
MODULE 08 · COURSE 02: GOING DEEPER

Module 8: Security — Locking Down Your Setup

Your agent has access to your email, your calendar, your files, and the internet. That's exactly what makes it useful — and exactly what makes security matter.

This isn't a lecture. These are the things that will actually bite you if you ignore them.


The non-negotiables

Lock the allowlist

The allowFrom setting controls who can send messages that your agent treats as instructions. If this is empty or set to *, anyone who finds your bot can talk to it with whatever access you've granted.

Set it to your identifiers and nobody else's:

{
  "channels": {
    "telegram": {
      "token": "YOUR_TOKEN",
      "allowFrom": ["your_username"]
    },
    "discord": {
      "token": "YOUR_TOKEN",
      "allowFrom": ["YOUR_USER_ID_NUMBER"]
    }
  }
}

Done. Now only you can give your agent instructions.

Keep your API keys out of Git

If you ever commit openclaw.json to a public repo with your API key in it, rotate that key immediately. It will be found and used.

The right way to handle secrets:

openclaw secrets set ANTHROPIC_API_KEY "sk-ant-..."

Reference it in your config with a variable instead of hardcoding the value.
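Both rules above (lock the allowlist, keep keys out of the config file) can be checked mechanically before you commit. The following Node script is an added example, not OpenClaw's own code: it walks an openclaw.json object and reports open allowlists and values that look like literal credentials. It assumes the channels.<name>.allowFrom layout shown above, a ${VAR_NAME} syntax for variable references, and an approximate Telegram token shape; both sample configs are constructed.

```javascript
// Added example (not OpenClaw's own code): audit an openclaw.json object for an open
// allowlist and for hardcoded credentials before the file is committed anywhere.
// Assumptions: channels live under config.channels.<name>.allowFrom, and secret
// references use a "${VAR_NAME}" placeholder (assumed syntax).

// Value shapes that should never appear literally in a config file.
const SECRET_PATTERNS = [
  /^sk-ant-/,                        // Anthropic API key prefix
  /^\d{8,10}:[A-Za-z0-9_-]{30,}$/,   // approximate Telegram bot token shape (assumed)
];

const VAR_REFERENCE = /^\$\{[A-Z0-9_]+\}$/;

function isPlaceholder(value) {
  return value === 'YOUR_TOKEN' || VAR_REFERENCE.test(value);
}

// Flags channels whose allowFrom is missing, empty, or contains the "*" wildcard.
function auditAllowlists(config) {
  const findings = [];
  const channels = (config && config.channels) || {};
  for (const [name, channel] of Object.entries(channels)) {
    const allow = channel && channel.allowFrom;
    if (!Array.isArray(allow) || allow.length === 0) {
      findings.push(`${name}: allowFrom is empty (anyone can talk to the bot)`);
    } else if (allow.includes('*')) {
      findings.push(`${name}: allowFrom contains "*" (anyone can talk to the bot)`);
    }
  }
  return findings;
}

// Recursively flags string values that look like real credentials rather than
// placeholders or variable references.
function auditSecrets(config, path = '') {
  const findings = [];
  if (config === null || typeof config !== 'object') return findings;
  for (const [key, value] of Object.entries(config)) {
    const here = path ? `${path}.${key}` : key;
    if (typeof value === 'string') {
      if (!isPlaceholder(value) && SECRET_PATTERNS.some((re) => re.test(value))) {
        findings.push(`${here}: looks like a hardcoded credential; move it to secrets`);
      }
    } else {
      findings.push(...auditSecrets(value, here));
    }
  }
  return findings;
}

function auditConfig(config) {
  return [...auditAllowlists(config), ...auditSecrets(config)];
}

// Constructed sample config with both problems present (values are not real).
const SAMPLE_BAD = {
  channels: {
    telegram: { token: '123456789:AAExampleTokenValueThatIsLongEnough_xx', allowFrom: ['*'] },
    discord: { token: '${DISCORD_BOT_TOKEN}', allowFrom: [] },
  },
  anthropic: { apiKey: 'sk-ant-constructed-example-only' },
};

// Constructed sample config that follows this module's advice.
const SAMPLE_GOOD = {
  channels: {
    telegram: { token: '${TELEGRAM_BOT_TOKEN}', allowFrom: ['your_username'] },
    discord: { token: '${DISCORD_BOT_TOKEN}', allowFrom: ['123456789012345678'] },
  },
  anthropic: { apiKey: '${ANTHROPIC_API_KEY}' },
};

for (const f of auditConfig(SAMPLE_BAD)) console.log('FINDING:', f);
```

Run it against your real file with `JSON.parse` of openclaw.json in place of SAMPLE_BAD; a clean run prints nothing. The token pattern list is deliberately small, so treat a clean result as "nothing obvious", not proof.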

Keep the Control UI off the public internet

The Control UI at port 18789 has admin access to your agent. Don't expose it publicly. Access it through:

  • SSH tunnel: ssh -L 18789:localhost:18789 user@your-server
  • Tailscale: private network, no exposed ports

If you're running on a cloud server, your firewall should block port 18789 from external access:

# UFW (Ubuntu)
ufw allow 22/tcp     # SSH
# Only if one specific trusted IP needs direct access (replace TRUSTED_IP); otherwise leave this line out
ufw allow from TRUSTED_IP to any port 18789 proto tcp
ufw enable

UFW denies incoming connections by default, so simply not allowing 18789 is what keeps it closed. A plain `ufw allow 18789/tcp` would open it to the whole internet.

For Hetzner specifically, use their Firewall feature in the Cloud Console — block everything except SSH (22) and whatever ports you actually need.
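A quick way to verify the Control UI is not reachable from outside is to look at what address it is listening on. The script below is an added example, not part of OpenClaw: it parses the output of `ss -ltn` and reports any socket on port 18789 bound to something other than loopback. The sample output is constructed to look like ss output; only the port number comes from this module.

```javascript
// Added example (not OpenClaw's own code): find listening sockets on the Control UI
// port that are bound to a non-loopback address, i.e. reachable from other hosts
// unless a firewall stops them. Input is the text printed by `ss -ltn`.

const CONTROL_UI_PORT = 18789;

// Split a "Local Address:Port" column into address and port. Handles IPv4
// ("127.0.0.1:18789"), bracketed IPv6 ("[::]:18789") and the "*" wildcard ("*:18789").
function splitAddrPort(field) {
  const idx = field.lastIndexOf(':');
  if (idx === -1) return null;
  let addr = field.slice(0, idx);
  const port = Number(field.slice(idx + 1));
  if (addr.startsWith('[') && addr.endsWith(']')) addr = addr.slice(1, -1);
  if (!Number.isInteger(port)) return null;
  return { addr, port };
}

function isLoopback(addr) {
  return addr === '::1' || addr.startsWith('127.');
}

// Returns every listening socket on `port` whose bind address is not loopback.
// An empty result means the port is only reachable from the machine itself
// (for example through the SSH tunnel or Tailscale suggested above).
function exposedListeners(ssOutput, port) {
  const exposed = [];
  for (const line of ssOutput.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== 'LISTEN' || cols.length < 4) continue;
    const local = splitAddrPort(cols[3]);
    if (!local || local.port !== port) continue;
    if (!isLoopback(local.addr)) exposed.push(local.addr);
  }
  return exposed;
}

// Constructed sample: the Control UI is bound to all interfaces (v4 and v6).
const SAMPLE_EXPOSED = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:18789       0.0.0.0:*
LISTEN 0      511    [::]:18789          [::]:*`;

// Constructed sample: the Control UI is loopback-only.
const SAMPLE_LOCAL = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    127.0.0.1:18789     0.0.0.0:*
LISTEN 0      511    [::1]:18789         [::]:*`;

const hits = exposedListeners(SAMPLE_EXPOSED, CONTROL_UI_PORT);
console.log(hits.length
  ? `Control UI bound to non-loopback address(es): ${hits.join(', ')}`
  : 'Control UI is loopback-only');
```

On the server itself, feed real output in with `ss -ltn` (read from stdin in place of the sample). A non-loopback bind is fine only if the firewall rule from the previous section is in place; a loopback bind plus the firewall is the belt-and-braces setup.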


Pairing mode

OpenClaw has a pairing mode that requires new users to go through a one-time authorization before they can interact with your agent. This adds a layer on top of allowFrom.

Check your current pairing config:

openclaw gateway status

Leave pairing mode on by default. Don't turn it to "open" unless you have a specific reason and understand what it means (anyone can talk to your agent).


Tool permissions

Your agent has tools available to it — file access, code execution, web browsing, and more. You can control which of these are enabled.

Think about what your agent actually needs:

  • For a personal assistant: web search, calendar/email access, file read/write in its workspace — yes. System-wide file access — probably not.
  • For a business automation agent: depends entirely on the job.

In your config, you can restrict tool access. This is in the gateway.sandbox and tools config sections — see the OpenClaw docs on sandboxing for the full reference.

The principle: start minimal, add access when you need it. It's much easier to grant more permission later than to deal with the consequences of something going wrong because the agent had too much access.


Set explicit rules in SOUL.md

The technical controls above protect against outside threats. Your SOUL.md protects against your own agent making mistakes.

Add a section like this:

## What You Will Never Do Without Explicit Confirmation
  • Send any email, message, or communication on my behalf
  • Delete any file, email, or calendar event
  • Make any financial transaction
  • Share information about me with anyone else
  • Take any irreversible action
When in doubt, ask first. Doing nothing is better than doing the wrong thing.

This doesn't replace technical controls — it supplements them. An agent that's been told to always confirm before acting will ask you before doing something irreversible. Combined with restricted tool access, that's a solid safety layer.
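To make the two ideas concrete, the "tool permissions" section (start minimal, workspace-only file access) and the SOUL.md rule (confirm before irreversible actions), here is an added example of a deny-by-default tool policy written in Node. It is illustrative and is not OpenClaw's permission system or config schema: the tool names, the policy shape, the workspace path and the call format are all assumed, and it handles POSIX-style paths only.

```javascript
// Added example (illustrative, not OpenClaw's own permission system): a deny-by-default
// tool policy. Every tool is denied unless listed, file tools are confined to the
// workspace, and irreversible tools require explicit confirmation.
// Tool names, policy shape and workspace path are assumed for the example.

const POLICY = {
  workspace: '/home/agent/workspace',      // assumed workspace root
  tools: {
    web_search:  { allow: true },
    file_read:   { allow: true, workspaceOnly: true },
    file_write:  { allow: true, workspaceOnly: true, confirm: false },
    file_delete: { allow: true, workspaceOnly: true, confirm: true },   // irreversible
    email_send:  { allow: true, confirm: true },                        // irreversible
    shell_exec:  { allow: false },            // not needed for a personal assistant
  },
};

// Normalise a POSIX path so ".." cannot escape a root
// ("/root/../etc/passwd" -> "/etc/passwd"). Symlinks are not considered here.
function normalisePosix(p) {
  const out = [];
  for (const part of p.split('/')) {
    if (part === '' || part === '.') continue;
    if (part === '..') out.pop();
    else out.push(part);
  }
  return '/' + out.join('/');
}

// True when `target` (absolute or relative to root) resolves to root or below it.
function insideWorkspace(root, target) {
  const r = normalisePosix(root);
  const t = normalisePosix(target.startsWith('/') ? target : root + '/' + target);
  return t === r || t.startsWith(r + '/');
}

// Decide one tool call. `call` = { tool, args: { path? ... }, confirmed?: boolean }.
// Returns { ok, reason } so the caller can log why something was refused.
function evaluate(policy, call) {
  const rule = policy.tools[call.tool];
  if (!rule || !rule.allow) return { ok: false, reason: `tool "${call.tool}" is not enabled` };
  if (rule.workspaceOnly) {
    const p = call.args && call.args.path;
    if (typeof p !== 'string' || !insideWorkspace(policy.workspace, p)) {
      return { ok: false, reason: 'path is outside the workspace' };
    }
  }
  if (rule.confirm && call.confirmed !== true) {
    return { ok: false, reason: `"${call.tool}" needs explicit confirmation first` };
  }
  return { ok: true, reason: 'allowed' };
}

// Constructed sample calls, including a traversal attempt and an unconfirmed send.
const EXAMPLE_CALLS = [
  { tool: 'web_search', args: { query: 'weather tomorrow' } },
  { tool: 'file_read', args: { path: '/home/agent/workspace/notes.md' } },
  { tool: 'file_read', args: { path: '/home/agent/workspace/../../../etc/passwd' } },
  { tool: 'email_send', args: { to: 'sarah@example.com' } },
  { tool: 'email_send', args: { to: 'sarah@example.com' }, confirmed: true },
  { tool: 'shell_exec', args: { cmd: 'ls' } },
];

for (const call of EXAMPLE_CALLS) {
  const verdict = evaluate(POLICY, call);
  console.log(`${verdict.ok ? 'ALLOW' : 'DENY '} ${call.tool}: ${verdict.reason}`);
}
```

The `confirmed` flag is meant to be set only by you, out of band, for one specific call; the agent never sets it itself. That is the property that makes the SOUL.md rule enforceable rather than advisory.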


If someone else uses your bot

If you add family members, teammates, or anyone else to your agent's allowlist:

  • Tell your agent who they are and what they're allowed to ask for
  • Add them to SOUL.md with context
  • Consider what level of access is appropriate — reading vs. writing, personal vs. work stuff

Example in SOUL.md:

## Trusted People
  • @sarah_jones (Telegram) — my business partner. She can ask you about business-related things. Don't share personal information with her.
  • @mike_chen (Discord) — my developer. He can ask technical questions and request logs. He cannot access my email or calendar.

Your agent will use this context to decide how to handle requests from those people.


Keep OpenClaw updated

npm install -g openclaw@latest
openclaw gateway restart

OpenClaw is actively developed. Security fixes, bug fixes, and new features ship regularly. Running a months-old version means missing all of that. Check the GitHub releases to see what's changed.

A good habit: check for updates once a month. If you're running the daemon on a server, you can ask your agent to do this check and alert you when there's a new version.
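If you automate the monthly check, the one piece of logic you need is "is the installed version behind the latest release?". The script below is an added example, not OpenClaw tooling: it compares two semver strings, such as the installed version from `npm ls -g openclaw` and the latest from `npm view openclaw version`, and handles prerelease tags correctly. The sample version numbers are constructed.

```javascript
// Added example (not OpenClaw's own tooling): decide whether an installed version is
// behind the latest published one, so a scheduled check can alert you.
// Inputs are semver strings; the sample values below are constructed.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Compare two prerelease identifiers per semver: numeric ids compare as numbers and
// rank below alphanumeric ones; otherwise compare as strings.
function compareId(a, b) {
  const na = /^\d+$/.test(a);
  const nb = /^\d+$/.test(b);
  if (na && nb) return Number(a) - Number(b);
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  // Same core version: a release outranks any prerelease of it.
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareId(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return a.pre.length - b.pre.length;   // longer prerelease list ranks higher
}

function needsUpdate(installed, latest) {
  return compareSemver(parseSemver(installed), parseSemver(latest)) < 0;
}

// Constructed sample: the installed build is two minor versions behind.
const INSTALLED = '1.3.7';
const LATEST = '1.5.0';
console.log(needsUpdate(INSTALLED, LATEST)
  ? `Update available: ${INSTALLED} -> ${LATEST}`
  : `Up to date (${INSTALLED})`);
```

Wire the two npm commands into a cron job or into the agent's own scheduled task and have it message you only when `needsUpdate` is true, then read the release notes before running the update commands above.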


Quick security checklist

  • [ ] allowFrom is set to only your identifiers
  • [ ] API keys are in secrets, not hardcoded in config
  • [ ] Control UI port is not publicly exposed
  • [ ] Pairing mode is on
  • [ ] SOUL.md has explicit confirmation requirements for destructive actions
  • [ ] OpenClaw is up to date
  • [ ] Server firewall is configured (if on cloud)
  • [ ] Workspace has backups

You don't need all of this on day one. But if your agent has access to your email and you run it on a server — most of this list should be checked within your first week.

Next up

Module 9: Monitoring and Maintenance →