OpenClaw Configuration Details: A Complete Guide to openclaw.json & Best Practices
At 10 PM on a Friday, staring at the OpenClaw service just starting up in my terminal, I breathed a sigh of relief. Then I opened ~/.openclaw/openclaw.json, looking at the screen full of configuration parameters—gateway, channel, skills, provider… with a bunch of nested options under each field.
To be honest, I was a bit confused at that moment.
Although the installation went smoothly, facing this configuration file, I suddenly realized: I didn’t really know what these parameters were for. Should dmPolicy be set to pairing or allowlist? Is gateway.auth.token just a password? Should I enable all skills?
What’s even more concerning is that in late January 2026, OpenClaw just fixed a critical security vulnerability (CVE-2026-25253, CVSS score 8.8), where attackers could steal authentication tokens via URL parameters and execute arbitrary commands. With improper configuration, your AI assistant could become someone else’s backdoor.
This article is the guide I most wanted to see at that time. I will systematically break down all configuration modules of openclaw.json, telling you what each parameter means, why you need it, and how to set it up in a production environment. I’ll also share some pitfalls I’ve stepped into and a checklist for security configuration.
Basic Understanding of the Configuration File
Where it is, what it looks like
OpenClaw’s configuration file is saved at ~/.openclaw/openclaw.json by default. If you configured it via the installation wizard, this file is generated automatically; if installed manually, you might need to create it yourself.
Open it, and you’ll see five major modules:
- Gateway: Settings for gateway service port, authentication, logging, etc.
- Channel: Configuration for communication channels (WhatsApp, Telegram, etc.)
- Skills: Management and permissions for skill modules
- Provider: AI model providers (Anthropic, OpenAI, local models, etc.)
- Security: Security policies and access control
This structure is actually quite logical—Gateway manages entry, Channel manages communication, Skills manage capabilities, Provider manages the brain, and Security manages protection.
Configuration Methods and Priority
OpenClaw supports four configuration methods:
- Interactive Wizard: Step-by-step selection during installation, suitable for beginners
- Direct JSON Editing: Use vim or nano to modify the file directly, suitable for those familiar with config
- Environment Variables: Suitable for containerized deployment or temporarily overriding a parameter
- Script Automation: Generate configuration via scripts for batch deployment
Here’s the key: these methods have priorities. Environment Variables > Configuration File > Default Values.
What does this mean? For example, if you set gateway.port: 18789 in the config file, but also set the environment variable OPENCLAW_GATEWAY_PORT=9000, the distinct 9000 takes effect. This design is particularly useful during debugging—you can test by setting a temporary env var without modifying the config file.
The 2026 version also added support for MCP Servers (Model Context Protocol), allowing unified access to multiple search engines and tools. Additionally, the openclaw doctor command can now automatically check configuration status and offer fix suggestions for discovered issues.
Gateway Configuration Details
Gateway is the entry point for OpenClaw, responsible for Web interface access and remote client connections.
Basic Configuration: Port and Authentication
{
"gateway": {
"port": 18789,
"auth": {
"token": "your-secret-token-here"
},
"remote": {
"token": "your-remote-token-here"
}
}
}port: The access port for the Web interface, default is 18789. Accessinghttp://localhost:18789brings up the OpenClaw control panel. If this port is occupied, just change it (e.g., to 19000).auth.token: This is the gateway’s authentication token, equivalent to a password. Anyone with this token can fully control your OpenClaw instance. The CVE-2026-25253 vulnerability was due to the token being leakable via URL parameters.remote.token: The token used when remote clients (like mobile Apps or desktop clients) connect. It’s separate fromauth.tokenso it can be rotated independently.
Security Tip: The version from January 29, 2026, removed the "auth: none" option. Previously you could turn off auth for easier development, now using a token or password is mandatory. This is a hard fix for the security vulnerability.
Advanced Configuration: Logging and WebSocket
{
"gateway": {
"logging": {
"redactSensitive": true
}
}
}With redactSensitive set to true, logs are automatically redacted—sensitive info like API keys and tokens are replaced with ***. You don’t have to worry about accidentally copying keys into public issues when checking logs for errors.
The command to start the gateway service is openclaw gateway. Once the service is running, you’ll see output like this:
[Gateway] Listening on http://localhost:18789
[Gateway] Authentication: Token-basedChannel Configuration Strategy
The Channel module determines which platforms OpenClaw can use to talk to you.
