OpenClaw Security Best Practices

OpenClaw’s security track record in 2026 has been challenging:

CVE-2026-25253 (CVSS 8.8): One-click RCE via WebSocket hijacking
512 vulnerabilities found in January 2026 security audit
341 malicious skills on ClawHub distributing malware
42,665 publicly exposed instances found by researchers

Microsoft, CrowdStrike, Kaspersky, and Sophos have all published advisories.

Curate-Me’s governance chain prevents every known attack vector.

Sandbox Isolation

Every agent session runs in an isolated sandbox with one of four access tiers:

Tier	Description	Use Case
READ_ONLY	No writes except /tmp	Analysis, reporting
WRITE_RESTRICTED	Only explicit path patterns	Controlled automation
WRITE_PROJECT	Write anywhere in project tree	Development tasks
FULL_ACCESS	Unrestricted	Trusted admin operations

Deny patterns (always blocked)

These paths are blocked regardless of sandbox tier:

.env, .env.* — Environment files with secrets
*.pem, *.key — Cryptographic keys
.git/config — Git credentials
~/.ssh/* — SSH keys

Configuration


# Set sandbox tier when creating a runner
runner = client.gateway.runners.create(
    tool_profile="write_project",
    sandbox_config={
        "tier": "WRITE_PROJECT",
        "deny_patterns": [".env", "*.pem", ".git/config"],
        "max_write_bytes": 104857600  # 100MB limit
    }
)

Network Phase Separation

Curate-Me enforces distinct network postures during agent execution:


SETUP (network ON)     →  Install deps, git clone, download assets
EXECUTION (network OFF) →  Run agent code, local resources only
TEARDOWN (network ON)   →  Upload artifacts, push results

During EXECUTION phase, agents cannot make outbound network calls. This prevents:

Data exfiltration
SSRF attacks
Unauthorized API calls
Command & control communication

Access levels per phase

Level	Description
FULL	Unrestricted internet access
ALLOWLIST_ONLY	Only approved domains/ports
LOCAL_ONLY	Loopback only (127.0.0.1)
NONE	All outbound blocked

PII Scanning

Before any request reaches an LLM provider, Curate-Me scans for:

API keys (OpenAI, Anthropic, AWS, GCP patterns)
Passwords and secrets
Email addresses
Phone numbers
Credit card numbers
Social Security Numbers

Detected PII can be:

Blocked — Request rejected with error
Redacted — PII replaced with [REDACTED] before forwarding

Human-in-the-Loop Approvals

Configure approval requirements for sensitive operations:


# Dashboard → Policies → HITL
# Or via API:
client.gateway.admin.update_policies(
    org_id="org_xxx",
    hitl_config={
        "enabled": True,
        "cost_threshold": 10.00,  # Require approval for requests > $10
        "auto_deny_timeout": 300,  # Auto-deny after 5 minutes
    }
)

MCP Server Allowlist

Only vetted MCP servers are permitted in managed sessions. The allowlist includes pre-configured popular servers (brave-search, github-mcp, etc.) with:

Signed manifest verification
Per-org category blocks
Network restriction enforcement
Maximum servers per session limit

Security Audit Dashboard

The dashboard provides:

Compliance score — 0-100 based on policy adherence
Violation detection — Real-time alerting
Auto-remediation — Automatic fixes for common issues
Audit export — Full audit trail in JSON/CSV