🦞AIClawGuide
Community Guide

OpenClaw Security & Cost Control

The practical security and cost-control guide for OpenClaw, covering auth, incidents, exposed gateways, skill risk, fallback chains, and budgets.

Mar 13, 2026

Read this before you scale anything

The Orange Paper is unusually blunt: OpenClaw is powerful, but it is not a product you should treat casually. Security and cost control are not polish topics. They are operating basics.

The security model starts with distrust

The core baseline is:

  • pair unknown users before trusting them
  • isolate group sessions from private memory
  • keep the gateway local by default
  • require authentication when access leaves the local machine
  • restrict or disable tools when they are not needed

This is the mindset to keep even when the UI feels friendly.

Incidents you should actually know

The Orange Paper highlights several concrete events:

  • CVE-2026-25253: a serious remote code execution path on exposed, unauthenticated instances
  • ClawHavoc: a major skills supply-chain attack
  • large numbers of publicly exposed, unauthenticated gateways
  • Google account bans tied to some OpenClaw usage patterns
  • malicious npm packages pretending to be official installers

The correct response is not panic. It is to stop pretending this is a toy.

What to do first

For a new operator, the safest baseline is simple:

  1. Stay local first.
  2. Use explicit gateway auth.
  3. Keep one model path and one channel path at first.
  4. Review every third-party skill before installation.
  5. Make a backup before risky changes.

Skills are trusted code

This is the right mental model:

  • a skill is not a decorative extension
  • a skill inherits the trust of your instance
  • a bad skill can influence files, behavior, and future actions

That is why AIClawGuide’s marketplace is manually curated and limited to free or open-source entries in phase one.

Cost gets out of hand in predictable ways

The Orange Paper’s warning is concrete: users have reported waking up to very large bills after an agent loop or scheduled task kept calling premium models overnight.

That usually happens when all of these are true:

  • no fallback chain
  • no daily budget limit
  • no distinction between high-value and low-value tasks
  • no local or free-tier capacity for background work

The best default control pattern is:

  • strong primary model for difficult tasks
  • cheaper fallback for everyday traffic
  • free or local model for cron and heartbeat work
  • hard daily budget ceiling

This is why the Sonnet → Haiku → DeepSeek pattern appears so often in community recommendations.

Practical starting checklist

  • Enable gateway auth.
  • Do not expose raw ports casually.
  • Prefer Tailscale or SSH forwarding over open internet exposure.
  • Keep a backup before upgrades.
  • Set a daily budget limit.
  • Audit skills before install.
  • Keep the gateway updated.

If you do only those things, you will already be operating far more safely than many of the publicly documented bad examples.

Where to go next