OpenClaw Security: The Hardened Baseline You Should Start With

Self-hosting OpenClaw does not mean it's self-securing. A post on r/openclaw highlights that the harder part isn't getting the bot running—it's deciding what the bot is allowed to do, who can reach it, and how much damage a bad message can cause. The post walks through OpenClaw's documented hardened baseline config, which starts closed and widens later.
Gateway: Local-Only First
The most common mistake is exposing the Gateway. The hardened baseline requires:
- gateway.mode: "local"
- gateway.bind: "loopback"
- gateway.auth.mode: "token"
Expose later only when you understand the boundary you're widening.
DM Session Isolation
If more than one person can DM the bot, you need session isolation so one person's conversation cannot bleed into another's context. The hardened baseline sets session.dmScope: "per-channel-peer", which gives each peer on each channel its own session. The rule: never combine shared DMs with broad tool access.
Tools Blast Radius
Most people think about who can message the bot before considering what authority a message inherits once it arrives. The hardened baseline:
- tools.profile: "messaging"
- Denies group:automation, group:runtime, group:fs
- Denies sessions_spawn and sessions_send
- fs.workspaceOnly: true
- exec.security: "deny" and exec.ask: "always"
- elevated.enabled: false
Start from denial, then re-enable the minimum you can justify.
Groups: Mention-Gated
Groups should be opt-in and mention-triggered unless you have a strong reason to loosen. The baseline uses requireMention: true for all groups.
Practical Starting Config
```json
{
  "gateway": {
    "mode": "local",
    "bind": "loopback",
    "auth": {
      "mode": "token",
      "token": "replace-with-long-random-token"
    }
  },
  "session": {
    "dmScope": "per-channel-peer"
  },
  "tools": {
    "profile": "messaging",
    "deny": [
      "group:automation",
      "group:runtime",
      "group:fs",
      "sessions_spawn",
      "sessions_send"
    ],
    "fs": {
      "workspaceOnly": true
    },
    "exec": {
      "security": "deny",
      "ask": "always"
    },
    "elevated": {
      "enabled": false
    }
  },
  "channels": {
    "whatsapp": {
      "dmPolicy": "pairing",
      "groups": {
        "*": {
          "requireMention": true
        }
      }
    }
  }
}
```
Four Questions Before Widening
Before opening anything, ask:
- Can the Gateway be reached from more places than needed?
- Can one person's DM context leak into another's session?
- Can an ordinary message inherit tool authority broader than intended?
- Can a room trigger the bot too easily?
If yes, the fix is config hardening, not prompt engineering. OpenClaw gives you the surfaces—use them.
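The four questions are checkable. The script below is an added example, not OpenClaw's own tooling or anything from the Reddit post: it reads a config like the one above and reports every key that has drifted from the baseline values the page lists, tagged with the question it answers. The mapping of each key to a question, the 32-character minimum it imposes on the token, and the "widened" config it audits are this example's own constructions.

```python
"""Audit an OpenClaw config against the hardened baseline on this page.

Added example, not OpenClaw's own tooling. It compares only the key paths the
page lists against the page's values; the token-length threshold and the
assignment of each key to one of the four questions are this script's own
assumptions, not documented OpenClaw behaviour.
"""
import copy
from typing import Any

# Tool groups and tools the baseline denies outright (values from the page).
BASELINE_DENY = {"group:automation", "group:runtime", "group:fs",
                 "sessions_spawn", "sessions_send"}

# The page's starting config, with a constructed 40-character token in place
# of the page's "replace-with-long-random-token" placeholder.
BASELINE: dict = {
    "gateway": {"mode": "local", "bind": "loopback",
                "auth": {"mode": "token",
                         "token": "8f3c1e9a4b7d2c6e5a1f0b9d8c7e6f5a4b3c2d1e"}},
    "session": {"dmScope": "per-channel-peer"},
    "tools": {"profile": "messaging",
              "deny": sorted(BASELINE_DENY),
              "fs": {"workspaceOnly": True},
              "exec": {"security": "deny", "ask": "always"},
              "elevated": {"enabled": False}},
    "channels": {"whatsapp": {"dmPolicy": "pairing",
                              "groups": {"*": {"requireMention": True}}}},
}

# A constructed "widened" config: the kind of drift the four questions catch.
WIDENED: dict = copy.deepcopy(BASELINE)
WIDENED["gateway"]["bind"] = "0.0.0.0"                                   # Q1: reachable off-host
WIDENED["gateway"]["auth"]["token"] = "replace-with-long-random-token"    # Q1: placeholder left in
WIDENED["tools"]["deny"].remove("group:fs")                               # Q3: filesystem tools back on
WIDENED["channels"]["whatsapp"]["groups"]["*"]["requireMention"] = False  # Q4: any message triggers


def get(cfg: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'gateway.auth.mode'; default if any part is absent."""
    node: Any = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(cfg: dict) -> list[str]:
    """Return one finding per deviation from the baseline, tagged Q1..Q4.

    Q1 reach, Q2 context bleed, Q3 tool authority, Q4 group triggering.
    An empty list means the config matches the baseline as the page states it.
    """
    out: list[str] = []

    def expect(q: str, path: str, value: Any) -> None:
        actual = get(cfg, path)
        if actual != value:
            out.append(f"{q} {path} is {actual!r}, baseline is {value!r}")

    # Q1: can the Gateway be reached from more places than needed?
    expect("Q1", "gateway.mode", "local")
    expect("Q1", "gateway.bind", "loopback")
    expect("Q1", "gateway.auth.mode", "token")
    token = get(cfg, "gateway.auth.token", "")
    # 32 characters is this script's threshold, not an OpenClaw requirement.
    if not isinstance(token, str) or len(token) < 32 or token.startswith("replace-with"):
        out.append("Q1 gateway.auth.token is missing, short, or still the placeholder")

    # Q2: can one person's DM context leak into another's session?
    expect("Q2", "session.dmScope", "per-channel-peer")

    # Q3: can an ordinary message inherit broader tool authority than intended?
    expect("Q3", "tools.profile", "messaging")
    for item in sorted(BASELINE_DENY - set(get(cfg, "tools.deny") or [])):
        out.append(f"Q3 tools.deny does not include {item}")
    expect("Q3", "tools.fs.workspaceOnly", True)
    expect("Q3", "tools.exec.security", "deny")
    expect("Q3", "tools.exec.ask", "always")
    expect("Q3", "tools.elevated.enabled", False)

    # Q4: can a room trigger the bot too easily? dmPolicy is checked here as
    # well, since it governs which DMs reach the bot at all.
    for name, chan in (get(cfg, "channels") or {}).items():
        if not isinstance(chan, dict):
            continue
        expect("Q4", f"channels.{name}.dmPolicy", "pairing")
        for group in (chan.get("groups") or {}):
            expect("Q4", f"channels.{name}.groups.{group}.requireMention", True)
    return out


if __name__ == "__main__":
    import json
    import sys
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else WIDENED
    for line in audit(cfg) or ["OK: matches the hardened baseline"]:
        print(line)
```

Run it with a config path to audit a real file, or with no argument to see the four findings on the constructed widened config. Because the checks are positive assertions ("is the value exactly the baseline's?"), a key that is simply missing is reported too, which is the case that silently widens a bot when a default is more permissive than the documented baseline.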
📖 Read the full source: r/openclaw