Chapter 33
Production Security Hardening: Least Privilege Config, Skills Audit Workflow and Security Audit Command
Chapter 33: Production Security Hardening โ Least-Privilege Configuration, Skills Audit Workflow, and the security audit Command
"Security is not a feature; it is a property. It needs to be considered in every layer of design decisions, not bolted on as a patch at the end." โ OpenClaw Security Hardening Best Practices Guide, 2026
33.1 Defense in Depth: The Philosophy of Multi-Layer Security
After the two major security incidents ClawBleed and ClawHavoc, the OpenClaw community gradually developed a security hardening system based on Defense in Depth.
The core idea of defense in depth: assume every defensive layer will eventually be breached, so design multiple independent defensive measures that require attackers to simultaneously overcome all layers to succeed.
OpenClaw Defense in Depth Layered Model
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Layer 1: Network Layer โ
โ VPN/Tailscale + Firewall + Loopback binding โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Layer 2: Authentication Layer โ
โ Strong Token (64-char) + Session timeout + IP ACL โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Layer 3: Authorization Layer โ
โ Tool least privilege + Skills allowlist + Sandbox โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Layer 4: Configuration Layer โ
โ allow_url_actions:false + Secure SECRET_KEY store โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Layer 5: Audit Layer โ
โ Structured logs + Alerts + Regular security audit โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
33.2 Complete Production Security Configuration File
The following is a complete openclaw.json security configuration file for production environments, covering all security hardening options:
{
"version": "2026.1",
"_comment": "Production security configuration - do not use directly in development",
"gateway": {
"bind": "loopback",
"port": 18789,
"auth": {
"token": "<64-character token generated with openssl rand -hex 32>",
"tokenRotationDays": 90,
"sessionTimeoutMinutes": 60,
"maxConcurrentSessions": 5
},
"cors": {
"allowedOrigins": ["http://localhost:3000"],
"allowCredentials": false
},
"rateLimit": {
"requestsPerMinute": 60,
"burstSize": 10
},
"tls": {
"enabled": true,
"certFile": "/etc/openclaw/tls/server.crt",
"keyFile": "/etc/openclaw/tls/server.key"
}
},
"sandbox": "all",
"tools": {
"allow": [
"read",
"write",
"browser.search",
"browser.navigate"
],
"deny": [
"exec",
"apply_patch",
"system.run",
"system.which",
"python",
"node",
"bash"
],
"fileAccess": {
"allowedPaths": [
"~/Documents/openclaw-workspace",
"/tmp/openclaw"
],
"deniedPaths": [
"~/.ssh",
"~/.gnupg",
"~/.aws",
"/etc/passwd",
"/etc/shadow"
]
}
},
"skills": {
"allow_list_only": true,
"allowed": [
"official/web-search",
"official/file-reader",
"official/calendar"
],
"autoUpdate": false,
"installApproval": "manual"
},
"memory": {
"encryption": true,
"encryptionKeySource": "vault",
"vaultPath": "secret/openclaw/memory-key",
"retentionDays": 180
},
"logging": {
"level": "INFO",
"sanitizeFields": [
"bearerToken",
"password",
"secretKey",
"apiKey",
"token",
"authorization"
],
"auditLog": {
"enabled": true,
"path": "/var/log/openclaw/audit.log",
"rotationDays": 30,
"maxSizeMB": 500
},
"errorLog": {
"includeStackTrace": false,
"includeRequestBody": false,
"includeSession": false
}
},
"security": {
"allow_url_actions": false,
"csrfProtection": true,
"contentSecurityPolicy": "default-src 'self'; script-src 'self'; connect-src 'self' ws://localhost:18789",
"xFrameOptions": "DENY",
"secretKeySource": "env",
"secretKeyEnvVar": "OPENCLAW_SECRET_KEY",
"apiKeyStorage": "vault"
},
"agents": {
"defaultModel": "claude-opus-4",
"maxContextTokens": 100000,
"allowModelOverride": false,
"systemPromptLock": true
},
"network": {
"outboundAllowlist": [
"api.anthropic.com",
"api.openai.com"
],
"blockPrivateRanges": true,
"blockLoopbackFromSkills": true
}
}
33.3 Gateway Security Hardening in Detail
33.3.1 Loopback Binding
{
"gateway": {
"bind": "loopback",
"port": 18789
}
}
Binding the Gateway to 127.0.0.1 (the loopback interface) means only processes running on the same machine can connect to the Gateway. This is the first line of defense at the network layer.
