# Security Best Practices for the Agentic Web

Autonomous agents are powerful. That means they are dangerous. This guide outlines the Defense-in-Depth strategy required for running OpenClaw nodes safely.

> [!WARNING]
> Never run untrusted agent code on your host machine without sandboxing.
## 1. Sandboxing Layers

We enforce a strict containment policy for all agent execution.

### Level 1: WASM Isolation (Default)

All "logic" skills (math, parsing) run in WebAssembly modules. They have zero access to the file system or network unless explicitly granted via capabilities.

### Level 2: Docker Containers (Recommended)

For agents that need to compile code or use Python libraries:

```shell
openclaw config set sandbox.runtime docker
openclaw config set sandbox.image openclaw/runtime-secure:latest
```

This ensures that `rm -rf /` inside the agent only destroys an ephemeral container, not your laptop (as long as no host directories are bind-mounted into it).
## 2. Capability Manifests

OpenClaw uses a permission system similar to Android. Agents must declare what they need upfront.

Example Manifest (`agent.json`):

```json
{
  "permissions": [
    "network:read:github.com",
    "fs:read:./logs",
    "fs:write:./reports"
  ]
}
```

If an agent tries to access `google.com` or write to `/etc/hosts`, the runtime kernel kills it instantly.
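To make the default-deny semantics of such a manifest concrete, here is an added example of a permission check in Python. It is not OpenClaw's own runtime code: the `kind:action:target` grammar, subdomain matching for network grants, and the agent root directory `/srv/agents/sentinel-alpha` are all assumptions, and the manifest below is constructed sample data. It also covers the two classic bypasses a real enforcer must close: look-alike hostnames and `../` path escapes.

```python
import json
import os

# Constructed manifest in the format shown above (sample data, not an OpenClaw artifact).
MANIFEST = json.loads("""
{
  "permissions": [
    "network:read:github.com",
    "fs:read:./logs",
    "fs:write:./reports"
  ]
}
""")

# Assumed working directory of the agent; every fs grant is resolved relative to it.
AGENT_ROOT = "/srv/agents/sentinel-alpha"


def _host_matches(granted: str, requested: str) -> bool:
    # Exact host or a subdomain of it (assumed grammar). Requiring the "." before
    # the granted name stops "evil-github.com" from matching "github.com".
    granted = granted.lower().rstrip(".")
    requested = requested.lower().rstrip(".")
    return requested == granted or requested.endswith("." + granted)


def _path_matches(granted: str, requested: str, root: str = AGENT_ROOT) -> bool:
    # Normalise both paths under the agent root so "../" segments and absolute
    # paths cannot escape the granted directory.
    granted_abs = os.path.normpath(os.path.join(root, granted))
    requested_abs = os.path.normpath(os.path.join(root, requested))
    return requested_abs == granted_abs or requested_abs.startswith(granted_abs + os.sep)


def is_allowed(manifest: dict, kind: str, action: str, target: str) -> bool:
    """Default deny: True only if a declared permission covers kind:action:target."""
    for perm in manifest.get("permissions", []):
        parts = perm.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed permission entry: {perm!r}")  # fail closed
        p_kind, p_action, p_target = parts
        if p_kind != kind or p_action != action:
            continue
        if kind == "network" and _host_matches(p_target, target):
            return True
        if kind == "fs" and _path_matches(p_target, target):
            return True
    return False
```

A production enforcer would additionally resolve symlinks before comparing paths, since `normpath` works on strings only.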
## 3. Human-in-the-Loop (HITL)

For high-stakes actions (sending money, deploying to prod), configure a Human Gate.

```yaml
policy:
  requires_approval:
    - tool: "bank_transfer"
    - tool: "kubectl_apply"
```

When the agent attempts one of these actions, it pauses and sends a push notification to your OpenClaw Hub app, then waits for biometric approval before continuing.
## 4. Audit Logging

Every thought loop, tool call, and result is hashed and stored in the local ledger (`.openclaw/ledger/`).

To audit an agent's recent behavior:

```shell
openclaw audit --agent=Sentinel-Alpha --last=1h
```

Stay vigilant. The Lattice is open, which means bad actors are present. Verify cryptographic signatures on all skills before installing them.