Is Your OpenClaw Safe? Here's How to Lock It Down 🔒
No Tech Degree Required — A step-by-step guide to protect yourself
before something bad happens
By AutoSolutions.ai
March 2026
⚠️ Why You Should Care — The Reality Check

This is not a drill. Real things happened to real people — within just 48 hours of OpenClaw going viral.
  • 30K+ exposed to the Internet 🚨: people accidentally left their agent wide open to the entire internet
  • 341 malicious plugins 🦠: dangerous "skill" plugins discovered delivering malware to users
  • 36% risky skills 😬: of all downloadable skills had serious security problems
🤦 An AI Safety Director let the bot delete her entire inbox. Even experts make this mistake. Don't be next.
Think of it this way: installing OpenClaw without security is like leaving your front door wide open with a sign that says "I'm not home." 🏠
😰 What Can Actually Go Wrong? (In Plain English)
Here are the 4 ways things go sideways — explained simply, no jargon:
🔓 Strangers Can Control Your Bot
If your gateway isn't locked, anyone on the internet can send your agent commands. Imagine a stranger walking into your house and using your computer.
🎭 Bad Instructions Hide in Content
Your agent reads emails, web pages, Slack messages. Attackers hide secret commands inside this content. The bot obeys them without you knowing.
☠️ Fake "Skills" Install Malware
Some downloadable skills from ClawHub are traps. Installing them is like downloading a suspicious email attachment.
🧠 The Bot's Memory Gets Poisoned
Attackers can write to the bot's memory files, making it do harmful things in future sessions — even days later.
🥇 The Golden Rule Before Anything Else

The #1 mistake people make: running OpenClaw on their personal computer. Please don't do this!
Your Personal Computer Has:
  • Your personal files and photos
  • Your saved passwords
  • Your work documents
  • Everything you care about
A VPS (Cheap Server) Is Isolated:
  • If something goes wrong, only that server is affected
  • Your personal stuff stays safe
  • Costs just $6–10/month
  • Available on Hostinger or Hetzner
🏠 Think of it as renting a separate room just for your AI — so it can't accidentally reach your bedroom. Cheap, simple, and the single most important thing you can do.
🎯 Your First Action
Before anything else → Get a VPS. Sign up at Hostinger or Hetzner. Takes 10 minutes. Costs less than a coffee per week.
🔑 Step 1: Lock the Front Door
Make your agent require a password — it's easier than it sounds!
💡 What This Actually Does
Without this step, anyone who finds your server can control your bot — no password needed. With this, they'd need a password they'll never guess in a million years.
Use a password manager (like Bitwarden — it's free!) to generate and store your token. You only need to enter it once.

⚠️ Critical Warning: If you skip this step, everything else you do is pointless. This is your front door lock. Don't leave home without it!
🏠 Step 2: Make Your Agent Invisible to the Internet
Bind to Localhost — sounds technical, but it's just 3 clicks!
What to Do:
  1. Open config.yaml (the same file you used in Step 1)
  2. Find gateway.bind in the gateway section of that file
  3. Change it to "loopback", then save the file and restart OpenClaw
😰 Before
Anyone on the internet can knock on your bot's door and try to get in
😊 After
Only YOU can reach it from your own machine — it's like making your house invisible on Google Maps!
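A quick way to prove Step 2 worked, added here as an example (not code from the guide or from OpenClaw): after the restart, feed the output of `ss -ltn` to the check below and it tells you whether the gateway port is reachable only from your own machine. The port number 8080 and the two `ss` outputs are made-up values for demonstration; use whatever port your config.yaml sets.

```shell
#!/bin/sh
# Added example, not part of the guide or of OpenClaw itself: after setting
# gateway.bind to "loopback" and restarting, confirm the gateway really listens
# on localhost only. It reads the output of `ss -ltn` (listening TCP sockets).
# The gateway port is whatever your config.yaml uses; 8080 below is a made-up value.
# Usage on the server:   check_gateway_bind "$(ss -ltn)" <gateway-port>
check_gateway_bind() {
    ss_out="$1"; port="$2"
    # Column 4 of `ss -ltn` is Local Address:Port, e.g. 127.0.0.1:8080 or [::]:8080.
    listeners=$(printf '%s\n' "$ss_out" | awk -v p=":$port\$" 'NR > 1 && $4 ~ p { print $4 }')
    if [ -z "$listeners" ]; then
        echo "NOT LISTENING: nothing is on port $port; is OpenClaw running?"
        return 2
    fi
    # Anything not on 127.x.x.x or [::1] is reachable from every network interface.
    wild=$(printf '%s\n' "$listeners" | grep -v -e '^127\.' -e '^\[::1\]' || true)
    if [ -n "$wild" ]; then
        echo "EXPOSED: gateway listens on $wild (open to any network the server is on)"
        echo "Set gateway.bind to \"loopback\" in config.yaml and restart OpenClaw."
        return 1
    fi
    echo "OK: port $port is bound to localhost only"
    return 0
}

# Constructed `ss -ltn` output (not captured from a real server) before Step 2 ...
BEFORE='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096    0.0.0.0:8080        0.0.0.0:*'
# ... and after gateway.bind was changed to "loopback".
AFTER='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096    127.0.0.1:8080      0.0.0.0:*'

check_gateway_bind "$BEFORE" 8080 || echo "(expected: the 'before' sample fails)"
check_gateway_bind "$AFTER" 8080
```

SSH on 0.0.0.0:22 is normal here; Step 4's firewall is what limits it to your Tailscale tunnel.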
🛡️ Step 3: Create Your Private Tunnel with Tailscale
Tailscale = a secret private network only YOU can use. And it's FREE! 🎉
Tailscale is a free app that creates a secret private network between your devices. Nobody on the public internet can even see your server exists — it's completely invisible to strangers.
  1. Create your free account: go to tailscale.com and sign up. Takes 2 minutes, completely free for personal use.
  2. Install on both devices: install Tailscale on your server AND your personal computer or phone.
  3. Allow only Tailscale connections: in your firewall settings, allow connections only through Tailscale.
  4. Block everything else: deny all other incoming connections. Your server is now a private fortress 🏰

💰 Cost: Completely Free for personal use. This is one of the best free security tools available. No excuses not to use it!
🧱 Step 4: Set Up a Firewall (Your Digital Bouncer)
Think of a firewall as a bouncer at the door — it decides who gets in and who doesn't.
Just Copy & Paste These 3 Lines:
  sudo ufw enable
  sudo ufw default deny incoming
  sudo ufw allow in on tailscale0
That's it. Three lines. Open your server's terminal, paste these in, press Enter. Done!
  • Blocks ALL incoming connections by default
  • Only allows traffic through your Tailscale tunnel
  • Makes your server a closed box to the outside world
🧱 Even if Tailscale ever has a problem, the firewall is your second layer of protection. Two locks are always better than one — just like your front door AND a deadbolt!
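To confirm the bouncer is really on duty, here is an added example (not code from the guide or from OpenClaw) that reads what `sudo ufw status verbose` prints and reports which of the three lines from Step 4, and the "allow only Tailscale, block everything else" rules from Step 3, are still missing. The two sample outputs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the guide or of OpenClaw itself: verify that the three
# firewall commands from Step 4 really took effect, by reading the text that
# `sudo ufw status verbose` prints. Returns 0 only when all checks pass.
# Usage on the server:   check_ufw_rules "$(sudo ufw status verbose)"
check_ufw_rules() {
    status="$1"; problems=0
    # Line 1 of the three: the firewall must be switched on.
    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "FIX: firewall is off -> sudo ufw enable"; problems=1
    fi
    # Line 2: incoming connections are dropped unless a rule allows them.
    if ! printf '%s\n' "$status" | grep -q '^Default: deny (incoming)'; then
        echo "FIX: incoming traffic not denied -> sudo ufw default deny incoming"; problems=1
    fi
    # Line 3: the Tailscale interface has an allow rule.
    if ! printf '%s\n' "$status" | grep 'ALLOW IN' | grep -q 'tailscale0'; then
        echo "FIX: no Tailscale rule -> sudo ufw allow in on tailscale0"; problems=1
    fi
    # Any other ALLOW IN rule lets traffic bypass the tunnel (e.g. SSH open to all).
    if printf '%s\n' "$status" | grep 'ALLOW IN' | grep -qv 'tailscale0'; then
        echo "FIX: extra allow rule -> sudo ufw status numbered, then sudo ufw delete <number>"
        problems=1
    fi
    [ "$problems" -eq 0 ] && echo "OK: only Tailscale traffic can reach this server"
    return "$problems"
}

# Constructed `ufw status verbose` output (not captured from a real server):
# a locked-down box, then one where Step 4 was skipped and SSH is open to everyone.
LOCKED='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on tailscale0     ALLOW IN    Anywhere
Anywhere (v6) on tailscale0 ALLOW IN    Anywhere (v6)'
OPEN='Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere'

check_ufw_rules "$LOCKED"
check_ufw_rules "$OPEN" || echo "(expected: the open sample fails)"
```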
📱 Steps 5 & 6: Control Who Chats + Use Telegram
Step 5: Enable DM Pairing 🤝
Only allow YOUR messages to control the bot. In your config file:
  • Enable DM pairing for your messaging channel (Telegram, Discord, etc.)
  • Set requireMention: true for any group chats
  • Use dmScope: "per-channel-peer" for session isolation

📱 Think of it as: the bot only listens to YOU — like a well-trained assistant who ignores everyone else in the room!
Step 6: Use Telegram — The Safest Choice
4 independent security experts all agreed: Telegram is the way to go.
  • Easy to set up
  • Pairing is built-in and simple
  • Works great from your phone
  • Already has 2FA options built in
  • Use a dedicated account: create a new Telegram account just for OpenClaw, sandboxed from your real one
Step 7: Run the Built-In Security Scanner
OpenClaw has a built-in safety checker — like a pilot's pre-flight checklist! ✈️
Run This One Command:
  openclaw security audit
This will tell you exactly what's safe and what needs fixing. For a deeper check:
  openclaw security audit --deep
What to Look For:
  • Green items = properly set up
  • Red items = still exposed — fix these first!
  • 🔧 Orange items = can be auto-fixed

🎯 Goal: No critical or high-severity findings. If something shows up red, fix it before moving on to anything else.
🔍 Skills Safety Check
Before installing any skill: ask the bot to scan it, check the author's reputation, start minimal, and use SkillCheck by Repello at repello.ai/tools/skills — free, no install needed. 36% of ClawHub skills had problems!
🚫 Never Connect These
Personal Gmail/Outlook, work email or Slack, online banking, password managers, production databases, or cloud storage with sensitive files. Always use dedicated/burner accounts instead.