Note: As discussed in Chapter 31, loopback binding cannot defend against the ClawJacked variant attack (browser pivot). Therefore it must be combined with application-layer CSRF protection and allow_url_actions:false.
33.3.2 Strong Token Generation and Management
Generating a production-grade Gateway Token:
# Generate a 64-character (256-bit) strong random Token
openssl rand -hex 32
# Example output:
# a3f8b2c9d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1
# Store the Token in an environment variable (don't write to config file)
export OPENCLAW_GATEWAY_TOKEN="a3f8b2c9d4e5f6..."
# Or store in system Keychain (macOS)
security add-generic-password -s "openclaw-gateway-token" -a "openclaw" -w "a3f8b2c9..."
33.3.3 Tailscale Instead of Public Network Access (Strongly Recommended)
For scenarios requiring remote access to the OpenClaw Dashboard, using Tailscale (zero-trust VPN) is recommended over exposing the Gateway on the public internet:
# Install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up
# Get the Tailscale-assigned IP
tailscale ip -4 # Example: 100.64.1.23
# Bind the Gateway to the Tailscale interface
openclaw config set gateway.bind "100.64.1.23"
openclaw restart
# Now only devices joined to the same Tailscale network can access it
Tailscale advantages:
- End-to-end encryption (WireGuard protocol)
- No need to open firewall ports
- Device identity-based authentication โ more reliable than IP allowlists
- Supports fine-grained ACL control (which device can access which service)
33.4 Tool Least-Privilege Configuration in Detail
33.4.1 Permission Assessment Matrix
Before configuring tool permissions, assess the Agent's actual work requirements:
Tool Permission Assessment Matrix
โโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโโฌโโโโโโโโโโโ
โ Tool โ Support โ Code โ Data โ System โ
โ โ Bot โ Assistantโ Analysis โ Admin โ
โโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโโผโโโโโโโโโโโค
โ read (file read) โ No โ Yes โ Yes โ Yes โ
โ write (file write) โ No โ Yes โ Yes โ Yes โ
โ browser.search โ Yes โ Yes โ Yes โ No โ
โ exec (run commands) โ No โ No โ No โ Yes โ
โ system.run โ No โ No โ No โ Yes โ
โ python โ No โ Yes โ Yes โ Yes โ
โ apply_patch โ No โ Yes โ No โ No โ
โโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโดโโโโโโโโโโโ
33.4.2 Configuration Examples for Each Scenario
Support Bot (minimum permissions):
{
"tools": {
"allow": ["browser.search", "browser.navigate"],
"deny": ["exec", "apply_patch", "read", "write", "system.run", "python"]
}
}
Code Assistant (moderate permissions):
{
"tools": {
"allow": ["read", "write", "browser.search", "apply_patch", "python"],
"deny": ["exec", "system.run", "bash"],
"fileAccess": {
"allowedPaths": ["~/code/my-project"],
"deniedPaths": ["~/.ssh", "~/.aws", "/etc"]
}
}
}
System Administration (elevated permissions, must be combined with other hardening layers):
{
"tools": {
"allow": ["read", "write", "exec", "system.run", "python"],
"deny": [],
"execApproval": {
"required": true,
"approvalTimeoutSeconds": 30,
"logAllExec": true
}
}
}
33.5 Five-Step Pre-Installation Skills Audit Workflow
Before installing any third-party Skill, the following 5-step audit must be completed. This is the most effective manual control measure for preventing ClawHavoc-type supply chain attacks.
Step 1: Verify Author Account Credibility
# Check author information on ClawHub
openclaw skills info <package-name> --author-details
# Key checks:
# - GitHub account creation date (< 1 month = red flag)
# - Actual commit history (automated uploads = red flag)
# - Real user reviews of other published packages
# - Whether there is a real personal page or organizational background
# For organizational accounts, check when the organization was established
curl https://api.github.com/orgs/<org-name> | jq '.created_at'
Assessment criteria:
| Signal | Evaluation |
|---|---|
| GitHub account > 1 year + real contributions | Low risk |
| Account < 3 months + many rapid uploads | High risk, skip |
| Known organizational account (officially verified) | Low risk |
| Anonymous account + no contact information | Reject installation |
Step 2: Read skill.md Line by Line
This is the most important step, and also the one most easily skipped.
