OpenClaw Security

Autonomous AI agents are powerful — and that power needs guardrails. OpenClaw gives you fine-grained control over what your agent can do, from sandbox restrictions to credential management.

Security Philosophy

OpenClaw follows a "trust but verify" model. You decide how much autonomy your agent gets, and the platform enforces those boundaries. The goal: maximum productivity with minimum risk.

🛑 The Golden Rules

  • Prioritize safety over task completion — always
  • Never bypass safeguards, even if the agent suggests it
  • trash over rm — recoverable beats gone forever
  • When in doubt, the agent should ask, not act
  • Sensitive actions always require human confirmation

Exec Security Modes

OpenClaw's exec tool controls how the agent runs shell commands. Choose the level of access appropriate for your use case:

🚫 Deny Mode

No shell command execution at all. The agent can only use built-in tools.

security: "deny"

Best for: untrusted environments, pure chat agents

📋 Allowlist Mode

Only pre-approved commands can run. Everything else is blocked.

security: "allowlist"

Best for: production agents, business automation

✅ Full Mode

Unrestricted shell access. The agent can run any command.

security: "full"

Best for: development, trusted environments, power users

Example Allowlist Configuration

# Allowed commands for a content automation agent
allowlist:
  - git status
  - git add
  - git commit
  - git push
  - npm run build
  - npm run test
  - cat
  - ls
  - grep
  - rg    # ripgrep for code search
  - curl  # API calls
# Blocked by default (not in allowlist):
# rm, sudo, chmod, chown, ssh, scp, etc.

Start restrictive and expand as needed. It's easier to grant permissions than to recover from accidents.
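The allowlist above is a list of command prefixes. The following added example (not OpenClaw's own code) shows one way such a check can be enforced: a command is allowed only if its first tokens match an allowlisted entry and it contains no shell control characters that could chain or redirect into something not on the list. The allowlist contents mirror the page's example configuration; the function name is an assumption.

```python
import shlex

# Constructed allowlist mirroring the page's example configuration.
# Each entry is a command prefix: "git status" permits "git status --short"
# but a bare "git" does not match any entry and is refused.
ALLOWLIST = [
    "git status", "git add", "git commit", "git push",
    "npm run build", "npm run test",
    "cat", "ls", "grep", "rg", "curl",
]

# Operators that would let one "command" chain, substitute or redirect
# into something not on the list; the check rejects them outright.
SHELL_CONTROL_CHARS = set(";&|`$<>()\n")


def is_allowed(command: str, allowlist=ALLOWLIST) -> bool:
    """Return True only if `command` starts with an allowlisted prefix
    and contains no shell control operators (hypothetical checker)."""
    if any(ch in SHELL_CONTROL_CHARS for ch in command):
        return False
    try:
        argv = shlex.split(command)
    except ValueError:
        # Unbalanced quotes: refuse rather than guess what the shell would do.
        return False
    if not argv:
        return False
    for entry in allowlist:
        prefix = entry.split()
        # Compare whole tokens so "gitk" or "lsblk" cannot match "git"/"ls".
        if argv[: len(prefix)] == prefix:
            return True
    return False
```

Prefix matching is deliberately coarse: an allowlisted binary still accepts any arguments the list does not mention, which is why the page says to start restrictive and expand only as needed.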

Autonomy Policy (Green / Yellow / Red)

Beyond shell commands, OpenClaw's autonomy policy classifies all agent actions into three tiers. This is your master control for what the agent can do without asking.

🟢 Green — Automatic

Agent does these freely without asking:

  • Research and web searches
  • Reading files and code
  • Writing summaries and drafts
  • Local file organization
  • Monitoring and status checks
  • Memory updates

🟡 Yellow — Confirm First

Agent asks before doing these:

  • Sending external messages (email, social)
  • Publishing content
  • Code deployments
  • System configuration changes
  • Installing packages
  • Creating external accounts

🔴 Red — Manual Only

Agent never does these — human must act:

  • Financial transactions / payments
  • Credential creation or changes
  • Infrastructure / security policy changes
  • Deleting important data
  • Modifying safety rules
  • Granting access to others

Credential Management

✅ Recommended: 1Password CLI

OpenClaw's built-in 1Password skill lets agents securely fetch credentials at runtime. Secrets never appear in config files or prompts.

op read "op://vault/item/field"

⚠️ Acceptable: .env Files

Environment files with restricted permissions. Make sure .env is in .gitignore and has proper file permissions (600).

chmod 600 ~/.openclaw/.env

❌ Never Do This

  • Store API keys in code or config files committed to git
  • Put credentials in SKILL.md or memory files
  • Share .env files in group chats or Discord
  • Let agents log credentials in daily memory files

Content Safety for Public Output

When your agent generates public-facing content (social posts, newsletters, PDFs), additional safety rules apply to prevent accidental information leaks:

Sanitize Before Publishing

  • Never include workspace file paths
  • Strip API keys and internal IDs
  • Remove personal information
  • Review links before publishing

Automated Checks

  • Run content sanitizer scripts on generated output
  • Check for pattern-matching on key formats
  • Verify no internal context leaked
  • Log all published content for audit
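As an added illustration of the sanitize-before-publishing and automated-check rules above (example code, not an OpenClaw script), the sanitizer below scans a generated draft for the leak classes the page names, workspace paths, key-shaped tokens, 1Password references and personal information, redacts them, and returns the findings so the caller can block publishing and log them for audit. The key formats and the sample draft are constructed assumptions, not OpenClaw's own patterns.

```python
import re

# Constructed patterns for the leak classes the page lists. The key formats
# (sk-/pk- prefixed tokens, AKIA access-key ids) are illustrative only;
# a real deployment would carry the formats of the providers it actually uses.
LEAK_PATTERNS = {
    "workspace_path": re.compile(r"(?:~|/home/[\w.-]+)/\.openclaw/[\w./-]*"),
    "op_reference": re.compile(r"op://[\w-]+/[\w-]+/[\w-]+"),
    "api_key": re.compile(r"\b(?:sk|pk)-[A-Za-z0-9]{20,}\b|\bAKIA[A-Z0-9]{16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

# Constructed sample draft an agent might produce for a newsletter.
SAMPLE_DRAFT = (
    "Weekly update: shipped the new parser. Notes live in "
    "~/.openclaw/workspace/notes.md; ping ops@example.com with questions. "
    "Key used for testing: sk-abcdefghijklmnopqrstuvwxyz0123"
)


def scan(text: str) -> list[tuple[str, str]]:
    """Return (category, matched_text) for every suspected leak in `text`."""
    hits = []
    for category, pattern in LEAK_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits


def sanitize(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Redact every hit and return (clean_text, hits).

    A non-empty `hits` list means the draft leaked something: the caller
    should hold publication for review and write the hits to the audit log.
    """
    hits = scan(text)
    clean = text
    for category, pattern in LEAK_PATTERNS.items():
        clean = pattern.sub(f"[REDACTED {category}]", clean)
    return clean, hits


if __name__ == "__main__":
    cleaned, findings = sanitize(SAMPLE_DRAFT)
    for category, value in findings:
        print(f"leak ({category}): {value}")
    print(cleaned)
```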

Security Setup Checklist

  • Configure exec security mode (allowlist recommended for production)
  • Set up AUTONOMY_POLICY.md with green/yellow/red tiers
  • Move credentials to 1Password or properly secured .env
  • Restrict filesystem access to necessary directories
  • Enable content sanitization for public outputs
  • Configure quiet hours to prevent overnight surprises
  • Set up monitoring/logging for agent actions
  • Test safety boundaries with harmless test cases
  • Review and update policies quarterly

Security FAQ

How does OpenClaw sandbox agent actions?

Configurable sandbox modes control shell commands: deny (no shell), allowlist (approved commands only), or full (unrestricted). Most production setups use allowlists.

How should I manage API keys?

Use 1Password CLI for the best security. Alternatively, use .env files with restricted permissions (chmod 600). Never store credentials in git-tracked files.

What is an autonomy policy?

An autonomy policy has three tiers: Green (auto), Yellow (ask first), Red (manual only). It defines what the agent can do freely, what needs confirmation, and what requires human action, which prevents dangerous autonomous actions.

Can agents access my entire filesystem?

By default, agents work in their workspace directory. You can restrict or expand filesystem access through security configuration. Best practice: limit to only necessary directories.

Secure Your Agent Today

Set up proper security from day one. Your future self will thank you.