Using Claude to audit OpenClaw setup reveals security issues

✍️ OpenClawRadar | 📅 Published: April 20, 2026

OpenClaw security audit with Claude

A developer shared their experience using Claude to review their OpenClaw setup after encountering operational issues. The user had OpenClaw running on a dedicated computer isolated from their main network, following standard setup instructions and community guidelines.

Setup process and issues encountered

The installation involved:

  • Setting up Telegram integration successfully
  • Multiple attempts to configure Discord (user attributed initial failures to their own errors)
  • Creating a daily news briefing feature
  • Regular security audits during setup where OpenClaw identified minor issues that were subsequently fixed

The developer experienced persistent problems with the gateway component, which kept reporting restarts that weren't actually occurring.

Claude security review findings

When Claude was installed on the same machine and asked to audit the OpenClaw setup, it identified several significant security issues:

  • The bot was writing API keys in clear text in memory
  • API keys were also stored in clear text within JSON files
  • Additional security vulnerabilities beyond the API key exposure

After these findings, the developer had OpenClaw clear all exposed API data, and Claude recommended additional security settings to further lock down the installation.
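
For the second finding, API keys sitting in clear text in JSON files, a check of the following kind can be re-run after every configuration change. It is an added example, not code from the Reddit post or from OpenClaw; the key-name patterns, the entropy threshold and the directory to scan are assumptions, since the source does not give OpenClaw's file layout.

```python
import json, math, os, re, stat, sys
from collections import Counter

# Assumed heuristics, not OpenClaw's real schema: adjust for your install.
SECRET_NAME = re.compile(r"api[_-]?key|token|secret|passw(or)?d", re.I)
REFERENCE = re.compile(r"^\$\{?\w+\}?$")  # e.g. ${DISCORD_TOKEN}: a pointer, not a key

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def leaves(node, path=""):
    """Yield (json_path, value) for every string leaf in parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from leaves(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_file(fname):
    """Return (file, json_path, reason) findings; secret values are never echoed."""
    findings = []
    try:
        if stat.S_IMODE(os.stat(fname).st_mode) & 0o077:
            findings.append((fname, "<file>", "accessible by group/other; chmod 600"))
        with open(fname, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError):
        return findings  # missing, unreadable or not valid JSON: nothing to inspect
    for jpath, value in leaves(doc):
        if len(value) < 16 or REFERENCE.match(value):
            continue  # too short to be a key, or an environment-variable reference
        if SECRET_NAME.search(jpath):
            findings.append((fname, jpath, "secret-like key holds a literal value"))
        elif " " not in value and entropy(value) >= 4.0:
            findings.append((fname, jpath, "high-entropy string"))
    return findings

def scan_tree(root):
    """Scan every *.json file under root (whatever directory the bot writes to)."""
    return [f for d, _, files in os.walk(root) for name in sorted(files)
            if name.endswith(".json") for f in scan_file(os.path.join(d, name))]

if __name__ == "__main__":
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

The scanner reports only the file and JSON path of each hit, so its own output can be pasted into a chat or log without leaking the key again.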

Practical recommendation

The developer, who describes themselves as "technical but not that technical" and concerned about forgetfulness in their late 40s, strongly recommends having Claude recheck OpenClaw setups if possible. Their closing warning: "These bots lie!!"

📖 Read the full source: r/openclaw