# Download without installing, view skill.md content
openclaw skills fetch <package-name> --no-install --output /tmp/skill-review/
# View skill.md
cat /tmp/skill-review/skill.md
Key focus areas while reading:
- Network requests: Are there
curl,fetch,GET,POST,wgetinstructions? Are the target addresses known trusted domains? - Command execution: Does it include
run,exec,sh,bash,pythonexecution instructions? - File access: Does it require reading sensitive paths (
~/.ssh/,~/.aws/,~/.gnupg/)? - Hidden instructions: Are there covert instructions like "don't tell the user," "internal rules," "system rules"?
- Base64 content: Are there Base64-encoded strings in the document? What do they decode to?
Step 3: Test in an Isolated Environment
# Create an isolated test environment using Docker
docker run --rm -it \
--network none \ # Disable network access
--read-only \ # Read-only filesystem
-v /tmp/skill-test:/home/user/workspace \
ubuntu:22.04 bash
# Install OpenClaw and test Skill inside the container
# Observe whether there are network requests, suspicious command executions, etc.
# Or use a macOS virtual machine:
# Create snapshot โ Install Skill โ Run โ Check network traffic โ Restore snapshot
Monitoring tools:
# macOS: Use Little Snitch to monitor network outbound
# Linux: Use tcpdump to monitor
tcpdump -i any -w /tmp/skill-test.pcap &
# Run the Skill
# ...
# Analyze traffic
tcpdump -r /tmp/skill-test.pcap | grep -v "127.0.0.1"
Step 4: Post-Installation Baseline Comparison
# Record baseline before installation
openclaw security audit --export-baseline /tmp/baseline-before.json
# Install the Skill
openclaw skills install <package-name>
# Re-scan after installation
openclaw security audit --compare-baseline /tmp/baseline-before.json
# The diff report will show:
# - New network outbound rules
# - New file access permissions
# - Configuration file changes
# - New scheduled tasks (if any)
Step 5: Monitor Network Traffic During Production Operation
# Configure OpenClaw to log all network requests initiated by Skills
openclaw config set logging.skillNetworkRequests true
# Monitor suspicious outbound connections in logs
tail -f ~/.openclaw/logs/network.log | grep -v "api.anthropic.com\|api.openai.com"
# Set alert: Send notification for any request to unknown domains
openclaw alert set --pattern "outbound.*unknown-domain" --notify slack://your-webhook
33.6 Complete Red Flag Signal Checklist
Any of the following should immediately result in rejecting or uninstalling:
Red Flag Level 1 (Immediately Reject)
REJECT if skill.md contains curl | sh or wget | bash patterns
REJECT if it requires reading ~/.ssh/, ~/.gnupg/, ~/.aws/credentials
REJECT if it contains inline Base64-encoded commands (executable code when decoded)
REJECT if it has covert instructions like "don't tell user"/"internal rules"/"system rules"
REJECT if GitHub account was created < 7 days ago
REJECT if many packages were uploaded in a short window (< 2 weeks)
Red Flag Level 2 (Requires Deep Investigation)
WARN if skill.md contains external URLs with unverifiable domains
WARN if it requires executing dynamically generated code (eval/exec + external input)
WARN if README has "initialization steps" asking users to run commands in terminal
WARN if the Skill requests "config files" or "rules files" at runtime
WARN if package name is similar to official Skills (openclaw-official-search vs openclaw-search)
WARN if download count is abnormally high with no community reviews or discussions
WARN if there is no verifiable contact information or homepage
Red Flag Level 3 (Monitor Carefully)
NOTE if the Skill requires file path access beyond its claimed functionality
NOTE if the Skill makes network requests without explicit user request
NOTE if the Skill's actual behavior doesn't match the README description
NOTE if update frequency is abnormal (new version pushed daily)
33.7 What openclaw security audit --deep Scans
The openclaw security audit command is the built-in security scanning tool. The --deep option performs more comprehensive checks:
# Basic scan (fast, ~30 seconds)
openclaw security audit
# Deep scan (comprehensive, ~5 minutes)
openclaw security audit --deep
# Scan specific components
openclaw security audit --scope skills,config,permissions
