
OpenClaw security hardening guide: what to lock down?

5 March 2026 | 11 min read | SureClaw Team

Last updated: 5 March 2026

Short answer: OpenClaw is safe when the gateway is private, authentication is enforced, and your version is patched to at least 2026.2.26. The highest risk in 2026 remains exposed public instances running stale versions with weak or missing auth.

We run SureClaw deployments across Australia, and the same failure pattern repeats: public gateway exposure, firewall assumptions that break in Docker, or rushed token setup. This guide covers the exact checks we use in production.

Why 2026 made OpenClaw security urgent

OpenClaw's growth from roughly 1,000 publicly exposed instances to over 21,000 in a single week at the end of January 2026 dramatically increased the attack surface. Independent security reporting also found more than 42,000 exposed instances, with a large subset actively vulnerable and many showing authentication bypass conditions.

The critical vulnerability CVE-2026-25253 (CVSS 8.8) enabled one-click remote code execution via a malicious link. It was patched in OpenClaw 2026.1.29, and the later ClawJacked issue required patching to 2026.2.25 or later.

Cisco, Palo Alto Networks, and CrowdStrike all published warnings in 2026, highlighting the risk profile of exposed OpenClaw environments with broad tool access.

How exposed is OpenClaw right now?

Multiple scanning teams documented exposure at scale. Censys reported 21,639 exposed instances as of 31 January 2026, and Bitsight observed more than 30,000 in its wider analysis window.

On the skills side, Snyk found that 36.82% of community skills had at least one security flaw. Other researchers identified hundreds of malicious skills in ClawHub, including credential theft and data exfiltration payloads.

For Australian businesses, these global numbers translate directly: if your gateway is open on a public IP with default settings, you are in the highest-risk category.

Security hardening checklist

Run these ten checks first. If any fail, treat the setup as non-production.

  1. Upgrade OpenClaw to at least version 2026.2.26.
  2. Bind gateway to 127.0.0.1 only, never 0.0.0.0.
  3. Require and validate auth tokens for every gateway request (generate with openssl rand -hex 32).
  4. Put a reverse proxy in front of OpenClaw with HTTPS, rate limiting, and request size caps.
  5. Block port 18789 at both cloud firewall and host firewall layers.
  6. Disable password SSH and enforce key-only host access.
  7. Patch the base OS weekly and pin Docker image tags (do not use :latest in production).
  8. Store API keys outside writable app directories.
  9. Review enabled skills and remove non-essential tool access.
  10. Alert on repeated auth failures and unusual gateway request spikes.
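
The first three checks can be scripted as below. This is an added example, not part of OpenClaw or of our production tooling; it assumes the three-field numeric version scheme seen in this guide, and the `ss` output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example: offline checks for checklist items 1-3 of this guide.
MIN_VERSION="2026.2.26"   # minimum baseline stated in the guide
GATEWAY_PORT=18789        # gateway port named in the guide

# Succeed if $1 >= MIN_VERSION. Fields are compared as numbers, so a
# constructed 2026.10.1 ranks above 2026.2.26 (a string compare gets that
# wrong). Assumes the three-field numeric scheme of versions on this page.
version_ok() {
    echo "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1 $MIN_VERSION      # $1-$3 = candidate, $4-$6 = minimum
    IFS=$old_ifs
    if   [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]
    elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]
    else [ "$3" -ge "$6" ]; fi
}

# Succeed only for 64 lowercase hex characters, the shape that
# `openssl rand -hex 32` emits. This checks format, not randomness.
token_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Read `ss -ltn` output on stdin; print each local address listening on
# GATEWAY_PORT that is not loopback (0.0.0.0, [::], * or a routable IP).
public_listeners() {
    awk -v port="$GATEWAY_PORT" '$1 == "LISTEN" {
        n = split($4, parts, ":")
        if (parts[n] != port) next
        host = substr($4, 1, length($4) - length(parts[n]) - 1)
        if (host !~ /^127\./ && host != "[::1]") print $4
    }'
}

# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:18789    0.0.0.0:*
LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   [::]:18789         [::]:*'
audit_sample() { printf '%s\n' "$SAMPLE_SS" | public_listeners; }

for v in 2026.1.29 2026.2.25 2026.2.26; do
    if version_ok "$v"; then echo "$v ok"; else echo "$v below $MIN_VERSION"; fi
done
echo "non-loopback listeners on $GATEWAY_PORT:"; audit_sample
```

On a live host, pipe `ss -ltn` into `public_listeners`; any output means check 2 has failed.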

The Docker + UFW firewall footgun

One of the most common mistakes is trusting UFW alone on a Docker host. Docker can program iptables rules that bypass UFW unless explicit policy controls are in place.

We never rely on one layer. Block ingress at the cloud firewall, enforce host-level rules, and keep the gateway private behind a tailnet or VPN.
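
Because a clean `ufw status` says nothing about ports Docker has published, check Docker's own view of each container. The script below is an added example, not OpenClaw or Docker project code; the container names and port listings are constructed, and the parser assumes the `NAME<TAB>PORTS` layout produced by the `docker ps --format` string shown in its comments.

```shell
#!/bin/sh
# Added example: list Docker port publishes reachable beyond loopback.
# Input: lines of NAME<TAB>PORTS as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

docker_public_ports() {
    awk -F '\t' '{
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++) {
            # "18789/tcp" alone is exposed but not published: no host side.
            if (split(maps[i], side, "->") != 2) continue
            host = side[1]
            if (host ~ /^127\./ || host ~ /^\[::1\]/) continue
            print $1, host
        }
    }'
}

# Constructed sample; container names are hypothetical.
audit_docker_sample() {
    printf '%s\t%s\n' \
        'gateway-a' '0.0.0.0:18789->18789/tcp, [::]:18789->18789/tcp' \
        'gateway-b' '127.0.0.1:18789->18789/tcp' \
        'worker'    '18789/tcp' | docker_public_ports
}

audit_docker_sample
# On a live host:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | docker_public_ports
# Fix for a flagged container: publish with an explicit loopback host IP,
# e.g. -p 127.0.0.1:18789:18789 instead of -p 18789:18789.
```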

The ClawHub supply chain risk

ClawHub is OpenClaw’s skills marketplace, and it carries the same supply-chain risk pattern seen in package registries. Skills run with whatever permissions the agent has, and low-friction publishing increases abuse risk.

For business deployments, whitelist vetted skills and audit source code before enabling community plugins.

Our recommended deployment model for Australian businesses

| Hosting model | Best fit | Security posture |
| --- | --- | --- |
| Local Mac or PC + Tailscale | Solo founders and small teams | Strong when no public gateway exists |
| Sydney VPS + VPN or tailnet | Teams needing always-on access | Strong with strict firewall and private bind |
| Public VPS with direct exposure | Almost nobody | Weak and not recommended |

For most Australian teams, use a private-first model in an Australian data centre with no public gateway by default. Open public routes only when business requirements force it, and keep them behind authenticated reverse proxy controls.

Which version should you run?

As of March 2026, 2026.2.26 or later is the minimum acceptable deployment baseline. Patch first, then validate auth and network posture.

Frequently Asked Questions

Is OpenClaw safe to use for Australian businesses?

Yes, if you enforce private networking, proper authentication, current patch levels, and vetted skills. Most incidents in 2026 involved exposed gateways, stale versions, or malicious community skills.

What is the biggest OpenClaw security mistake?

Publicly exposing the gateway on 0.0.0.0 and assuming token auth alone is sufficient. Network posture must be private-first.

Do I need an OpenClaw security audit?

If your setup is public-facing, shared across staff, or connected to sensitive systems, yes. A short audit catches misconfigurations quickly and is far cheaper than incident response.