Supported Channel Types
Currently supports four main channels:
- WhatsApp: Scan QR code to pair, most commonly used
- Telegram: Bot API, suitable for group scenarios
- Discord: Suitable for technical communities
- Mattermost: Enterprise team collaboration
Each channel is configured differently. WhatsApp uses a QR code pairing process, Telegram needs a Bot Token, and Discord requires creating an Application.
DM (Direct Message) Policy Configuration
This part is where many people get confused. dmPolicy decides whether strangers can send messages to your AI assistant.
There are four modes:
1. pairing (Default Mode)
{
"channel": {
"dmPolicy": "pairing"
}
}Unknown senders need to verify pairing first. OpenClaw generates a 6-digit pairing code, valid for 1 hour. You need to verify manually:
openclaw pairing approve whatsapp ABC123This mode balances security and usability—when a friend contacts your AI assistant for the first time, you approve it, and then it’s smooth sailing.
2. allowlist (Allowlist Mode)
{
"channel": {
"dmPolicy": "allowlist",
"allowFrom": [
"+1234567890",
"telegram:@username"
]
}
}Only people on the allowlist can send messages; others are blocked directly. Suitable for scenarios where you clearly know who will use it.
3. open (Open Mode)
{
"channel": {
"dmPolicy": "open",
"allowFrom": ["*"]
}
}Anyone can send messages. Honestly, this mode is very risky. Unless you are doing a public demo or testing, it is not recommended.
4. disabled (Disabled Mode)
Completely disable private messaging function, only accept group messages.
Session Isolation for Multi-user Scenarios
If your OpenClaw service is used by multiple people (e.g., team sharing), session isolation is important:
{
"channel": {
"session": {
"dmScope": "per-channel-peer"
}
}
}This way everyone’s conversation history is independent and won’t get mixed up.
Group Policy Configuration
Group configuration is relatively simple, but there’s a key setting: mentionGating (@mention gating).
{
"channel": {
"groupPolicy": "mention",
"mentionGating": true
}
}When enabled, the AI assistant will only reply to messages that @mention it, instead of listening to every message in the group. Avoids becoming an “always-on” bot—you know, the kind that spams the group like crazy.
Skills Module Configuration
Skills is the most interesting part of OpenClaw—it decides what the AI assistant can do.
Skills Basic Concepts
Skills are modular capability extensions. OpenClaw comes with some built-in skills, and the ClawHub Skill Store has 700+ available skills:
- Calendar Management (Google Calendar, Outlook)
- Web Browsing (browser skill)
- File Management (file_manager)
- Terminal Commands (exec skill)
- Code Execution (python, node)
The installation path for skills is ~/.openclaw/skills/. Priority rule: Workspace Skills > User Skills > Built-in Skills.
What does this mean? If you put a custom browser skill in your project directory, it overrides the globally installed version. This design allows you to customize capabilities for specific projects.
Skill Configuration and Management
Each skill has a SKILL.md file defining metadata in YAML format:
---
name: google-calendar
description: Manage Google Calendar events
requirements:
bins:
- gcalcli
env:
- GOOGLE_CALENDAR_API_KEY
---The bins field lists dependent binary programs. For example, this calendar skill needs the gcalcli command-line tool. If not installed on the system, the skill will fail to load.
Three installation methods:
- GUI Installation: Click “Add Skill” in Web interface, search and install
- CLI Installation:
openclaw skill install google-calendar - Manual Installation: Copy skill directory to
~/.openclaw/skills/
Skill Troubleshooting
Skill load failure is a common issue. Check dependencies with this command:
openclaw skill check google-calendarIt will tell you what dependencies are missing, if env vars are set, and if OS config matches.
If problems persist, check Gateway logs:
openclaw gateway --verboseLogs will show the detailed skill loading process, making it clear where it went wrong.
Optimization for Small Model Scenarios
If you’re using a local model with a small context window (like a 7B parameter quantized model), you might need to disable some skills to control context size. The more skills, the longer the system prompt, leaving less space for dialogue.
Restrictions on High-Risk Skills
Some skills have high privileges and need to be used with caution:
exec: Execute arbitrary shell commandsbrowser: Access any webpageweb_fetch: Fetch external contentweb_search: Search engine queries
These skills can be abused if malicious input is provided. If not necessary, it’s recommended to disable them.
Provider Model Configuration
Provider decides which AI brain OpenClaw uses.
Supported AI Providers
- Anthropic (Claude): Officially recommended, stable API, robust security features
- OpenAI: Support coming soon (GPT-4 logic)
- Local Models: LM Studio, Ollama, etc.