# Export scan report
openclaw security audit --deep --output-format json > audit-report.json
33.7.1 Detailed Scan Items
openclaw security audit --deep Scan Items
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[Configuration Security]
โ SECRET_KEY strength check (entropy >= 256 bit)
โ Gateway Token strength check
โ Whether allow_url_actions is false
โ Whether sandbox is enabled
โ Whether log sanitization fields are fully configured
โ Whether CORS configuration is too permissive
[Network Security]
โ Gateway binding address (0.0.0.0 = warning)
โ Whether TLS is enabled (not enabled = warning)
โ Whether firewall rules exist (Linux only)
โ Whether access is via Tailscale/VPN
[Skills Security]
โ Author account history of all installed Skills
โ Static analysis of skill.md content (network request patterns/command execution patterns)
โ Whether allow_list_only mode is enabled
โ Unused Skills (recommend uninstalling)
โ Whether Skills versions are up to date
[Permission Configuration]
โ Whether Tools deny list includes high-risk tools
โ Whether file access path restrictions are configured
โ Whether execApproval is enabled (high-privilege scenarios)
[File System Security]
โ ~/.openclaw directory permissions (should be 700)
โ config.json file permissions (should be 600)
โ Log directory permissions (should be 750)
โ Whether any API Keys are written in plaintext to config files
[Log Security]
โ Whether error logs contain sensitive fields
โ Whether audit logging is enabled
โ Whether log rotation is configured
[Dependency Security]
โ Whether OpenClaw version is current (check known CVEs)
โ Whether npm dependencies have known vulnerabilities (npm audit)
โ Whether third-party integration API Keys have expired
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
33.7.2 Understanding the Audit Report
# Typical audit report output
$ openclaw security audit --deep
OpenClaw Security Audit Report
================================
Scan completed at: 2026-04-26 10:23:45
OpenClaw version: 2026.1.29
CRITICAL (0 issues)
None
HIGH (2 issues)
[HIGH] Gateway bound to 0.0.0.0 - exposed to all network interfaces
Fix: openclaw config set gateway.bind loopback
[HIGH] 3 installed Skills not in allow_list (allow_list_only is disabled)
Skills: csv-processor-v2, data-formatter-pro, workflow-optimizer
Fix: openclaw config set skills.allow_list_only true
MEDIUM (3 issues)
[MED] ~/.openclaw directory permissions are 755 (should be 700)
Fix: chmod 700 ~/.openclaw
[MED] Audit logging is disabled
Fix: openclaw config set logging.auditLog.enabled true
[MED] API key for OpenAI stored in plaintext config
Fix: Use environment variable OPENAI_API_KEY instead
LOW (1 issue)
[LOW] OpenClaw version is 30 days behind latest
Current: 2026.1.29, Latest: 2026.3.15
Fix: npm install -g openclaw@latest
PASSED (18 checks)
โ SECRET_KEY strength: 256-bit entropy
โ allow_url_actions: false
โ sandbox: all
... (14 more)
Overall Security Score: 6.2/10 (MEDIUM)
Run 'openclaw security audit --fix-auto' to automatically fix safe issues.
33.8 ~/.openclaw Directory Permission Configuration
Correct filesystem permissions are the foundation for preventing local privilege escalation attacks:
# Set ~/.openclaw directory permissions (owner read/write/execute only)
chmod 700 ~/.openclaw
chmod 700 ~/.openclaw/agents/
chmod 700 ~/.openclaw/memory/
# Set configuration file permissions (owner read/write only)
chmod 600 ~/.openclaw/config.json
chmod 600 ~/.openclaw/.env
# Set log directory permissions (owner full, group readable, others none)
chmod 750 ~/.openclaw/logs/
chmod 640 ~/.openclaw/logs/*.log
# Verify permission settings
ls -la ~/.openclaw/
# Expected output:
# drwx------ 10 user staff 320 Apr 26 10:00 .openclaw/
# -rw------- 1 user staff 2048 Apr 26 10:00 config.json
# drwx------ 5 user staff 160 Apr 26 10:00 agents/
33.8.1 Enhanced Protection with macOS Extended Attributes
# macOS: Add immutable flag to config file (prevent malicious Skills from deleting config)
chflags uchg ~/.openclaw/config.json
# View flags
ls -lO ~/.openclaw/config.json
# Output: -rw------- 1 user staff uchg 2048 Apr 26 config.json
# Temporarily remove (for legitimate configuration updates)
chflags nouchg ~/.openclaw/config.json
openclaw config set ...
