VoxYZ AI

OpenClaw Security Checklist

13.4% of skills on ClawHub have critical security issues. Here's how to protect your agents in 20 minutes.

Attack surface: 13.4% of all 3,984 skills scanned on ClawHub by Snyk.

Time to harden: ~20 min. Enough for a credible first hardening pass, not a final guarantee.

Ops habit: nightly. A short automated audit catches drift before it stacks up.

Section 1

Let AI produce the report first

Do not ask AI to harden everything in one shot. Start with a conservative review that turns this page into a short, doctor-style report: what to fix today, what can wait, what still works, and what gets less convenient.

Recommended model: GPT-5.4 · reasoning: Extra High

Use a strong reasoning model for the review. Save the cheaper, faster models for follow-up work only after you understand the tradeoffs.

What a good first answer looks like

  • One clear overall status instead of a wall of warnings
  • No more than 3 things to fix right now
  • Plain-language tradeoffs for every suggested change
  • A smallest next step, plus what not to change blindly

AI review prompt

Run a conservative security review for my OpenClaw setup.

Before making any claims, read the local OpenClaw docs snapshot and use it as the source of truth. Do not guess from memory.

Use this 5-step baseline as your review rubric:
1. Run `openclaw security audit --deep`
2. Check whether plaintext secrets still exist in config
3. Check whether elevated exec is enabled
4. Evaluate whether non-main or external sessions should be sandboxed
5. Check whether a nightly audit exists

Important:
- Do not make any config changes.
- Do not auto-fix anything.
- Do not suggest maximum lockdown by default.
- If a recommendation would reduce workflow convenience, explain that tradeoff clearly.
- If sandboxing would break host tools, browser state, local passwords, or outbound API access, say so explicitly.

Return this exact format:

Overall status: [Safe enough / Needs attention / Fix now]

Fix today (max 3):
- [issue]: protects [what], costs [what convenience]

Can wait (max 3):
- [issue]: protects [what], costs [what convenience]

Skip for my workflow (optional, max 2):
- [issue]: why it may not fit this setup right now

What still works after these changes: [one sentence]
What gets less convenient: [one sentence]

End with:
- the smallest next change I should consider
- the exact command or file to inspect next
- what I should not change blindly

Section 2

Quick Check

Five practical fixes. Start with the easiest baseline wins, then decide whether your workflow can tolerate tighter isolation.


Step 1

Run security audit

Start with the built-in audit, then read the critical findings before you touch anything else.

Why it matters

You need a current baseline. `openclaw security audit --deep` checks common footguns across gateway exposure, browser exposure, elevated allowlists, and local file permissions. Critical findings should be treated as active exposure, not backlog.

  • Use `--deep` when you want the extra best-effort live Gateway probe, not just static config checks.
  • Look at both `critical` and `warn`, but treat `critical` as stop-the-line work.
  • Review the report before using `--fix`; the fix path tightens safe defaults like channel policy, sensitive-log redaction, and local file permissions.

CLI

openclaw security audit --deep

Step 2

Move secrets out of config

Stop storing plaintext API keys and tokens in `openclaw.json`; reference env vars or auth profiles instead.

Why it matters

Plaintext credentials in config are easy to leak through screenshots, logs, backups, and prompt-accessible files.
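A quick check for this step, added here as example code (not part of the page or of the OpenClaw project): it walks a parsed openclaw.json and flags credential-looking keys whose values are literal strings rather than references. The key-name heuristic and the `${VAR}` / `env:VAR` / `profile:NAME` reference syntaxes are assumptions made for the example, and the sample config is constructed.

```python
import json
import re
from typing import Any, Iterator

# Heuristic for credential-bearing key names (assumed; not an OpenClaw schema).
SECRET_KEY_RE = re.compile(r"api[_-]?key|token|secret|password|passwd|credential", re.I)
# Value shapes treated as references rather than literals. The "${VAR}", "env:VAR" and
# "profile:NAME" syntaxes are assumptions for this example, not documented OpenClaw syntax.
REFERENCE_RE = re.compile(r"^(\$\{[A-Z0-9_]+\}|env:[A-Z0-9_]+|profile:[\w-]+)$")


def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted path, value) for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_plaintext_secrets(config: dict) -> list[str]:
    """Return paths whose key looks credential-like and whose value is a literal string."""
    findings = []
    for path, value in walk(config):
        leaf = path.rsplit(".", 1)[-1]  # last key segment, e.g. "apiKey"
        if not SECRET_KEY_RE.search(leaf):
            continue
        if not isinstance(value, str) or not value.strip():
            continue  # empty or non-string: nothing to leak
        if REFERENCE_RE.match(value):
            continue  # env var or auth-profile reference: what this step wants
        findings.append(path)
    return findings


# Constructed sample config for the demonstration; every value here is fake.
SAMPLE_CONFIG = json.loads("""
{
  "gateway": {"bind": "127.0.0.1", "token": "${OPENCLAW_GATEWAY_TOKEN}"},
  "providers": {
    "openai": {"apiKey": "sk-EXAMPLE-NOT-REAL-0000"},
    "anthropic": {"apiKey": "env:ANTHROPIC_API_KEY"}
  },
  "skills": [{"name": "mailer", "smtpPassword": "hunter2"}],
  "auth": {"profile": "profile:work"}
}
""")

if __name__ == "__main__":
    import sys
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for path in find_plaintext_secrets(cfg):
        print(f"plaintext secret at {path}")  # path only; never echo the value
```

Run it with the path to your config as the first argument; it prints only the offending paths, never the values.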

Step 3

Disable elevated exec by default

Turn off the direct path from chat to high-privilege host execution unless you truly need it.

Why it matters

Elevated execution turns prompt mistakes and malicious skills into host-level incidents much faster.

Step 4

Test sandboxing on non-main sessions first

This is a strong first isolation move if your workflow can tolerate it. Do not assume it is free.

Why it matters

Most risky automation and skill experimentation happens in side sessions. In OpenClaw, groups, channels, and other non-main sessions are the natural place to test isolation before you touch the main working loop.

Step 5

Set up nightly audit

Automate the deep audit so regressions are caught before they pile up.

Why it matters

Security drifts quietly: new skills, config changes, and copied secrets tend to appear outside the moment you are paying attention.

Section 3

Threat Landscape

The problem is not theoretical. The ecosystem already contains prompt-injected skills, hardcoded secrets, and large-volume malicious uploads.

Skills scanned: 3,984 (Snyk)

Critical issues: 534 · 13.4% (Snyk)

Any security flaw: 1,467 · 36.8% (Snyk)

Malicious skills using prompt injection: 91% (Snyk)

Skills with hardcoded secrets: 10.9% (Snyk)

Single-author malicious skill wave: 314 · hightower6eu (community report)

Risk bars: what the scan numbers look like

Critical issues (at least one critical issue): 13.4%
Any flaw (any reported security issue): 36.8%
Prompt injection in malicious skills (prompt injection usage inside malicious samples): 91%
Hardcoded secrets (credentials exposed directly in skill packages): 10.9%

What this means operationally

Do not assume the skill directory is clean by default. Treat installs like package intake: verify source, inspect code, then run inside the smallest permission envelope available.

It’s your personal assistant, not a bus. Treat the security surface accordingly.

steipete, OpenClaw creator, on why isolation defaults matter

Section 4

One real hardening pass

This is one real before/after snapshot from our own OpenClaw audit. It shows the shape of a first pass, not a universal final state. If an agent must keep host tools, browser login state, or local credential access, you may tighten other controls first and keep sandboxing looser.

Real operator audit snapshot

Metric              Before    After
Critical            1         0
Warn                5         1
Plaintext secrets   Yes       No
Elevated exec       On        Off
Sandbox policy      Off       non-main (trial)
Nightly audit       No        Yes

Section 6

Turn the checklist into a real operating habit

The checklist gets you out of the obvious danger zone. Ship Faster Pro is where the full operating playbook lives: hardening patterns, review loops, and the production path behind a live multi-agent setup.

Playbook depth

From first audit to production-safe operating patterns.

Real configurations

Concrete settings, not generic "be careful" advice.

Ops cadence

Nightly checks and repeatable review loops so the setup stays clean.
