Your Agent Has Access to Everything on That Server — Act Accordingly
March 2026

🦞
Securing Your Secrets
API Keys, Passwords & PII

OpenClaw can read files, run commands, and talk to the internet. If your API keys, passwords, or personal data are sitting on that server unprotected, they're one bad prompt away from being somewhere you never intended. This guide covers what actually goes wrong and how to prevent it.

Let's Lock It Down
01 / Why This Matters

This Is Not Theoretical

OpenClaw is powerful because it can read files, execute commands, and interact with external services on your behalf. That same power means anything stored on your server — API keys, passwords, personal documents — is accessible to the agent. And if the agent can access it, so can anyone who finds a way to manipulate it.

This isn't a hypothetical risk. In the first few months of 2026, thousands of real people lost real credentials because they treated their OpenClaw server like a personal laptop instead of what it actually is: an internet-connected machine running an autonomous AI agent.

What's Already Gone Wrong

These are not scare stories. These are documented incidents from early 2026, all involving OpenClaw or its predecessors (ClawdBot / MoltBot):

CVE-202625253
A critical vulnerability (CVSS 8.8) in the OpenClaw gateway that allowed remote code execution through a leaked gateway token. One click, full server access. Patched, but only if you updated.
ClawHavoc341 skills
Security researchers found 341 malicious skills in the ClawHub marketplace designed to silently exfiltrate API keys and credentials. Some had thousands of installs before they were caught.
Moltbook1.5M keys
A public database exposure leaked 1.5 million API keys from MoltBot users. Keys for OpenAI, Anthropic, AWS, Stripe, and other services — all in plaintext, all usable by anyone who found them.
Exposed42,665
A scan in early 2026 found 42,665 OpenClaw instances exposed to the public internet. Of those, 93.4% had authentication bypassed entirely. Anyone could send commands to those agents as if they were the owner.
The pattern is always the same. Someone gets OpenClaw running, it works, they're excited, and they never go back to lock things down. The credentials sit in plaintext config files. The server is exposed. A skill or prompt injection reads the files and sends them somewhere else. By the time you notice, someone has been running workloads on your OpenAI key for weeks.

Why You Should Care — Even If You're "Just Testing"

Your OpenAI API key has a credit card behind it. Your AWS credentials can spin up instances that cost real money. Your email credentials can send messages as you. Even a "test" server with "just one API key" is a financial liability if that key leaks.

The good news: securing your secrets is not complicated. It takes maybe 15 minutes to do it right, and once it's done, you don't have to think about it again. The rest of this guide shows you exactly how.

02 / How Secrets Leak

The Three Ways Your Credentials Get Stolen

Understanding how secrets actually leak helps you understand why the fixes work. There are three main attack vectors, and they're all straightforward once you see them.

1. Prompt Injection

This is the big one. Your agent reads content from the web, from files, from messages. If an attacker embeds instructions in that content — a webpage, a document, even a cleverly worded Discord message — your agent might follow those instructions instead of yours.

A prompt injection can tell your agent to read ~/.openclaw/openclaw.json, extract the API keys, and send them to an external URL. If your keys are sitting in that file in plaintext, they're gone. The agent doesn't know it's being manipulated — it just follows instructions.

📝 What the attacker sees in your config
# This is what you do NOT want in plaintext:
"openai_api_key": "sk-proj-abc123...",
"discord_token": "MTI2NTk4...",
"aws_access_key": "AKIA..."
If the agent can read it, an injection can exfiltrate it. The only real defense is making sure the secrets aren't readable in the first place — or at least aren't stored as plaintext strings in files the agent has access to.

2. Malicious Skills

Skills are code that runs on your server with the same permissions as OpenClaw itself. A malicious skill can read any file OpenClaw can read, make network requests, and quietly send your credentials to an external server without you ever seeing it happen.

The ClawHavoc report found that 7.1% of skills audited were leaking credentials — some intentionally, some through sloppy code that logged secrets to files or sent them in error reports. Either way, your keys end up somewhere you didn't put them.

Checkfirst
Only install skills with high install counts, recent updates, and visible source code on GitHub. If you can't read the code, don't install it.
Watchnetwork
A skill that needs to "phone home" to a random domain is a red flag. Legitimate skills call well-known APIs — not data-collect.sketchy-domain.io.

3. Exposed Instances

If your OpenClaw dashboard or gateway is accessible from the public internet without authentication, anyone can talk to your agent. They don't need to hack anything — they just visit the URL and start sending commands. Automated scanners find these instances within hours of them going live.

