OpenClaw Hardening
Secure your OpenClaw server in four layers: host, commands, secrets, awareness.
Prerequisites
- - OpenClaw installed and running
- Root/sudo access
- Linux (amd64)
Layer 1: Host Hardening (2 min)
CODEBLOCK0
Layer 2: Chainwatch — Command Safety (5 min)
Chainwatch blocks destructive commands (rm -rf /, sudo su, curl|sh, fork bombs) and routes all LLM API traffic through an intercept proxy.
Install
CODEBLOCK1
This one-liner does everything: installs chainwatch, creates clawbot profile, sets up intercept proxy as systemd service, configures ANTHROPICBASEURL, hardens the host.
Manual install
CODEBLOCK2
Then set the env var so OpenClaw routes through the proxy:
CODEBLOCK3
For other providers, change --upstream:
- - OpenAI:
--upstream https://api.openai.com + set �INLINECODE1 - Custom: �INLINECODE2
Usage
Route risky commands through chainwatch:
CODEBLOCK4
Safe read-only commands (ls, cat, grep, git status) don't need the wrapper.
What gets blocked
| Blocked | Allowed |
|---|
| INLINECODE3�, �INLINECODE4 | INLINECODE5 |
| INLINECODE6�, �INLINECODE7 |
mkdir,
cp,
mv |
|
dd if=/dev/zero |
curl https://safe-url |
|
curl \| sh |
apt install,
npm install |
|
chmod -R 777 / |
chmod 600 specific-file |
| Fork bombs |
systemctl status |
Key lesson
INLINECODE19� mode is too aggressive for agents — it blocks mkdir, cp, touch. Use advisory mode with the denylist. The denylist catches catastrophic commands, advisory logs everything else.
Layer 3: Pastewatch — Secret Redaction (3 min)
Pastewatch prevents secrets (API keys, DB credentials, SSH keys, emails, IPs) from reaching the LLM API. The agent works with placeholders, secrets stay local.
Install
CODEBLOCK5
MCP server setup
CODEBLOCK6
MCP tools
| Tool | Purpose |
|---|
| INLINECODE21 | Read file, secrets → __PW{TYPE_N}__ placeholders |
| INLINECODE23 |
Write file, placeholders → real values restored locally |
|
pastewatch_check_output | Verify text has no raw secrets before returning |
|
pastewatch_scan | Scan text for sensitive data |
|
pastewatch_scan_file | Scan a file |
|
pastewatch_scan_dir | Scan directory recursively |
How it works
CODEBLOCK7
What it detects
29 types: AWS keys, Anthropic keys, OpenAI keys, DB connections, SSH keys, JWTs, emails, IPs, credit cards, Slack/Discord webhooks, Azure connections, GCP service accounts, npm/PyPI/RubyGems tokens, Telegram bot tokens, and more.
Deterministic regex. No ML. No API calls. Microseconds per scan.
Audit log
CODEBLOCK8
Logs timestamps, tool calls, file paths, redaction counts. Never logs secret values.
Layer 4: News Intelligence (10 min)
Stay informed without doomscrolling. noisepan scores RSS feeds by relevance, entropia verifies source quality.
Install
CODEBLOCK9
Configure feeds
Edit ~/.noisepan/config.yaml — add RSS feeds relevant to your work. Example categories:
- - Security: r/netsec, Krebs, BleepingComputer, CISA advisories, NVD
- DevOps: r/devops, r/kubernetes, Cloudflare blog, AWS status
- AI/LLM: r/LocalLLaMA, r/ClaudeAI, Simon Willison, arXiv cs.AI
- World: BBC, r/worldnews, r/geopolitics, EFF
- HN: Built-in via �INLINECODE29
Reddit rate limiting
With 15+ Reddit feeds, parallel fetching triggers 429s. Create a wrapper:
CODEBLOCK10
Daily digest cron
Set up two cron jobs in OpenClaw:
- - Morning (07:00):
noisepan pull → noisepan digest --format json → entropia scan top items → send table - Afternoon (18:00): Same with �INLINECODE32
Format:
CODEBLOCK11
Key lessons
- -
noisepan doctor catches stale feeds and all-ignored channels - INLINECODE34� shows signal-to-noise per channel — prune after 30 days
- INLINECODE35� recomputes scores after taste profile changes
- entropia Support Index < 40 = don't trust it
- HN RSS is too shallow — use native
sources.hn or hn-top script for blind spot detection - Add policy/sovereignty/antitrust/AI safety keywords to taste profile or real stories get buried under security noise
Layer 5: eBPF Enforce — Kernel-Level Containment (3 min)
Chainwatch enforce applies seccomp-bpf filters to OpenClaw's process tree. Blocked syscalls (privilege escalation, kernel manipulation) return EPERM at kernel level — no userspace bypass possible.
