OpenClaw Security Best Practices: Protect Your Local Agent

Look, I'm going to be blunt with you: if you're running an OpenClaw agent on your local machine right now and you haven't touched the security settings, you're basically leaving your front door wide open with a sign that says "come on in, read my SSH keys, and maybe nuke my project directory while you're at it."

I don't say that to scare you. I say it because I've been there. About three months into using OpenClaw, I watched my agent — which was supposed to be summarizing research papers — casually read my .env file, pull out my API keys, and attempt to make calls to services I hadn't even told it about. Nothing malicious happened, but the potential was sitting right there, and I hadn't done a single thing to prevent it.

That was my wake-up call. Since then, I've gone deep on OpenClaw's security model, and I want to walk you through everything I've learned so you don't have to piece it together from scattered Discord threads and half-outdated GitHub issues.

The Core Problem: Your Agent Has Your Permissions

Here's the fundamental issue that most people don't think about until something goes wrong.

When you spin up an OpenClaw agent on your machine, that agent runs with the same operating system permissions as you. Whatever you can read, write, execute, or delete — your agent can too. And unlike you, your agent is a non-deterministic language model that can be influenced by prompt injection, hallucinate tool calls, or just make plain bad decisions about what actions to take.

This means your agent can:

• Read ~/.ssh/ and ~/.aws/ credentials
• Access every environment variable on your system
• Write to any file your user account can write to
• Execute arbitrary shell commands
• Make network requests to anywhere
• Spawn processes, open browser instances, and consume unlimited resources

And the default OpenClaw configuration? It ships with most tools enabled and very few guardrails. That's great for getting started quickly. It's terrible for anything resembling production use or even responsible local development.

Step 1: Lock Down the Workspace Directory

The single most impactful thing you can do is restrict your agent's file system access. By default, OpenClaw agents can read and write anywhere your user can. You need to change that immediately.

In your openclaw.config.yaml:

workspace:
  root: ./agent-workspace
  permissions:
    read:
      - ./agent-workspace/input
      - ./agent-workspace/data
    write:
      - ./agent-workspace/output
    deny:
      - ~/.ssh
      - ~/.aws
      - ~/.gnupg
      - ~/.env
      - ./.env
      - ./node_modules
      - ./.git

This does three things: it sets a root workspace so the agent thinks of ./agent-workspace as its home base, it explicitly lists which subdirectories are readable vs. writable, and it creates a deny list of sensitive paths the agent should never touch.

A few things to note here. The deny list takes priority over everything else. If a path shows up in both read and deny, the agent can't access it. Also, these paths are resolved relative to wherever you launch OpenClaw from, so be intentional about your working directory.

I also recommend creating the workspace structure before your agent runs:

mkdir -p agent-workspace/{input,output,data,temp}

This way your agent has clear, separated directories for different purposes and you can audit what ended up where after a run.

Step 2: Implement Tool-Level Permissions

File system restrictions are just the beginning. The real power — and the real danger — lives in OpenClaw's tool system. Tools are how your agent interacts with the world: shell execution, web browsing, API calls, code interpretation, file manipulation, and more.

Here's what a locked-down tool configuration looks like:

tools:
  enabled:
    - file_read
    - file_write
    - web_search
    - code_interpreter
  disabled:
    - shell_execute
    - browser_navigate
    - system_command
    - process_spawn
  
  tool_config:
    file_read:
      allowed_extensions: [".txt", ".md", ".csv", ".json", ".pdf"]
      max_file_size_mb: 50
    file_write:
      allowed_extensions: [".txt", ".md", ".csv", ".json"]
      require_confirmation: true
    web_search:
      allowed_domains: ["*"]
      block_domains: ["pastebin.com", "hastebin.com", "file.io"]
    code_interpreter:
      language: python
      timeout_seconds: 30
      max_memory_mb: 512
      network_access: false

Let me walk through the important decisions:

Disable shell_execute unless you absolutely need it. This is the most dangerous tool in the entire framework. It gives your agent a full shell. If you must enable it, wrap it with require_confirmation: true and allowed_commands (more on that below).

