OpenClaw
CVE-2026-25253 PATCHED v2026.3.24

OpenClaw AI
Best Practices Guide

The definitive reference for deploying and running OpenClaw AI safely. Built for security-conscious teams who treat their AI agent as production infrastructure — not a toy.

EXPOSED INSTANCES: 21,639
MALICIOUS SKILLS: 341+
FLAWED SKILLS: 36.8%
CVE SEVERITY: CVSS 8.8
PATCHED VERSION: 2026.1.29+

The Safest Way

Hardened infrastructure, Docker isolation, network lockdown, and skill supply chain defense.

Rule #1: Never Run on Your Personal Computer

OpenClaw can execute terminal commands, read your file system, and access your browser sessions. If compromised via a malicious skill or prompt injection, an attacker gains access to your SSH keys, personal files, and credentials. A dedicated VPS costs $5/month. Your personal data is worth far more.

Deployment Method Comparison

Rank  Method                          Score
1     Managed Hosting (xCloud)        ★★★★★
2     Self-Hosted (Hardened Docker)   ★★★★
3     Self-Hosted (Default Config)    ★★
4     Local Machine (Mac/Linux)

Hardened Docker Compose Configuration

Read-Only FS: Container filesystem is immutable
Non-Root User: Runs as uid:gid 1000:1000
Dropped Capabilities: cap_drop: ALL + no-new-privileges

version: '3.8'
services:
  openclaw-gateway:
    # Pin a specific version tag or image digest in production; ":latest" is mutable.
    image: openclaw/openclaw:latest
    container_name: openclaw-gateway
    restart: unless-stopped
    user: "1000:1000"
    read_only: true
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=100m
    volumes:
      - ./config:/home/node/.openclaw/config:rw
      - ./workspace:/home/node/.openclaw/workspace:rw
      - ./state:/home/node/.openclaw/state:rw
    networks:
      - openclaw-internal
    ports:
      - "127.0.0.1:18789:18789"
    mem_limit: 2g
    cpus: 2
    pids_limit: 100
    environment:
      - NODE_ENV=production
      - OPENCLAW_AUTH_TOKEN=${OPENCLAW_AUTH_TOKEN}
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}

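networks:
  openclaw-internal:
    driver: bridge
    # internal: true removes external connectivity from this network, so a
    # service attached only to it has no outbound route (including to the
    # model API). After deploying, verify that required egress and the
    # loopback-published port still work.
    internal: true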

Network Lockdown

Bind the gateway strictly to 127.0.0.1:18789. Access it remotely via SSH tunnel or Tailscale mesh VPN. Never expose port 18789 to the public internet — over 42,000 instances were found publicly exposed in early 2026.

# Access gateway securely via SSH tunnel
ssh -L 18789:127.0.0.1:18789 user@your-vps

# Or use Tailscale for persistent mesh VPN access
tailscale up --accept-routes
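
The hardening settings and the loopback-only binding described above can be checked mechanically before a deployment. The following is an added example, not code from the OpenClaw project: it audits a Compose file that has already been parsed into a mapping. The function names and both sample inputs are constructed for illustration.

```python
# Added example (not OpenClaw project code): audit Compose services against
# the hardening settings listed in this guide.

def loopback_only(port):
    """True if a ports entry is published on a loopback address only."""
    if isinstance(port, dict):                 # long form, as `docker compose config` emits
        host_ip = str(port.get("host_ip", ""))
    else:                                      # short form "host_ip:host_port:container_port"
        parts = str(port).rsplit(":", 2)
        host_ip = parts[0] if len(parts) == 3 else ""
    return host_ip.strip("[]") in ("127.0.0.1", "::1")

def audit_service(name, svc):
    """Return a list of findings for one service mapping."""
    findings = []
    if str(svc.get("user", "")).split(":")[0] in ("", "0", "root"):
        findings.append("runs as root; set a non-root user")
    if svc.get("read_only") is not True:
        findings.append("root filesystem is writable; set read_only: true")
    if "ALL" not in [str(c).upper() for c in svc.get("cap_drop", [])]:
        findings.append("capabilities kept; set cap_drop: [ALL]")
    opts = [str(o).replace("=", ":").lower() for o in svc.get("security_opt", [])]
    if not {"no-new-privileges", "no-new-privileges:true"} & set(opts):
        findings.append("no-new-privileges is not set")
    for port in svc.get("ports", []):
        if not loopback_only(port):
            findings.append(f"port {port!r} is published beyond loopback")
    for key in ("mem_limit", "pids_limit"):
        if key not in svc:
            findings.append(f"{key} is not set")
    return [f"{name}: {f}" for f in findings]

def audit_compose(compose):
    """Audit every service in a parsed Compose mapping."""
    return [f for name, svc in compose.get("services", {}).items()
            for f in audit_service(name, svc)]

# Constructed inputs: HARDENED mirrors the settings shown in this guide,
# WEAK is a hypothetical default-style service that publishes on all interfaces.
HARDENED = {"services": {"openclaw-gateway": {
    "user": "1000:1000", "read_only": True, "cap_drop": ["ALL"],
    "security_opt": ["no-new-privileges:true"],
    "ports": ["127.0.0.1:18789:18789"], "mem_limit": "2g", "pids_limit": 100}}}
WEAK = {"services": {"openclaw-gateway": {
    "image": "openclaw/openclaw:latest", "ports": ["18789:18789"]}}}

if __name__ == "__main__":
    for finding in audit_compose(WEAK):
        print(finding)
```

A port entry with no host address, such as "18789:18789", binds to all interfaces, which is why the audit treats it the same as an explicit 0.0.0.0.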

The Skill Supply Chain Threat

Research Organization          Malicious / Flawed
Koi Security                   341 malicious (12%)
Snyk (ToxicSkills)             1,467 flawed (36.8%)
Bitdefender Labs               800+ malicious identified
Bitsight (Exposed Instances)   21,639 exposed (Jan 31)

Deny all third-party skills by default. The ClawHavoc campaign used 335+ coordinated malicious packages to deliver Atomic Stealer (AMOS) malware. Audit source code before enabling any skill, and use Repello's SkillCheck scanner.