The 42,665 exposed instances found in early 2026 weren't all misconfigured by amateurs. Many were experienced developers who simply forgot to lock down one port, skipped the auth setup, or assumed their obscure IP address was "security enough." It's not. Scanners don't care how obscure your IP is.

The EC2 tutorial covers this. If you followed the AWS EC2 Setup guide, your firewall rules and SSH hardening are already in place. This section is about the layer on top of that — making sure that even if someone gets through, there's nothing valuable to steal.
03 / Environment Variables

Stop Putting Secrets in Config Files

The single most impactful thing you can do right now is move your secrets out of openclaw.json and into environment variables. It takes five minutes and it eliminates the most common way credentials get leaked.

Why Environment Variables?

When a secret is in a config file, it can be read by anything that can read files — including your agent, any skill you install, and anyone who gains access to your server. Environment variables live in process memory instead. They're available to OpenClaw at runtime but they're not sitting in a file waiting to be read, copied, or accidentally committed to Git.

This isn't perfect security — a determined attacker with shell access can still read environment variables. But it eliminates the casual, accidental, and automated ways secrets get exposed, which is where the vast majority of real-world leaks come from.

How to Do It

Create a file that sets your secrets as environment variables, then tell OpenClaw to read them from the environment instead of the config file.

☁️ AWS EC2
# Create an environment file (restricted permissions)
sudo nano /etc/openclaw/secrets.env

Add your secrets in KEY=value format:

📝 /etc/openclaw/secrets.env
OPENAI_API_KEY=sk-proj-your-actual-key-here
DISCORD_BOT_TOKEN=MTI2NTk4your-actual-token-here
ANTHROPIC_API_KEY=sk-ant-your-key-here

Lock down the file immediately:

☁️ AWS EC2
# Only root can read this file
sudo chmod 600 /etc/openclaw/secrets.env
sudo chown root:root /etc/openclaw/secrets.env

Now update your OpenClaw config to reference environment variables instead of hardcoded values. In openclaw.json, replace the actual keys with environment variable references:

📝 openclaw.json — before (bad)
"openai_api_key": "sk-proj-abc123def456..."
📝 openclaw.json — after (good)
"openai_api_key": "${OPENAI_API_KEY}"

If you're running OpenClaw via systemd (which the EC2 tutorial sets up), add the environment file to your service:

☁️ AWS EC2
# Edit the systemd service file
sudo systemctl edit openclaw

# Add this line under [Service]:
EnvironmentFile=/etc/openclaw/secrets.env

# Reload and restart
sudo systemctl daemon-reload
sudo systemctl restart openclaw
Done. Your secrets are now loaded from a root-owned file that OpenClaw's process can read at startup, but that isn't sitting in a config file for anyone (or any skill) to casually browse. This alone prevents the most common credential leak scenarios.

What About .env Files in the OpenClaw Directory?

You'll see some guides suggest putting a .env file in ~/.openclaw/. That's better than hardcoding secrets in the config, but it's still in a directory the agent can read. Putting the secrets file in /etc/openclaw/ with root-only permissions keeps it outside the agent's normal reach.

04 / File Permissions

Lock Down What's Already There

Environment variables handle your main secrets. But your OpenClaw directory still contains config files, memory files, and logs that shouldn't be world-readable. A few quick permission changes close that gap.

The Permissions That Matter

Linux file permissions control who can read, write, and execute files. The numbers work like this: 700 means only the owner can do anything. 600 means only the owner can read and write (no execute). These are what you want for anything sensitive.

☁️ AWS EC2
# Lock down the entire OpenClaw config directory
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/*.json
chmod 600 ~/.openclaw/*.md

# Lock down any key files
chmod 600 ~/.openclaw/*.pem 2>/dev/null
chmod 600 ~/.openclaw/*.key 2>/dev/null
700dirs
Directories should be 700 — only the owner can list contents, enter the directory, or create files inside it.
600files
Sensitive files should be 600 — only the owner can read or write them. No one else on the system can even see their contents.
Never777
777 means everyone can do everything. If you see this on any file related to OpenClaw, fix it immediately. There is no legitimate reason for it.

Check What You Have Right Now

Run this to see the current permissions on your OpenClaw files:

☁️ AWS EC2
ls -la ~/.openclaw/

You're looking at the left column. You want to see -rw------- for files (that's 600) and drwx------ for directories (that's 700). If you see -rw-r--r-- or worse, other users on the system can read those files.

