rotate ALL credentials (API keys, OAuth tokens, secrets)
#   3. Check for persistence (see items 9-10 below)

Pass: Every registered device is one you personally paired.
Fail: Unknown devices present. Remove them and follow the post-compromise remediation steps.

3. Gateway binding CRITICAL

If your gateway is bound to 0.0.0.0 instead of 127.0.0.1, anyone on your network (or the internet, if on a VPS) can connect to your agents.

grep -i "bind" ~/.openclaw/openclaw.json
netstat -an | grep 18789 | grep LISTEN

Pass: Shows 127.0.0.1:18789 or loopback.
Fail: Shows 0.0.0.0:18789. Fix: openclaw config set gateway.bind "loopback"
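The netstat line above is the manual check. As an added example (not OpenClaw's own tooling), the function below does the same classification over listener output piped in from `ss -ltn` or `netstat -an` on Linux, and also catches the IPv6 wildcard forms (`::`, `[::]`, `*`) that a grep for `0.0.0.0` misses. The port 18789 default is the gateway port from the checklist; everything else is an assumption.

```shell
#!/bin/sh
# Added example, not OpenClaw's own tooling: classify gateway listeners.
# Feed listener lines from `ss -ltn` or `netstat -an` (Linux formats) on
# stdin. Port 18789 is the gateway port the checklist uses; override it
# with the first argument. Exit 0 if every listener on that port is
# loopback-only, 1 if any is bound to a wildcard or external address.
check_gateway_bind() {
    port="${1:-18789}"
    status=0
    while read -r line; do
        # only listening sockets matter (ss puts LISTEN first, netstat last)
        case "$line" in
            *LISTEN*) ;;
            *) continue ;;
        esac
        # local-address field: the first token that ends in :<port>
        addr=""
        for tok in $line; do
            case "$tok" in
                *:"$port") addr="$tok"; break ;;
            esac
        done
        [ -n "$addr" ] || continue
        # strip the port: 127.0.0.1:18789 -> 127.0.0.1, [::]:18789 -> [::], :::18789 -> ::
        host="${addr%:*}"
        case "$host" in
            127.*|"[::1]"|"::1"|localhost)
                echo "OK   loopback listener $addr" ;;
            0.0.0.0|"*"|"::"|"[::]"|"")
                # IPv6 wildcards are the ones people miss when they only
                # grep for 0.0.0.0; they expose the port just the same
                echo "FAIL wildcard listener $addr (reachable from the network)"
                status=1 ;;
            *)
                echo "FAIL non-loopback listener $addr"
                status=1 ;;
        esac
    done
    return "$status"
}

# Stand-alone use on the host itself:
#   ss -ltn | sh check_bind.sh check
#   netstat -an | sh check_bind.sh check 18789
case "${1:-}" in
    check) check_gateway_bind "${2:-18789}" ;;
esac
```

The exit status is what you would wire into a cron job or CI gate; the per-line OK/FAIL output is for a human reading it. Lines for other ports are ignored, so the whole listener table can be piped in unfiltered.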

4. Firewall rules (VPS deployments) CRITICAL

Even with localhost binding, a misconfigured firewall or Docker port mapping can expose your gateway externally.

# Check UFW
sudo ufw status
# External check (from a different machine)
nmap -p 18789 YOUR_VPS_IP

Pass: Port 18789 is filtered/closed externally.
Fail: Port is open. Fix: sudo ufw deny 18789

5. Credential file permissions CRITICAL

API keys and tokens should only be readable by your user. World-readable credentials are an instant exfiltration risk. See also: 5 Levels of API Key Protection for a full credential hardening hierarchy beyond file permissions.

ls -la ~/.openclaw/credentials/
# Should show -rw------- (600) for all files

Pass: All files show -rw------- (600).
Fail: Any file is group/world readable. Fix: chmod 600 ~/.openclaw/credentials/*
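Reading `ls -la` output by eye works for a handful of files; as an added example (not OpenClaw's own tooling), the function below makes the same pass/fail decision mechanically. It uses GNU find's `-perm /077`, which matches when any group or other permission bit is set, and it also checks the directory itself, since a 755 directory lets other users list and open 600 files' names even if they cannot read the contents. The directory default is the checklist's path; the function name is an assumption.

```shell
#!/bin/sh
# Added example, not OpenClaw's own tooling: fail if any credential file
# or the credentials directory is accessible to group/other.
# Assumes GNU find (-perm /mode), i.e. a normal Linux host.
# Exit 0 = pass, 1 = loose permissions found, 2 = directory missing.
check_cred_perms() {
    dir="${1:-$HOME/.openclaw/credentials}"
    [ -d "$dir" ] || { echo "FAIL $dir does not exist"; return 2; }
    bad=0

    # The directory: anything beyond 700 lets other users enumerate entries.
    if [ -n "$(find "$dir" -maxdepth 0 -perm /077)" ]; then
        echo "FAIL directory $dir is group/world accessible (want 700)"
        echo "     fix: chmod 700 '$dir'"
        bad=$((bad + 1))
    fi

    # The files: -perm /077 matches when ANY group/other bit (r, w or x) is set.
    loose=$(find "$dir" -type f -perm /077 | wc -l | tr -d ' ')
    if [ "$loose" -gt 0 ]; then
        echo "FAIL $loose file(s) readable or writable by group/other (want 600):"
        find "$dir" -type f -perm /077 -exec ls -l {} +
        echo "     fix: chmod 600 '$dir'/*"
        bad=$((bad + loose))
    fi

    if [ "$bad" -eq 0 ]; then
        echo "PASS $dir is 700 and every file in it is 600"
        return 0
    fi
    return 1
}

# Stand-alone use: sh check_creds.sh [directory]
case "${1:-}" in
    "") ;;
    *) check_cred_perms "$1" ;;
esac
```

Running it as a non-root user is the realistic case; root can read anything regardless of mode bits, so the check is about what other local accounts (and any process a skill spawns under them) can reach.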

6. Identity file baseline HIGH

Your identity.json controls agent personas and permissions. A malicious skill can modify it to escalate its own access. Create a hash baseline and check it weekly.

# Create baseline (first time)
sha256sum ~/.openclaw/identity.json > ~/.openclaw/.identity-baseline

# Check baseline (weekly or after skill installs)
sha256sum -c ~/.openclaw/.identity-baseline

Pass: Hash matches baseline.
Fail: Hash mismatch. Investigate what changed before proceeding.

7. Scan all skill directories HIGH

The built-in audit only checks ~/.openclaw/skills/. Skills can hide in project directories, custom paths, or locations created by other skills.

# Find ALL SKILL.md files on your system
find / -name "SKILL.md" -type f 2>/dev/null | grep -v node_modules

# Compare to what OpenClaw knows about
openclaw skills list --paths

Pass: Both lists match.
Fail: Unknown SKILL.md files found. Investigate each one.

8. Audit MCP server configurations HIGH

MCP servers give skills access to external tools. The built-in audit checks if MCP is enabled but doesn't verify what each server can do. The ClawHavoc campaign used MCP servers to proxy API calls through attacker endpoints.

grep -A 20 '"mcpServers"' ~/.openclaw/config.json
# For each server: does this skill need this access?
# Is the binary/URL from a trusted source?

Pass: Every MCP server is from a known source and has appropriate scope.
Fail: Unknown servers, overly broad access, or unverifiable binaries.

9. Check for persistence mechanisms HIGH

Malicious skills can survive uninstallation through cron jobs, shell profile injection, or symlinks.

# Cron jobs you didn't create
crontab -l

# Shell profile changes after skill installs
ls -la ~/.bashrc ~/.zshrc ~/.bash_profile 2>/dev/null

# Symlinks in skill directories
find ~/.openclaw -type l -ls

Pass: No unexpected entries in any of the three checks.
Fail: Unknown cron jobs, recent profile changes, or suspicious symlinks.
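The identity baseline in item 6 and the shell-profile check here are the same problem: files that should only change when you change them. As an added example (not OpenClaw's own tooling), the script below generalises the `sha256sum` baseline from item 6 to a list of files, so identity.json and the shell profiles are verified in one run, and it treats a vanished file as a failure rather than skipping it. The baseline path, function names and file list are assumptions.

```shell
#!/bin/sh
# Added example, not OpenClaw's own tooling: hash-baseline a set of files
# and verify them later. Covers identity.json (item 6) and the shell
# profiles from the persistence check (item 9) in one baseline.
# Assumes GNU coreutils sha256sum.
BASELINE="${BASELINE:-$HOME/.openclaw/.integrity-baseline}"

# make_baseline BASELINE FILE... : record the SHA-256 of every listed file
# that exists (profiles you do not use are simply skipped).
make_baseline() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        if [ -f "$f" ]; then
            sha256sum "$f" >> "$out"
        fi
    done
    echo "recorded $(wc -l < "$out" | tr -d ' ') file(s) in $out"
}

# check_baseline BASELINE : exit 0 if every recorded hash still matches,
# 1 if any file changed or disappeared, 2 if there is no baseline yet.
# sha256sum -c reports a missing file as FAILED, which is what we want:
# a deleted identity.json is as suspicious as an edited one.
check_baseline() {
    [ -f "$1" ] || { echo "FAIL no baseline at $1; run make_baseline first"; return 2; }
    if sha256sum -c --quiet --strict "$1"; then
        echo "PASS all files match $1"
        return 0
    fi
    echo "FAIL one or more files changed or vanished since $1 was recorded"
    return 1
}

# Stand-alone use:
#   sh baseline.sh create    # once, and again after a change YOU made
#   sh baseline.sh check     # weekly, and after every skill install
case "${1:-}" in
    create) make_baseline "$BASELINE" \
                "$HOME/.openclaw/identity.json" \
                "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.bash_profile" ;;
    check)  check_baseline "$BASELINE" ;;
esac
```

Keep the baseline file itself outside any directory a skill can write to, or at least re-create it only after you have reviewed a change; a baseline that an attacker can rewrite along with the file it protects verifies nothing.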

10. Review agent permissions scope MEDIUM

Each agent should have the minimum permissions it needs. The "lethal trifecta" (read + network + execute) should be broken for every agent.

# Review permissions in your config
grep -A 20 '"permissions"' ~/.openclaw/openclaw.json
# Each agent should have explicit deny rules for:
# ~/.ssh, ~/.aws, ~/.config, credentials

Pass: Every agent has scoped filesystem, network, and execution permissions.
Fail: Any agent with unrestricted access to all three. See The 40% Gap for the fix.

11. Review outbound network traffic MEDIUM

A skill can be configured correctly and still exfiltrate data through legitimate-looking API calls.

openclaw logs --filter network | grep -oE 'https?://[^/ ]+' | sort -u
# Lists each unique scheme://host[:port] once, instead of every full URL.
# Every host should be: your LLM provider, a configured MCP server,
# or a service you explicitly set up

Pass: All domains are recognized and expected.
Fail: Unknown domains. Investigate immediately — this could be active exfiltration.
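Comparing that host list against what you expect is the step that is easy to skip. As an added example (not OpenClaw's own tooling), the function below takes the `openclaw logs --filter network` output and an allowlist file and prints only the hosts that are not on the list, exiting 0 when every host is recognised. It normalises case and ports and, importantly, strips any userinfo before `@`, so a URL such as `https://api.openai.com@collect.evil-example.test/...` is attributed to the real destination rather than to the name in front of the `@`. The log lines and allowlist in the demo are constructed; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not OpenClaw's own tooling: reduce network log lines to
# the hosts they contact and report any host missing from an allowlist.
#
# unknown_hosts ALLOWLIST_FILE [LOG_FILE]   (reads the log from stdin if omitted)
# Prints unknown hosts, one per line. Exit 0 = all hosts allowed, 1 = unknown found.
unknown_hosts() {
    allow="$1"; log="${2:--}"
    tmp=$(mktemp)
    # Normalise the allowlist: drop comments, whitespace and blank lines
    # (a blank pattern would make grep -F match everything and hide findings).
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$allow" | tr 'A-Z' 'a-z' > "$tmp"
    # 1. pull scheme://authority out of each line (stop at path, space or quote)
    # 2. drop the scheme, then everything up to '@' (userinfo), then a trailing :port
    # 3. lower-case, dedupe, and keep only hosts NOT in the allowlist
    if cat "$log" \
        | grep -oE "https?://[^/[:space:]\"'<>]+" \
        | sed -E -e 's#^https?://##' -e 's#^[^@]*@##' -e 's#:[0-9]+$##' \
        | tr 'A-Z' 'a-z' | sort -u \
        | grep -vxF -f "$tmp"; then
        found=1      # grep -v printed at least one unknown host
    else
        found=0      # nothing printed: every host was allowlisted
    fi
    rm -f "$tmp"
    [ "$found" -eq 0 ]
}

# Demo on constructed data: an allowlist of three expected hosts and five
# log lines, two of which go somewhere else (a userinfo trick and a bare IP).
demo_unknown_hosts() {
    a=$(mktemp); l=$(mktemp)
    cat > "$a" <<'EOF'
# constructed allowlist: LLM provider, one MCP server, one explicit service
api.openai.com
mcp.internal.example
Api.Github.Com
EOF
    cat > "$l" <<'EOF'
2026-03-01T10:00:01Z net POST https://api.openai.com/v1/chat/completions 200
2026-03-01T10:00:02Z net GET https://mcp.internal.example:8443/tools 200
2026-03-01T10:00:03Z net GET https://api.github.com/repos/x/y 200
2026-03-01T10:00:04Z net POST https://api.openai.com@collect.evil-example.test/upload 200
2026-03-01T10:00:05Z net GET http://198.51.100.7/beacon?id=1 200
EOF
    if unknown_hosts "$a" "$l"; then rc=0; else rc=1; fi
    rm -f "$a" "$l"
    return "$rc"
}

# Real use:  openclaw logs --filter network | sh outbound.sh ~/.openclaw/allowed-hosts
case "${1:-}" in
    "")  if demo_unknown_hosts; then echo "PASS (demo)"; else echo "FAIL (demo): investigate the hosts above"; fi ;;
    *)   unknown_hosts "$1" ;;
esac
```

The allowlist is exact-match on host names, so a provider that fans out across subdomains needs each one listed; that is deliberate, because a suffix rule like `*.example` is exactly what a look-alike host would exploit. Bare IPv6 literals without a port are not handled by the port-stripping step and would need a separate rule.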

Want the full 40-point audit?

This checklist covers the top 11 checks. The Security Blueprint includes the complete 40-point audit with executable scripts, hardened configs for 4 deployment types, the 1,184-skill IOC database, and the ClawJacked advisory with detection script.

Security Blueprint: $97. Personalized report: $297.

Peter Kwidzinski is a Platform Security Architect with 20+ years in the industry. He built BulwarkAI to close the gap between free security tools and personalized expert analysis for OpenClaw deployments.
