“Can OpenClaw access my files?” “Is it safe to give an AI agent access to my accounts?” “How do I know it won’t leak my data?”

These are the right questions to ask. Any AI agent that runs on your machine with access to your tools deserves serious scrutiny. Here’s everything you need to know about OpenClaw’s security model.

How OpenClaw Works (The Short Version)

OpenClaw is a self-hosted AI agent framework. Unlike cloud AI assistants, it runs on your hardware — your laptop, Mac Mini, Raspberry Pi, or VPS.

Your Device ← OpenClaw Gateway → AI Provider API (Claude, GPT, etc.)
     ↓                ↓
  Your Files      Your Channels (Telegram, Discord, etc.)

Key distinction: Your conversations, files, and data stay on your device. Only the messages you send to the AI model leave your machine — and those go directly to the API provider you chose.

What OpenClaw Can and Cannot Access

What it CAN access (by default):

  • Files in its workspace directory (~/.openclaw/workspace/)
  • Shell commands (with configurable restrictions)
  • Configured messaging channels
  • Web browsing (if browser tools are enabled)
  • Any skills you’ve installed

What it CANNOT access (without explicit config):

  • Files outside its workspace (unless you grant broader access)
  • Your email (until you set up the himalaya/gog skill)
  • Your social media (until you configure credentials)
  • Other users’ machines
  • Anything you haven’t explicitly connected

The principle: OpenClaw does nothing until you enable it. Every capability requires explicit configuration.

The Data Flow

Understanding where your data goes:

1. Local Processing (stays on your machine)

  • File reading and writing
  • Shell command execution
  • Memory files (MEMORY.md, daily notes)
  • Skill execution
  • Message routing logic

2. Sent to AI Provider (leaves your machine)

  • Your messages and the agent’s system prompt
  • Tool call results (file contents, command output)
  • Conversation history within the context window

3. Sent to Messaging Platforms (if configured)

  • Agent responses routed to Telegram, Discord, etc.
  • Only the response text — not your files or memory

Important: The AI provider (Anthropic, OpenAI, etc.) receives the most data. Review their data retention policies:

  • Anthropic API: Does not train on API data, 30-day retention for trust & safety
  • OpenAI API: Does not train on API data by default, configurable retention
  • Local models (Ollama): Nothing leaves your machine at all

Security Hardening Checklist

Level 1: Basic (Everyone Should Do This)

1. Set a gateway token

{
  "gateway": {
    "token": "your-secure-random-token"
  }
}

Without this, anyone on your network can talk to your agent.

2. Restrict shell access

{
  "security": {
    "exec": "allowlist"
  }
}

Limit which commands the agent can run.

3. Use API keys, not passwords

Never put account passwords in your config. Use API keys and tokens that can be revoked.

4. Review installed skills

Each skill is code that runs on your machine. Only install skills from trusted sources. Check the SKILL.md before installing.

Level 2: Intermediate

5. Limit file system access

Configure workspace boundaries so the agent can’t read sensitive directories.

6. Enable DM restrictions

{
  "channels": {
    "dmPolicy": "owner-only"
  }
}

Prevent strangers from messaging your agent.

7. Separate credentials

Use environment variables or a secrets manager (1Password CLI) instead of hardcoding credentials in config files.

8. Monitor costs

Set spending alerts to catch runaway automations. Use /status to check daily spend.

Level 3: Advanced

9. Network isolation

Run OpenClaw in a Docker container or VM with restricted network access.

10. Audit logging

Enable logging to track all tool calls, file accesses, and external communications.

11. Use local models for sensitive work

Run Ollama for tasks involving private data. Nothing leaves your machine.

12. Regular security audits

Use the healthcheck or clawdbot-self-security-audit skills to scan your configuration.
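As an added example (not OpenClaw’s own code or its audit skills), here is a small Python checker that runs the config-level items of the checklist above against a config file: gateway.token set and not a placeholder (item 1), security.exec set to "allowlist" (item 2), channels.dmPolicy set to "owner-only" (item 6), and no account passwords anywhere in the file (items 3 and 7). The sample config is constructed; the "skills.email.password" path in it and the password-key heuristic are assumptions for illustration, not part of OpenClaw’s schema.

```python
import json
import secrets

# Constructed sample config: the gateway token is still the placeholder from
# the article, "security" and "channels" are absent, and a constructed
# "skills.email.password" key holds an account password.
SAMPLE_CONFIG = json.loads("""
{
  "gateway": { "token": "your-secure-random-token" },
  "skills": { "email": { "password": "hunter2" } }
}
""")

# Token values that mean "nobody actually set a token".
PLACEHOLDER_TOKENS = {"", "your-secure-random-token", "changeme"}


def _walk(node, path=""):
    """Yield (dotted path, value) for every leaf in a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def audit_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    token = cfg.get("gateway", {}).get("token")
    if not isinstance(token, str) or token in PLACEHOLDER_TOKENS or len(token) < 16:
        findings.append("gateway.token missing, placeholder, or too short (item 1)")
    if cfg.get("security", {}).get("exec") != "allowlist":
        findings.append("security.exec is not 'allowlist' (item 2)")
    if cfg.get("channels", {}).get("dmPolicy") != "owner-only":
        findings.append("channels.dmPolicy is not 'owner-only' (item 6)")
    # Heuristic (assumption): any key named like a password holds a real
    # account password, which the checklist says should never be in config.
    for path, value in _walk(cfg):
        if "password" in path.lower() and value:
            findings.append(f"{path}: account password stored in config (items 3/7)")
    return findings


def new_gateway_token(nbytes=32):
    """Generate a URL-safe random value suitable for gateway.token."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FAIL:", finding)
    print("suggested gateway.token:", new_gateway_token())
```

Point it at your real file with `audit_config(json.load(open(path)))`; the checker reads the config only and never changes it.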

Common Concerns Addressed

“What if the AI goes rogue?”

OpenClaw follows its system prompt strictly. It has built-in safety constraints:

  • No independent goal-seeking
  • Asks before destructive operations
  • Respects stop/pause commands
  • No self-replication or resource acquisition

But ultimately, you control what tools and permissions it has. A well-configured agent with restricted permissions can’t do much damage even if the model behaves unexpectedly.

“Can someone hack my agent?”

The main attack vectors:

  1. Exposed gateway — Always set a gateway token
  2. Prompt injection via group chats — Be careful about which group chats your agent joins
  3. Malicious skills — Only install skills you’ve reviewed (see how MCP supply chain attacks work)
  4. Compromised API keys — Rotate keys regularly

“What about my privacy?”

Your conversation data goes to the AI provider you choose. To maximize privacy:

  • Use local models via Ollama for sensitive topics
  • Review provider data policies
  • Don’t put sensitive information in the system prompt unnecessarily
  • Use the memory system selectively

“Is it safe for a team?”

OpenClaw supports multiple agents with separate configurations. Each agent can have:

  • Its own API keys and model access
  • Restricted tool permissions
  • Separate workspace directories
  • Channel-specific access controls

The Bottom Line

OpenClaw is as secure as you configure it. The self-hosted model means you have full control — but that also means security is your responsibility.

Start secure:

  1. Set a gateway token
  2. Restrict shell access
  3. Review skills before installing
  4. Monitor your agent’s activity (see our guardrails guide for step-by-step instructions)

Stay secure:

  • Keep OpenClaw updated
  • Rotate API keys periodically
  • Audit your config quarterly
  • Follow the principle of least privilege

The fact that OpenClaw is self-hosted is itself a security feature. Your data doesn’t sit on someone else’s server. Your agent doesn’t phone home. You own everything.

Have security questions? Ask on r/openclaw or our Discord. Found a vulnerability? Report it on GitHub.