@jordanlyall
Created February 6, 2026 01:44
OpenClaw Security-First Setup Commands - Companion to my X article on hardening your AI agent setup

OpenClaw Security-First Setup Commands

Companion to: "How I Set Up OpenClaw Without Giving It the Keys to My Life"

Phase 1: Harden the Machine

Create Dedicated User

# "-password -" makes sysadminctl prompt for the password instead of taking it on the command line
sudo sysadminctl -addUser openclaw -password - -home /Users/openclaw

Enable Firewall with Stealth Mode

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

SSH Hardening (/etc/ssh/sshd_config)

PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
AllowUsers openclaw

After editing, restart SSH:

sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd

Install Tailscale

# Download from https://tailscale.com/download/mac
# Or via Homebrew:
brew install --cask tailscale

# Enable Tailscale SSH (do this BEFORE you leave the house)
tailscale up --ssh

Disable Unnecessary Services

System Settings > General > Sharing > Turn OFF:

  • Remote Management
  • Screen Sharing
  • File Sharing
  • AirDrop

Phase 2: Install OpenClaw

Prerequisites

# Homebrew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Node.js 22+
brew install node@22

Install OpenClaw

npm install -g clawdbot
clawdbot init

Lock Down API Key Permissions

chmod 700 ~/clawd/config/
chmod 600 ~/clawd/config/*.json

Command Allowlist (in OpenClaw config)

{
  "allowedCommands": [
    "curl",
    "cat",
    "ls",
    "echo",
    "node",
    "npx"
  ]
}

Phase 3: SOUL File Template

# SOUL.md

**Name:** [YOUR_AGENT_NAME]
**Role:** Research Monitor

## What You Do
- Monitor Twitter/X for keywords and accounts
- Track news in [YOUR_SPACE]
- Surface relevant opportunities, events, and discussions
- Send daily summaries and real-time alerts

## What You Don't Do
- Post, reply, or engage on any platform
- Send emails or messages to anyone other than me
- Make purchases or financial transactions
- Modify files outside your workspace
- Install new skills without approval

Phase 4: Security Verification

# Run security audit
clawdbot security audit

# Test from outside tailnet (should fail)
# 1. Disconnect from Tailscale on another device
# 2. Try to ping/SSH the machine's public IP
# 3. Both should fail
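
A local check to run alongside the audit above, as an added example (not part of the original gist or of OpenClaw's tooling): it confirms that the four Phase 1 sshd_config settings are the ones sshd will actually use, since sshd keeps the first value it reads for a keyword and a hardened line appended below an earlier conflicting one has no effect, and that the Phase 2 config directory and JSON files grant nothing to group or other. The function names and the script name verify.sh are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the Phase 1 sshd settings and Phase 2 file modes took effect.

# Effective global value of an sshd_config keyword. sshd keeps the FIRST value it
# reads for a keyword (AllowUsers lines accumulate instead); keywords are
# case-insensitive. Limitation: Include files and Match blocks are not evaluated.
sshd_effective() {  # $1 = keyword, $2 = config file
  awk -v key="$1" '
    BEGIN { key = tolower(key) }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    tolower($1) == "match" { exit }              # global section ends here
    tolower($1) != key { next }
    { $1 = ""; sub(/^ +/, "") }                  # keep only the argument(s)
    key == "allowusers" { out = out (out == "" ? "" : " ") $0; next }
    { print; exit }                              # first occurrence wins
    END { if (out != "") print out }
  ' "$2"
}

check_sshd() {  # $1 = config file; returns 0 only if all four page settings are effective
  rc=0
  while read -r key want; do
    got=$(sshd_effective "$key" "$1")
    if [ "$got" = "$want" ]; then echo "ok    $key $got"
    else echo "FAIL  $key: want '$want', effective '${got:-unset}'"; rc=1; fi
  done <<EOF
PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3
AllowUsers openclaw
EOF
  return $rc
}

# Succeeds when the path grants nothing to group or other (what chmod 700/600 give).
private_mode() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

check_perms() {  # $1 = config directory (the page uses ~/clawd/config)
  [ -d "$1" ] || { echo "FAIL  $1 missing"; return 1; }
  rc=0
  for p in "$1" "$1"/*.json; do
    [ -e "$p" ] || continue
    if private_mode "$p"; then echo "ok    $p"; else echo "FAIL  $p readable by group/other"; rc=1; fi
  done
  return $rc
}

# Usage: sh verify.sh /etc/ssh/sshd_config "$HOME/clawd/config"
if [ $# -eq 2 ]; then check_sshd "$1"; s=$?; check_perms "$2" || s=1; exit "$s"; fi
```

For the authoritative view, including any Include files, `sudo sshd -T` prints the configuration sshd will actually apply.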

Emergency Commands

Kill Switch

# Stop immediately
clawdbot gateway stop

# Or via Tailscale SSH from your laptop
ssh openclaw@[TAILSCALE_IP] 'clawdbot gateway stop'

Session Reset (for context overflow)

clawdbot sessions reset

Reminders

  • Rotate API keys monthly (set calendar reminder)
  • Document all tokens, scopes, and expiration dates
  • Enable Tailscale SSH before traveling
  • Run security audit after any config changes

Questions? @jordanlyall