chflags uchg ~/.openclaw/config.json
33.9 API Key Storage Security
33.9.1 Insecure Storage Methods (Avoid)
// Wrong: Plaintext in config.json
{
"integrations": {
"openai": {
"apiKey": "sk-proj-xxxxxxxxxxxxxxxxxxxx" // NEVER do this
}
}
}
33.9.2 Secure Storage Method 1: Environment Variables
# Add to ~/.zshrc or ~/.bashrc
# (Note: still stored in plaintext, but not in OpenClaw config)
export OPENAI_API_KEY="sk-proj-xxxx"
export ANTHROPIC_API_KEY="sk-ant-xxxx"
{
"integrations": {
"openai": {
"apiKeySource": "env",
"apiKeyEnvVar": "OPENAI_API_KEY"
}
}
}
33.9.3 Secure Storage Method 2: macOS Keychain
# Store in macOS Keychain
security add-generic-password \
-s "openclaw-openai-key" \
-a "openclaw" \
-w "sk-proj-xxxx"
{
"integrations": {
"openai": {
"apiKeySource": "keychain",
"keychainService": "openclaw-openai-key",
"keychainAccount": "openclaw"
}
}
}
33.9.4 Secure Storage Method 3: HashiCorp Vault (Enterprise Recommended)
# Store API Keys in Vault
vault kv put secret/openclaw/integrations \
openai_api_key="sk-proj-xxxx" \
anthropic_api_key="sk-ant-xxxx"
{
"security": {
"apiKeyStorage": "vault",
"vault": {
"address": "https://vault.your-org.com",
"authMethod": "kubernetes",
"secretPath": "secret/openclaw/integrations"
}
}
}
33.10 Regular Security Maintenance Checklist
33.10.1 Daily Checks (Automated)
# Recommend adding to crontab for automated execution
# crontab -e
# Quick security scan every day at 3:00 AM
0 3 * * * /usr/local/bin/openclaw security audit --scope config,logs >> /var/log/openclaw-daily-audit.log 2>&1
# Check anomalous logs every day at 3:05 AM
5 3 * * * /usr/local/bin/openclaw logs check --alert-on-anomaly --notify-email [email protected]
33.10.2 Weekly Checks (Manual + Automated)
Weekly Checklist
[ ] Run openclaw security audit --deep and review report
[ ] Review anomalies in last week's audit logs (especially run-script operations)
[ ] Check for newly installed Skills (not in allowlist)
[ ] Check whether OpenClaw version is current
[ ] Verify all API Keys are still valid (not revoked)
[ ] Check Gateway access logs for anomalous IPs
33.10.3 Monthly Checks
Monthly Checklist
[ ] Rotate Gateway Token (openclaw auth rotate-token)
[ ] Rotate SECRET_KEY and force all users to re-login
[ ] Run npm audit to check dependency vulnerabilities
[ ] Re-evaluate necessity of all installed Skills (uninstall unused ones)
[ ] Check TLS certificate validity (renew immediately if expiring within 90 days)
[ ] Update filesystem permissions baseline (new files/directories)
[ ] Review and update tool allowlist/denylist configuration
33.10.4 Token Rotation Procedure
# 1. Rotate Gateway Token
openclaw auth rotate-token
# 2. Force all Sessions to log out
openclaw auth revoke-all-sessions
# 3. Rotate SECRET_KEY
NEW_KEY=$(openssl rand -hex 64)
openclaw config set SECRET_KEY $NEW_KEY
# Or (if using environment variable)
echo "export OPENCLAW_SECRET_KEY=$NEW_KEY" >> ~/.zshrc
# 4. Restart service to activate new key
openclaw restart
# 5. Notify all team members using OpenClaw to re-login
# 6. Rotate downstream service credentials (follow order from Chapter 31)
33.11 Summary
Production security hardening is not a one-time configuration task but an ongoing operational effort requiring continuous maintenance. The configuration templates, audit workflows, and maintenance checklists provided in this chapter can serve as the foundation for your OpenClaw production deployment security system.
Core principles summarized:
- Least privilege: Agents receive only the minimum tool set and file access scope needed to complete their work
- Defense in depth: Simultaneously harden all five layers โ network, authentication, authorization, configuration, and audit
- Continuous auditing: Daily automated scanning + weekly manual review + monthly deep audit
- Credential management: Tokens never stored in plaintext, rotated regularly, immediately revoked on anomaly detection
- Supply chain control: Skills allowlist mode is the most effective measure against supply chain attacks
In the next chapter, we dive deep into the Multi-Agent routing architecture, learning how to implement intelligent routing across multiple accounts and channels through Bindings configuration.
Chapter keywords: defense in depth, openclaw.json, Gateway hardening, Tailscale, least privilege, Skills audit, security audit, Token rotation, Vault, filesystem permissions