- OpenRouter: Unified multi-model access interface, use all models with one API Key
- MCP Servers: 2026 new feature, supporting Model Context Protocol
Provider Configuration Parameters
Simplest configuration (Using Anthropic):
{
"provider": {
"type": "anthropic",
"apiKey": "sk-ant-..."
}
}But I suggest not writing the API Key directly in the config file, use environment variables:
export ANTHROPIC_API_KEY="sk-ant-..."This allows the config file to be safely committed to version control without leaking the API Key.
Local Model Configuration
{
"provider": {
"type": "openai-compatible",
"baseURL": "http://localhost:1234/v1",
"modelId": "kimi-k2.5-chat"
}
}baseURL: Local model server address (LM Studio defaults to port 1234)modelId: Specify the model name to use
MCP Server Configuration (New Feature)
{
"provider": {
"mcpServers": {
"onesearch": {
"command": "npx",
"args": ["-y", "@onesearch/mcp-server"]
}
}
}
}OneSearch MCP lets you access multiple search engines (Google, Bing, Brave, etc.) via a unified interface, without configuring API Keys for each one separately.
Notes on Local Models
Honestly, local models have their advantages—privacy, cost, offline availability. But security features are indeed weaker than commercial models:
- Higher Prompt Injection Risk: Small models are easier to trick with malicious input
- Small Context Window: Security features need more system prompts, but small models can’t fit them
- Limitations of Quantized Models: After 4-bit quantization, instruction following capability drops
If you must use local models, typical suggestions:
- Strictly limit skill permissions
- Enable sandbox mode
- Do not run on machines with sensitive data
Security Configuration Best Practices
Security configuration is always priority number one. The lesson from CVE-2026-25253 tells us that improper configuration consequences can be severe.
Security Configuration Checklist
Basic Security (Must Do)
- ✅ Never share gateway token—like your house key, never give it to others
- ✅ Use firewall, expose only necessary ports (18789)
- ✅ Use key authentication for SSH instead of password
- ✅ Limit Web interface access (VPN or IP allowlist)
- ✅ DM Policy: Prioritize
pairingorallowlist - ✅ Group Policy: Enable mention gating
Advanced Security (Highly Recommended)
- ✅ Rotate tokens regularly (at least once a quarter)
- ✅ Enable log sensitive info redaction
- ✅ Restrict high-risk skills (exec, browser)
- ✅ Use dedicated server (don’t mix with main workstation)
Input Security and Sandbox
There is an iron rule: Treat all external input as malicious.
Links, attachments, pasted instructions—all could be carefully crafted attacks. OpenClaw’s sandbox function (opt-in) can isolate high-risk operations:
{
"security": {
"sandbox": {
"enabled": true,
"skills": ["exec", "browser"]
}
}
}This way exec and browser skills run in an isolated environment, affecting nothing on the main system even if compromised.
Secrets Management
Management of API Keys, tokens, and other sensitive info:
- Basic Solution: Transfer
.envfile to server via SCP, avoid pasting in chat - Advanced Solution: Use Doppler, HashiCorp Vault, etc. professional secrets managers
Things you should NEVER do:
- ❌ Send API Keys in Telegram messages
- ❌ Commit secrets to Git repository
- ❌ Paste logs in public issues (might contain token)
Security Audit and Maintenance
OpenClaw has built-in security audit commands:
# Basic Check
openclaw security audit
# Deep Check
openclaw security audit --deep
# Auto-apply Security Fixes
openclaw security audit --fixThis command checks:
- Is Token strength sufficient
- Is port exposed to public internet
- Are file permissions correct (
~/.openclawshould be 700, config file 600) - Are high-risk skills enabled
- Is DM policy safe
Local File Permissions
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/openclaw.jsonThis ensures only you can read/write the config file; other users can’t even see it.
Things You Should NEVER Do
- ❌ Expose port 18789 to public internet
- ❌ Grant shell access without understanding risks
- ❌ Install skills from unverified sources
- ❌ Use
dmPolicy: "open"without an allowlist - ❌ Run OpenClaw on machines storing primary email/banking info
Practical Configuration Examples
Theory covered, let’s look at complete configs for some real scenarios.
