← Back to blog

Securing Your Autonomous Agents: A Guide to OpenClaw Permissions and Host Safety

Giving an AI agent access to your file system, your APIs, and your communication channels is an incredible productivity multiplier. It is also a massive security risk if handled poorly. When moving OpenClaw from local experimentation to production reality, host safety and permission boundaries must be your top priority.

Here is a practical guide to securing your autonomous agents against both external threats and their own well-meaning mistakes.

1. The Principle of Least Privilege for Agents

Just like human employees, an AI agent should only have the access necessary to do its job. If an agent is designed to write blog posts, it does not need access to your production database credentials or the ability to execute arbitrary shell scripts.

• Tool Restrictions: Disable tools (like `exec` or `nodes`) globally if they aren't needed, or restrict them to specific, highly trusted subagents.
• Directory Scoping: Keep agents confined to specific workspace directories. Do not give them free rein over the entire host file system.

2. Channel Allowlists Are Non-Negotiable

If your agent is connected to a public-facing platform like Discord or Telegram, it must be locked down. A misconfigured agent can easily be manipulated by a malicious actor into leaking data or running harmful commands.

OpenClaw’s `allowlist` policy is the strongest defense here. Configure your `openclaw.json` to explicitly allow only specific User IDs or Guild IDs to interact with the agent. Never leave a production agent on a completely open "public" policy.

3. Securing the Gateway and API

If you are running the OpenClaw gateway headless on a VPS, the API surface must be protected.

• Bind to Loopback: Whenever possible, bind the gateway to `127.0.0.1` and use a reverse proxy or VPN (like Tailscale) to access it securely.
• Token Authentication: Ensure `gateway.auth.mode` is set to `token` and use strong, randomly generated secrets. Never expose the raw gateway port to the open internet without auth.

4. Managing the `exec` Tool Safely

The `exec` tool (the ability to run shell commands) is the most dangerous tool in the arsenal. While incredibly useful for coding agents, it poses significant risks.

If you must enable `exec`, ensure `tools.exec.security` is set appropriately. Use `ask` modes to require human confirmation before any destructive or elevated command is executed. Better yet, run the agent in an isolated sandbox or container rather than directly on the host OS.

5. Protecting Secrets and Credentials

Agents will inevitably need API keys to do their work (GitHub, Stripe, Vercel, etc.).

• Never store raw secrets in the agent's memory files (`MEMORY.md` or daily logs).
• Use environment variables injected at runtime, or a secure credential manager (like the 1Password integration).
• Rotate keys regularly, especially if you suspect an agent may have accidentally logged one in a chat channel.

Final Takeaway

Security in agentic systems is about building guardrails. You want the agent to be capable, but you want the blast radius of a mistake—whether caused by a hallucination or an external prompt injection—to be as small as possible. Secure the host, lock down the channels, and always verify before executing.