Your Agent Can Read Everything
Your OpenClaw instance can read your messages, access your files, run terminal commands, and use every API key you've given it. If someone gains access to your agent — through an exposed port, a compromised skill, or a supply chain attack — they effectively own your entire digital life.
Even the people who built the underlying concepts are concerned. The 400,000+ lines of code powering these tools are actively being probed. Exposed instances, remote code execution vulnerabilities, malicious skills in the registry, supply chain poisoning — this isn't theoretical. It's happening now.
This guide is the practical checklist. Thirteen steps, in order. Each one reduces your attack surface. Do all thirteen and you're ahead of 99% of people running AI agents.
Before You Start: This guide assumes you have a running OpenClaw instance, either on a VPS or on local hardware. If you haven't set up yet, bookmark this and come back. Security on day one is easier than security after a breach.
The 13 Steps
Step 1: Run on a separate machine
Never run your AI agent on your primary computer. Use a VPS ($5–10/month) or a dedicated Mac Mini. If the agent gets compromised, the blast radius is limited to that machine. Your personal files, your browser sessions, your password manager — all on a different device, untouched.
Step 2: Never run as root
Create a dedicated user account for your agent. Root access means the agent (or anyone who compromises it) can modify system files, install software, and access everything on the machine. A dedicated user with limited permissions contains the damage.
# Create an unprivileged account for the agent
sudo adduser openclaw-user
# Only if the agent must manage containers (Step 11). Note that membership in the
# docker group is root-equivalent on the host, so give this account nothing else
# (no sudo) and keep everything it can reach to the minimum.
sudo usermod -aG docker openclaw-user
# Switch to the new account before installing or running the agent
su - openclaw-user
Step 3: Change the default port
Port 8080 is public knowledge. Every script kiddie scanning the internet checks it. Pick a random port between 10000 and 65535. This doesn't stop a determined attacker, but it stops the automated scans that account for 90% of attempts.
Step 4: Install Tailscale
Tailscale creates a private network that makes your server invisible to the public internet. Free for personal use. After setup, your agent is only accessible from devices on your Tailscale network. Everyone else sees nothing — the port doesn't even respond.
This Is the Single Biggest Security Win: If you do nothing else from this guide, install Tailscale. It eliminates the entire category of "exposed instance" attacks. Your agent goes from publicly accessible to completely invisible in about five minutes.
Step 5: SSH keys + Fail2ban
Disable password authentication for SSH. Use key-based authentication only. Install Fail2ban and configure it to ban IPs after three failed login attempts for 24 hours. This stops brute-force attacks cold.
sudo apt install fail2ban
# /etc/fail2ban/jail.local (create this file; jail.conf is overwritten by package upgrades)
[sshd]
enabled = true
# ban after three failures within fail2ban's default findtime window (10 minutes)
maxretry = 3
# ban length in seconds: 24 hours
bantime = 86400
# then restart so the jail picks up the new settings
sudo systemctl restart fail2ban
Step 6: Firewall with UFW
Close every port you're not actively using. Open only SSH and your chosen agent port. Everything else is blocked by default.
sudo ufw default deny incoming
# allow SSH before enabling, or the firewall will lock you out of the box
sudo ufw allow ssh
# the agent port you chose in Step 3
sudo ufw allow YOUR_PORT/tcp
# If the agent is only ever reached over Tailscale (Step 4), bind it to the
# Tailscale address instead of opening this port to the public internet.
sudo ufw enable
Step 7: Allowlist users
Tell OpenClaw exactly which Telegram accounts (or other messaging accounts) are authorized to interact with it. Anyone not on the list gets ignored. This prevents strangers from commanding your agent if they somehow discover the endpoint.
Step 8: Ask your bot to audit itself
OpenClaw can check its own configuration for security issues. Ask it: "Audit your own security config. What's exposed? What permissions do you have that you shouldn't?" The agent will often find things you missed — open ports, overly broad file access, environment variables in unexpected places.
Step 9: Set up real-time alerts
Configure notifications for unusual activity. Failed login attempts, unexpected API calls, file access outside normal patterns. You want to know when something's off before it becomes a breach. Even a simple Telegram alert for failed SSH attempts is better than nothing.
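The "simple Telegram alert for failed SSH attempts" mentioned above can be a few lines of shell on a cron schedule. The script below is an added example, not from the original guide: it counts failed SSH logins per source address from sshd log lines and sends one message through the Telegram Bot API when any source crosses a threshold. It assumes the environment variables TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID (placeholders for your bot and chat), curl on the host, and a systemd unit named ssh; the function names are mine.

```sh
#!/bin/sh
# Added example for Step 9: alert on bursts of failed SSH logins.
# Not part of the original guide. Assumes TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID
# are exported (placeholders), curl is installed, and sshd logs to journald as "ssh".

THRESHOLD="${THRESHOLD:-3}"   # failures from one address that trigger an alert

# Read sshd log lines on stdin and print "count ip" for every source address with
# at least $1 "Failed password" lines, highest count first. Only "Failed password"
# is counted because one attempt for an unknown account also logs an "Invalid user"
# line, which would double-count it. IPv4 only, as written.
failed_ssh_sources() {
  thr="$1"
  grep -E 'sshd\[[0-9]+\]: Failed password' \
    | grep -Eo 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | awk -v thr="$thr" '{ c[$2]++ } END { for (ip in c) if (c[ip] >= thr) print c[ip], ip }' \
    | sort -rn
}

# Turn failed_ssh_sources output into a message; prints nothing when input is empty.
format_alert() {
  awk -v h="$1" 'NR == 1 { print "SSH brute-force alert on " h } { print $1 " failed logins from " $2 }'
}

# Post a plain-text message with the Bot API sendMessage method.
send_telegram_alert() {
  curl -fsS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
    --data-urlencode "chat_id=${TELEGRAM_CHAT_ID}" \
    --data-urlencode "text=$1" >/dev/null
}

# Look at the last hour of sshd logs and alert if anything crossed the threshold.
check_and_alert() {
  msg=$(journalctl -u ssh --since "-1h" --no-pager 2>/dev/null \
        | failed_ssh_sources "$THRESHOLD" | format_alert "$(hostname)")
  [ -n "$msg" ] && send_telegram_alert "$msg"
}

# Run only as `sh ssh-alert.sh run`, so the functions can be sourced and tested.
case "${1:-}" in run) check_and_alert ;; esac
```

Schedule it hourly with a crontab entry such as `0 * * * * /home/openclaw-user/ssh-alert.sh run`; on hosts that still write /var/log/auth.log, replace the journalctl call with `tail -n 2000 /var/log/auth.log`. Fail2ban (Step 5) will already have banned these sources; the alert tells you that someone is knocking.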
Step 10: DMs only
Never let your agent operate in group chats. In a group, anyone can send messages that your agent reads and potentially acts on. That's a prompt injection attack waiting to happen. Keep all agent interactions in private, one-to-one channels.
Step 11: Sandbox subagents in Docker
If your agent spawns subagents or processes external content, run those in Docker containers. A subagent that reads a malicious webpage can't steal your .env file if it's running in a sealed container with no access to the host filesystem. This is your defense against prompt injection through external content.
# Run subagent tasks in isolated container
docker run --rm --network none \
-v /tmp/task-input:/input:ro \
agent-sandbox:latest python run_task.py
Step 12: Daily security audit cron
Security isn't a one-time setup. Add a daily cron job that checks for open ports, reviews file permissions, verifies Tailscale is running, and scans for unauthorized processes. A two-minute automated audit every morning catches drift before it becomes a problem.
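The four checks listed above (open ports, file permissions, Tailscale state, unexpected processes) fit in one short script. The one below is an added example, not from the original guide or the OpenClaw project: each check is a function that reads captured command output, so the logic can be exercised on sample lines, and run_audit wires them to the live system. Assumed names: AGENT_PORT is the port from Step 3, openclaw-user is the account from Step 2, and ALLOWED_AGENT_CMDS is the list of process names you expect that account to run; adjust all three to your install.

```sh
#!/bin/sh
# Added example for Step 12, not from the original guide: daily host audit.
# Assumed: AGENT_PORT (Step 3), openclaw-user (Step 2), tailscale on PATH (Step 4),
# and ALLOWED_AGENT_CMDS naming the processes the agent account normally runs.

AGENT_PORT="${AGENT_PORT:-10443}"                  # placeholder, set to your port
AGENT_USER="${AGENT_USER:-openclaw-user}"
AGENT_HOME="${AGENT_HOME:-/home/$AGENT_USER}"
ALLOWED_PORTS="22 $AGENT_PORT"                     # SSH plus the agent, nothing else
ALLOWED_AGENT_CMDS="${ALLOWED_AGENT_CMDS:-node openclaw}"   # assumed process names

# Print listening TCP ports that are not on the allowlist.
# Reads `ss -Hltn` output on stdin (column 4 is local address:port).
unexpected_listeners() {
  allowed=" $1 "
  awk '{ print $4 }' | sed 's/.*://' | sort -un | while read -r port; do
    case "$allowed" in
      *" $port "*) ;;
      *) echo "$port" ;;
    esac
  done
}

# Print command names running under the given uid that are not expected.
# Reads `ps -eo uid=,comm=` output on stdin (uid, because ps truncates long user names).
unexpected_processes() {
  uid="$1"; allowed=" $2 "
  while read -r owner comm; do
    [ "$owner" = "$uid" ] || continue
    case "$allowed" in
      *" $comm "*) ;;
      *) echo "$comm" ;;
    esac
  done
}

# Print world-writable regular files under a directory: a .env or config file
# that any local account can rewrite hands over the agent's keys.
world_writable_files() {
  find "$1" -type f -perm -002 2>/dev/null
}

# True when the local tailscale daemon reports it is up.
tailscale_connected() {
  tailscale status >/dev/null 2>&1
}

run_audit() {
  status=0
  bad=$(ss -Hltn | unexpected_listeners "$ALLOWED_PORTS")
  [ -z "$bad" ] || { echo "ALERT: unexpected listening ports: $(echo $bad)"; status=1; }
  bad=$(ps -eo uid=,comm= | unexpected_processes "$(id -u "$AGENT_USER")" "$ALLOWED_AGENT_CMDS")
  [ -z "$bad" ] || { echo "ALERT: unexpected processes for $AGENT_USER: $(echo $bad)"; status=1; }
  bad=$(world_writable_files "$AGENT_HOME")
  [ -z "$bad" ] || { echo "ALERT: world-writable files:"; echo "$bad"; status=1; }
  tailscale_connected || { echo "ALERT: tailscale is not connected"; status=1; }
  [ "$status" -eq 0 ] && echo "OK: audit passed on $(hostname)"
  return "$status"
}

# Run only as `sh audit.sh run`, so the functions can be sourced and tested.
case "${1:-}" in run) run_audit ;; esac
```

A crontab line such as `0 7 * * * /home/openclaw-user/audit.sh run >> /var/log/openclaw-audit.log 2>&1` runs it every morning; anything starting with ALERT in that log is the drift the text warns about, and the same output can be fed to whatever notification channel you set up in Step 9.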
Step 13: Use the security audit skill
If your framework has a security audit skill in the skill registry, install it and run it regularly. These skills are built by the community specifically to catch common misconfigurations. Run it weekly at minimum.
The Bottom Line
Your OpenClaw instance is only as secure as the weakest link in its chain. Most people have multiple weak links they don't know about — default ports, root access, no firewall, public exposure.
The 13 steps above take about an hour to implement. That hour buys you the peace of mind that your agent isn't an open door to your entire digital life. The tools are powerful. The risks are real. Take both seriously.
One Thing to Do Right Now: Check whether your agent is publicly accessible. Open a browser on your phone (not on WiFi — use cellular). Type your server's IP and port. If anything loads: you're exposed. Install Tailscale today.
From the desk of @astergod — February 2026