OpenClaw Hardening

Secure your OpenClaw server in four layers: host, commands, secrets, awareness.

Prerequisites

• OpenClaw installed and running
• Root/sudo access
• Linux (amd64)

Layer 1: Host Hardening (2 min)

# SSH: key-only, no root password
sed -i 's/^#*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart ssh

# Firewall: deny all except SSH
ufw default deny incoming && ufw default allow outgoing && ufw allow ssh && yes | ufw enable

# Brute-force protection
apt-get install -y fail2ban && systemctl enable --now fail2ban

# Lock credentials
chmod 700 ~/.openclaw/credentials

Layer 2: Chainwatch — Command Safety (5 min)

Chainwatch blocks destructive commands (rm -rf /, sudo su, curl|sh, fork bombs) and routes all LLM API traffic through an intercept proxy.

Install

curl -fsSL https://raw.githubusercontent.com/ppiankov/chainwatch/main/scripts/install-openclaw.sh | sudo bash

This one-liner does everything: installs chainwatch, creates clawbot profile, sets up intercept proxy as systemd service, configures ANTHROPIC_BASE_URL, hardens the host.

Manual install

# Binary
curl -sL https://github.com/ppiankov/chainwatch/releases/latest/download/chainwatch-linux-amd64 \
  -o /usr/local/bin/chainwatch && chmod +x /usr/local/bin/chainwatch

# Init with advisory mode (denylist blocks dangerous, logs everything else)
chainwatch init --profile clawbot
sed -i 's/^enforcement_mode: guarded/enforcement_mode: advisory/' ~/.chainwatch/policy.yaml

# Install skill
mkdir -p ~/.openclaw/skills/chainwatch
curl -fsSL https://raw.githubusercontent.com/ppiankov/chainwatch/main/integrations/openclaw/skill/SKILL.md \
  -o ~/.openclaw/skills/chainwatch/SKILL.md

# Intercept proxy (non-bypassable — sits between OpenClaw and the LLM API)
cat > /etc/systemd/system/chainwatch-intercept.service << 'EOF'
[Unit]
Description=Chainwatch Intercept Proxy
After=network-online.target
Before=openclaw-gateway.service
[Service]
Type=simple
ExecStart=/usr/local/bin/chainwatch intercept --port 9999 --upstream https://api.anthropic.com --profile clawbot --audit-log /var/log/chainwatch/intercept-audit.jsonl
Restart=always
RestartSec=3
User=root
Environment=HOME=/root
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/var/log/chainwatch
MemoryMax=256M
[Install]
WantedBy=multi-user.target
EOF
mkdir -p /var/log/chainwatch
systemctl daemon-reload && systemctl enable --now chainwatch-intercept

Then set the env var so OpenClaw routes through the proxy:

# Add to openclaw config:
# "env": { "vars": { "ANTHROPIC_BASE_URL": "http://localhost:9999" } }
# Then restart gateway

For other providers, change --upstream:

• OpenAI: --upstream https://api.openai.com + set OPENAI_BASE_URL
• Custom: --upstream https://your-provider.com

Usage

Route risky commands through chainwatch:

chainwatch exec --profile clawbot -- rm -rf /tmp/old-data     # checked
chainwatch exec --profile clawbot -- git push --force          # checked

Safe read-only commands (ls, cat, grep, git status) don't need the wrapper.

What gets blocked

Blocked	Allowed
rm -rf /, rm -rf ~	rm -f /tmp/file
sudo su, sudo -i	mkdir, cp, mv
dd if=/dev/zero	curl https://safe-url
curl | sh	apt install, npm install
chmod -R 777 /	chmod 600 specific-file
Fork bombs	systemctl status

Key lesson

guarded mode is too aggressive for agents — it blocks mkdir, cp, touch. Use advisory mode with the denylist. The denylist catches catastrophic commands, advisory logs everything else.

Layer 3: Pastewatch — Secret Redaction (3 min)

Pastewatch prevents secrets (API keys, DB credentials, SSH keys, emails, IPs) from reaching the LLM API. The agent works with placeholders, secrets stay local.

Install

# Binary (needs Swift 5.9.2 runtime on Linux)
curl -fsSL https://github.com/ppiankov/pastewatch/releases/latest/download/pastewatch-cli-linux-amd64 \
  -o /usr/local/bin/pastewatch-cli && chmod +x /usr/local/bin/pastewatch-cli

# If Swift runtime missing:
cd /tmp
curl -fsSL "https://download.swift.org/swift-5.9.2-release/ubuntu2204/swift-5.9.2-RELEASE/swift-5.9.2-RELEASE-ubuntu22.04.tar.gz" -o swift.tar.gz
tar xzf swift.tar.gz --wildcards "*/usr/lib/swift/linux/lib*"
cp -af swift-5.9.2-RELEASE-ubuntu22.04/usr/lib/swift/linux/lib* /usr/lib/
ldconfig