Scenario 1: Personal Use, WhatsApp Only, Pairing Mode
{
"gateway": {
"port": 18789,
"auth": {
"token": "generate-a-strong-random-token"
},
"logging": {
"redactSensitive": true
}
},
"channel": {
"type": "whatsapp",
"dmPolicy": "pairing",
"session": {
"dmScope": "per-channel-peer"
}
},
"skills": {
"enabled": [
"calendar",
"web_search",
"file_manager"
],
"disabled": [
"exec",
"browser"
]
},
"provider": {
"type": "anthropic"
},
"security": {
"sandbox": {
"enabled": true
}
}
}This config is suitable for typical personal users—good security, enough features, high-risk skills disabled.
Scenario 2: Team Collaboration, Multi-Channel, Allowlist Mode
{
"gateway": {
"port": 18789,
"auth": {
"token": "team-gateway-token"
},
"remote": {
"token": "team-remote-token"
}
},
"channel": [
{
"type": "telegram",
"dmPolicy": "allowlist",
"allowFrom": [
"telegram:@alice",
"telegram:@bob",
"telegram:@carol"
],
"groupPolicy": "mention",
"mentionGating": true
},
{
"type": "discord",
"dmPolicy": "allowlist",
"allowFrom": [
"discord:123456789"
]
}
],
"skills": {
"enabled": [
"calendar",
"web_search",
"github",
"jira"
]
},
"provider": {
"type": "anthropic"
}
}Multi-channel config uses an array format, each channel managing its allowlist independently. Groups enable mention gating to avoid spam.
Scenario 3: Local Model, Offline Use, Lean Skills
{
"gateway": {
"port": 19000
},
"channel": {
"type": "whatsapp",
"dmPolicy": "allowlist",
"allowFrom": ["+1234567890"]
},
"skills": {
"enabled": [
"calculator",
"file_manager"
]
},
"provider": {
"type": "openai-compatible",
"baseURL": "http://localhost:1234/v1",
"modelId": "llama-3.1-8b"
}
}In local model scenarios, try to keep skills as lean as possible—small models’ context windows can’t hold too many system prompts.
Common Configuration Errors and Solutions
Error 1: Token mismatch causing connection failure
Symptom: Web interface shows “Authentication failed”
Solution: Check if gateway.auth.token exactly matches the token you entered (watch for spaces, newlines)
Error 2: Skill dependency missing causing load failure
Symptom: Log shows “Skill ‘google-calendar’ failed to load”
Solution: Run openclaw skill check google-calendar, follow prompts to install missing dependencies
Error 3: Port conflict causing Gateway failed start
Symptom: Error: listen EADDRINUSE :::18789
Solution: Change to another port, or find the process occupying 18789 and kill it
Error 4: Configuration file format error
Symptom: SyntaxError: Unexpected token } in JSON
Solution: Use JSON validator tool to check format, common issues are extra commas or mismatched quotes
Troubleshooting Commands
# Check service status
openclaw status
# Health check
openclaw doctor
# Verbose logs
openclaw gateway --verboseConclusion
Having said so much, the core points are just three:
First, the configuration file is the heart of OpenClaw. Understanding every parameter is worthwhile—not to show off, but to quickly pinpoint issues when they arise.
Second, security configuration is always the top priority. CVE-2026-25253 proves the risk of improper configuration is real. Tokens must be secret, ports restricted, DM policies tightened, high-risk skills cautiously enabled.
Third, configuration is not a one-time job. As usage scenarios change, team members come and go, new skills launch, configuration needs continuous optimization. Review your config every once in a while, run openclaw security audit once, ensure everything is under control.
Now, do three things immediately:
- Run
openclaw security audit --deepto check current config - Optimize your config item by item against the best practices checklist in this article
- Backup the optimized config to a safe place (but don’t backup the token with it)
If you encounter problems during configuration, the OpenClaw community is very active, people on GitHub Discussions and Discord channels are helpful. Also welcome to share your configuration experience—everyone fumbles their way through like this.
