OpenClaw can do a lot, here's how to make it secure

Mateo Torres
FEBRUARY 4, 2026
TUTORIALS

OpenClaw (a.k.a. Moltbot, a.k.a. ClawdBot) quickly became one of the most popular open-source agentic harnesses, gaining significant traction within days of release.

Its creator, Peter Steinberger, known for PSPDFKit, has been building relentlessly, channeling his energy into the potential of AI agents.

OpenClaw approaches the idea of a personal AI agent as a harness: it talks to you (or to multiple users) over any of the supported channels, across multiple sessions, and connects those sessions to the underlying computer through a gateway, which is ultimately responsible for running and maintaining your personal AI.

A super entertaining narration of the important events is available on OpenClaw's Lore doc page (worth a read!).

A security nightmare

As excitement grew around what could shape the future of personal AI assistants, many users began running OpenClaw without giving much thought to security. The consequences were predictable, and serious.

As this TechCrunch article points out:

Right now, running Moltbot safely means running it on a separate computer with throwaway accounts, which defeats the purpose of having a useful AI assistant. And fixing that security-versus-utility trade-off may require solutions that are beyond Steinberger’s control.

The root cause is what Simon Willison calls the lethal trifecta: the inherently dangerous combination of an LLM-based system that has all three of the following:

  • Access to your private data
  • Exposure to untrusted content
  • The ability to externally communicate

As Simon explains:

LLMs are unable to reliably distinguish the importance of instructions based on where they came from. Everything eventually gets glued together into a sequence of tokens and fed to the model.

With "Full System Access" and "Browser Control" as flagship features, OpenClaw checks all three boxes.

Securing OpenClaw

OpenClaw doesn't have to be limited to throwaway accounts though. Since it blew up, security has been one of the main focus points of OpenClaw's development, and you can leverage some of that today to get a much safer setup in the harness. While this still requires you to be technically savvy, you can:

  • Use OpenClaw's tool policies to control which user and/or agent gets access to specific tools
  • Run it in a Sandbox
  • Use exec approvals to implement human-in-the-loop for specific tools that may have undesired side-effects
  • Use a detached tool-calling runtime like Arcade, so that the credentials for the services the agent acts on are held by Arcade and never stored in the harness, where a compromised agent could read them

Here's how to set up that last point in your OpenClaw instance:

First, clone the Arcade plugin:

git clone --depth 1 https://github.com/ArcadeAI/openclaw-arcade-plugin /tmp/openclaw-arcade

Then, install it into your OpenClaw gateway:

openclaw plugins install /tmp/openclaw-arcade/arcade

Go to your Arcade Dashboard to get an API key, copy it, and run this command to configure it (note that a key passed on the command line ends up in your shell history, and this one is persisted in OpenClaw's stored config, so treat both as secrets):

openclaw config set plugins.entries.arcade.config.apiKey "{your_arcade_api_key}"

And this one to configure your Arcade User ID (this is the email you used to sign up to Arcade):

openclaw config set plugins.entries.arcade.config.user_id "{your_arcade_user_id}"

Once the Arcade plugin is configured, initialize it to load all the tools, then restart the OpenClaw gateway:

openclaw arcade init
openclaw gateway restart

Now OpenClaw has access to 7,000+ tools, with the tokens for those services handled by Arcade rather than by the harness. What the agent can no longer do is read and exfiltrate those credentials. It can still call the tools on your behalf, so a prompt injection that lands in its context is still a risk and the tool policies and exec approvals above still apply; and the one secret that does live in the harness is the Arcade API key you just configured, so protect it accordingly.
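Here is the same procedure as one script, added here as an example rather than anything shipped by OpenClaw or Arcade. The openclaw commands and config keys are the ones from the steps above; the environment variable names ARCADE_API_KEY and ARCADE_USER_ID, the DRY_RUN switch, the file name setup-arcade.sh and the validation rules are my own choices. It reads the key from a hidden prompt (or the environment) instead of the command line so it never lands in shell history, sanity-checks both values before touching the gateway, and can print a redacted dry run for review.

```shell
#!/bin/sh
# Added example (not from the OpenClaw or Arcade projects). Wraps the manual
# setup steps with the checks a practitioner wants before pasting a secret.
# Assumed names: ARCADE_API_KEY, ARCADE_USER_ID, DRY_RUN, PLUGIN_DIR.

PLUGIN_REPO="https://github.com/ArcadeAI/openclaw-arcade-plugin"
PLUGIN_DIR="${PLUGIN_DIR:-/tmp/openclaw-arcade}"

# Run a command, or with DRY_RUN=1 print it with the API key masked so the
# plan can be reviewed (or logged) without leaking the secret.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    for arg in "$@"; do
      if [ -n "$ARCADE_API_KEY" ] && [ "$arg" = "$ARCADE_API_KEY" ]; then
        printf '%s ' '<redacted>'
      else
        printf '%s ' "$arg"
      fi
    done
    printf '\n'
  else
    "$@"
  fi
}

# The Arcade user id is the signup email, so require something@host.tld.
valid_user_id() {
  case "$1" in
    ?*@?*.?*) return 0 ;;
    *) return 1 ;;
  esac
}

# A pasted key with a stray newline or space fails silently later, so reject it now.
valid_api_key() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# The manual steps from the tutorial, in order, each aborting the run on failure.
setup_arcade_plugin() {
  valid_api_key "$ARCADE_API_KEY" || { echo "ARCADE_API_KEY is empty or contains whitespace" >&2; return 2; }
  valid_user_id "$ARCADE_USER_ID" || { echo "ARCADE_USER_ID must be the email used to sign up to Arcade" >&2; return 2; }

  run git clone --depth 1 "$PLUGIN_REPO" "$PLUGIN_DIR" || return 1
  run openclaw plugins install "$PLUGIN_DIR/arcade" || return 1
  run openclaw config set plugins.entries.arcade.config.apiKey "$ARCADE_API_KEY" || return 1
  run openclaw config set plugins.entries.arcade.config.user_id "$ARCADE_USER_ID" || return 1
  run openclaw arcade init || return 1
  run openclaw gateway restart || return 1
}

# Usage:  ARCADE_USER_ID=you@example.com ./setup-arcade.sh
# The key is read from a no-echo prompt unless already in the environment, so
# it is never typed on a command line that an interactive shell would record.
# The setup only runs when the script is executed under its own name.
case "$0" in
  *setup-arcade.sh)
    if [ -z "$ARCADE_API_KEY" ]; then
      printf 'Arcade API key: '; stty -echo; read -r ARCADE_API_KEY; stty echo; printf '\n'
      export ARCADE_API_KEY
    fi
    setup_arcade_plugin
    ;;
esac
```

Run it with DRY_RUN=1 first to review the six commands with the key masked. The key is still handed to openclaw config set as an argument, exactly as in the manual step, so it is briefly visible in the process list; the script removes the shell-history exposure, not that one.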

Here's a screenshot of how this works when I talk to the Telegram bot connected to my OpenClaw instance:

Final tips

Even with these precautions, OpenClaw is still early-adopter territory. Make sure to run it in a sandbox, on a VPS, or even on a dedicated computer. If you're sharing files with OpenClaw, set up guardrails around the tools it can use, and be mindful of which accounts you log into in the browser it can control.

