OpenClaw Codex

Security

Security Baseline

OpenClaw automation is executable infrastructure. Security requires policy, not only HTTPS.

Network Exposure

  • Default to loopback/private networking.
  • Use VPN or SSH tunneling for remote operator access.
ssh -N -L <LOCAL_PORT>:<REMOTE_HOST>:<REMOTE_PORT> user@host

Authentication

{
  "gateway": {
    "bind": "loopback",
    "auth": { "mode": "token", "token": "<rotate-me>" }
  }
}

Plugin / Skill Trust

  • Treat plugins and scripts as production code.
  • Install from trusted sources only.
  • Run with least privilege and explicit allowlists.

Minimum Production Controls

  • No public control-plane endpoints.
  • Separate public site and operational interfaces.
  • Centralized secret management and rotation.
  • Audit and rate-limit all exposed APIs.