OpenClaw Permissions & Security

OpenClaw can run shell, drive a browser, send/receive email, and connect to chat platforms — extremely capable, and extremely risky. This is the most important chapter in the tutorial; please take it seriously.


Why Security Is Especially Critical in OpenClaw

Capability                Potential risk
──────────                ──────────────
Shell commands            Wreck the system, run malicious scripts
Browser automation        Log into accounts, mis-submit forms, leak data
Email / calendar          Impersonated sends, deleting important info
Control-plane port :18789 Remote hijack → remote code execution
Community skills (unsandboxed) Malicious skills run directly on your machine

OpenClaw's security governance centers on approve, isolate, tighten exposure, stay updated.


1) Tool Policies & Approval Gates

The first line of defense is tool policies: reads pass automatically while sends/deletes/writes and other high-risk actions require human approval.

high-risk action → approval gate → runs only after you confirm
  • Default to as tight as possible, loosen as needed
  • Keep all sends, deletes, payments, logins, shell writes behind human confirmation
  • Configure policies centrally in openclaw.json

2) Known Critical Vulnerability: Update Now

OpenClaw has had a serious vulnerability — a fact you must know:

IDDescriptionSeverityFixed in
CVE-2026-25253Cross-site WebSocket hijacking, can trigger remote code execution via a malicious linkCVSS 8.8 (high)2026.1.29+

Action items:

  • Update to 2026.1.29 or newer immediately
  • Do not expose the control-plane port :18789 to the public internet — bind to 127.0.0.1 only
  • Be wary of links from unknown sources

3) Community Skill Risk: Not Sandboxed by Default

Skills are powerful, but not sandboxed by default, and the ecosystem has contained malicious content:

  • In early February 2026, 230+ malicious skills were uploaded to ClawHub
  • Analysis found ~26% of community skills contained at least one vulnerability
  • Code in a skill runs directly on your machine

Action items:

  • Review line by line before installing any third-party skill, focusing on shell / network / secret parts
  • Prefer trusted sources; be skeptical of "powerful but unknown-origin" skills
  • Track skills/ changes with Git for auditing and rollback

4) Network & Credential Security

  • Bind local: the control plane should listen only on 127.0.0.1:18789; use an SSH tunnel for remote access instead of public exposure
  • Isolate credentials: keep API keys and platform tokens in env vars / a separate config — never in a public repo
  • Directory permissions: tighten ~/.openclaw/ to your user only
  • Channel allowlists: restrict which users/groups may interact

Security Checklist

[ ] Updated to 2026.1.29+ (fixes CVE-2026-25253)
[ ] Control-plane port bound to 127.0.0.1 only, not exposed publicly
[ ] Tool policies tightened: reads allowed, send/delete/write require approval
[ ] All third-party skills reviewed line by line before install
[ ] API keys / tokens in env vars, out of Git
[ ] ~/.openclaw permissions tightened; Git-backed up privately (no secrets)
[ ] Chat channels use user/group allowlists
[ ] Heartbeat frequency and model cost have spending alerts
[ ] Rehearse high-risk tasks in an isolated environment / test accounts first

Defense in Depth

┌─────────────────────────────────────────────┐
│ Network: 127.0.0.1 only + SSH tunnel + updates│
├─────────────────────────────────────────────┤
│ Channel: user/group allowlists               │
├─────────────────────────────────────────────┤
│ Decision: tool policies + approval gates     │
├─────────────────────────────────────────────┤
│ Skill: review before install + Git audit (unsandboxed)│
├─────────────────────────────────────────────┤
│ Data: credential isolation + dir perms + private backup│
└─────────────────────────────────────────────┘

No single layer is a silver bullet. OpenClaw gives you powerful execution — the corresponding security responsibility is on you.


Next Steps