Is OpenClaw Safe? Security Risks Explained

# The security promise:
# 1. Your prompts stay on your server
# 2. Your documents stay on your server
# 3. API keys (Anthropic, OpenAI) are stored locally
# 4. No telemetry sent to openclaw.com (by default)

# What OpenClaw does send out:
# - API calls to LLM providers (Anthropic, OpenAI) with your prompts
# - Requests to external tools/APIs if skills use them
# - ClawHub requests when browsing/installing skills

# What you control:
# - Who can access your OpenClaw instance (network firewall)
# - What skills are installed (manual approval)
# - Where logs are stored (local filesystem or external SIEM)

# Data flow for a typical query:
# 1. You type a prompt in OpenClaw UI (browser -> your server)
# 2. OpenClaw processes it locally (reads files, runs skills)
# 3. OpenClaw sends prompt + context to LLM API (your server -> Anthropic/OpenAI)
# 4. LLM response comes back (Anthropic/OpenAI -> your server)
# 5. OpenClaw displays result (your server -> browser)

# Your data DOES leave your server when:
# - Sent to LLM providers (necessary for AI functionality)
# - Skills make external API calls (e.g., a "Search Google" skill)
# - You use cloud integrations (Slack, GitHub, etc.)

# Your data NEVER leaves your server for:
# - Storage (all files, chat history stored locally)
# - Authentication (local user accounts or self-hosted SSO)
# - Logging (logs stay on your server unless you configure external shipping)

# ClawHub skill safety indicators:
# 1. Verification badge: Audited by ClawHub team
# 2. Download count: Popular skills are scrutinized by community
# 3. Last updated: Abandoned skills may have unpatched vulnerabilities
# 4. Source code link: Can you review the code yourself?

# Red flags:
# - Requests excessive permissions (filesystem, network)
# - Obfuscated code (base64, minified JavaScript)
# - External API calls to unknown domains
# - Recently published with few downloads
# - No source code available

# Before installing a skill:
# 1. Check verification status
# 2. Read reviews and comments
# 3. Review source code if available
# 4. Test in a sandbox environment first
# 5. Monitor logs after installation

# 1. Enable authentication (don't run OpenClaw publicly without auth)
# In docker-compose.yml:
services:
  openclaw:
    environment:
      - AUTH_ENABLED=true
      - AUTH_SECRET=<generate-32-byte-secret>

# 2. Use HTTPS (don't send credentials over HTTP)
# Use Caddy reverse proxy for auto-HTTPS:
services:
  caddy:
    image: caddy:2.7-alpine
    ports:
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data

# 3. Restrict network access (only allow trusted IPs)
# Use firewall (ufw, iptables) or cloud security groups

# 4. Rotate API keys regularly (Anthropic, OpenAI keys)
# Set a calendar reminder to rotate every 90 days

# 5. Enable audit logging
# In gateway.yaml:
logging:
  audit_events: true
  log_file: /app/logs/audit.log

# Monthly security checklist:
# [ ] Review installed skills (remove unused ones)
# [ ] Check for OpenClaw updates (security patches)
# [ ] Review user access list (remove ex-employees)
# [ ] Audit API key usage (look for anomalies)
# [ ] Review firewall rules (ensure principle of least privilege)
# [ ] Check disk space (logs can fill disk)
# [ ] Test backups (can you restore from backup?)
# [ ] Review authentication logs (failed login attempts)

# Quarterly checklist:
# [ ] Rotate LLM API keys
# [ ] Update dependencies (Docker images, OS packages)
# [ ] Re-validate SSL certificates (if not auto-renewed)
# [ ] Run security audit (external or internal)
# [ ] Review incident response plan
# [ ] Test disaster recovery (restore from backup)

# Save this checklist and assign an owner.