Quick reference:
-rw------- = 600 (owner read/write only) ✔
-rw-r--r-- = 644 (everyone can read) ✘
-rwxrwxrwx = 777 (everyone can do everything) ✘✘✘

SSH Keys Deserve Special Attention

If you have SSH keys on this server (you probably do if you followed the EC2 tutorial), make sure they're locked down too:

☁️ AWS EC2
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_* 2>/dev/null

SSH actually refuses to use key files with loose permissions — but it's good practice to verify this rather than discover it when you can't log in.

05 / Secret Managers

When Environment Variables Aren't Enough

Environment variables are a great first step. But if you're running OpenClaw in a business context, managing multiple agents, or just want proper secrets infrastructure, a dedicated secret manager is the next level. Here's when and why to use one.

What a Secret Manager Does

A secret manager stores your credentials in an encrypted vault, controls who can access them, logs every access, and can rotate them automatically. Instead of your application knowing the secret, it knows how to ask for the secret — and that request is authenticated, logged, and revocable.

AWSSecrets
AWS Secrets Manager — if you're already on AWS (and you are if you followed the EC2 tutorial), this is the natural choice. Integrates with IAM roles so your EC2 instance can retrieve secrets without storing credentials locally at all. About $0.40/secret/month.
AWSSSM
AWS Systems Manager Parameter Store — free for standard parameters, and simpler than Secrets Manager if you don't need rotation. Good for smaller setups.
HashiVault
HashiCorp Vault — the industry standard for self-hosted secrets management. Powerful but more complex to set up. Worth it if you're managing multiple servers or services.
1PassCLI
1Password CLI (op) — if you already use 1Password, their CLI tool can inject secrets into environment variables at runtime. Surprisingly practical for personal setups.

AWS Parameter Store — Quick Setup

Since you're already on AWS, here's the fastest path to proper secrets management using the free Parameter Store:

☁️ AWS EC2
# Store a secret in Parameter Store (run from your EC2 instance)
aws ssm put-parameter \
  --name "/openclaw/openai-api-key" \
  --value "sk-proj-your-key-here" \
  --type SecureString

# Retrieve it later
aws ssm get-parameter \
  --name "/openclaw/openai-api-key" \
  --with-decryption \
  --query "Parameter.Value" \
  --output text
This requires an IAM role. Your EC2 instance needs an IAM role with ssm:GetParameter permission. If you haven't set one up, the environment variable approach from the previous section is perfectly fine for personal use. Parameter Store is a "level up" for when you're ready.

Do You Need This?

For a personal OpenClaw instance with a few API keys, environment variables in a root-owned file are genuinely sufficient. A secret manager becomes worth the setup when:

  • You're running OpenClaw for a business or team
  • You have more than a handful of secrets to manage
  • You need audit logs of who accessed which secret and when
  • You want automatic key rotation
  • Multiple services or servers need the same credentials

If none of those apply to you right now, skip this section and come back when they do. The environment variable approach is solid.

06 / OpenClaw Security Audit

Let OpenClaw Check Itself

OpenClaw ships with a built-in security audit tool that checks for common misconfigurations — exposed credentials, weak permissions, risky settings, and known vulnerabilities. Run it. It takes seconds and it might catch something you missed.

Running the Audit

☁️ AWS EC2
# Run the full security audit
openclaw security audit

The audit checks for:

Credscheck
Scans config files for plaintext API keys, tokens, and passwords. Flags anything that looks like a hardcoded secret.
Permscheck
Verifies file and directory permissions on the OpenClaw directory and config files. Warns about anything too permissive.
Networkcheck
Checks whether the gateway or dashboard is exposed to the public internet without authentication.
Skillscheck
Reviews installed skills for known malicious packages and flags any with suspicious network behavior or file access patterns.

What to Do With the Results

The audit outputs findings in three categories:

🔴Critical
Fix immediately. These are active vulnerabilities — plaintext credentials, exposed endpoints, or known-malicious skills.
🟡Warning
Fix soon. These are misconfigurations that increase your risk — loose file permissions, deprecated settings, unpatched versions.
🟢Info
Good to know. Suggestions for improvement that aren't urgent but are worth considering.
Run this regularly. Make it a habit — once a week, or after installing any new skill. You can also add it to a cron job:
openclaw cron add → schedule openclaw security audit weekly

Other Useful Security Commands

☁️ AWS EC2
# Check OpenClaw version (keep it current)
openclaw version

# Update to the latest version
openclaw update

# Check system health
openclaw doctor

# Review installed skills
openclaw skills list

Keeping OpenClaw updated is security. The CVE-2026-25253 vulnerability was patched quickly, but only helped people who actually ran the update. A quick openclaw update once a week keeps you covered.