OpenClaw Configuration Complete Setup Flow
Detailed steps to configure openclaw.json from scratch, including Gateway, Channel, Skills, Provider, and Security modules
⏱️ Estimated time: 30 min
- 1
Step1: Step 1: Create and Locate Configuration File
Config file location: ~/.openclaw/openclaw.json
Creation methods:
• Auto-generate: Automatically created when running installation wizard
• Manual creation: mkdir -p ~/.openclaw && touch ~/.openclaw/openclaw.json
• File permissions: chmod 600 ~/.openclaw/openclaw.json (Only owner readable/writable)
Configuration Priority Rule:
Environment Variables > Configuration File > Default Values
Debugging Tip: Use environment variables to temporarily override parameters without modifying the config file - 2
Step2: Step 2: Configure Gateway Module
Basic Configuration Parameters:
Port Settings:
• "port": 18789 (Default port, can be changed to other unoccupied ports)
• Access URL: http://localhost:18789
Authentication Configuration:
• "auth.token": Gateway auth token (equivalent to password, must be kept secret)
• "remote.token": Remote client connection token (can be rotated separately)
• 2026 version mandates authentication, "auth: none" is not supported
Security Enhancement:
• "logging.redactSensitive": true (Auto-redact logs, hiding API keys and tokens)
Start Command:
openclaw gateway
Verification: Browser visit http://localhost:18789, enter token to login - 3
Step3: Step 3: Configure Channel Module
Supported Channel Types:
• WhatsApp (QR Code Pairing)
• Telegram (Requires Bot Token)
• Discord (Requires Creating Application)
• Mattermost (Enterprise Collaboration)
DM Policy Configuration (4 Modes):
1. pairing mode (Recommended):
"dmPolicy": "pairing"
Unknown senders need pairing code verification, approval command:
openclaw pairing approve whatsapp ABC123
2. allowlist mode (Secure):
"dmPolicy": "allowlist"
"allowFrom": ["+1234567890", "telegram:@username"]
Only allowlist users can send messages
3. open mode (High Risk):
"dmPolicy": "open"
"allowFrom": ["*"]
Anyone can send messages, not recommended for production
4. disabled mode:
Completely disable private messages, only accept group messages
Group Configuration:
"groupPolicy": "mention"
"mentionGating": true
AI only replies to @mentioned messages, avoiding spam
Session Isolation (Multi-user Scenario):
"session.dmScope": "per-channel-peer"
Each user's conversation history is independent, no cross-talk - 4
Step4: Step 4: Configure Skills Module
Skill Installation Path: ~/.openclaw/skills/
Priority Rule: Workspace Skills > User Skills > Built-in Skills
Three Installation Methods:
1. GUI Install: Search and install in Web interface "Add Skill"
2. CLI Install: openclaw skill install google-calendar
3. Manual Install: Copy skill directory to ~/.openclaw/skills/
Configuration Example:
"skills": {
"enabled": ["calendar", "web_search", "file_manager"],
"disabled": ["exec", "browser"]
}
High-Risk Skills (Use with Caution):
• exec: Execute arbitrary shell commands
• browser: Access any webpage
• web_fetch: Fetch external content
• web_search: Search engine query
Troubleshooting Commands:
openclaw skill check google-calendar
Check missing dependencies, env var config, OS compatibility
Detailed Logs:
openclaw gateway --verbose
Show detailed skill loading process
Small Model Optimization:
Disable some skills to reduce context usage, more skills mean longer system prompts - 5
Step5: Step 5: Configure Provider Module
Supported Provider Types:
1. Anthropic (Claude) - Officially Recommended
2. OpenAI (GPT-4 etc.) - Coming Soon
3. Local Models (LM Studio, Ollama)
4. OpenRouter (Multi-model Unified Interface)
5. MCP Servers (Model Context Protocol)
Anthropic Configuration (Recommended):
"provider": {
"type": "anthropic",
"apiKey": "sk-ant-..."
}
Secure Practice: Use Environment Variables for API Key
export ANTHROPIC_API_KEY="sk-ant-..."