Restrict file extensions. Your agent probably doesn't need to read .pem files or write .sh scripts. Be explicit about what file types are legitimate for your use case.

Sandbox the code interpreter. The network_access: false flag is critical. Without it, your agent can write a Python script that makes HTTP requests, effectively bypassing any network restrictions you've set elsewhere. The timeout and memory limits prevent runaway processes — I've had agents spawn infinite loops that ate 16GB of RAM before I added these.

Block known exfiltration domains. Paste sites and file-sharing services are the first place an agent (or an attacker using prompt injection) will try to send your data. Block them explicitly.

Step 3: Enable Human-in-the-Loop for Dangerous Actions

This is the single most underused feature in OpenClaw, and honestly, it's the one that's saved me the most times.

confirmation:
  require_for:
    - file_write
    - file_delete
    - shell_execute
    - api_call
    - code_interpreter
  mode: interactive  # options: interactive, batch, auto_deny
  timeout_seconds: 120
  default_on_timeout: deny

When require_confirmation is enabled for a tool, OpenClaw will pause the agent's execution and show you exactly what it wants to do:

[CONFIRMATION REQUIRED]
Tool: file_write
Path: ./agent-workspace/output/analysis.json
Size: 2.3KB
Content preview:
  {"results": [{"title": "Q3 Revenue Analysis", ...}]}

Allow this action? [y/n/inspect]:

The inspect option lets you see the full content before approving. This is invaluable for catching cases where the agent is about to write something unexpected.

If you're running the agent in a more automated fashion, batch mode collects all pending confirmations and presents them together, while auto_deny rejects anything that requires confirmation (useful for fully autonomous pipelines where you'd rather the agent fail than do something unauthorized).

Set default_on_timeout: deny. If you walk away from your computer and the agent asks for permission to do something, you want the answer to be "no," not "yes."

Step 4: Run in a Sandbox

Even with all the configuration above, you're still relying on OpenClaw's own permission enforcement, which runs in the same process as the agent. Defense in depth means adding OS-level isolation.

The easiest approach is Docker:

FROM python:3.11-slim

RUN useradd -m -s /bin/bash openclaw-agent
RUN pip install openclaw

USER openclaw-agent
WORKDIR /home/openclaw-agent

COPY openclaw.config.yaml .
COPY agent-workspace/input ./agent-workspace/input

CMD ["openclaw", "run", "--config", "openclaw.config.yaml"]

Run it with tight constraints:

docker run \
  --rm \
  --memory=1g \
  --cpus=1.0 \
  --network=none \
  --read-only \
  --tmpfs /tmp:size=100m \
  -v $(pwd)/agent-workspace/output:/home/openclaw-agent/agent-workspace/output \
  -e OPENCLAW_API_KEY=$OPENCLAW_API_KEY \
  my-openclaw-agent

Let's break down the critical flags:

• --network=none — No network access whatsoever. If your agent needs to make API calls, use --network=bridge with iptables rules to restrict outbound traffic to specific IPs.
• --read-only — The container file system is immutable. The agent can only write to the explicitly mounted output volume and the tmpfs.
• --memory=1g and --cpus=1.0 — Prevents resource exhaustion. Your agent doesn't need more than this for most tasks.
• --tmpfs /tmp:size=100m — Gives the agent a small scratch space that disappears when the container exits.

Never mount docker.sock into the container. I've seen tutorials that do this "for convenience." It gives the agent full control over your Docker daemon, which means full control over your host machine.

Step 5: Manage Secrets Properly

This is where most people mess up, including experienced developers who should know better.

Never pass secrets as environment variables in your openclaw.config.yaml. If your config file is in a git repo (and it probably is), those secrets will end up in your commit history.

Instead, use environment variables at runtime:

# openclaw.config.yaml
llm:
  provider: openclaw
  api_key: ${OPENCLAW_API_KEY}

integrations:
  github:
    token: ${GITHUB_TOKEN}

And pass them at execution time:

OPENCLAW_API_KEY=$(cat ~/.secrets/openclaw-key) \
GITHUB_TOKEN=$(cat ~/.secrets/github-token) \
openclaw run --config openclaw.config.yaml

Better yet, use a proper secret manager. If you're on macOS, the Keychain works. On Linux, pass or age encryption. For team environments, HashiCorp Vault or similar.

