The most common OpenClaw (formerly ClawdBot / MoltBot) setup mistakes are: exposing the gateway to the public internet without authentication, running the bot as root, giving it access to your primary email account, skipping the security audit, installing unvetted community skills, using weak or default gateway tokens, and not configuring execution approval for shell commands. Each of these mistakes has led to real-world data exposure or security incidents.

We have deployed OpenClaw remotely for 30+ teams since the project went viral in late January 2026. These are the seven mistakes we see most often when auditing existing installations — and how to fix each one.


Mistake 1: Leaving the Gateway Exposed to the Internet

How common: Found in roughly 80% of self-managed VPS installations we audit.

What happens: OpenClaw's gateway binds to 0.0.0.0 by default, which means it listens on every network interface and accepts connections from any address that can reach the host. If your VPS has a public IP and no firewall (which is the default on most cloud providers), anyone can access your OpenClaw dashboard and send commands to your bot.

This is not a theoretical risk. In February 2026, security researchers at Bitdefender found over 135,000 OpenClaw instances exposed to the internet with no authentication. Many of these had access to personal files, email accounts, and messaging platforms.

How to fix it:

Change the gateway bind address in your openclaw.json:

{
  "gateway": {
    "host": "127.0.0.1",
    "port": 18789
  }
}

Then configure a firewall so that port 18789 is not reachable from outside. The rules below deny all incoming traffic by default and allow only SSH:

sudo ufw default deny incoming
sudo ufw allow 22/tcp
sudo ufw enable

If you need remote access to the dashboard, use an SSH tunnel or Tailscale — never expose the port directly.
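To confirm the change took effect, check what is actually listening rather than what the config file says. The script below is an added example, not part of OpenClaw or the original article: it parses `ss -ltn` output and reports any listener on the gateway port that is not loopback-only. The sample output is constructed.

```python
import ipaddress
import shutil
import subprocess

GATEWAY_PORT = 18789  # port from the article's openclaw.json

def split_local(field):
    """Split an ss 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope (e.g. 127.0.0.53%lo).
    return host.strip("[]").split("%", 1)[0], port

def is_loopback(host):
    if host == "*":  # ss wildcard: all IPv4 and IPv6 addresses
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: report it rather than trust it

def exposed_listeners(ss_output, port=GATEWAY_PORT):
    """Return local addresses listening on `port` that are not loopback-only."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, listen_port = split_local(cols[3])
        if listen_port == str(port) and not is_loopback(host):
            exposed.append(cols[3])
    return exposed

# Constructed sample of `ss -H -ltn` output with the gateway on all interfaces.
SAMPLE = """\
LISTEN 0 128   0.0.0.0:22        0.0.0.0:*
LISTEN 0 511   0.0.0.0:18789     0.0.0.0:*
LISTEN 0 511   [::]:18789        [::]:*
LISTEN 0 4096  127.0.0.53%lo:53  0.0.0.0:*
"""

if __name__ == "__main__":
    # Use the live socket table when ss is available, else the sample.
    if shutil.which("ss"):
        out = subprocess.run(["ss", "-H", "-ltn"], capture_output=True, text=True).stdout
    else:
        out = SAMPLE
    hits = exposed_listeners(out)
    print("EXPOSED: " + ", ".join(hits) if hits else "gateway port is loopback-only or closed")
```

A wildcard listener is only the socket-level view; whether it is reachable from outside still depends on the firewall rules above.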


Mistake 2: Running OpenClaw as Root

How common: Found in roughly 40% of Linux/VPS installations we audit.

What happens: When OpenClaw runs as root, the AI has unrestricted access to every file on the system, including other users' data, system configuration files, and SSH keys. A single prompt injection or hallucination can escalate into a full system compromise.

How to fix it:

Create a dedicated user with limited permissions:

sudo adduser openclaw
su - openclaw
# Install and run OpenClaw under this user

After initial setup, consider removing sudo access from this user entirely. OpenClaw does not need root privileges for normal operation.


Mistake 3: Connecting Your Primary Email and Accounts

How common: Found in roughly 65% of installations we audit.

What happens: Many users connect OpenClaw directly to their main Gmail account with full read/write access. This means the bot can read every email, access every file in Google Drive, and send messages on your behalf. If the bot is compromised through prompt injection, all of that data is exposed.

How to fix it:

Create a dedicated email account for your OpenClaw instance. Then share only the specific resources it needs:

  • Share your calendar with "view only" access to the bot's email
  • Share specific Google Docs and Sheets individually (not entire folders)
  • Use OAuth scopes that restrict API access to only the services needed

In our deployments, we set up a dedicated Google Cloud project with minimal OAuth scopes for each client. This takes an extra 15-20 minutes during setup but dramatically reduces the attack surface.


Mistake 4: Skipping the Security Audit

How common: Found in roughly 90% of installations we audit (most people do not know this command exists).

What happens: OpenClaw ships with a built-in security audit tool that checks for common misconfigurations. Skipping this means you are likely running with at least 2-3 security issues that are easily fixable.

How to fix it:

Run the audit immediately after setup, and again after any configuration changes:

openclaw security audit --deep

For automatic fixes to common issues:

openclaw security audit --fix

The --fix flag tightens group policies, re-enables log redaction for sensitive data, and corrects file permissions. We run this audit as the final step in every deployment and include it in the client's weekly maintenance checklist.


Mistake 5: Installing Community Skills Without Vetting

How common: Affects roughly 30% of users who install third-party skills.

What happens: OpenClaw's skill system allows community-contributed plugins that extend the bot's capabilities. Some of these skills contain malicious code — they may exfiltrate data, create backdoors, or modify your bot's behavior in ways you did not authorize.

How to fix it:

Before installing any community skill:

1. Read the source code (or have someone review it for you)
2. Scan it with Cisco's open-source skill scanner:

npx @cisco-ai-defense/skill-scanner scan ./skill-folder

3. Check if the skill requires suspicious permissions (network access to unknown domains, filesystem writes outside its own directory, or shell execution)

We maintain a vetted skill list for our clients. If a skill is not on that list, we manually review the source before approving installation.


Mistake 6: Using Weak or Default Gateway Tokens

How common: Found in roughly 50% of installations, especially one-click deployments.

What happens: The gateway token is the password that protects access to your OpenClaw instance. Some one-click deployment platforms auto-generate tokens that are short or predictable. Some users set simple tokens like "password" or "openclaw123" because they assume only they will ever access the dashboard.

How to fix it:

Generate a cryptographically random token:

openssl rand -hex 32

This produces a 64-character hexadecimal string that is practically impossible to guess. Set this as your OPENCLAW_GATEWAY_TOKEN and store it in a password manager.


Mistake 7: Not Enabling Execution Approval

How common: Disabled by default. Roughly 75% of users never enable it.

What happens: Without execution approval, OpenClaw can run shell commands, delete files, and push code to Git repositories without asking for your confirmation. If the AI hallucinates a destructive command (or is tricked by prompt injection), it executes immediately with no safety net.

How to fix it:

Enable approval gates for high-risk tools in your configuration:

{
  "tools": {
    "terminal": { "exec_approval": true },
    "filesystem_delete": { "exec_approval": true },
    "git_push": { "exec_approval": true }
  }
}

With this enabled, OpenClaw will send you a confirmation message before executing any of these actions. You approve or reject each one individually. This adds a few seconds per action but prevents irreversible mistakes.


Quick Self-Audit Checklist

Run through this list right now to check your installation:

| Check | Status |
|---|---|
| Gateway bound to 127.0.0.1 (not 0.0.0.0)? | |
| Running as non-root user? | |
| Using dedicated email/accounts (not personal)? | |
| openclaw security audit --deep passes cleanly? | |
| All community skills vetted before installation? | |
| Gateway token is 32+ random characters? | |
| Execution approval enabled for terminal/delete/git? | |
| Firewall configured (ufw or equivalent)? | |
| DM policy set to "pairing" (not "open")? | |
| File permissions locked (chmod 700 ~/.openclaw)? | |

If you checked fewer than 7 of these, your installation has meaningful security gaps.
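Several of these checks can be scripted. The following is an added example, not OpenClaw's own audit tool and not from the original article: it evaluates the bind address, root, token, execution-approval and directory-permission items using the config keys shown above. It assumes a missing key means the insecure default the article describes, and the sample configs are constructed.

```python
import json
import secrets

HIGH_RISK_TOOLS = ("terminal", "filesystem_delete", "git_push")  # gated in Mistake 7
WEAK_TOKENS = {"password", "openclaw123"}  # weak tokens quoted in Mistake 6
LOOPBACK = {"127.0.0.1", "::1"}

def audit(config, token, euid, dir_mode):
    """Return the checklist items that fail for one installation.

    config   -- parsed openclaw.json
    token    -- value of OPENCLAW_GATEWAY_TOKEN
    euid     -- effective uid of the OpenClaw process (os.geteuid())
    dir_mode -- mode of ~/.openclaw (os.stat(path).st_mode)
    """
    failed = []
    # Assumption: a missing key means the insecure default from the article.
    if config.get("gateway", {}).get("host", "0.0.0.0") not in LOOPBACK:
        failed.append("gateway not bound to loopback")
    if euid == 0:
        failed.append("running as root")
    # Length plus a distinct-character floor is a heuristic, not proof of randomness.
    if len(token) < 32 or token.lower() in WEAK_TOKENS or len(set(token)) < 8:
        failed.append("weak gateway token")
    tools = config.get("tools", {})
    for name in HIGH_RISK_TOOLS:
        if tools.get(name, {}).get("exec_approval") is not True:
            failed.append(f"no execution approval for {name}")
    if dir_mode & 0o077:  # any group/other bit is looser than chmod 700
        failed.append("~/.openclaw accessible by group or other")
    return failed

# Constructed samples: an untouched install and one hardened as described above.
DEFAULT_INSTALL = json.loads('{"gateway": {"port": 18789}}')
HARDENED = json.loads("""{
  "gateway": {"host": "127.0.0.1", "port": 18789},
  "tools": {"terminal": {"exec_approval": true},
            "filesystem_delete": {"exec_approval": true},
            "git_push": {"exec_approval": true}}
}""")

if __name__ == "__main__":
    for item in audit(DEFAULT_INSTALL, "openclaw123", 0, 0o40755):
        print("FAIL:", item)
    # secrets.token_hex(32) has the same output shape as `openssl rand -hex 32`.
    print(audit(HARDENED, secrets.token_hex(32), 1001, 0o40700) or "all scripted checks pass")
```

The remaining checklist items (dedicated accounts, skill vetting, firewall, DM policy) still need a manual look or `openclaw security audit --deep`.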


FAQ

Is OpenClaw dangerous to use?

OpenClaw is not inherently dangerous, but it requires deliberate security configuration. The default settings prioritize ease of setup over security. With proper hardening — which takes about 15-20 minutes — it is suitable for daily business use.

What is the "find ~" incident in OpenClaw?

The "find ~" incident is documented in OpenClaw's official security page. It refers to a case where the AI executed a find ~ command that traversed an entire home directory, exposing personal files. This is why running OpenClaw on a dedicated device (not your personal laptop) is strongly recommended.

Can someone hack my OpenClaw bot?

If your gateway is exposed to the internet without authentication, yes — anyone can access and control your bot. If you follow the hardening steps in this guide (binding to localhost, firewall, strong token, execution approval), the risk drops significantly. The main remaining attack vector is prompt injection through messages, which is why DM pairing mode is important.

How do I know if my OpenClaw instance is exposed?

Run openclaw security audit --deep to check. You can also test externally by trying to access http://your-server-ip:18789 from a different network. If the dashboard loads, your gateway is exposed.

Are ClawdBot and MoltBot still supported?

ClawdBot and MoltBot were earlier names for the same project, now called OpenClaw. There are no separate codebases — updating to the latest version of OpenClaw gives you all the latest features and security patches regardless of which name you originally installed under.


Want a Professional Security Audit for Your OpenClaw Instance?

We audit and harden existing OpenClaw installations remotely. If you set up OpenClaw yourself and want someone to verify it is production-safe, we can run through the full 12-step checklist and fix any issues in a single session.



*Last updated: February 2026. Based on real audit findings from 30+ remote OpenClaw deployments by the Remote OpenClaw team at remoteopenclaw.com.*