Config file contains no keys, safe to commit to version control
Local Model Configuration:
"provider": {
"type": "openai-compatible",
"baseURL": "http://localhost:1234/v1",
"modelId": "llama-3.1-8b"
}
MCP Server Configuration (2026 New Feature):
"provider": {
"mcpServers": {
"onesearch": {
"command": "npx",
"args": ["-y", "@onesearch/mcp-server"]
}
}
}
Local Model Notes:
• Higher prompt injection risk, small models easily tricked by malicious input
• Small context window, need to prune skills
• Quantized model (4-bit) instruction following capability drops
• Must strictly limit skill permissions
• Enable sandbox mode
• Do not run on sensitive data machines - 6
Step6: Step 6: Configure Security Module
Basic Security Configuration (Must Do):
• Never share gateway token
• Firewall expose only port 18789
• SSH use key authentication
• Limit Web interface access (VPN/IP Allowlist)
• DM Policy prioritize pairing or allowlist
• Group enable mention gating
Sandbox Configuration:
"security": {
"sandbox": {
"enabled": true,
"skills": ["exec", "browser"]
}
}
Isolate high-risk skills, compromised skills won't affect main system
File Permission Settings:
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/openclaw.json
Only owner can access config file
Security Audit Commands:
openclaw security audit (Basic check)
openclaw security audit --deep (Deep check)
openclaw security audit --fix (Auto fix)
Check Items:
• Token strength
• Port exposure status
• File permissions
• High-risk skill status
• DM Policy security
Regular Maintenance:
• Rotate tokens at least quarterly
• Enable log sensitive info redaction
• Restrict high-risk skills
• Use dedicated server
Secrets Management:
• Basic solution: SCP transfer .env file
• Advanced solution: Doppler, HashiCorp Vault
• Never expose keys in message/Git/issue - 7
Step7: Step 7: Verification and Troubleshooting
Verify Configuration:
1. Check config file format:
Use JSON validator tool to check syntax errors
2. Health Check:
openclaw doctor
Automatically check config stats and give fix suggestions
3. View Service Status:
openclaw status
Show Gateway, Channel, Skills running status
4. Security Audit:
openclaw security audit --deep
Comprehensive security config check
Common Error Troubleshooting:
Error 1: Authentication failed
Cause: Token mismatch
Solution: Check gateway.auth.token for extra spaces or newlines
Error 2: Skill load failed
Cause: Missing dependencies
Solution: openclaw skill check [skill-name], install missing dependencies
Error 3: Port conflict (EADDRINUSE)
Cause: Port 18789 occupied
Solution: Change to another port or kill occupying process
Error 4: JSON Syntax Error
Cause: Config file format issue
Solution: Check for extra commas, mismatched quotes
Detailed Logs:
openclaw gateway --verbose
Show Gateway start, skill loading, auth detailed process
Config Backup:
Regularly backup config file to secure location
Note: Remove token and API key when backing up
FAQ
Should I choose pairing or allowlist for dmPolicy?
pairing mode (Recommended for most scenarios):
• Suitable for: Not sure who all users are, but need verification
• Pros: Flexible, friends clear to go after first pairing
• Process: Stranger sends message → Generate 6-digit code → You approve → Direct communication hereafter
• Command: openclaw pairing approve whatsapp ABC123
allowlist mode (Recommended for high security):
• Suitable for: Clearly know all users (family, team members)
• Pros: Most secure, non-whitelist blocked directly
• Config: "allowFrom": ["+1234567890", "telegram:@username"]
• Maintenance: New users need manual addition to allowlist
Selection Advice:
Personal use, unsure who will contact → pairing
Team fixed members use → allowlist
Public demo/testing → open (Temporary use, not recommended for long term)
What exactly is the CVE-2026-25253 vulnerability? How to protect?
• CVE ID: CVE-2026-25253
• CVSS Score: 8.8 (Critical)
• Discovery Time: Late January 2026
• Affected Versions: Versions before Jan 29, 2026
Attack Principle:
Attackers can steal auth tokens via URL parameters, e.g.:
http://victim.com:18789/?token=leaked-token
Once token is obtained, they can fully control OpenClaw instance, execute arbitrary commands
Official Fix Measures:
1. Removed "auth: none" option, forced authentication
2. URL parameters no longer pass token
3. All requests must pass auth info via Header
Protection Measures:
• Immediately update to latest version (After Jan 29, 2026)
• Rotate all existing tokens (old tokens might be leaked)
• Never include token in URL
• Limit Web interface access (VPN/IP Allowlist/Firewall)
• Do not expose port 18789 to public internet
• Regularly run openclaw security audit to check config
Check if affected:
openclaw --version
If version date is earlier than 2026-01-29, update needed
What is the security difference between Local Models and Anthropic API?
1. Prompt Injection Protection:
• Built-in security layer, identifies malicious prompts
• Refuses to execute dangerous instructions
• Regularly updates security rules
2. Instruction Following Capability:
• Strictly follows system prompts
• Not easily tricked by user input
3. Context Handling:
• Large window (200K tokens) can hold complete security prompts
Local Model Security Limitations:
1. High Prompt Injection Risk:
• Small models (7B-13B) easily bypassed by carefully crafted input
• Lacks dedicated security training
2. Quantized Model Issues:
• After 4-bit quantization, instruction following capability drops significantly
• Security features might fail
3. Context Limitations:
• Small window (4K-8K tokens) can't fit complete security prompts
• Must prune skills and system prompts
Local Model Safe Usage Advice:
• Strictly limit skill permissions (Enable only low-risk skills)
• Must enable sandbox mode for isolation
• Do not deploy on machines with sensitive data
• Use allowlist to restrict users
• Disable high-risk skills like exec, browser
• Regularly review logs, monitor abnormal behavior
Selection Advice:
Need high security (Handling sensitive data) → Anthropic API
Value privacy and offline availability → Local Model + Strict Security Config
Will too many skills affect performance? How many should I enable?
