Security
Device identity, authentication, sandboxing, and security best practices.
Trust Model
OpenClaw operates under a personal assistant model — one trusted operator per gateway. It is NOT designed for multi-tenant adversarial environments. If you need separate trust boundaries, use separate gateways.
Device Identity
All connections to the engine require ed25519 device signing.
- Device ID = SHA256 hex of the 32 raw public key bytes
- Public key = base64url of 32 raw bytes
- Identity file = ~/.openclaw/identity/device.json
xCloud creates and manages device identity automatically on first launch.
Signing Flow
- Server sends a challenge with a nonce
- Client signs the nonce with its ed25519 private key
- Server verifies the signature and grants access
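The identity derivation and challenge-response described above, as an added example using Node.js built-in crypto; it is not OpenClaw's own code. The message field names, the 32-byte nonce, the 30-second lifetime and the single-use nonce store are assumptions made for illustration.

```javascript
// Added example: field names, nonce size and TTL are assumptions, not OpenClaw's wire format.
const crypto = require('node:crypto');

// Device ID = SHA256 hex of the 32 raw public key bytes (as stated on this page).
const deviceIdOf = (raw) => crypto.createHash('sha256').update(raw).digest('hex');

// Client side: generate an identity; the JWK "x" field is base64url of the raw key.
function newIdentity() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const publicKeyB64 = publicKey.export({ format: 'jwk' }).x;
  const raw = Buffer.from(publicKeyB64, 'base64url');
  return { privateKey, publicKey: publicKeyB64, deviceId: deviceIdOf(raw) };
}

// Client side: sign the server's nonce with the ed25519 private key.
const signNonce = (identity, nonceB64) =>
  crypto.sign(null, Buffer.from(nonceB64, 'base64url'), identity.privateKey)
    .toString('base64url');

// Server side: single-use, short-lived nonces so a captured signature cannot be replayed.
class Verifier {
  constructor(ttlMs = 30000) { this.ttlMs = ttlMs; this.pending = new Map(); }

  issueChallenge(now = Date.now()) {
    const nonce = crypto.randomBytes(32).toString('base64url');
    this.pending.set(nonce, now + this.ttlMs);
    return nonce;
  }

  verify({ deviceId, publicKey, nonce, signature }, now = Date.now()) {
    const expires = this.pending.get(nonce);
    this.pending.delete(nonce); // consume the nonce even when verification fails
    if (expires === undefined || now > expires) return 'bad-nonce';
    const raw = Buffer.from(String(publicKey), 'base64url');
    if (raw.length !== 32) return 'bad-key';
    // The claimed ID must be derived from the presented key, not merely asserted.
    if (deviceIdOf(raw) !== deviceId) return 'id-mismatch';
    const key = crypto.createPublicKey({
      key: { kty: 'OKP', crv: 'Ed25519', x: raw.toString('base64url') },
      format: 'jwk',
    });
    const ok = crypto.verify(null, Buffer.from(nonce, 'base64url'), key,
      Buffer.from(String(signature), 'base64url'));
    return ok ? 'ok' : 'bad-signature';
  }
}
```

A passing check proves only possession of the private key behind that device ID; deciding whether that device ID is allowed to connect is a separate step not shown here.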
Authentication Modes
| Mode | Description |
|---|---|
| Token (recommended) | Bearer token shared between client and gateway |
| Password | Via OPENCLAW_GATEWAY_PASSWORD environment variable |
| Trusted proxy | For reverse proxies with identity headers |
| None | No auth (testing only, localhost) |
xCloud uses token mode by default, generating a random token on first launch.
DM Policies
Control who can message your agents:
| Policy | Description |
|---|---|
| pairing (default) | 1-hour pairing code for unknown senders |
| allowlist | Only approved senders |
| open | Anyone (requires explicit "*") |
| disabled | Ignore all DMs |
Sandboxing
Agents can run in Docker containers for isolation:
| Mode | Description |
|---|---|
| all | Docker for everything |
| non-main | Docker only for non-main agents |
| off | No sandbox, host execution |
Workspace Access
| Level | Description |
|---|---|
| none | No access to workspace |
| ro | Read-only mount |
| rw | Read/write mount |
Security Audit
Run a security audit from the command line:
```bash
openclaw security audit          # Basic audit
openclaw security audit --deep   # Deep audit
openclaw security audit --fix    # Auto-fix issues
```
Covers: filesystem permissions, gateway config, hooks, browser, sandbox, tools, and plugins.
Prompt Injection Mitigations
- DMs blocked by default (pairing/allowlists)
- Mention gating in groups
- Links and attachments treated as hostile
- Sandbox for sensitive execution
- Secrets stored outside accessible filesystem
- Use latest-generation models for agents with tools
Credential Storage
| Item | Location |
|---|---|
| Main config | ~/.openclaw/openclaw.json |
| Device identity | ~/.openclaw/identity/device.json |
| API keys | Environment variables or .env file |
| Secrets | ~/.openclaw/secrets.json |
All directories use permission mode 700; files use 600.