# Verify
pastewatch-cli version

MCP server setup

# Requires mcporter
mcporter config add pastewatch --command "pastewatch-cli mcp --audit-log /var/log/pastewatch-audit.log"

# Verify tools
mcporter list pastewatch --schema

MCP tools

Tool	Purpose
pastewatch_read_file	Read file, secrets → __PW{TYPE_N}__ placeholders
pastewatch_write_file	Write file, placeholders → real values restored locally
pastewatch_check_output	Verify text has no raw secrets before returning
pastewatch_scan	Scan text for sensitive data
pastewatch_scan_file	Scan a file
pastewatch_scan_dir	Scan directory recursively

How it works

Agent reads config.env → pastewatch intercepts → Agent sees __PW{AWS_KEY_1}__
Agent edits and writes → pastewatch resolves → Real values on disk
Secrets never leave your machine.

What it detects

29 types: AWS keys, Anthropic keys, OpenAI keys, DB connections, SSH keys, JWTs, emails, IPs, credit cards, Slack/Discord webhooks, Azure connections, GCP service accounts, npm/PyPI/RubyGems tokens, Telegram bot tokens, and more.

Deterministic regex. No ML. No API calls. Microseconds per scan.

Audit log

tail -f /var/log/pastewatch-audit.log

Logs timestamps, tool calls, file paths, redaction counts. Never logs secret values.

Layer 4: News Intelligence (10 min)

Stay informed without doomscrolling. noisepan scores RSS feeds by relevance, entropia verifies source quality.

Install

# noisepan
curl -fsSL https://github.com/ppiankov/noisepan/releases/latest/download/noisepan_$(curl -s https://api.github.com/repos/ppiankov/noisepan/releases/latest | grep tag_name | cut -d'"' -f4 | tr -d v)_linux_amd64.tar.gz | tar xz -C /usr/local/bin noisepan

# entropia
curl -fsSL https://github.com/ppiankov/entropia/releases/latest/download/entropia_$(curl -s https://api.github.com/repos/ppiankov/entropia/releases/latest | grep tag_name | cut -d'"' -f4 | tr -d v)_linux_amd64.tar.gz | tar xz -C /usr/local/bin entropia

# Init
noisepan init --config ~/.noisepan

Configure feeds

Edit ~/.noisepan/config.yaml — add RSS feeds relevant to your work. Example categories:

• Security: r/netsec, Krebs, BleepingComputer, CISA advisories, NVD
• DevOps: r/devops, r/kubernetes, Cloudflare blog, AWS status
• AI/LLM: r/LocalLLaMA, r/ClaudeAI, Simon Willison, arXiv cs.AI
• World: BBC, r/worldnews, r/geopolitics, EFF
• HN: Built-in via sources.hn.min_points: 200

Reddit rate limiting

With 15+ Reddit feeds, parallel fetching triggers 429s. Create a wrapper:

# /usr/local/bin/noisepan-pull
# Prefetches Reddit sequentially (2s delay), caches locally, then runs noisepan pull
# See: https://github.com/ppiankov/noisepan (setup guide)

Daily digest cron

Set up two cron jobs in OpenClaw:

• Morning (07:00): noisepan pull → noisepan digest --format json → entropia scan top items → send table
• Afternoon (18:00): Same with --since 12h

Format:

🔥 Trending: keywords across 3+ channels
☀️ Morning Brief: top 3 verified items with entropia scores
💡 HN Blind Spot: high-engagement stories the taste profile missed
⚠️ Skipped: items filtered for low quality/conflicts

Key lessons

• noisepan doctor catches stale feeds and all-ignored channels
• noisepan stats shows signal-to-noise per channel — prune after 30 days
• noisepan rescore recomputes scores after taste profile changes
• entropia Support Index < 40 = don't trust it
• HN RSS is too shallow — use native sources.hn or hn-top script for blind spot detection
• Add policy/sovereignty/antitrust/AI safety keywords to taste profile or real stories get buried under security noise

Layer 5: eBPF Enforce — Kernel-Level Containment (3 min)

Chainwatch enforce applies seccomp-bpf filters to OpenClaw's process tree. Blocked syscalls (privilege escalation, kernel manipulation) return EPERM at kernel level — no userspace bypass possible.