1. Context Usage:
Each skill increases system prompt length
• Single Skill: Average 200-500 tokens
• 10 Skills: Approx 2000-5000 tokens
• Space left for dialogue decreases properly
2. Model Type Decides Strategy:
Large Model (Anthropic Claude):
• Context Window: 200K tokens
• Advice: Can enable 10-20 common skills
• Impact: Almost negligible, performance unaffected
Medium Model (Local 13B-30B):
• Context Window: 8K-32K tokens
• Advice: Enable 5-10 essential skills
• Impact: Need to balance functionality and context space
Small Model (Local 7B Quantized):
• Context Window: 4K-8K tokens
• Advice: Only enable 2-5 core skills
• Impact: Must be lean, otherwise cannot converse
3. On-Demand Enable Strategy:
Personal Assistant Scenario (Recommended):
• calendar (Calendar Mgmt)
• web_search (Web Search)
• file_manager (File Mgmt)
• calculator (Calculator)
Dev Scenario (Recommended):
• github (Code Repo)
• web_search (Tech Search)
• exec (Command Exec, need sandbox)
Enterprise Scenario (Recommended):
• calendar (Calendar)
• jira (Project Mgmt)
• slack (Team Collab)
• web_search (Search)
Dynamic Adjustment:
• Workspace skill priority > Global
• Create different configs for different projects
• Disable unused skills timely
Performance Optimization Advice:
openclaw skill list
View enabled skills and their context usage
Disable unused skills:
"skills": {"disabled": ["skill-name"]}
How to safely manage configs for multiple environments (Dev/Test/Prod)?
Method 1: Environment Variable Override (Recommended)
Base Config File (~/.openclaw/openclaw.json):
Contains generic config, no sensitive info
Dev Environment (.env.development):
export OPENCLAW_GATEWAY_PORT=18789
export OPENCLAW_DM_POLICY=open
export ANTHROPIC_API_KEY=sk-ant-dev-key
Prod Environment (.env.production):
export OPENCLAW_GATEWAY_PORT=18789
export OPENCLAW_DM_POLICY=allowlist
export ANTHROPIC_API_KEY=sk-ant-prod-key
Switch Env:
source .env.development
openclaw gateway
Priority: Env Vars > Config File > Default Values
Method 2: Multiple Config Files
Create Different Configs:
~/.openclaw/openclaw.dev.json
~/.openclaw/openclaw.prod.json
Start with Specific Config:
openclaw gateway --config ~/.openclaw/openclaw.prod.json
Method 3: Git Management (Recommended for Teams)
Version Control:
openclaw.json.template (Template, commit to Git)
openclaw.json (Actual config, add to .gitignore)
.env.example (Env var example)
.gitignore Config:
openclaw.json
.env
.env.local
.env.*.local
Team Collab Flow:
1. Copy template: cp openclaw.json.template openclaw.json
2. Fill in local config
3. Use env vars for sensitive info
Method 4: Secrets Manager (Enterprise Recommended)
Doppler Example:
doppler secrets set GATEWAY_TOKEN xxx
doppler run -- openclaw gateway
HashiCorp Vault Example:
vault kv get -field=token secret/openclaw/gateway
Security Checklist:
✅ Config file contains no API keys or tokens
✅ Use env vars for sensitive info
✅ .gitignore includes all config files
✅ Prod token different from Dev
✅ Rotate Prod token regularly
✅ Config file permissions correct (600)
✅ Do not share config in chat/issue
Backup Strategy:
Dev Config: Commit to Git (No sensitive info)
Prod Config: Encrypted backup to safe location (1Password/Bitwarden)
What if AI assistant spams replies in group?
