Security Guide
Set up and run OpenClaw securely. Read this BEFORE you start.
Control API Costs
The "API Wallet Assassin" problem is real: uncontrolled loops can cost hundreds of euros per night. ALWAYS set a spending limit with your AI provider (e.g., OpenAI Dashboard → Billing → Usage Limits). Recommendation: Start with €20/month and increase as needed.
Secure Configuration
NEVER expose OpenClaw directly to the internet without a reverse proxy (Nginx). Use HTTPS/SSL for all connections. Keep the Docker container updated. Use strong, unique passwords. Store API keys as Docker secrets rather than as environment variables, which can end up in logs.
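As an added illustration (not configuration shipped by OpenClaw or this guide), the following Nginx site file makes the proxy the only internet-facing entry point: port 80 does nothing but redirect to HTTPS, and requests are forwarded to an OpenClaw container assumed to be published on 127.0.0.1:8080. The hostname, the upstream port and the Let's Encrypt certificate paths are placeholders to replace with your own.

```nginx
# Added example, not the OpenClaw project's own config.
# Assumptions (placeholders): host openclaw.example.com, OpenClaw published
# on 127.0.0.1:8080 only, certificates issued by Let's Encrypt.

# Needed for WebSocket upgrades; keeps normal requests on keep-alive.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP: redirect everything, serve nothing in clear text.
server {
    listen 80;
    listen [::]:80;
    server_name openclaw.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name openclaw.example.com;

    ssl_certificate     /etc/letsencrypt/live/openclaw.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openclaw.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Upstream is bound to loopback, so it is reachable only through this proxy.
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

For the loopback binding to hold, publish the container port on localhost only (for example `-p 127.0.0.1:8080:8080` with docker run, or `"127.0.0.1:8080:8080"` under ports: in docker-compose), so that only ports 22, 80 and 443 are reachable from outside, matching the firewall item in the checklist below.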
Known Vulnerabilities
CVE-2026-25253 affected over 40,000 instances. The ClawHavoc supply chain attack compromised 9,000+ installations through 341 malicious skills. Only install skills from trusted sources. Regularly check OpenClaw security advisories on GitHub.
Updates & Patches
ALWAYS keep OpenClaw updated. Security patches are released regularly. Set up automatic updates (see Linux guide). With our managed hosting, we do this automatically for you — daily at 02:00 UTC.
GDPR & Privacy
If you use OpenClaw for business purposes, be aware that data sent to AI models leaves your server. Review your AI provider's privacy policy. For GDPR-critical data: use EU-hosted models or anonymize data before sending.
Security Checklist
- API spending limit set
- HTTPS/SSL active
- No direct internet access without reverse proxy
- Docker container up to date
- Only trusted skills installed
- Strong passwords used
- Firewall configured (ports 22, 80, 443 only)
- Regular backups set up
Don't want to deal with security configuration?
Managed Hosting: We take care of it