07-security-hardening.txt

SECURITY HARDENING ==================== This section is why the live meetup got cancelled. It's also why this tutorial is free. The security situation around OpenClaw is serious enough that you should understand exactly what you're getting into before you run this software on a machine that has your SSH keys, your browser passwords, and your crypto wallets. Read this section carefully. It is not optional. The ClawHavoc Attack --------------------- In late January 2026, a coordinated supply chain attack hit the ClawHub skill marketplace. Here's what happened: An attacker using the account "hightower6eu" uploaded 677 malicious packages to ClawHub, the official marketplace for OpenClaw skills (plugins). At peak, 824 of approximately 10,700 skills, about 8% of the entire marketplace, were trojanized. The payload was the Atomic macOS Stealer (AMOS). If you installed one of the compromised skills, AMOS would harvest: Browser credentials (Chrome, Firefox, Safari) SSH keys Telegram sessions Cryptocurrency wallets Keychain data This wasn't theoretical. This was a real attack that hit real users. The Exposure Problem --------------------- Separately from ClawHavoc, security researchers found over 312,000 OpenClaw instances exposed on the public internet, many without any authentication. These aren't behind VPNs or firewalls. They're wide open. Anyone who finds them can send commands, read files, and potentially execute arbitrary code on the host machine. Five CVEs were disclosed, including: CVE-2026-25253 (CVSS 8.8): A one-click remote code execution through the Control UI. An attacker could exfiltrate gateway tokens via WebSocket, then use those tokens to send arbitrary commands to the agent. The agent executes commands with your user's full permissions. Let that sink in. If your OpenClaw gateway is accessible from the internet and doesn't have authentication, anyone can run commands on your Mac as you. Step 1: Run The Built-In Security Audit ----------------------------------------- openclaw security audit --fix This checks: Inbound access policies Tool blast radius (what the agent can do) Network exposure Browser control exposure Filesystem permissions Plugin allowlists Model hygiene The --fix flag auto-remediates what it can: mainly filesystem permissions (making ~/.openclaw/ non-world-readable) and enabling log redaction. Network and authentication issues require manual fixes. For a deeper scan that includes live TCP port probing: openclaw security audit --deep Step 2: Gateway Binding and Authentication -------------------------------------------- Your openclaw.json should already have this from the configuration step: "gateway": { "bind": "loopback", "port": 18789, "auth": { "mode": "token", "token": "your-64-char-random-hex-string" } } Two critical things to verify after every restart: BINDING: The gateway must listen only on 127.0.0.1 (loopback), not on 0.0.0.0 (all interfaces). There is a known behavior where if loopback binding fails for any reason, the gateway SILENTLY falls back to 0.0.0.0 with no warning. No error in the logs. No alert. It just opens your machine to the network. Verify after every start: lsof -i :18789 -nP | grep LISTEN You must see 127.0.0.1:18789 in the output. If you see *:18789 or 0.0.0.0:18789, your gateway is exposed to your entire network. AUTHENTICATION: The token prevents unauthorized access to the gateway API. Without it, anyone on your network (or the internet, if binding went wrong) can send commands to your agent. Generate a strong token: openssl rand -hex 32 Step 3: Add a Firewall Rule ------------------------------ Defense in depth. Even if the binding is correct, add a macOS firewall rule to block external connections to the gateway port: echo "block in on ! lo0 proto tcp to any port 18789" | sudo pfctl -ef - This tells the macOS packet filter to block all incoming TCP traffic on port 18789 except from the loopback interface (lo0). Even if the gateway accidentally binds to 0.0.0.0, the firewall blocks external connections. Step 4: Install SecureClaw ---------------------------- SecureClaw is an open-source security plugin by Adversa AI. It has 56 audit checks, 5 hardening modules, and 3 background monitors. It specifically looks for ClawHavoc indicators of compromise. git clone https://github.com/adversa-ai/secureclaw.git cd secureclaw/secureclaw npm install && npm run build npx openclaw plugins install -l . Run its enhanced audit: npx openclaw secureclaw audit --fix This auto-remediates: Gateway binding (changes 0.0.0.0 to 127.0.0.1) Directory permissions Config file permissions Appends privacy and injection-awareness directives to your agent's SOUL.md file Step 5: Disable mDNS Broadcasting ------------------------------------ You should already have this in your .env file: OPENCLAW_DISABLE_BONJOUR=1 But let's talk about why this matters. By default, OpenClaw broadcasts a Bonjour (mDNS) service record on UDP port 5353. Every device on your local network can discover your OpenClaw instance. In "full" mode, the TXT records in the broadcast include filesystem paths and your username. If you're at a coffee shop, a coworking space, or a meetup venue, everyone on the same Wi-Fi can see that you're running OpenClaw, where your home directory is, and what your username is. There's also a known crash bug where brief Wi-Fi disconnections trigger an mDNS assertion error that permanently kills the Discord channel until manual restart. Disable it. There is no reason to broadcast your presence. Step 6: Do NOT Install Third-Party Skills ------------------------------------------- After ClawHavoc, Snyk scanned 3,984 ClawHub skills and found: 41.7% contain serious security vulnerabilities 7.1% leak credentials in plaintext through LLM context Red flags to watch for if you ever consider installing a skill: SKILL.md files with "Prerequisites" sections telling you to run curl ... | bash (arbitrary code execution disguised as setup) References to webhook.site, glot.io, or external paste services (data exfiltration endpoints) Password-protected ZIP downloads (hiding malicious code from automated scanners) Publishers with bulk uploads and no track record (the attacker uploaded 677 packages from one account) Any eval() calls or Base64-encoded content in scripts (obfuscated payloads) The safe approach: use only the 53 skills bundled with OpenClaw. These are first-party and carry zero supply chain risk. For third-party skills, check VirusTotal scan results on the skill's ClawHub page. As of February 2026, all uploads are scanned automatically via OpenClaw's VirusTotal partnership. Better yet, just don't install third-party skills at all. The bundled ones cover most use cases. +----------------------------------------------------------+ | SECURITY CHECKLIST | | | | [ ] openclaw security audit --fix | | [ ] Gateway binds to 127.0.0.1 only (verify with lsof) | | [ ] Gateway has token authentication | | [ ] Firewall rule blocks external access to port | | [ ] OPENCLAW_DISABLE_BONJOUR=1 | | [ ] No cloud API keys in environment | | [ ] ~/.openclaw/ permissions are 700 | | [ ] Config files permissions are 600 | | [ ] No third-party skills installed | | [ ] SecureClaw installed and audit passed | +----------------------------------------------------------+ macOS Permission Traps ----------------------- Three macOS permissions are required for OpenClaw. Miss one and it breaks in confusing, hard-to-debug ways: 1. Full Disk Access (System Settings, Privacy & Security) 2. Accessibility access 3. Screen Recording (if using browser automation) The trap: you MUST restart Terminal after toggling any of these permissions. macOS does not apply permission changes to already-running terminal sessions. This is a 45-minute debugging rabbit hole that catches everyone at least once. Toggle the permission, fully quit Terminal, reopen Terminal, then test. If you've completed this checklist, you have a reasonably hardened OpenClaw installation. It's not bulletproof. No software is. But you've closed the most obvious and most exploited attack vectors. Now let's actually use the thing.