Security Model 🔴

As an AI Agent platform, OpenClaw faces multi-layer security threats: external attacks, prompt injection, tool abuse, data leakage. This chapter systematically covers OpenClaw's security defense architecture.

I. 5-Layer Defense Architecture

Layer 1: Network Authentication (Gateway Auth)

6 authentication methods (see the Auth System chapter). Production recommendation:

gateway:
  auth:
    mode: token
    token: "${env:GATEWAY_TOKEN}"
  allowTailscale: true  # Network-level isolation via Tailscale

Layer 2: Rate Limiting

const RATE_LIMIT = { maxAttempts: 20, windowMs: 60_000 };
// IP blocked after 20 failed auth attempts in 60 seconds

Layer 3: Tool Execution Security

Mechanism	Description
Approval Policy	bash and dangerous tools require user approval by default
Allowlist Mode	only permit pre-defined commands
Docker Sandbox	isolate execution in a container
Tool Enable/Disable	configure which tools an agent can use

agents:
  default:
    allowedTools:
      - read_file
      - write_file
      # bash not in list = not available
    settings:
      bashApprovalPolicy: approve-all  # require approval for every bash execution
      docker:
        enabled: true
        image: alpine:latest

Layer 4: Prompt Injection Protection

External content is wrapped with random-ID boundary markers (see Auth System chapter). The random ID in each wrapper prevents attackers from injecting fake boundary markers to escape the wrapper.

External content sources that trigger wrapping:

email — Gmail/email hooks
webhook — Webhook triggers
web_search — search results
web_fetch — URL-fetched content
browser — browser-scraped content

Layer 5: Secret Protection

Timing-safe comparison (security/secret-equal.ts):

// Uses crypto.timingSafeEqual — prevents timing attacks

Log sanitization: known secret values are automatically replaced with [REDACTED] before logging.

SecretRef memory protection: Secret values exist as sealed objects in memory, cannot be serialized by JSON.stringify.

II. Docker Sandbox (Advanced Security)

For high-security environments, enable Docker sandbox to isolate all bash execution:

agents:
  default:
    settings:
      docker:
        enabled: true
        image: 'ubuntu:22.04'
        workspaceMount: '/workspace'
        resourceLimits:
          memory: '512m'
          cpus: '1.0'

III. Channel-Level Security

Channel plugins implement ChannelSecurityAdapter for platform-specific access control:

channels:
  telegram:
    allowlist:
      userIds: ["123456789", "987654321"]  # only these users

Key Source Files

File	Size	Role
`src/gateway/auth.ts`	18KB	Gateway authentication
`src/security/external-content.ts`	364 lines	Prompt injection protection
`src/security/secret-equal.ts`	-	Timing-safe secret comparison
`src/agents/bash-tools.exec-approval-request.ts`	7.5KB	Tool execution approval

Summary

5-layer defense: network auth → rate limiting → tool security → prompt injection → secret protection.
Out-of-box security: auth, rate limiting, tool approval work with default configuration.
Prompt injection core defense: random-ID boundary markers prevent fake boundary injection.
Docker sandbox is strongest: complete isolation from host system for high-security deployments.
Multi-layer secret protection: SecretRef syntax + memory sealing + log sanitization + timing-safe comparison.

← Memory & MCP | → Skill System