OpenClaw Security Checklist: 14 Steps to Harden Your Setup

Over 40,000 OpenClaw instances are exposed to the internet right now. A critical RCE vulnerability, a malware campaign with hundreds of poisoned skills, and weak default settings have put thousands of users at risk. This is the step-by-step hardening guide that should have existed months ago.

The threat landscape in 2026

Researchers reported over 40,000 OpenClaw instances reachable from the public internet. CVE-2026-25253 allows one-click RCE via crafted skill cards. ClawHavoc planted 341 malicious skills on ClawHub.

If you have not installed OpenClaw yet, bookmark this and follow it immediately after setup.

The 14-step security checklist

1. Update to OpenClaw 3.13 or later

openclaw --version
openclaw update --to 3.13

2. Set a strong gateway token

openclaw doctor --generate-gateway-token
openclaw config get gateway.auth.token

3. Bind the gateway to loopback only

openclaw config set gateway.bind loopback
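Binding to loopback only helps if the running gateway actually honours the setting, so it is worth checking the listening sockets after the restart. The following script is an added example, not code from the page or from the OpenClaw project: it parses the output of `ss -ltn` and flags any listener on the gateway port that is bound to a wildcard or external address. The gateway port (18789) and the `ss` column layout are assumptions; substitute whatever `openclaw config get gateway.port` reports on your host.

```shell
#!/bin/sh
# Added example: confirm that the OpenClaw gateway only listens on loopback.
# The port number is an assumption; override it with GATEWAY_PORT=<port>.
GATEWAY_PORT="${GATEWAY_PORT:-18789}"

# Read `ss -ltn` output on stdin and print the "Local Address:Port" column
# (column 4), skipping the header line.
listening_addrs() {
    awk 'NR > 1 { print $4 }'
}

# check_gateway_bind PORT  (listener addresses on stdin, one per line)
# Returns 0 when every listener on PORT is a loopback address, 1 when any
# listener is on a wildcard (*, 0.0.0.0, [::]) or external address.
check_gateway_bind() {
    port="$1"
    bad=0
    while IFS= read -r addr; do
        case "$addr" in
            *:"$port") ;;          # only sockets on the gateway port matter
            *) continue ;;
        esac
        host="${addr%:*}"          # strip ":port"; IPv6 looks like [::1]:port
        case "$host" in
            127.0.0.1|'[::1]'|localhost) ;;
            *) echo "gateway port $port exposed on $host"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
# The IPv6 wildcard listener on line 3 is the kind of mistake this catches.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    127.0.0.1:18789      0.0.0.0:*
LISTEN 0      128    [::]:18789           [::]:*
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*'

if printf '%s\n' "$SAMPLE_SS" | listening_addrs | check_gateway_bind "$GATEWAY_PORT"; then
    echo "ok: port $GATEWAY_PORT only listens on loopback"
else
    echo "ACTION: run 'openclaw config set gateway.bind loopback' and restart the gateway"
fi
```

On a live host, replace the sample with `ss -ltn | listening_addrs | check_gateway_bind "$GATEWAY_PORT"`. A dual-stack gateway that binds 127.0.0.1 but also `[::]` is still reachable from the internet over IPv6, which is why the check treats `[::]` as exposed.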

4. Audit and remove untrusted ClawHub skills

openclaw skills list --installed
openclaw skills remove <skill-name>

5. Disable automatic skill approval

openclaw config set skills.auto_approve false

6. Run OpenClaw inside Docker

7. Secure your API keys

echo "ANTHROPIC_API_KEY=sk-ant-..." >> ~/.openclaw/.env
chmod 600 ~/.openclaw/.env

8. Set strict file permissions

chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/.env
chmod 600 ~/.openclaw/config.yaml
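Two things a practitioner wants on top of steps 7 and 8: a way to write the key that does not leave it in shell history or a process listing (an `echo "...=sk-ant-..."` on the command line does both), and a repeatable check that the modes stay as the page prescribes. The script below is an added example, not code from the page or the OpenClaw project. It uses the page's paths (~/.openclaw, .env, config.yaml); the OPENCLAW_HOME variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example for steps 7 and 8. OPENCLAW_HOME defaults to the page's
# ~/.openclaw; everything else here is an assumption, not OpenClaw's own code.
OPENCLAW_HOME="${OPENCLAW_HOME:-$HOME/.openclaw}"

# Octal mode of a path, portable across GNU stat and BSD/macOS stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# store_api_key NAME   (the secret is read from stdin, never from argv)
# Reading from stdin keeps the key out of ~/.bash_history and `ps` output.
# The file is created under umask 077, so it is 0600 from the first byte, and
# an existing NAME= line is replaced rather than appended a second time.
store_api_key() {
    name="$1"
    envfile="$OPENCLAW_HOME/.env"
    IFS= read -r key
    mkdir -p "$OPENCLAW_HOME"
    chmod 700 "$OPENCLAW_HOME"
    tmp="$envfile.tmp"
    (
        umask 077
        {
            if [ -f "$envfile" ]; then grep -v "^$name=" "$envfile" || true; fi
            printf '%s=%s\n' "$name" "$key"
        } > "$tmp"
    )
    chmod 600 "$tmp"
    mv "$tmp" "$envfile"
}

# check_mode PATH WANT: print a fix-it line and return 1 if the mode differs.
# A missing file is not a permission problem, so it is skipped.
check_mode() {
    [ -e "$1" ] || return 0
    have=$(mode_of "$1")
    if [ "$have" != "$2" ]; then
        echo "FIX: $1 is mode $have, expected $2  (chmod $2 '$1')"
        return 1
    fi
}

# audit_permissions: the page's modes, 700 on the directory and 600 on the
# secret-bearing files. Returns 1 if anything needs fixing.
audit_permissions() {
    rc=0
    check_mode "$OPENCLAW_HOME" 700 || rc=1
    check_mode "$OPENCLAW_HOME/.env" 600 || rc=1
    check_mode "$OPENCLAW_HOME/config.yaml" 600 || rc=1
    return "$rc"
}

# Interactive use: the key is typed at the prompt, not placed on the command line.
#   printf 'Paste API key: '; store_api_key ANTHROPIC_API_KEY
audit_permissions && echo "no permission problems found under $OPENCLAW_HOME"
```

Run `audit_permissions` after every update and from the periodic review in step 14; an installer or editor that recreates config.yaml can silently widen its mode.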

9. Disable unused channels

openclaw channels status
openclaw channels disable <channel-name>

10. Add firewall rules for the gateway port

11. Enable gateway TLS

12. Review agent permissions and tool access

13. Set up logging and monitoring
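Logging is only useful with something watching it. The script below is an added example, not code from the page or the OpenClaw project: it runs two simple detections over gateway log lines, counting failed token authentications per source address and listing skill installs so they can be compared against the audited list from step 4. The log format (timestamp, level, component, `key=value` fields) and the sample lines are constructed assumptions; adjust the patterns to whatever your gateway actually writes.

```shell
#!/bin/sh
# Added example for step 13. The log format is an assumption; the sample
# below is constructed, with RFC 5737 documentation addresses as sources.

# failed_auth_by_source LOG
# Prints "<count> <src>" for every source address with failed gateway auth,
# highest count first.
failed_auth_by_source() {
    awk '/ auth failed / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++ }
         }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# alert_bruteforce LOG THRESHOLD
# Returns 1 (and prints an ALERT line) when any source reaches THRESHOLD
# failed attempts, 0 otherwise. Feed the exit status to your pager or cron.
alert_bruteforce() {
    failed_auth_by_source "$1" | awk -v t="$2" '
        $1 >= t { print "ALERT: " $1 " failed gateway auth attempts from " $2; hit = 1 }
        END     { exit hit ? 1 : 0 }'
}

# skill_installs LOG
# Prints the name of every skill the log records as installed, so new entries
# can be checked against the list you audited in step 4.
skill_installs() {
    awk '/ skill installed / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^name=/) { sub(/^name=/, "", $i); print $i }
         }' "$1"
}

# Constructed sample log (not from a real OpenClaw host).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2026-03-02T10:15:01Z INFO  gateway listening addr=127.0.0.1:18789
2026-03-02T10:15:07Z WARN  gateway auth failed reason=bad_token src=203.0.113.7
2026-03-02T10:15:08Z WARN  gateway auth failed reason=bad_token src=203.0.113.7
2026-03-02T10:15:08Z WARN  gateway auth failed reason=bad_token src=203.0.113.7
2026-03-02T10:15:09Z WARN  gateway auth failed reason=bad_token src=203.0.113.7
2026-03-02T10:15:10Z WARN  gateway auth failed reason=bad_token src=203.0.113.7
2026-03-02T10:15:31Z WARN  gateway auth failed reason=bad_token src=198.51.100.9
2026-03-02T10:15:45Z INFO  gateway auth ok src=127.0.0.1
2026-03-02T10:16:40Z INFO  skills skill installed name=summarizer-pro source=clawhub
EOF

echo "failed auth by source:"
failed_auth_by_source "$SAMPLE_LOG"
alert_bruteforce "$SAMPLE_LOG" 5 || echo "(threshold 5 reached)"
echo "skills installed since last review:"
skill_installs "$SAMPLE_LOG"
```

With the gateway bound to loopback (step 3) and firewalled (step 10), any non-loopback source in the failed-auth report is itself a finding: it means the port is reachable from somewhere it should not be.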

14. Schedule regular security reviews

Bottom line

Steps 1 through 5 are critical and take under ten minutes. The rest add defense-in-depth. See our NemoClaw comparison for enterprise security alternatives.