Setup
Create the openclaw profile:
CODEBLOCK12
Verify profile
CODEBLOCK13
Launch OpenClaw under enforce
CODEBLOCK14
Systemd service
CODEBLOCK15
CODEBLOCK16
eBPF observe (audit companion)
CODEBLOCK17
Observe logs every syscall (execve, openat, connect, etc.) to journald without blocking.
What gets blocked at kernel level
| Blocked (EPERM) | Why |
|---|
| setuid, setgid, setresuid, capset | No privilege escalation |
| mount, umount2, pivot_root |
No filesystem remounting |
| ptrace, process
vmreadv | No debug/memory inspection |
| reboot, kexec_load | No system shutdown |
| init
module, deletemodule | No kernel modules |
Key lesson
INLINECODE39� breaks under enforce (it needs setresuid). Use direct root commands or run the service as root. This is a feature, not a bug — if the agent can't sudo, neither can an attacker who compromises it.
Recovery
CODEBLOCK18
Architecture
CODEBLOCK19
What this protects
| Layer | Protects against |
|---|
| Host hardening | Brute force, unauthorized SSH, open ports |
| Chainwatch denylist |
rm -rf, sudo escalation, fork bombs, curl\|sh |
| Chainwatch intercept | Non-bypassable API audit, tool call inspection |
| ContextSpectre proxy | Thinking blocks, duplicate system reminders, oversized content — stripped before billing |
| Pastewatch proxy + MCP | API keys, DB creds, SSH keys, emails, IPs leaking to LLM provider |
| eBPF enforce (seccomp) | Privilege escalation, kernel manipulation, ptrace — blocked at kernel level |
| eBPF observe | Full syscall audit trail for forensics |
| noisepan + entropia | Information blind spots, low-quality sources, missing critical news |
What this does NOT protect
- - Prompt content, business logic, and ideas still reach the LLM provider
- Provider policy changes are out of your control
- For full privacy: run a local model (Ollama) for sensitive workloads
Verify
CODEBLOCK20�
OpenClaw Hardening Guide v1.0
Author: ppiankov
Copyright © 2026 ppiankov
Canonical source: https://clawhub.com/skills/openclaw-hardening
License: MIT
This tool follows the Agent-Native CLI Convention. Validate with: �INLINECODE40
If this document appears elsewhere, the link above is the authoritative version.
OpenClaw 加固
在四个层面保护您的 OpenClaw 服务器:主机、命令、机密、感知。
前置条件
- - 已安装并运行 OpenClaw
- 拥有 root/sudo 访问权限
- Linux (amd64)
第1层:主机加固(2分钟)
bash
SSH:仅密钥登录,禁止root密码登录
sed -i s/^#
PermitRootLogin./PermitRootLogin prohibit-password/ /etc/ssh/sshd_config
sed -i s/^#
PasswordAuthentication./PasswordAuthentication no/ /etc/ssh/sshd_config
systemctl restart ssh
防火墙:除SSH外拒绝所有连接
ufw default deny incoming && ufw default allow outgoing && ufw allow ssh && yes | ufw enable
暴力破解防护
apt-get install -y fail2ban && systemctl enable --now fail2ban
锁定凭据
chmod 700 ~/.openclaw/credentials
第2层:Chainwatch — 命令安全(5分钟)
Chainwatch 可拦截破坏性命令(rm -rf /、sudo su、curl|sh、fork炸弹),并通过拦截代理路由所有 LLM API 流量。
安装
bash
curl -fsSL https://raw.githubusercontent.com/ppiankov/chainwatch/main/scripts/install-openclaw.sh | sudo bash
这一行命令完成所有操作:安装 chainwatch、创建 clawbot 配置文件、将拦截代理设置为 systemd 服务、配置 ANTHROPICBASEURL、加固主机。
手动安装
bash
二进制文件
curl -sL https://github.com/ppiankov/chainwatch/releases/latest/download/chainwatch-linux-amd64 \
-o /usr/local/bin/chainwatch && chmod +x /usr/local/bin/chainwatch
使用建议模式初始化(黑名单拦截危险操作,记录其他所有操作)
chainwatch init --profile clawbot
sed -i s/^enforcement
mode: guarded/enforcementmode: advisory/ ~/.chainwatch/policy.yaml
安装技能
mkdir -p ~/.openclaw/skills/chainwatch
curl -fsSL https://raw.githubusercontent.com/ppiankov/chainwatch/main/integrations/openclaw/skill/SKILL.md \