Mention gating not enabled, AI listens to and replies to all group messages
Solution:
1. Enable Mention Gating (Recommended)
Config:
"channel": {
"groupPolicy": "mention",
"mentionGating": true
}
Effect: AI only replies to @mentioned messages
Usage:
Member sends "@OpenClaw How is the weather today"
AI responds
2. Keyword Trigger (Alternative)
Config:
"channel": {
"groupPolicy": "keyword",
"keywords": ["openclaw", "assistant"]
}
Effect: Only messages containing keywords trigger reply
3. Completely Disable Group
Config:
"channel": {
"groupPolicy": "disabled"
}
Effect: AI ignores all group messages, only handles DMs
4. Message Rate Limit
Config:
"channel": {
"rateLimit": {
"maxMessages": 10,
"perMinutes": 1
}
}
Effect: Limit max 10 replies per minute
Temporary Emergency Handling:
Immediately disable group response:
openclaw channel disable --group
Remove AI from group:
Remove OpenClaw from WhatsApp/Telegram group
Restart Gateway:
openclaw gateway restart
Best Practice Config:
"channel": {
"groupPolicy": "mention",
"mentionGating": true,
"rateLimit": {
"maxMessages": 5,
"perMinutes": 1
}
}
This config:
• AI only responds to @mentions
• Max 5 replies per minute
• Avoids spam and abuse
Config file suddenly fails, Gateway won't start, how to troubleshoot?
Step 1: Check Config File Format
Verify JSON Format:
cat ~/.openclaw/openclaw.json | python -m json.tool
Common Format Errors:
• Extra comma: {"key": "value",}
• Mismatched quotes: "key: "value"
• Comments (JSON doesn't support): // this is wrong
Online Validator: jsonlint.com
Step 2: Check File Permissions
View Permissions:
ls -la ~/.openclaw/openclaw.json
Correct Permissions:
-rw------- (600) Only owner readable/writable
Fix Permissions:
chmod 600 ~/.openclaw/openclaw.json
chmod 700 ~/.openclaw
Step 3: View Detailed Error Logs
Start Verbose Mode:
openclaw gateway --verbose
Log Location:
~/.openclaw/logs/gateway.log
View Recent Errors:
tail -n 50 ~/.openclaw/logs/gateway.log
Step 4: Run Health Check
Basic Check:
openclaw doctor
Output shows:
• Is config readable
• Are required fields present
• Are dependencies met
• Is port available
Deep Check:
openclaw security audit --deep
Step 5: Common Failures and Solutions
Failure 1: Port Occupied
Error: Error: listen EADDRINUSE :::18789
Solution:
Find occupying process: lsof -i :18789
Kill process: kill -9 [PID]
Or change port: "port": 19000
Failure 2: Token Format Error
Error: Invalid authentication token
Solution:
Check token for newlines: cat -A ~/.openclaw/openclaw.json
Regenerate token: openssl rand -hex 32
Failure 3: Environment Variable Conflict
Error: Config unexpectedly overridden
Solution:
View env vars: env | grep OPENCLAW
Clear conflicting var: unset OPENCLAW_GATEWAY_PORT
Failure 4: Config File Corrupted
Error: SyntaxError or Unexpected token
Solution:
Restore backup: cp ~/.openclaw/openclaw.json.backup ~/.openclaw/openclaw.json
Or use template: cp openclaw.json.template ~/.openclaw/openclaw.json
Step 6: Reset Config (Last Resort)
Backup Current Config:
cp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.broken
Delete Config:
rm ~/.openclaw/openclaw.json
Rerun Wizard:
openclaw init
Verify Start:
openclaw gateway --verbose
Preventive Measures:
1. Regularly Backup Config:
crontab -e
Add: 0 0 * * * cp ~/.openclaw/openclaw.json ~/.openclaw/backup/openclaw-$(date +%Y%m%d).json
2. Version Control (Template without sensitive info):
git init ~/.openclaw
git add openclaw.json.template
3. Test Before Modify:
cp openclaw.json openclaw.json.test
# Modify test file
openclaw gateway --config openclaw.json.test --dry-run
4. Use Config Validation Script:
openclaw config validate
13 min read · Published on: Feb 5, 2026 · Modified on: Feb 5, 2026
Related Posts
Deep Dive into OpenClaw Architecture: Technical Principles and Extension Practices of the Three-Layer Design
Deep Dive into OpenClaw Architecture: Technical Principles and Extension Practices of the Three-Layer Design
Let AI Read Documentation for You: OpenClaw Browser Automation Practical Guide
Let AI Read Documentation for You: OpenClaw Browser Automation Practical Guide
OpenClaw Cron Job Configuration - Make Your AI Assistant Proactively Execute Scheduled Tasks
Comments
Sign in with GitHub to leave a comment