
OpenClaw Security Checklist: Protecting Your AI Workflows

A complete, actionable checklist for securing your OpenClaw deployment — from pre-deployment hardening to ongoing maintenance. Bookmark this and review before every deployment.

Mar 12, 2026
Ampere Team

This is a practical checklist — not theory. Every item is a concrete action you can take right now to improve security. For the foundational concepts behind these items, see our security model guide.

Work through it top to bottom for new deployments. For existing ones, use it as a quarterly review. Items marked ★ are critical. Items marked (managed) are handled automatically on Ampere.sh.

How to Use This Checklist

Each section covers a security domain. Critical items (★) should never be skipped. Non-starred items depend on your threat model and deployment type (personal vs production vs enterprise).

Pre-Deployment Hardening

  • ★ Update your OS — install all security patches (managed)
  • ★ Create a non-root user — dedicated service account (managed)
  • ★ Enable firewall — deny all inbound except SSH (managed)
  • ★ Disable SSH password auth — key-based only (managed)
  • Install fail2ban — auto-ban failed logins (managed)
  • Enable auto security updates — unattended-upgrades (managed)
  • Full disk encryption — LUKS on Linux, FileVault on macOS
  # Quick pre-deployment hardening
  $ sudo adduser --system --group openclaw
  $ sudo ufw default deny incoming
  $ sudo ufw allow 22/tcp
  $ sudo ufw enable
  $ sudo apt install fail2ban unattended-upgrades

Credential Security

  • ★ Environment variables for secrets — never hardcode tokens
  • ★ Config permissions to 600 — chmod 600 ~/.openclaw/openclaw.yaml
  • ★ Add config to .gitignore — never commit secrets
  • ★ Set API spending limits — cap LLM provider to prevent runaway costs
  • Password manager backup — store token copies securely
  • Document rotation schedule — bot tokens 90 days, API keys 90 days, SSH annually
  # Credential lockdown
  $ export DISCORD_TOKEN="your-token"
  $ chmod 600 ~/.openclaw/openclaw.yaml
  # Verify permissions
  $ ls -la ~/.openclaw/openclaw.yaml
  -rw------- 1 openclaw openclaw 1234 Mar 12 openclaw.yaml

Agent Configuration

  • ★ Mention-only mode — respond only when @mentioned
  • ★ Channel allowlists — restrict bot to specific channels
  • ★ groupPolicy: allowlist — prevent joining unknown channels
  • ★ SOUL.md security rules — red lines and approval requirements
  • Disable unused tools — no shell/browser needed? Turn off
  • autoApprove: false — manual device approval (default)
  # Secure agent config
  channels:
    discord:
      token: "${DISCORD_TOKEN}"
      mentionOnly: true
      groupPolicy: "allowlist"
  nodes:
    autoApprove: false
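The following audit script is an added example, not OpenClaw's own tooling or part of the original checklist: it checks a config file against the Credential Security items (mode 600, no literal tokens) and the Agent Configuration items (mentionOnly, groupPolicy, autoApprove) above. It assumes the YAML layout shown and constructs its two sample configs in a temp directory.

```shell
# Added example (not OpenClaw's own tooling): audit a config file against the
# credential and agent-config items. Assumes the YAML layout shown above.

# 0 if FILE is mode 600 (owner read/write only), else 1. Linux stat, then macOS.
check_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# 0 if every "token:" line references an env var such as "${DISCORD_TOKEN}", else 1.
check_no_literal_tokens() {
  ! grep -E '^[[:space:]]*token:' "$1" | grep -vqE '\$\{[A-Za-z0-9_]+\}'
}

# 0 if "KEY: VALUE" (quotes around VALUE optional) is present in FILE, else 1.
check_setting() {
  grep -qE "^[[:space:]]*$2:[[:space:]]*\"?$3\"?[[:space:]]*$" "$1"
}

# Run every check, print each failure, return the number of failed checks.
audit_config() {
  fails=0
  check_perms "$1"                         || { echo "FAIL: not mode 600: $1"; fails=$((fails + 1)); }
  check_no_literal_tokens "$1"             || { echo "FAIL: literal token in $1"; fails=$((fails + 1)); }
  check_setting "$1" mentionOnly true      || { echo "FAIL: mentionOnly is not true"; fails=$((fails + 1)); }
  check_setting "$1" groupPolicy allowlist || { echo "FAIL: groupPolicy is not allowlist"; fails=$((fails + 1)); }
  check_setting "$1" autoApprove false     || { echo "FAIL: autoApprove is not false"; fails=$((fails + 1)); }
  return $fails
}

# Constructed samples: a hardened config, and a copy with every item wrong.
TMP=$(mktemp -d); GOOD="$TMP/good.yaml"; BAD="$TMP/bad.yaml"
cat > "$GOOD" <<'EOF'
channels:
  discord:
    token: "${DISCORD_TOKEN}"
    mentionOnly: true
    groupPolicy: "allowlist"
nodes:
  autoApprove: false
EOF
chmod 600 "$GOOD"
sed -e 's/"\${DISCORD_TOKEN}"/"constructed-literal-token"/' -e 's/mentionOnly: true/mentionOnly: false/' \
    -e 's/"allowlist"/"open"/' -e 's/autoApprove: false/autoApprove: true/' "$GOOD" > "$BAD"
chmod 644 "$BAD"

audit_config "$GOOD" && echo "good.yaml: PASS"
audit_config "$BAD" || echo "bad.yaml: $? check(s) failed"
```

Point `audit_config` at `~/.openclaw/openclaw.yaml` to run the same checks on a live deployment; a non-zero return is the number of items still open.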

Network Security

  • ★ TLS for all connections — HTTPS/WSS by default (managed)
  • ★ No unnecessary inbound ports — Discord/Telegram connect outbound
  • VPN for gateway — encrypt node connections across networks
  • DNS filtering — restrict outbound in high-security environments

Runtime Protection

  • ★ Non-root execution — never run as root (managed)
  • Container isolation — Docker or similar (managed)
  • Resource limits — CPU/memory caps (managed)
  • Process monitoring — systemd auto-restart (managed)
  • Shell execution policy — approval required for sensitive commands

Monitoring & Logging

  • ★ Review agent logs daily — unexpected tool calls or messages
  • ★ Monitor API spending — alerts on LLM provider dashboard
  • Review memory weekly — check for unexpected content
  • Monitor SSH access — auth.log review
  • Uptime monitoring — UptimeRobot or Healthchecks.io
  • 90-day log retention — for compliance and forensics
  # Daily monitoring
  $ journalctl -u openclaw --since "24 hours ago" | tail -50
  $ grep "Failed" /var/log/auth.log | tail -10
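The two daily reviews above, turned into repeatable checks, as an added example that is not part of the original checklist or OpenClaw's tooling: one counts failed SSH logins per source address from auth.log, the other flags agent tool calls outside an allowlist. The sample log lines are constructed, and the agent-log format (`tool_call name=...`) is an assumption; adjust the awk patterns to the real output.

```shell
# Added example (not OpenClaw's own tooling): the two daily log reviews,
# run over constructed sample lines. The agent-log format is an assumption.

# Print "IP count" for each source address with at least $2 failed SSH logins in $1.
failed_ssh_by_ip() {
  awk -v min="$2" '/Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
    }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1"
}

# Print the tool name of every tool_call in $1 whose tool is not in the
# space-separated allowlist $2 (a shell or browser call when only search and
# memory are expected is exactly the "unexpected tool call" the checklist means).
unexpected_tool_calls() {
  awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /tool_call/ { for (i = 1; i <= NF; i++)
                    if ($i ~ /^name=/) { t = substr($i, 6); if (!(t in ok)) print t } }' "$1"
}

# Constructed sample logs (RFC 5737 documentation addresses).
TMP=$(mktemp -d); AUTH="$TMP/auth.log"; AGENT="$TMP/agent.log"
cat > "$AUTH" <<'EOF'
Mar 12 09:01:11 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 09:01:14 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar 12 09:01:19 host sshd[1201]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 12 09:05:02 host sshd[1290]: Failed password for openclaw from 198.51.100.4 port 40010 ssh2
Mar 12 09:06:40 host sshd[1301]: Accepted publickey for openclaw from 192.0.2.10 port 40020 ssh2
EOF
cat > "$AGENT" <<'EOF'
2026-03-12T09:10:01Z INFO tool_call name=web_search channel=ops
2026-03-12T09:10:09Z INFO tool_call name=shell channel=ops
2026-03-12T09:12:30Z INFO tool_call name=memory channel=ops
2026-03-12T09:15:44Z INFO tool_call name=browser channel=general
EOF

echo "SSH sources with 3+ failures:"; failed_ssh_by_ip "$AUTH" 3
echo "Tool calls outside the allowlist:"; unexpected_tool_calls "$AGENT" "web_search memory"
```

Against a live host, feed `/var/log/auth.log` and `journalctl -u openclaw --since "24 hours ago"` output to the same functions; an address crossing the threshold is what fail2ban should already have banned, and any tool name printed by the second check deserves a look at that day's transcript.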

Ongoing Maintenance

  • Weekly: Review logs and memory files
  • Monthly: Update OpenClaw and OS. Review connected devices.
  • Quarterly: Rotate tokens and API keys. Audit channel permissions. Review SOUL.md.
  • Annually: Rotate SSH keys. Update this checklist. Test incident response.

Incident Readiness

  • ★ Document rotation procedures — know how to rotate each credential fast
  • ★ Keep backups — workspace, config, memory backed up regularly
  • Know the stop command — openclaw gateway stop
  • Know how to unpair all devices
  • Notification plan — who to contact on unauthorized agent behavior
  • Test recovery — practice restoring from backup at least once

Compliance Readiness

  • Data residency — server location meets jurisdiction requirements
  • Access logging — all agent actions logged and exportable
  • Retention policy — defined lifespan for memory and log files
  • Deletion procedure — documented full data removal process
  • Third-party processing — document which LLM provider and their terms
  • Encryption at rest — disk encryption + encrypted config

Frequently Asked Questions

How long does the full checklist take?
2-3 hours for a new deployment. Most items are config changes. Ongoing maintenance is 15-30 minutes per week.
Do I need every item?
Pre-deployment and credential sections are essential for everyone. Network and compliance depend on your threat model. Personal agents need less hardening than production business agents.
Does Ampere.sh handle any items automatically?
Yes. Server hardening, firewall, TLS, container isolation, auto-updates, and infrastructure monitoring are managed. You handle: credentials, channels, SOUL.md rules, device pairing.
Should I review this periodically?
Yes. Quarterly for running deployments, or before every new agent. Security drifts — regular reviews catch misconfigurations.
What's the single most impactful item?
Credential security — environment variables + chmod 600. Prevents the most common class of incidents: exposed bot tokens.
Is this sufficient for enterprise?
It covers fundamentals for all deployments. Enterprise should add: centralized logging, SIEM integration, change management, pen testing, and formal AI agent security policies.

Your Security Baseline

This checklist is your complete security baseline. Critical items (★) cover the most common attack vectors and apply to everyone.

Security drifts over time. Use this as a recurring review — quarterly minimum, or before every new deployment. Bookmark this page.

Skip the server hardening

On Ampere.sh, infrastructure security is handled — isolated containers, AES-256 encryption, automatic updates, zero server management.
