Techalicious Academy / 2026-02-24-openclaw-ollama

(Visit our meetup for more great tutorials)

SECURITY HARDENING

This section is why the live meetup got cancelled. It's also why this tutorial is free. The security situation around OpenClaw is serious enough that you should understand exactly what you're getting into before you run this software on a machine that has your SSH keys, your browser passwords, and your crypto wallets.

Read this section carefully. It is not optional.

The ClawHavoc Attack

In late January 2026, a coordinated supply chain attack hit the ClawHub skill marketplace. Here's what happened:

An attacker using the account "hightower6eu" uploaded 677 malicious packages to ClawHub, the official marketplace for OpenClaw skills (plugins). At peak, 824 of approximately 10,700 skills, about 8% of the entire marketplace, were trojanized.

The payload was the Atomic macOS Stealer (AMOS). If you installed one of the compromised skills, AMOS would harvest:

Browser credentials (Chrome, Firefox, Safari)
SSH keys
Telegram sessions
Cryptocurrency wallets
Keychain data

This wasn't theoretical. This was a real attack that hit real users.

The Exposure Problem

Separately from ClawHavoc, security researchers found over 312,000 OpenClaw instances exposed on the public internet, many without any authentication. These aren't behind VPNs or firewalls. They're wide open. Anyone who finds them can send commands, read files, and potentially execute arbitrary code on the host machine.

Five CVEs were disclosed, including:

CVE-2026-25253 (CVSS 8.8): A one-click remote code execution through the Control UI. An attacker could exfiltrate gateway tokens via WebSocket, then use those tokens to send arbitrary commands to the agent. The agent executes commands with your user's full permissions.

Let that sink in. If your OpenClaw gateway is accessible from the internet and doesn't have authentication, anyone can run commands on your Mac as you.

Step 1: Run The Built-In Security Audit

openclaw security audit --fix

This checks:

Inbound access policies
Tool blast radius (what the agent can do)
Network exposure
Browser control exposure
Filesystem permissions
Plugin allowlists
Model hygiene

The --fix flag auto-remediates what it can: mainly filesystem permissions (making ~/.openclaw/ non-world-readable) and enabling log redaction. Network and authentication issues require manual fixes.

For a deeper scan that includes live TCP port probing:

openclaw security audit --deep

Step 2: Gateway Binding and Authentication

Your openclaw.json should already have this from the configuration step:

"gateway": {
  "bind": "loopback",
  "port": 18789,
  "auth": {
    "mode": "token",
    "token": "your-64-char-random-hex-string"
  }
}

Two critical things to verify after every restart:

BINDING: The gateway must listen only on 127.0.0.1 (loopback), not on 0.0.0.0 (all interfaces). There is a known behavior where if loopback binding fails for any reason, the gateway SILENTLY falls back to 0.0.0.0 with no warning. No error in the logs. No alert. It just opens your machine to the network.

Verify after every start:

lsof -i :18789 -nP | grep LISTEN

You must see 127.0.0.1:18789 in the output. If you see *:18789 or 0.0.0.0:18789, your gateway is exposed to your entire network.

AUTHENTICATION: The token prevents unauthorized access to the gateway API. Without it, anyone on your network (or the internet, if binding went wrong) can send commands to your agent.

Generate a strong token:

openssl rand -hex 32
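To make the two checks above repeatable after every restart, here is an added shell script (not part of OpenClaw) that parses the lsof output for port 18789 and fails unless every listener is on loopback, and that checks a token for the 64-hex-character shape that openssl rand -hex 32 produces. The script name and its --live flag are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of OpenClaw. Checks the two things Step 2 asks you
# to verify: that every listener on the gateway port is on loopback, and that
# the configured token looks like the output of `openssl rand -hex 32`.
# Port 18789 matches the tutorial's config; lsof output is read from stdin.

GATEWAY_PORT=18789

# check_gateway_bind [port] < lsof-output
# Reads `lsof -i :<port> -nP` output and prints one line per LISTEN socket.
# Returns 0 if all listeners are loopback, 1 if any is reachable from the
# network (the silent 0.0.0.0 fallback), 2 if nothing is listening at all.
check_gateway_bind() {
  port="${1:-$GATEWAY_PORT}"
  status=0
  seen=0
  while IFS= read -r line; do
    case "$line" in *"(LISTEN)"*) ;; *) continue ;; esac
    # NAME is the second-to-last column: 127.0.0.1:18789, *:18789 or [::1]:18789
    addr=$(printf '%s\n' "$line" | awk '{print $(NF-1)}')
    case "$addr" in *":$port") ;; *) continue ;; esac
    seen=1
    host="${addr%:*}"
    case "$host" in
      127.0.0.1|'[::1]')   echo "ok     $addr (loopback only)" ;;
      '*'|0.0.0.0|'[::]')  echo "ALERT  $addr listens on ALL interfaces"; status=1 ;;
      *)                   echo "ALERT  $addr listens on a non-loopback address"; status=1 ;;
    esac
  done
  if [ "$seen" -eq 0 ]; then
    echo "no listener on port $port (gateway not running?)"
    return 2
  fi
  return "$status"
}

# check_token_strength <token>
# Returns 0 only for a 64-char lowercase hex string, i.e. 32 random bytes.
# The placeholder from the config snippet above fails this check on purpose.
check_token_strength() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Live run against the local machine: ./check_gateway.sh --live
if [ "${1:-}" = "--live" ]; then
  lsof -i ":$GATEWAY_PORT" -nP | check_gateway_bind "$GATEWAY_PORT"
fi
```

Run it with --live right after starting the gateway; a non-zero exit means stop and fix the binding before doing anything else.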

Step 3: Add a Firewall Rule

Defense in depth. Even if the binding is correct, add a macOS firewall rule to block external connections to the gateway port:

echo "block in on ! lo0 proto tcp to any port 18789" | sudo pfctl -ef -

This tells the macOS packet filter to block all incoming TCP traffic on port 18789 except from the loopback interface (lo0). Even if the gateway accidentally binds to 0.0.0.0, the firewall blocks external connections. Note that pfctl -f loads the piped text as the complete ruleset, replacing whatever was loaded before (including the defaults from /etc/pf.conf), and the rule does not survive a reboot, so re-apply it after every restart or add it to /etc/pf.conf.

Step 4: Install SecureClaw

SecureClaw is an open-source security plugin by Adversa AI. It has 56 audit checks, 5 hardening modules, and 3 background monitors. It specifically looks for ClawHavoc indicators of compromise.

git clone https://github.com/adversa-ai/secureclaw.git
cd secureclaw/secureclaw
npm install && npm run build
npx openclaw plugins install -l .

Run its enhanced audit:

npx openclaw secureclaw audit --fix

This auto-remediates:

Gateway binding (changes 0.0.0.0 to 127.0.0.1)
Directory permissions
Config file permissions
Appends privacy and injection-awareness directives to your agent's SOUL.md file

Step 5: Disable mDNS Broadcasting

You should already have this in your .env file:

OPENCLAW_DISABLE_BONJOUR=1

But let's talk about why this matters. By default, OpenClaw broadcasts a Bonjour (mDNS) service record on UDP port 5353. Every device on your local network can discover your OpenClaw instance. In "full" mode, the TXT records in the broadcast include filesystem paths and your username.

If you're at a coffee shop, a coworking space, or a meetup venue, everyone on the same Wi-Fi can see that you're running OpenClaw, where your home directory is, and what your username is.

There's also a known crash bug where brief Wi-Fi disconnections trigger an mDNS assertion error that permanently kills the Discord channel until manual restart.

Disable it. There is no reason to broadcast your presence.

Step 6: Do NOT Install Third-Party Skills

After ClawHavoc, Snyk scanned 3,984 ClawHub skills and found:

41.7% contain serious security vulnerabilities
7.1% leak credentials in plaintext through LLM context

Red flags to watch for if you ever consider installing a skill:

SKILL.md files with "Prerequisites" sections telling you to run curl ... | bash (arbitrary code execution disguised as setup)

References to webhook.site, glot.io, or external paste services (data exfiltration endpoints)

Password-protected ZIP downloads (hiding malicious code from automated scanners)

Publishers with bulk uploads and no track record (the attacker uploaded 677 packages from one account)

Any eval() calls or Base64-encoded content in scripts (obfuscated payloads)

The safe approach: use only the 53 skills bundled with OpenClaw. These are first-party and carry zero supply chain risk. For third-party skills, check VirusTotal scan results on the skill's ClawHub page. As of February 2026, all uploads are scanned automatically via OpenClaw's VirusTotal partnership.

Better yet, just don't install third-party skills at all. The bundled ones cover most use cases.
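If you do end up evaluating a third-party skill, here is an added script (not OpenClaw's or ClawHub's own tooling) that greps a downloaded skill directory for the red flags listed above before anything is installed. The rule names and regexes are this example's own heuristics, not an official indicator list.

```sh
#!/bin/sh
# Added example, not OpenClaw's or ClawHub's code. Greps a skill directory for
# the red flags listed above before you install it. The regexes are heuristics:
# a hit means stop and read the code; no hits does not mean the skill is safe.

# scan_skill_dir <dir>
# Prints one "[rule] path:line:text" line per finding.
# Returns 1 if anything matched, 0 if the directory came back clean.
scan_skill_dir() {
  dir="$1"
  findings=$(
    # rule <label> <extended-regex>: case-insensitive recursive grep
    rule() { grep -rEin -- "$2" "$dir" 2>/dev/null | sed "s/^/[$1] /"; }
    # "Prerequisites: run curl ... | bash" (or wget, sh, zsh)
    rule pipe-to-shell  '(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh([[:space:]]|$)'
    # exfiltration / paste endpoints named in the tutorial
    rule exfil-endpoint 'webhook\.site|glot\.io'
    # dynamic code evaluation
    rule eval-call      '(^|[^A-Za-z0-9_.])eval[[:space:]]*\('
    # base64 decoding, or a long opaque base64-looking run
    rule base64-blob    'base64[[:space:]]+(-d|--decode)|[A-Za-z0-9+/]{60,}={0,2}'
    # password-protected archives that hide contents from scanners
    rule passworded-zip 'unzip[[:space:]].*[[:space:]]-P[[:space:]]|7z[[:space:]].*[[:space:]]-p[^[:space:]]'
  )
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  echo "no red flags in $dir (heuristic scan, not a guarantee)"
  return 0
}

# Usage: ./scan_skill.sh <path-to-skill-directory>
if [ -n "${1:-}" ]; then
  scan_skill_dir "$1"
fi
```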

macOS Permission Traps

Three macOS permissions are required for OpenClaw. Miss one and it breaks in confusing, hard-to-debug ways:

  1. Full Disk Access (System Settings, Privacy & Security)
  2. Accessibility access
  3. Screen Recording (if using browser automation)

The trap: you MUST restart Terminal after toggling any of these permissions. macOS does not apply permission changes to already-running terminal sessions. This is a 45-minute debugging rabbit hole that catches everyone at least once. Toggle the permission, fully quit Terminal, reopen Terminal, then test.

If you've completed this checklist, you have a reasonably hardened OpenClaw installation. It's not bulletproof. No software is. But you've closed the most obvious and most exploited attack vectors.

Now let's actually use the thing.