-o ~/.openclaw/skills/chainwatch/SKILL.md
拦截代理(不可绕过 — 位于 OpenClaw 和 LLM API 之间)
cat > /etc/systemd/system/chainwatch-intercept.service << EOF
[Unit]
Description=Chainwatch 拦截代理
After=network-online.target
Before=openclaw-gateway.service
[Service]
Type=simple
ExecStart=/usr/local/bin/chainwatch intercept --port 9999 --upstream https://api.anthropic.com --profile clawbot --audit-log /var/log/chainwatch/intercept-audit.jsonl
Restart=always
RestartSec=3
User=root
Environment=HOME=/root
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/var/log/chainwatch
MemoryMax=256M
[Install]
WantedBy=multi-user.target
EOF
mkdir -p /var/log/chainwatch
systemctl daemon-reload && systemctl enable --now chainwatch-intercept
然后设置环境变量,使 OpenClaw 通过代理路由:
bash
添加到 openclaw 配置:
env: { vars: { ANTHROPICBASEURL: http://localhost:9999 } }
然后重启网关
对于其他提供商,更改 --upstream:
- - OpenAI:--upstream https://api.openai.com + 设置 OPENAIBASEURL
- 自定义:--upstream https://your-provider.com
使用
通过 chainwatch 路由风险命令:
bash
chainwatch exec --profile clawbot -- rm -rf /tmp/old-data # 已检查
chainwatch exec --profile clawbot -- git push --force # 已检查
安全的只读命令(ls、cat、grep、git status)无需包装器。
拦截内容
| 已拦截 | 已允许 |
|---|
| rm -rf /、rm -rf ~ | rm -f /tmp/file |
| sudo su、sudo -i |
mkdir、cp、mv |
| dd if=/dev/zero | curl https://safe-url |
| curl \| sh | apt install、npm install |
| chmod -R 777 / | chmod 600 specific-file |
| Fork 炸弹 | systemctl status |
关键经验
guarded 模式对代理来说过于激进 — 它会拦截 mkdir、cp、touch。请使用带黑名单的 advisory 模式。黑名单可捕获灾难性命令,建议模式记录其他所有操作。
第3层:Pastewatch — 机密信息编辑(3分钟)
Pastewatch 可防止机密信息(API 密钥、数据库凭据、SSH 密钥、电子邮件、IP 地址)到达 LLM API。代理使用占位符工作,机密信息保留在本地。
安装
bash
二进制文件(Linux 上需要 Swift 5.9.2 运行时)
curl -fsSL https://github.com/ppiankov/pastewatch/releases/latest/download/pastewatch-cli-linux-amd64 \
-o /usr/local/bin/pastewatch-cli && chmod +x /usr/local/bin/pastewatch-cli
如果缺少 Swift 运行时:
cd /tmp
curl -fsSL https://download.swift.org/swift-5.9.2-release/ubuntu2204/swift-5.9.2-RELEASE/swift-5.9.2-RELEASE-ubuntu22.04.tar.gz -o swift.tar.gz
tar xzf swift.tar.gz --wildcards
/usr/lib/swift/linux/lib
cp -af swift-5.9.2-RELEASE-ubuntu22.04/usr/lib/swift/linux/lib* /usr/lib/
ldconfig
验证
pastewatch-cli version
MCP 服务器设置
bash
需要 mcporter
mcporter config add pastewatch --command pastewatch-cli mcp --audit-log /var/log/pastewatch-audit.log
验证工具
mcporter list pastewatch --schema
MCP 工具
| 工具 | 用途 |
|---|
| pastewatchreadfile | 读取文件,机密信息 → PW{TYPEN} 占位符 |
| pastewatchwrite_file |
写入文件,占位符 → 在本地恢复真实值 |
| pastewatch
checkoutput | 返回前验证文本中无原始机密信息 |
| pastewatch_scan | 扫描文本中的敏感数据 |
| pastewatch
scanfile | 扫描文件 |
| pastewatch
scandir | 递归扫描目录 |
工作原理
代理读取 config.env → pastewatch 拦截 → 代理看到 PW{AWSKEY1}
代理编辑并写入 → pastewatch 解析 → 磁盘上的真实值
机密信息永远不会离开您的机器。
检测内容
29 种类型:AWS 密钥、Anthropic 密钥、OpenAI 密钥、数据库连接、SSH 密钥、JWT、电子邮件、IP 地址、信用卡、Slack/Discord Webhook、Azure 连接、GCP 服务账号、npm/PyPI/RubyGems 令牌、Telegram 机器人令牌等。
确定性正则表达式。无需机器学习。无需 API 调用。每次扫描微秒级完成。
审计日志
bash
tail -f /var/log/pastewatch-audit.log
记录时间戳、工具调用、文件路径、编辑次数。从不记录机密值。
第4层:新闻情报(10分钟)
无需无休止刷屏即可了解信息。noisepan 按相关性对 RSS 源评分,entropia 验证来源质量。
安装
bash
noisepan
curl -fsSL https://github.com/ppiankov/noisepan/releases/latest/download/noisepan
$(curl -s https://api.github.com/repos/ppiankov/noisepan/releases/latest | grep tagname | cut -d -f4 | tr -d v)
linuxamd64.tar.gz | tar xz -C /usr/local/bin noisepan
entropia
curl -fsSL https://github.com/ppiankov/entropia/releases/latest/download/entropia
$(curl -s https://api.github.com/repos/ppiankov/entropia/releases/latest | grep tagname | cut -d -f4 | tr