Setup

Create the openclaw profile:

# ~/.chainwatch/profiles/openclaw.yaml
name: openclaw
description: OpenClaw gateway — allows networking + file I/O, blocks privilege escalation + kernel ops

seccomp:
  groups:
    baseline: deny          # mount, ptrace, reboot, umount2
    privilege_escalation: deny  # setuid, setgid, capset, etc.
    file_mutation: allow    # OpenClaw needs file I/O
    network_egress: allow   # OpenClaw needs HTTP

Verify profile

# Generate OCI JSON to inspect what gets blocked
chainwatch enforce --oci --profile openclaw --output /tmp/seccomp.json
cat /tmp/seccomp.json | jq '.syscalls[] | select(.action == "SCMP_ACT_ERRNO") | .names'
# Should show: mount, ptrace, reboot, umount2, setuid, setgid, capset, etc.
# Should NOT show: connect, socket, mkdir, rename, openat

Launch OpenClaw under enforce

# One-liner (foreground for systemd)
chainwatch enforce --profile openclaw --fallback -- openclaw gateway run

# --fallback: if seccomp fails, falls back to observe-only (no crash)

Systemd service

# /etc/systemd/system/openclaw.service
[Unit]
Description=OpenClaw Gateway under Chainwatch enforce
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/chainwatch enforce --profile openclaw --fallback -- openclaw gateway run
Restart=on-failure
RestartSec=5
Environment=HOME=/root

[Install]
WantedBy=multi-user.target

systemctl daemon-reload && systemctl enable openclaw

eBPF observe (audit companion)

# Systemd service for continuous eBPF observation
# /etc/systemd/system/chainwatch-observe-openclaw.service
[Unit]
Description=Chainwatch eBPF observer for OpenClaw gateway
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'PID=$(pgrep -f openclaw-gateway); [ -z "$PID" ] && exit 1; exec /usr/local/bin/chainwatch observe --pid $PID'
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target

Observe logs every syscall (execve, openat, connect, etc.) to journald without blocking.

What gets blocked at kernel level

Blocked (EPERM)	Why
setuid, setgid, setresuid, capset	No privilege escalation
mount, umount2, pivot_root	No filesystem remounting
ptrace, process_vm_readv	No debug/memory inspection
reboot, kexec_load	No system shutdown
init_module, delete_module	No kernel modules

Key lesson

sudo breaks under enforce (it needs setresuid). Use direct root commands or run the service as root. This is a feature, not a bug — if the agent can't sudo, neither can an attacker who compromises it.

Recovery

# /tmp/openclaw-recover.sh — if enforce breaks OpenClaw
pkill -f "chainwatch enforce"
pkill -f "openclaw-gateway"
sleep 3
nohup openclaw gateway run > /tmp/openclaw-recovery.log 2>&1 &
disown

Architecture

User ──► Telegram/Web
            │
            ▼
   chainwatch enforce (seccomp)
            │
            ▼
     OpenClaw Gateway
            │
            ├──► chainwatch intercept (:9999) ──► contextspectre proxy (:9997) ──► pastewatch proxy (:9998) ──► Anthropic API
            │         │                                  │                                  │
            │         └─ Tool call policy                └─ Noise stripping                 └─ Secret redaction
            │
            ├──► Agent shell ──► chainwatch exec (denylist)
            │
            ├──► File read/write ──► pastewatch MCP (secret redaction)
            │
            └──► Cron ──► noisepan pull + digest + entropia verify

   chainwatch observe (eBPF) ──► journald (audit trail)

What this protects

Layer	Protects against
Host hardening	Brute force, unauthorized SSH, open ports
Chainwatch denylist	rm -rf, sudo escalation, fork bombs, curl|sh
Chainwatch intercept	Non-bypassable API audit, tool call inspection
ContextSpectre proxy	Thinking blocks, duplicate system reminders, oversized content — stripped before billing
Pastewatch proxy + MCP	API keys, DB creds, SSH keys, emails, IPs leaking to LLM provider
eBPF enforce (seccomp)	Privilege escalation, kernel manipulation, ptrace — blocked at kernel level
eBPF observe	Full syscall audit trail for forensics
noisepan + entropia	Information blind spots, low-quality sources, missing critical news

What this does NOT protect

• Prompt content, business logic, and ideas still reach the LLM provider
• Provider policy changes are out of your control
• For full privacy: run a local model (Ollama) for sensitive workloads

Verify

# Host
ufw status && systemctl is-active fail2ban && grep PasswordAuthentication /etc/ssh/sshd_config

# Chainwatch
chainwatch doctor
chainwatch exec --profile clawbot -- echo "safe"    # ✅
chainwatch exec --profile clawbot -- rm -rf /       # ❌ blocked
systemctl status chainwatch-intercept

# Pastewatch
echo "sk-ant-api03-test" | pastewatch-cli scan      # should detect
mcporter list pastewatch --schema                    # 6 tools

# Noisepan
noisepan doctor --config ~/.noisepan
noisepan stats --config ~/.noisepan

---

OpenClaw Hardening Guide v1.0 Author: ppiankov Copyright © 2026 ppiankov Canonical source: https://clawhub.com/skills/openclaw-hardening License: MIT

This tool follows the Agent-Native CLI Convention. Validate with: clawhub install ancc && ancc validate .

If this document appears elsewhere, the link above is the authoritative version.