GREG ANDERSON

February 1, 2026

The OpenClaw Hardening Checklist - Need for Speed Edition

This checklist builds on my writeup here.

This version is designed to improve security in minutes.
The more in-depth version is here.

Do not run npm start until you have verified these configurations. This checklist maps directly to OpenClaw’s documented security features and standard container hardening practices.

1. Configuration Hardening (openclaw.json)

  • [ ] Enable Sandboxing: Ensure your configuration explicitly sets sandbox_mode: true. This restricts the agent's ability to execute arbitrary system binaries outside of its designated workspace.

  • [ ] Strict DM Policy: In your config.yaml or openclaw.json, set your dm_policy to allowlist (never public or open). Explicitly list only your specific User ID for Telegram/Discord/Slack.

  • [ ] Disable "Heartbeat" by Default: Unless you have a specific need for proactive behavior (the agent waking up on its own), disable the heartbeat or "autonomous loop" feature to prevent recursive spending loops or unprompted actions.

2. Infrastructure & Docker Flags

If you must use Docker (though a VM is safer), you must restrict the container's privileges.

  • [ ] Drop Capabilities: Run the container with --cap-drop=ALL. Only add back specifically required capabilities (e.g., NET_BIND_SERVICE if it needs to serve a webhook).

  • [ ] Read-Only Root: Use the --read-only flag for the container’s file system. Mount a specific, writable volume only for the agent’s workspace/ directory.

  • [ ] No New Privileges: Always use --security-opt=no-new-privileges to prevent the agent from escalating its own permissions via setuid binaries.
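The three Docker flags above are easy to lose when a run command is copied between hosts. The following script is an added example (it is not part of OpenClaw and does not use any OpenClaw tooling): it lints a `docker run` command line for the checklist flags without contacting the Docker daemon, so it runs offline. The image name `openclaw:example` and both sample commands are constructed placeholders; the list of capabilities allowed back in is taken from the checklist (only NET_BIND_SERVICE).

```python
"""Lint a `docker run` command line against the container checklist.

Added example, not OpenClaw's own tooling. It inspects only the argv, so it
needs no Docker daemon. Image names and sample commands are constructed.
"""
import shlex

# Flags the checklist requires, with the reason each one is there.
REQUIRED = {
    "--cap-drop=ALL": "drop all Linux capabilities",
    "--read-only": "read-only root filesystem",
    "--security-opt=no-new-privileges": "block escalation via setuid binaries",
}
# Capabilities the checklist permits adding back; anything else is flagged.
ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}


def _normalize(argv):
    """Fold the split form ("--cap-drop ALL") into "--cap-drop=ALL", drop the
    ":true" suffix Docker accepts on no-new-privileges, and upper-case
    capability names, so one comparison covers every accepted spelling."""
    out, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("--cap-drop", "--cap-add", "--security-opt") and i + 1 < len(argv):
            tok = f"{tok}={argv[i + 1]}"
            i += 1
        if tok.startswith("--security-opt="):
            tok = tok.replace(":true", "")
        if tok.startswith(("--cap-drop=", "--cap-add=")):
            name, _, val = tok.partition("=")
            tok = f"{name}={val.upper().removeprefix('CAP_')}"
        out.append(tok)
        i += 1
    return out


def check_docker_run(cmd):
    """Return a list of findings; an empty list means the command passes."""
    argv = _normalize(shlex.split(cmd))
    findings = []
    if "--privileged" in argv:
        findings.append("--privileged grants every capability; remove it")
    for flag, why in REQUIRED.items():
        if flag not in argv:
            findings.append(f"missing {flag} ({why})")
    for tok in argv:
        if tok.startswith("--cap-add="):
            cap = tok.split("=", 1)[1]
            if cap not in ALLOWED_CAP_ADD:
                findings.append(f"--cap-add={cap} is not in {sorted(ALLOWED_CAP_ADD)}")
    return findings


# Constructed sample commands: one as often copied from a quick-start, one hardened.
WEAK_CMD = "docker run -d --privileged -p 3000:3000 openclaw:example"
HARDENED_CMD = (
    "docker run -d --cap-drop ALL --cap-add=NET_BIND_SERVICE --read-only "
    "--security-opt no-new-privileges:true "
    "-v openclaw-workspace:/app/workspace openclaw:example"
)

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_CMD), ("hardened", HARDENED_CMD)):
        result = check_docker_run(cmd)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print(f"  - {line}")
```

Run it before `npm start` inside the container, or drop `check_docker_run` into a pre-deploy hook that refuses to launch when the list is non-empty. It deliberately treats `--privileged` as its own finding even when the three required flags are present, because `--privileged` re-grants what `--cap-drop=ALL` removed.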

3. MCP (Model Context Protocol) Hygiene

OpenClaw uses MCP to connect to tools. This is your primary attack surface.

  • [ ] Tool Allow-listing: Do not install the "default" skill bundle. Audit your mcp_server configuration and enable only the specific tools required for the task (e.g., filesystem:read, browser:navigate).

  • [ ] Block Dangerous Tools: Explicitly ensure the agent does not have access to filesystem:write on root directories or shell:execute unless absolutely necessary for a contained coding task.

4. Network & Identity

  • [ ] Gateway Authentication: Ensure gateway.auth.token is set to a strong, high-entropy string. Never expose the control port (default 3000 or 8080) to the public internet; tunnel it via localhost or a VPN (Tailscale/WireGuard).

  • [ ] Burner Keys Only: In your .env file, ensure OPENAI_API_KEY and ANTHROPIC_API_KEY are unique to this instance and have hard spend limits ($50/mo) set in the provider's console.
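Sections 1, 3 and 4 all come down to values in openclaw.json, so they can be checked together. The script below is an added example and not OpenClaw's own code; the key layout it assumes (`sandbox_mode`, `dm_policy`, `dm_allowlist`, `heartbeat.enabled`, `mcp_server.tools`, `gateway.auth.token`) is an assumption made for illustration and must be mapped onto the real schema of your install. The two sample configs and the user ID in them are constructed. The dangerous-tool list and the allowlist policy come from the checklist; the token strength test is a Shannon-entropy estimate that I chose, not a documented OpenClaw check.

```python
"""Audit an openclaw.json document against checklist sections 1, 3 and 4.

Added example, not part of OpenClaw. The key names below are an assumed
layout for illustration; the sample configs are constructed.
"""
import json
import math
from collections import Counter

DANGEROUS_TOOLS = {"filesystem:write", "shell:execute"}  # from section 3
MIN_TOKEN_LEN = 32
MIN_TOKEN_BITS = 128.0  # assumed floor for gateway.auth.token


def estimated_entropy_bits(s: str) -> float:
    """Shannon entropy per character times length. A necessary check only:
    a token pasted from a public example can still score high."""
    if not s:
        return 0.0
    n = len(s)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(s).values())
    return per_char * n


def audit_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means every item passes."""
    findings = []
    # Section 1: configuration hardening
    if cfg.get("sandbox_mode") is not True:
        findings.append("sandbox_mode is not true")
    policy = cfg.get("dm_policy")
    if policy != "allowlist":
        findings.append(f"dm_policy is {policy!r}; must be 'allowlist'")
    elif not cfg.get("dm_allowlist"):
        findings.append("dm_policy is allowlist but dm_allowlist is empty")
    if cfg.get("heartbeat", {}).get("enabled", False):
        findings.append("heartbeat is enabled; disable unless proactive behaviour is required")
    # Section 3: MCP hygiene
    mcp = cfg.get("mcp_server", {})
    if "tools" not in mcp:
        findings.append("mcp_server.tools is missing (no explicit tool allow list)")
    for bad in sorted(set(mcp.get("tools", [])) & DANGEROUS_TOOLS):
        findings.append(f"dangerous tool enabled: {bad}")
    # Section 4: gateway authentication
    token = cfg.get("gateway", {}).get("auth", {}).get("token", "")
    if len(token) < MIN_TOKEN_LEN or estimated_entropy_bits(token) < MIN_TOKEN_BITS:
        findings.append("gateway.auth.token is missing, short or low-entropy")
    return findings


# Constructed sample configs (assumed layout, not OpenClaw's documented schema).
WEAK_CONFIG = json.loads("""{
  "sandbox_mode": false,
  "dm_policy": "public",
  "heartbeat": {"enabled": true},
  "mcp_server": {"tools": ["filesystem:read", "shell:execute"]},
  "gateway": {"auth": {"token": "changeme"}}
}""")

HARDENED_CONFIG = json.loads("""{
  "sandbox_mode": true,
  "dm_policy": "allowlist",
  "dm_allowlist": ["telegram:EXAMPLE_USER_ID"],
  "heartbeat": {"enabled": false},
  "mcp_server": {"tools": ["filesystem:read", "browser:navigate"]},
  "gateway": {"auth": {"token": "a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuV"}}
}""")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print(f"  - {line}")
```

Point it at your real file with `audit_config(json.load(open("openclaw.json")))` after adjusting the key names. The API keys from the last item are not in this audit on purpose: spend limits live in the provider's console, not in the config file, so that check has to be done there.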