Securing Your OpenClaw Gateway: How to Prevent ClawJacked Attacks

By ClickClaw Team

Tutorial · 6 min read


Direct answer

Securing an OpenClaw gateway means binding it to the loopback interface, enforcing strong token authentication, limiting network exposure with a firewall or Tailscale tunnel, and applying strict tool‑allow‑lists and filesystem‑least‑privilege mounts. Follow the checklist below to harden the gateway, keep the “Gateway Guardian Agent” from being hijacked, and reduce the risk of a ClawJacked attack without adding unnecessary operational overhead.

TL;DR

  • OpenClaw agents automate repetitive workflows on a schedule — monitoring, alerting, reporting.
  • Manual setup requires Docker, VPS configuration, and ongoing maintenance.
  • ClickClaw lets you deploy quickly without managing infrastructure.
    1. Understand why the gateway is a high‑value target

    OpenClaw agents run with the ability to call external APIs, execute shell commands, and read files. If the gateway is reachable on a LAN or the public internet, an unauthenticated scanner can discover the open port (default 18789) within hours and issue API calls that:

  • Inject malicious prompts that trigger arbitrary shell execution.
  • Exfiltrate API keys, environment variables, or proprietary data.
  • Disrupt scheduled workflows, causing downtime and lost productivity.

    The most common misconfiguration is leaving gateway.controlUi.dangerouslyDisableDeviceAuth enabled or binding the service to 0.0.0.0. Either one exposes the control surface to anyone who can reach the host's network. A disciplined defence‑in‑depth approach (network isolation, strong auth, and tool sandboxing) cuts the attack surface dramatically.

    2. Bind the gateway to the loopback interface

    Step‑by‑step

  • Edit the config file (usually gateway.yaml or config.json).
  • Set gateway.network.bindAddress: "127.0.0.1" (not 0.0.0.0, and not the host's LAN address).
  • Restart the service using your process manager (systemctl restart openclaw-gateway, or docker restart <container> if it runs in a container).
  • Verify the bind address after the restart: run ss -tlnp | grep 18789 (or netstat -tulnp | grep 18789 on older hosts). You should see 127.0.0.1:18789 only; an entry for 0.0.0.0:18789, [::]:18789 or the LAN address means the port is still reachable from other hosts.
  • From another machine on the same network, confirm the port is closed: nc -zv <gateway-host> 18789 should fail to connect.
  • If the gateway runs in Docker, the address it binds inside the container is not what matters; the host-side publish address does. Publish with -p 127.0.0.1:18789:18789 (see Section 5), never with a bare -p 18789:18789.

    Why it matters

    Binding to loopback prevents any external host from reaching the API directly. Remote access must then be provided through a controlled tunnel (see Section 4), eliminating the “open port on the internet” risk.

    3. Enforce token‑based authentication

    Step‑by‑step

  • Generate a strong token: openssl rand -hex 32, and copy the 64‑character hex string.
  • Add the token to the config:
  • gateway.auth.mode: "token"
  • gateway.auth.token: "<your‑generated‑token>"
  • Store the token securely: create a .env file containing OPENCLAW_GATEWAY_TOKEN=<token>, set permissions with chmod 600 .env, and keep the file out of version control.
  • Reference the environment variable in the gateway start command rather than pasting the token on the command line, so it does not end up in shell history or in process listings visible to other users.
  • Never leave the placeholder "<your‑generated‑token>" or a short word like "changeme" in place; a token that is not 64 hex characters is a finding, not a configuration.

    Common mistake

    Leaving gateway.controlUi.dangerouslyDisableDeviceAuth: true in the config removes the device‑identity check on the Control UI; the flag's name is the warning. Remove the flag entirely; the default is secure.

    4. Use a private tunnel instead of LAN exposure

    Options

  • Tailscale Serve – publishes the loopback‑bound port over the encrypted WireGuard mesh to devices on your tailnet only; each client is authenticated by its node identity, so nothing is reachable from the open internet. Do not use Tailscale Funnel for this: Funnel exposes a service to the public internet, which is exactly the exposure this section is trying to remove.
  • SSH port‑forwarding – a quick alternative for a single admin machine: ssh -N -L 18789:127.0.0.1:18789 admin@<gateway-host>, then open http://127.0.0.1:18789 on the admin machine.

    Step‑by‑step (Tailscale)

  • Install the Tailscale client on the host running the gateway.
  • Run tailscale up and authenticate to join your tailnet. Do not add --advertise-exit-node: that offers the host as an internet exit for other devices and has nothing to do with reaching the gateway.
  • Run tailscale serve --bg 18789 – this proxies the local port over HTTPS on the host's tailnet name, reachable only by tailnet members. tailscale serve status shows the resulting https://<host>.<tailnet>.ts.net URL.
  • On a remote tailnet device, open that URL (no extra client‑side command is needed; the device only has to be joined to the same tailnet) and present the gateway token as usual.

    Firewall fallback

    If Tailscale is not an option and the gateway must listen on a LAN address rather than loopback, lock the port down with UFW so that only the admin workstation can reach it (replace 203.0.113.10 with its IP):

  • ufw default deny incoming
  • ufw allow from 203.0.113.10 to any port 18789 proto tcp
  • ufw enable, then ufw status numbered to confirm the allow rule is present and nothing else opens 18789.

    One caveat: a port published by Docker with -p 18789:18789 is opened through Docker's own iptables chain and bypasses UFW entirely. Publish on 127.0.0.1 as in Section 5 before relying on these rules.
    5. Restrict tool access and sandbox the runtime

    OpenClaw’s “tool” plugins are the most powerful (and risky) extension points.

    Step‑by‑step

  • Create an allow‑list in gateway.tools.allowed: list only the tools the Gateway Guardian Agent needs (e.g., httpfetch, jsonparse). Anything that can spawn a shell or open arbitrary sockets stays off the list.
  • Disable dangerous flags, or better, make sure they are absent, since false is the default:
  • gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback: false
  • browser.ssrfPolicy.dangerouslyAllowPrivateNetwork: false
  • Run the gateway in a container with a read‑only root filesystem, a read‑only config mount, and the port published on the host's loopback address only:

    docker run -d --name openclaw-gateway \
      --read-only --tmpfs /tmp \
      -p 127.0.0.1:18789:18789 \
      -v /opt/openclaw/config:/config:ro \
      openclaw/gateway:latest

    If the image needs a writable path for state, give it a dedicated volume for that path alone rather than dropping --read-only.

    Why it matters

    Limiting tools prevents a malicious prompt from invoking a shell or network scan. Read‑only mounts stop an agent from overwriting its own configuration or persisting a payload on disk.
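The checks in Sections 2, 3 and 5 are easy to forget after an edit, so here is an added example (not code from OpenClaw or ClickClaw) of a small shell lint that runs them against a gateway config.json. It assumes the key names used on this page (gateway.network.bindAddress, gateway.auth.mode, gateway.auth.token and the three dangerously* flags) and a JSON layout with one key per line; the two sample configs it writes are constructed for the demo, and the "good" token is a fixed pattern, not a real secret.

```shell
#!/usr/bin/env bash
# Added example, not part of OpenClaw or ClickClaw: a grep-based lint for the
# misconfigurations called out in Sections 2, 3 and 5 of this page.
# Assumes the config keys named on this page and one JSON key per line.

_finding() { printf 'FAIL: %s\n' "$*" >&2; }

# audit_openclaw_config FILE -> exit status = number of findings (0 = clean).
audit_openclaw_config() {
  local cfg="$1" n=0 token flag
  # Section 2: the bind address must be explicitly loopback. 0.0.0.0, ::, a LAN
  # address, or no bindAddress at all leaves the control surface reachable.
  grep -Eq '"bindAddress"[[:space:]]*:[[:space:]]*"127\.0\.0\.1"' "$cfg" \
    || { _finding 'gateway.network.bindAddress is not "127.0.0.1"'; n=$((n + 1)); }
  # Section 3: token auth must be switched on ...
  grep -Eq '"mode"[[:space:]]*:[[:space:]]*"token"' "$cfg" \
    || { _finding 'gateway.auth.mode is not "token"'; n=$((n + 1)); }
  # ... and the token must look like `openssl rand -hex 32` output: 64 hex
  # characters, so placeholders such as <your-generated-token> or "changeme" fail.
  token=$(sed -nE 's/.*"token"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1/p' "$cfg" | head -n 1)
  printf '%s' "$token" | grep -Eq '^[0-9a-f]{64}$' \
    || { _finding 'gateway.auth.token is missing, a placeholder, or not 64 hex chars'; n=$((n + 1)); }
  # Sections 3 and 5: every dangerously* flag set to true is a finding; the
  # secure value is the default, so the flag should simply be absent.
  for flag in dangerouslyDisableDeviceAuth dangerouslyAllowHostHeaderOriginFallback dangerouslyAllowPrivateNetwork; do
    if grep -Eq "\"$flag\"[[:space:]]*:[[:space:]]*true" "$cfg"; then
      _finding "$flag is true"; n=$((n + 1))
    fi
  done
  return "$n"
}

# write_sample_configs DIR -> writes DIR/bad.json and DIR/good.json.
# Both files are constructed for this example; the "good" token is a fixed
# pattern so the 64-hex check can be demonstrated offline, not a real secret.
write_sample_configs() {
  local dir="$1"
  cat > "$dir/bad.json" <<'EOF'
{
  "gateway": {
    "network": { "bindAddress": "0.0.0.0" },
    "auth": { "mode": "none", "token": "changeme" },
    "controlUi": {
      "dangerouslyDisableDeviceAuth": true,
      "dangerouslyAllowHostHeaderOriginFallback": true
    }
  },
  "browser": { "ssrfPolicy": { "dangerouslyAllowPrivateNetwork": true } }
}
EOF
  cat > "$dir/good.json" <<'EOF'
{
  "gateway": {
    "network": { "bindAddress": "127.0.0.1" },
    "auth": {
      "mode": "token",
      "token": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    },
    "controlUi": {}
  }
}
EOF
}

# Stand-alone demo: lint both samples and report the finding count for each.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in bad good; do
  rc=0
  audit_openclaw_config "$demo_dir/$f.json" || rc=$?
  printf '%s.json: %d finding(s)\n' "$f" "$rc"
done
rm -rf "$demo_dir"
```

Wire audit_openclaw_config into the restart step of Section 2 (refuse to restart when it returns non-zero) and you get a cheap guard against the "0.0.0.0 slipped back in" regression; the bad sample produces six findings, the good one none.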

    6. Secure secrets and limit filesystem exposure

    Step‑by‑step

  • Never mount ~/.ssh or other credential directories into the gateway container.
  • Use a secret manager (e.g., HashiCorp Vault, AWS Secrets Manager) to inject API keys at runtime.
  • Set strict file permissions on any mounted config: chmod 600 /opt/openclaw/config/secrets.yaml.
  • Rotate the gateway token at least every 30 days; automate rotation with a cron job that updates .env and restarts the service.
    7. Ongoing monitoring and safe updates

    Checklist

  • Health check: query GET /health every 5 minutes from a monitoring system (Prometheus, Grafana).
  • Log review: pipe gateway logs to a central syslog server; watch for “unauthenticated request” or “tool execution denied” entries.
  • Rolling updates: use a blue‑green deployment pattern—start a new container with the updated config, verify health, then stop the old one.
    Troubleshooting note

    Symptom: “Token authentication failed” even though the token looks correct.

    Cause: The token file has Windows line endings (\r\n), so the value the gateway reads ends in a carriage return that is not part of the real token. Check with cat -v .env; a trailing ^M on the line confirms it.

    Fix: Re‑create the .env file on the Linux host, or run tr -d '\r' < .env > .env.clean && mv .env.clean .env. Re‑apply chmod 600 .env afterwards, because the new file was created with the default umask rather than the original file's mode.
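The .env handling in Section 3, the 30‑day rotation in Section 6 and the CRLF fix above all touch the same file, so here is one added example (not code from OpenClaw or ClickClaw) that does the rotation safely: it writes the new file with mode 600, replaces the old one atomically, and strips any carriage returns so a Windows‑edited file cannot hand the gateway a token with a trailing \r. It assumes the variable name OPENCLAW_GATEWAY_TOKEN from Section 3; restarting the service afterwards (systemctl restart openclaw-gateway) is left to the caller, and the sample .env it rewrites is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of OpenClaw or ClickClaw: rotate the gateway token in
# a .env file as Sections 3, 6 and 7 describe. Assumes the variable name
# OPENCLAW_GATEWAY_TOKEN; the service restart is the caller's job.

# new_gateway_token -> 64 lowercase hex chars, the same shape as `openssl rand -hex 32`
# (falls back to /dev/urandom on hosts without openssl).
new_gateway_token() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'; echo
  fi
}

# file_mode FILE -> octal permission bits such as 600 (GNU stat, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# read_env_token ENVFILE -> the current token value with any stray CR removed.
read_env_token() {
  sed -n 's/^OPENCLAW_GATEWAY_TOKEN=//p' "$1" | tr -d '\r'
}

# rotate_gateway_token ENVFILE -> rewrites ENVFILE with a fresh token and prints it.
rotate_gateway_token() {
  local envfile="$1" token tmp
  token=$(new_gateway_token)
  # mktemp creates the file with mode 600 in the same directory, so the final
  # mv is an atomic rename and no reader ever sees a half-written .env.
  tmp=$(mktemp "${envfile}.XXXXXX")
  if [ -f "$envfile" ]; then
    # Keep every other variable, drop CRs (the Section 7 failure), and drop the
    # old token line. grep -v exits 1 when nothing is left, which is fine here.
    tr -d '\r' < "$envfile" | grep -v '^OPENCLAW_GATEWAY_TOKEN=' > "$tmp" || true
  fi
  printf 'OPENCLAW_GATEWAY_TOKEN=%s\n' "$token" >> "$tmp"
  chmod 600 "$tmp"          # explicit, in case mktemp's default mode was changed
  mv -f "$tmp" "$envfile"   # the 600 mode travels with the inode
  printf '%s\n' "$token"
}

# Stand-alone demo on a constructed .env with Windows line endings.
# SOME_OTHER_SETTING is a made-up variable standing in for whatever else lives in the file.
demo_dir=$(mktemp -d)
printf 'SOME_OTHER_SETTING=keep-me\r\nOPENCLAW_GATEWAY_TOKEN=oldtoken\r\n' > "$demo_dir/.env"
new_token=$(rotate_gateway_token "$demo_dir/.env")
printf 'rotated: %s (mode %s)\n' "$new_token" "$(file_mode "$demo_dir/.env")"
rm -rf "$demo_dir"
```

For the monthly rotation in Section 6, call rotate_gateway_token /opt/openclaw/.env from the cron job and follow it with the service restart; because the write is atomic, a restart that races the rotation still reads either the complete old file or the complete new one.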

    8. Manual setup vs. ClickClaw one‑click deployment

| Feature | Manual OpenClaw gateway | ClickClaw one‑click setup |
|---|---|---|
| Network exposure | Requires manual binding, firewall rules, and optional Tailscale tunnel | Handled automatically; gateway runs behind a secure tunnel |
| Authentication | Must create, store, and rotate tokens yourself | ClickClaw injects a long random token and rotates it as part of the service |
| Tool sandboxing | User must edit allow‑lists and configure container read‑only mounts | Pre‑configured least‑privilege tool set for the Gateway Guardian archetype |
| Updates & uptime | Manual container restarts, log tailing, and cron jobs | ClickClaw maintains uptime and applies patches without user intervention |

    If you already have a hardened gateway, ClickClaw can still save you time on the operational side: the service runs the gateway in a managed environment, applies the same security defaults, and delivers results straight to Telegram.

    9. Quick start with ClickClaw (optional)

    user: I need a secure OpenClaw gateway for my Gateway Guardian agent.

    agent: Sure! I’ll set up a hardened gateway, bind it to 127.0.0.1, enable token auth, and expose it through a Tailscale tunnel. You’ll receive the token via this chat.

    user: Great, let’s go.


    10. Risk‑vs‑cost snapshot

  • Risk without hardening: Open port → automated scanner → token‑less API access → data exfiltration or workflow hijack. Potential downtime and breach remediation can run into thousands of dollars.
  • Cost of hardening: A few minutes of configuration, a one‑time firewall rule, and a $15/month ClickClaw starter plan (if you prefer managed deployment). The incremental operational cost is negligible compared with the breach impact.
    By binding the gateway to the loopback interface, enforcing strong token authentication, tunneling access through Tailscale or a strict firewall, and applying tool‑allow‑lists and least‑privilege mounts, you create a robust

    More Reading

  • [Securely Configuring OpenClaw Skills: Avoiding Permission Pitfalls](https://clickclaw.ai/blog/securely-configuring-openclaw-skills-avoiding-permission-pitfalls) Trying to run OpenClaw but unsure which setup path to pick? Learn the practical trade-offs so you can launch quickly with less setup friction.
    FAQ

    What is the easiest way to deploy OpenClaw?

    Use ClickClaw to launch OpenClaw agents without managing infrastructure manually.

    Do I need to self-host OpenClaw for production use?

    No. Self-hosting is optional; one-click setup through ClickClaw is faster for most teams.

    Who should read Securing Your OpenClaw Gateway: How to Prevent ClawJacked Attacks?

    A DevOps or security engineer responsible for deploying OpenClaw in production who needs a hardened, attack‑resilient gateway configuration.

    How can I start quickly?

    Pick one workflow, validate inputs and outputs, and deploy through ClickClaw Telegram onboarding.