OpenClaw Cloud Host Security: Default Configuration Blueprint and Hardening Guide

This article presents a step‑by‑step security analysis and hardening guide for the OpenClaw cloud host, covering threat modeling, network exposure, mDNS broadcast, remote‑access options (SSH tunnel, Tailscale), sandbox isolation, tool permission layers, credential handling, prompt‑injection defenses, skills supply‑chain checks, approval workflows, logging redaction, and observability via OpenTelemetry, all illustrated with concrete configuration snippets and real‑world test commands.

AI Cyberspace

Threat Model and Attack Surface

The author enumerates ten threat categories (T1‑T10) ranging from public‑port exposure to prompt injection and memory poisoning, providing concrete statistics such as 469,000 exposed instances and a 27.2% high‑risk rate.

Network Security Layer

Key hardening steps include binding the Gateway to 127.0.0.1, changing the default port to 18987, enforcing token authentication with a rate‑limit of 5 attempts per minute, and disabling X‑Real‑IP fallback. The article shows the exact JSON fragment to achieve these settings and explains why each field mitigates the corresponding threat.

{
  "gateway": {
    "bind": "loopback",
    "port": 18987,
    "auth": {
      "mode": "token",
      "token": {"source": "env", "provider": "default", "id": "OPENCLAW_GATEWAY_TOKEN"},
      "rateLimit": {"maxAttempts": 5, "windowMs": 60000, "lockoutMs": 300000, "exemptLoopback": true}
    },
    "trustedProxies": ["127.0.0.1", "::1"],
    "allowRealIpFallback": false
  }
}

mDNS Broadcast

Because mDNS can leak service metadata, the guide recommends setting "discovery": {"mdns": {"mode": "off"}} for production.

Remote Access Options

Two secure methods are described:

SSH Tunnel: forward a local port to the Gateway's loopback port on the remote server with ssh -N -L 18987:127.0.0.1:18987 user@host, so the Gateway stays bound to 127.0.0.1 and is reached only through the tunnel.

Tailscale VPN: deploy Tailscale in one of three modes (serve, funnel, tailnet) and enforce token‑only authentication for the serve mode.

Browser Security Layer

The built‑in browser is disabled by default ("enabled": false) and evaluateEnabled is set to false to prevent arbitrary JavaScript execution. The article also lists the exact --dangerouslyAllowPrivateNetwork flag that must stay false.

Channel Security (IM Groups)

Group chat is disabled ("groupPolicy": "disabled") and the direct‑message policy is set to pairing, ensuring that only paired users can interact with the bot.

Sandbox Isolation

A Docker‑based sandbox is configured with read‑only root, non‑root user 1000:1000, no network, limited memory (2 GB), CPU (2 cores), and a strict capability drop list. The article provides the full sandbox JSON block and explains the trade‑offs of each restriction.

{
  "sandbox": {
    "mode": "all",
    "scope": "session",
    "backend": "docker",
    "docker": {
      "image": "openclaw-sandbox-browser:bookworm-slim",
      "readOnlyRoot": true,
      "network": "none",
      "user": "1000:1000",
      "capDrop": ["ALL"],
      "pidsLimit": 256,
      "memory": "2g",
      "cpus": 2
    }
  }
}

Tool Permission Layers

OpenClaw uses a seven‑layer permission model where deny rules have the highest precedence. The article walks through each layer (profile, provider profile, global deny, agent‑level, sandbox policy, elevated mode, exec approvals) and shows how to construct a minimal‑risk policy that disables exec, gateway, cron, browser, and canvas.
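An added example (not OpenClaw's own code) of the precedence rule described above: a resolver over the seven layers in the page's order, where a deny in any layer beats an allow in every other layer and the default is deny. The layer names and the allow/deny/glob syntax are labels chosen for this example, not OpenClaw's configuration keys.

```python
# The seven layers in the order the page lists them. The layer names below
# are labels chosen for this example, not OpenClaw's configuration keys.
LAYERS = ["profile", "providerProfile", "globalDeny", "agent",
          "sandboxPolicy", "elevated", "execApprovals"]

def matches(pattern, tool):
    """Exact match, '*' for everything, or a 'prefix*' glob."""
    if pattern == "*" or pattern == tool:
        return True
    return pattern.endswith("*") and tool.startswith(pattern[:-1])

def decide(tool, policy):
    """Return (verdict, layer). A deny in any layer beats an allow in every
    other layer; with no deny, the first allowing layer wins; otherwise the
    default is deny (fail closed)."""
    for layer in LAYERS:
        if any(matches(p, tool) for p in policy.get(layer, {}).get("deny", [])):
            return "deny", layer
    for layer in LAYERS:
        if any(matches(p, tool) for p in policy.get(layer, {}).get("allow", [])):
            return "allow", layer
    return "deny", "default"

def evaluate(tools, policy):
    """Map each tool name to its verdict."""
    return {t: decide(t, policy)[0] for t in tools}

# The minimal-risk policy the page describes: a permissive profile with the
# five risky tools shut off at the global-deny layer. The agent layer tries to
# re-enable exec, which the precedence rule must ignore.
MINIMAL_RISK_POLICY = {
    "profile": {"allow": ["*"]},
    "globalDeny": {"deny": ["exec", "gateway", "cron", "browser", "canvas"]},
    "agent": {"allow": ["exec"]},
}
```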

Credential Management

All secrets must be stored as SecretRef objects (environment, file, or exec sources). The guide supplies the JSON schema for secrets.providers and demonstrates how to reference a token with the following SecretRef:

{"source":"env","provider":"default","id":"OPENCLAW_GATEWAY_TOKEN"}

It also explains the validation rules and common error cases.
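An added example (not the project's own resolver) that validates a SecretRef of the shape shown above and resolves it from the three source kinds the page names. The validation rules, the refusal of group/world-readable secret files, and the treatment of an exec id as a command line are this example's assumptions; the real rules are the ones the article documents.

```python
import os
import subprocess
import tempfile
from pathlib import Path
SOURCES = {"env", "file", "exec"}
class SecretRefError(ValueError): pass

def validate_ref(ref):
    """Check the shape shown on the page: a known source and a non-empty id."""
    if not isinstance(ref, dict):
        raise SecretRefError("SecretRef must be a JSON object")
    if ref.get("source") not in SOURCES:
        raise SecretRefError(f"unknown source {ref.get('source')!r}")
    if not isinstance(ref.get("id"), str) or not ref["id"]:
        raise SecretRefError("id must be a non-empty string")
    return ref["source"], ref["id"]

def resolve(ref, env=None):
    """Return the secret value (never log it); env overrides os.environ for tests."""
    env = os.environ if env is None else env
    source, ident = validate_ref(ref)
    if source == "env":
        value = env.get(ident, "")
    elif source == "file":
        path = Path(ident)
        if not path.is_file():
            raise SecretRefError(f"secret file {ident} does not exist")
        if path.stat().st_mode & 0o077:  # this example refuses group/world-readable files
            raise SecretRefError(f"secret file {ident} is readable by group/others")
        value = path.read_text().strip()
    else:  # exec: here the id is a command line whose stdout is the secret (assumption)
        value = subprocess.run(ident.split(), capture_output=True, text=True, check=True).stdout.strip()
    if not value:
        raise SecretRefError(f"{source} source {ident} produced an empty secret")
    return value

def demo_file_ref():
    """Write a constructed 0600 secret file and resolve a file-source ref to it."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write("file-secret-value\n")
    os.chmod(f.name, 0o600)
    return resolve({"source": "file", "provider": "default", "id": f.name})

def error_for(ref, env=None):
    """Return the error message a bad ref produces, or None if it resolves."""
    try:
        resolve(ref, env)
    except SecretRefError as e:
        return str(e)
    return None
```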

Logging Redaction

Logging is set to "level": "info" with "redactSensitive": "tools". The article compares the output before and after redaction, showing how API keys, passwords, and tokens are replaced with [REDACTED].
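An added example (not OpenClaw's redaction code) showing the before/after effect described above on constructed tool-output lines: API keys, passwords and tokens are replaced with [REDACTED] while the key names and the rest of the line survive. The regex patterns, the '[tool]'/'[agent]' line tags, and the reading of "tools" as "redact only tool output" are this example's assumptions.

```python
import re

# Secret shapes the page says get replaced: API keys, passwords, tokens.
# The patterns themselves are constructed for this example, not OpenClaw's.
KEY_VALUE = re.compile(
    r'(?i)\b([\w-]*(?:api[_-]?key|password|passwd|token|secret))'  # key name
    r'(["\']?\s*[:=]\s*["\']?)'                                    # separator
    r'([^\s"\',;]+)'                                               # value
)
BEARER = re.compile(r'(?i)\b(authorization:\s*bearer\s+)([^\s"\']+)')
BARE_KEY = re.compile(r'\bsk-[A-Za-z0-9_-]{8,}\b')

def redact(line):
    """Return the line with secret values replaced by [REDACTED]; keys stay."""
    line = KEY_VALUE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)
    line = BEARER.sub(lambda m: f"{m.group(1)}[REDACTED]", line)
    return BARE_KEY.sub("[REDACTED]", line)

def redact_tool_log(lines, redact_sensitive="tools"):
    """Apply redaction to tool-output lines when redactSensitive is 'tools'.

    Lines carry a '[tool]' or '[agent]' tag in this constructed format; only
    tool output is rewritten, which is how this example reads the setting.
    """
    if redact_sensitive == "off":
        return list(lines)
    return [redact(l) if l.startswith("[tool]") else l for l in lines]

# Constructed sample log lines resembling tool output before redaction
SAMPLE_LINES = [
    '[tool] exec: export OPENCLAW_GATEWAY_TOKEN=abc123def',
    '[tool] http: curl -H "Authorization: Bearer eyJhbGciOi.payload.sig" https://api.example.com',
    '[tool] config: {"api_key": "sk-live0123456789", "password": "hunter2"}',
    '[agent] summarised 3 files without errors',
]
```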

Prompt‑Injection and Memory Poisoning Defenses

The SOUL.md safety rails are reproduced verbatim, emphasizing "Prompt Injection Defense", "Skills/Plugin Poisoning Defense", and explicit confirmation for sensitive actions. The article also describes how to lock the allowPromptInjection flag in plugins to false.

Skills Supply‑Chain Scanning

Before installing or updating any skill, run openclaw security audit --deep and optionally --fix. The guide cites Snyk and Koi Security statistics to justify the need for regular scans.

Approval Workflow (Human‑in‑the‑Loop)

High‑risk exec commands are routed to a designated Feishu user for manual approval. The JSON snippet shows "mode": "targets" with a list of admin IDs, and the article explains timeout handling ("timeoutMs": 300000).

Observability via OpenTelemetry

Diagnostics are enabled and exported to an OTLP collector. The article lists the most useful metrics (openclaw.tokens, openclaw.cost.usd, openclaw.run.duration_ms, openclaw.queue.depth) and provides example PromQL queries and alerting rules for Grafana.

Deployment Checklist

A concise pre‑deployment checklist is presented, covering port binding verification, token authentication, mDNS shutdown, sandbox container health, read‑only configuration files, log redaction, and successful security audit execution.
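An added example (not the article's checklist script) that turns the hardening settings from the sections above into a config audit: it walks an OpenClaw-style JSON config and reports every checklist item whose value differs from the hardened one. The gateway, discovery and sandbox paths follow the snippets on the page; the browser and logging key paths and the sample config are this example's assumptions.

```python
import json

# Constructed example config that breaks several checklist items on purpose
# (Gateway on all interfaces, no auth, mDNS on, sandbox with network, no redaction).
SAMPLE_CONFIG = json.loads("""
{
  "gateway": {"bind": "0.0.0.0", "port": 18789, "auth": {"mode": "none"},
              "allowRealIpFallback": true},
  "discovery": {"mdns": {"mode": "minimal"}},
  "browser": {"enabled": false, "evaluateEnabled": true},
  "sandbox": {"mode": "all", "docker": {"readOnlyRoot": true, "network": "bridge",
              "user": "root", "capDrop": []}},
  "logging": {"redactSensitive": "off"}
}
""")

def get(cfg, path):
    """Dotted-path lookup; None when any segment is missing."""
    cur = cfg
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

# (path, required value, checklist item) taken from the guide's settings;
# the browser and logging key paths are assumed for this example.
CHECKS = [
    ("gateway.bind", "loopback", "Gateway bound to loopback only"),
    ("gateway.port", 18987, "non-default Gateway port"),
    ("gateway.auth.mode", "token", "token authentication"),
    ("gateway.auth.rateLimit.maxAttempts", 5, "5 auth attempts per window"),
    ("gateway.allowRealIpFallback", False, "X-Real-IP fallback disabled"),
    ("discovery.mdns.mode", "off", "mDNS broadcast off"),
    ("browser.enabled", False, "built-in browser disabled"),
    ("browser.evaluateEnabled", False, "no arbitrary JavaScript evaluation"),
    ("sandbox.docker.readOnlyRoot", True, "read-only sandbox root"),
    ("sandbox.docker.network", "none", "sandbox without network"),
    ("sandbox.docker.user", "1000:1000", "non-root sandbox user"),
    ("sandbox.docker.capDrop", ["ALL"], "all capabilities dropped"),
    ("logging.redactSensitive", "tools", "tool-output redaction"),
]

def audit(cfg):
    """Return (path, actual, item) for every checklist item the config fails."""
    return [(p, get(cfg, p), item) for p, want, item in CHECKS if get(cfg, p) != want]

def is_hardened(cfg):
    return not audit(cfg)
```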

Full Configuration Overview

The article concludes with a complete, commented JSON configuration that integrates all the hardening measures described above.

Written by AI Cyberspace

AI, big data, cloud computing, and networking.