The critical thing is to also add deny rules for wherever your secrets live on disk:

workspace:
  permissions:
    deny:
      - ~/.secrets
      - ~/.config/gh
      - ~/.netrc

Because even if you don't tell the agent about your secrets, it can discover them if it has file system access to those paths.

Step 6: Enable Audit Logging

You need to know what your agent did, even (especially) when things go well:

logging:
  level: detailed
  output: ./agent-workspace/logs/audit.jsonl
  include:
    - tool_calls
    - tool_results  
    - llm_requests
    - llm_responses
    - permission_checks
    - confirmation_requests
  redact_secrets: true
  max_log_size_mb: 100

The detailed level captures every tool invocation with full arguments and return values. This is essential for post-run review and for debugging permission issues.

The redact_secrets flag will attempt to mask anything that looks like an API key, token, or password in the logs. It's not perfect — nothing is — but it's better than logging raw credentials.

After every agent run, I do a quick scan of the audit log:

cat agent-workspace/logs/audit.jsonl | jq 'select(.type == "tool_call")' | head -50

This gives me a chronological list of every tool the agent used, and I can quickly spot anything unexpected.

A Faster Way to Get All of This Right

Here's the thing — I've spent weeks dialing in these configurations, debugging edge cases, and figuring out which combination of settings actually provides meaningful security without making the agent useless. If you're getting started with OpenClaw and you don't want to go through that same trial-and-error process, Felix's OpenClaw Starter Pack on Claw Mart is genuinely worth the $29.

It includes pre-configured skills with sensible security defaults already baked in — workspace isolation, tool permissions, confirmation prompts for dangerous actions, and logging are all set up out of the box. The configurations are well-commented so you understand what each setting does and can customize from a working baseline instead of starting from zero. I wish it had existed when I was getting started because it would have saved me a lot of "why did my agent just do that?" moments.

It's not a replacement for understanding these concepts — you still need to know why you're locking things down — but it's an excellent starting point that gets you to "secure by default" without the headache.

Putting It All Together: A Security Checklist

Before you run any OpenClaw agent that touches real data or has access to real credentials, make sure you've addressed every item:

1. Workspace isolation — Agent is restricted to a specific directory with explicit read/write zones and a deny list for sensitive paths.
2. Tool restrictions — Only the tools the agent actually needs are enabled. Shell access is disabled or gated behind confirmation.
3. File type restrictions — The agent can only read and write file extensions relevant to its task.
4. Code interpreter sandbox — Timeouts, memory limits, and no network access.
5. Human-in-the-loop — Destructive or expensive actions require your explicit approval.
6. Container isolation — The agent runs in Docker with --network=none (or restricted), --read-only, and resource limits.
7. Secret management — No secrets in config files. Environment variables loaded at runtime from a secure source. Secret file paths on the deny list.
8. Audit logging — Full tool call and LLM interaction logging with secret redaction.
9. Resource limits — CPU, memory, and timeout caps both at the OpenClaw config level and the container level.
10. Exfiltration prevention — Blocked domains, disabled paste/upload tools, no unnecessary outbound network access.

Next Steps

If you've been running OpenClaw without any of this, don't panic — but also don't wait. Start with the workspace permissions and tool restrictions (Steps 1 and 2), because those give you the most protection for the least effort. Then add Docker sandboxing when you have time to set it up properly.

If you want to go deeper, look into OpenClaw's plugin permission system, which lets you define custom approval workflows for third-party tools, and explore the network proxy feature for controlling exactly which external services your agent can talk to.

Security for AI agents isn't a "set it and forget it" situation. The models get more capable, the tools get more powerful, and the attack surface grows. Build the habit of reviewing your audit logs after every significant run, and update your configurations as your use cases evolve.

Your agent is only as trustworthy as the constraints you put around it. Make those constraints count.