Security Model

Edited by Lawrence Beckwith on February 22, 2026 at 4:44 AM UTC

Security Objectives

  • Keep execution local whenever feasible — no external API dependency for core operation
  • Minimize credential blast radius — scoped tokens per service, rotated as needed
  • Preserve operator authority over all high-impact actions
  • Maintain verifiable audit trails

Control Layers

High-Stakes Action Gates

The coordinator includes a HIGH_STAKES_TOOLS list and SUSPICIOUS_PATTERNS checks. Before executing any high-stakes tool call, check_action_purpose() validates that the action matches the stated goal. This prevents the AI from taking destructive or unintended actions even when an incoming message instructs it to do so.
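As an added illustration of the gate described above (example code, not the project's own implementation): the names HIGH_STAKES_TOOLS, SUSPICIOUS_PATTERNS and check_action_purpose() come from this page, while the tool names, the detection patterns, the rule that the stated goal must name the call's target, and the audit_record() helper are assumptions made for the example.

```python
import json
import re
from dataclasses import dataclass

# Names follow the page; the membership and patterns are constructed for this example.
HIGH_STAKES_TOOLS = {"shell_exec", "delete_file", "send_message", "git_push"}

# Defensive detection patterns for destructive or opaque tool arguments.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\brm\s+-\w*r"),                        # recursive delete
    re.compile(r"\bDROP\s+(TABLE|DATABASE)\b", re.I),   # destructive SQL
    re.compile(r"curl[^|]*\|\s*(ba)?sh\b"),             # pipe-to-shell
]

@dataclass
class GateDecision:
    allowed: bool
    reason: str

def check_action_purpose(tool: str, args: dict, stated_goal: str) -> GateDecision:
    """Gate a tool call before execution. Low-stakes tools pass through; a
    high-stakes tool needs a non-empty stated goal, no suspicious argument
    patterns, and (assumed convention) a goal that names the target it acts on,
    so an injected instruction aimed at an unrelated target is refused."""
    if tool not in HIGH_STAKES_TOOLS:
        return GateDecision(True, "low-stakes tool")
    if not stated_goal.strip():
        return GateDecision(False, "high-stakes tool called without a stated goal")
    flat_args = " ".join(str(v) for v in args.values())
    for pattern in SUSPICIOUS_PATTERNS:
        if pattern.search(flat_args):
            return GateDecision(False, f"suspicious pattern {pattern.pattern!r} in arguments")
    target = str(args.get("target") or args.get("path") or "")
    if target and target.lower() not in stated_goal.lower():
        return GateDecision(False, f"stated goal does not mention target {target!r}")
    return GateDecision(True, "high-stakes action consistent with stated goal")

def audit_record(tool: str, args: dict, stated_goal: str, decision: GateDecision) -> str:
    """One JSON line per tool call for the audit trail; denials are logged too."""
    return json.dumps({"tool": tool, "args": args, "goal": stated_goal,
                       "allowed": decision.allowed, "reason": decision.reason}, sort_keys=True)

if __name__ == "__main__":
    # Constructed sample calls: an honest cleanup, an off-goal deletion, a destructive command.
    for call in [("delete_file", {"path": "/tmp/build"}, "remove stale /tmp/build artifacts"),
                 ("delete_file", {"path": "/home/ops/.ssh"}, "remove stale /tmp/build artifacts"),
                 ("shell_exec", {"cmd": "rm -rf /var/data"}, "free disk space under /var/data")]:
        print(audit_record(*call, check_action_purpose(*call)))
```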

Network Exposure

  • All coordinator and model ports are bound to 127.0.0.1 by default — not exposed to the network
  • Reverse proxy (e.g. Caddy) handles TLS termination and controlled external ingress for any public-facing services
  • Internal services communicate over isolated Docker bridge networks

OpenClaw Security

  • Config file should be chmod 600 — contains channel credentials
  • Tool policies are enforced by config and cannot be overridden by user messages
  • Private memory context is not exposed in shared or group chat sessions
  • No self-replication or safeguard-bypass behaviors are implemented

Operator Authority

  • Emergency stop: docker stop otheru-coordinator halts all AI-initiated tool actions immediately
  • Audit trail: coordinator logs every tool call with its arguments; daily memory files record decisions and outcomes
  • Review layer: external model (e.g. Claude) can be configured as a supervisor on critical channels

Incident Readiness

  • Fast triage via docker logs <container> and the /dependencies/health endpoint
  • Emergency stop at the orchestration layer stops all actions without affecting running models
  • Runbook-driven recovery — see Operations Runbook

Deployment Hardening Checklist

  • [ ] All Docker ports bound to 127.0.0.1 (not 0.0.0.0)
  • [ ] OpenClaw config chmod 600
  • [ ] API keys and tokens stored in .env files, not in source code
  • [ ] hooks.defaultSessionKey configured in OpenClaw
  • [ ] Reverse proxy enforces HTTPS for any externally-accessible service
  • [ ] Monitoring (e.g. Uptime Kuma) covers all public endpoints