07 / Protecting PII

Keep Personal Data Off the Server

API keys aren't the only thing worth protecting. If your OpenClaw server has access to personal information — names, addresses, financial records, health data, anything that identifies a real person — that data is at risk too. The simplest defense is also the most effective: don't put it there in the first place.

The Rule Is Simple

Your OpenClaw server should run OpenClaw. That's it. It should not also be your:

  • File server for personal documents
  • Backup location for tax returns or financial records
  • Storage for client databases or customer information
  • Home for password manager exports or credential dumps
  • Repository for personal photos, medical records, or legal documents

Every file on that server is potentially accessible to the agent and, by extension, to anything that can manipulate the agent. The less personal data on the machine, the less there is to steal.

What If OpenClaw Needs to Work With Personal Data?

Sometimes your agent genuinely needs access to information that's sensitive — customer names for a CRM workflow, addresses for shipping automation, that kind of thing. When that's the case:

UseAPIs
Access the data through an API rather than storing it locally. The agent calls the API when it needs the data and doesn't keep a local copy. This limits exposure to the moment of use.
Limitscope
Give the agent access only to the specific data it needs. If it's automating shipping, it needs addresses — not full customer profiles with payment information. Scope API permissions accordingly.
Cleanup
If the agent does create temporary files with personal data (exports, reports, cached results), make sure they're cleaned up automatically. Don't let PII accumulate in log files or temp directories.
Auditlogs
Know what data the agent is accessing and when. OpenClaw's logs can tell you what commands ran and what files were read. Review them periodically if you're working with sensitive data.

SOUL.md Is Your First Line of Defense

Your SOUL.md file can include explicit rules about handling personal data. These aren't bulletproof against prompt injection, but they set the baseline for how your agent behaves under normal operation:

📝 SOUL.md — PII rules
# Data Handling Rules
- Never store personal information in logs or memory files
- Never send PII (names, emails, addresses, phone numbers) to external services
  without explicit confirmation
- Never read files outside of ~/.openclaw/ unless specifically asked
- If you encounter what looks like credentials or personal data in a file,
  do NOT include it in your response — just note that the file contains
  sensitive content
Defense in depth. SOUL.md rules, file permissions, environment variables, and network hardening all work together. No single layer is perfect. The point is that an attacker has to get through all of them, not just one.
08 / Security Checklist

The Quick Version

Everything from this guide, condensed into a checklist you can run through in 15 minutes. If you do nothing else, do these.

The Non-Negotiables

Do it
Move secrets to environment variables. No API keys, tokens, or passwords in openclaw.json or any config file. Use /etc/openclaw/secrets.env with chmod 600.
Do it
Lock file permissions. chmod 700 on directories, chmod 600 on config files and keys. Run ls -la ~/.openclaw/ and fix anything that's not -rw-------.
Do it
Run openclaw security audit. Fix everything marked critical. Address warnings within a week.
Do it
Keep OpenClaw updated. Run openclaw update weekly. Security patches only help if you install them.
Do it
Keep personal data off the server. No tax returns, no password exports, no client databases. The server runs OpenClaw. That's it.

Worth Doing When You Have Time

Good
Vet every skill before installing. Check install counts, read the source code, and watch for suspicious network calls.
Good
Add PII rules to SOUL.md. Tell your agent to never store personal information in logs, never send PII to external services without confirmation.
Good
Schedule a weekly security audit. Use openclaw cron add to run openclaw security audit automatically and send results to Discord.
Good
Consider AWS Parameter Store or a secret manager if you're running this for a business or managing multiple secrets across services.

Further Reading

If you want to go deeper on any of these topics, these are worth your time:

15 minutes, seriously. If you've read this far, you can secure your setup in the time it takes to drink a cup of coffee. Move your secrets to env vars, lock your permissions, run the audit, and keep things updated. That puts you ahead of the vast majority of OpenClaw installations out there — and it means you can actually enjoy using your agent without worrying about what you've left exposed. 🦞

If this guide helped, share it with someone who's running OpenClaw without thinking about this stuff. And if you're feeling generous:

→ buymeacoffee.com/crosshilldesign