OpenClaw Security: The Hardened Baseline to Start From

✍️ OpenClawRadar | 📅 Published: June 27, 2026

Self-hosting OpenClaw does not mean it's self-securing. A post on r/openclaw highlights that the harder part isn't getting the bot running—it's deciding what the bot is allowed to do, who can reach it, and how much damage a bad message can cause. The post walks through OpenClaw's documented hardened baseline config, which starts closed and widens later.

Gateway: Local-Only First

The most common mistake is exposing the Gateway. The hardened baseline requires:

  • gateway.mode: "local"
  • gateway.bind: "loopback"
  • gateway.auth.mode: "token"

Expose later only when you understand the boundary you're widening.

DM Session Isolation

If multiple people can DM the bot, you need session isolation to prevent context bleed. The hardened baseline uses session.dmScope: "per-channel-peer". The rule: never combine shared DMs with broad tool access.

Tools Blast Radius

Most people think about who can message the bot before considering what authority a message inherits. The hardened baseline:

  • tools.profile: "messaging"
  • tools.deny includes group:automation, group:runtime, group:fs
  • tools.deny also includes sessions_spawn and sessions_send
  • tools.exec.security: "deny" and tools.exec.ask: "always"
  • tools.elevated.enabled: false

Start from denial, then re-enable the minimum you can justify.

Groups: Mention-Gated

Groups should be opt-in and mention-triggered unless you have a strong reason to loosen. The baseline uses requireMention: true for all groups.

Practical Starting Config

{
  "gateway": {
    "mode": "local",
    "bind": "loopback",
    "auth": {
      "mode": "token",
      "token": "replace-with-long-random-token"
    }
  },
  "session": {
    "dmScope": "per-channel-peer"
  },
  "tools": {
    "profile": "messaging",
    "deny": [
      "group:automation",
      "group:runtime",
      "group:fs",
      "sessions_spawn",
      "sessions_send"
    ],
    "fs": {
      "workspaceOnly": true
    },
    "exec": {
      "security": "deny",
      "ask": "always"
    },
    "elevated": {
      "enabled": false
    }
  },
  "channels": {
    "whatsapp": {
      "dmPolicy": "pairing",
      "groups": {
        "*": {
          "requireMention": true
        }
      }
    }
  }
}

Four Questions Before Widening

Before opening anything, ask:

  • Can the Gateway be reached from more places than needed?
  • Can one person's DM context leak into another's session?
  • Can an ordinary message inherit tool authority broader than intended?
  • Can a room trigger the bot too easily?

If yes, the fix is config hardening, not prompt engineering. OpenClaw gives you the surfaces—use them.
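
An added example (not from the original post or the OpenClaw project): a small Python audit that answers the four questions by comparing a config against the baseline shown above. The sample config, its `ops-room` group and its `example-non-loopback` bind value are constructed; treating missing keys as deviations and letting a per-group entry override `*` are assumptions.

```python
import json

# Expected values copied from the baseline config shown on this page.
BASELINE = {
    "gateway.mode": "local", "gateway.bind": "loopback",
    "gateway.auth.mode": "token", "session.dmScope": "per-channel-peer",
    "tools.profile": "messaging", "tools.fs.workspaceOnly": True,
    "tools.exec.security": "deny", "tools.exec.ask": "always",
    "tools.elevated.enabled": False,
}
REQUIRED_DENY = {"group:automation", "group:runtime", "group:fs",
                 "sessions_spawn", "sessions_send"}

def lookup(cfg, dotted):
    """Follow a dotted path; None if any segment is missing."""
    for key in dotted.split("."):
        cfg = cfg.get(key) if isinstance(cfg, dict) else None
    return cfg

def audit(cfg):
    """List deviations from the baseline. Assumptions: missing keys count as
    deviations, and a per-group entry can override the "*" wildcard."""
    out = []
    for path, want in BASELINE.items():
        got = lookup(cfg, path)
        if type(got) is not type(want) or got != want:  # 0 is not false
            out.append(f"{path}: expected {want!r}, found {got!r}")
    missing = REQUIRED_DENY - set(lookup(cfg, "tools.deny") or [])
    if missing:
        out.append(f"tools.deny: missing {sorted(missing)}")
    if lookup(cfg, "gateway.auth.token") in (None, "", "replace-with-long-random-token"):
        out.append("gateway.auth.token: unset or still the placeholder")
    for name, chan in (lookup(cfg, "channels") or {}).items():
        groups = lookup(chan, "groups") or {}
        for gid in sorted({"*", *groups}):
            if (groups.get(gid) or {}).get("requireMention") is not True:
                out.append(f"channels.{name}.groups.{gid}: requireMention is not true")
    return out

# Constructed sample: the page's baseline with four deviations introduced.
SAMPLE = json.loads("""{"gateway": {"mode": "local", "bind": "example-non-loopback",
  "auth": {"mode": "token", "token": "replace-with-long-random-token"}},
 "session": {"dmScope": "per-channel-peer"},
 "tools": {"profile": "messaging", "fs": {"workspaceOnly": true},
   "deny": ["group:automation", "group:runtime", "group:fs", "sessions_spawn"],
   "exec": {"security": "deny", "ask": "always"}, "elevated": {"enabled": false}},
 "channels": {"whatsapp": {"dmPolicy": "pairing", "groups": {
   "*": {"requireMention": true}, "ops-room": {"requireMention": false}}}}}""")
print("\n".join(audit(SAMPLE)))
```

Run it against a config before and after each widening change; any new finding is a boundary you have opened and should be able to justify.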

📖 Read the full source: r/openclaw