The Hardening Guide: Secure `clawdbot.json` Configuration
The definitive guide to running OpenClaw without giving it the keys to your kingdom.
Docker Isolation: gVisor and runsc
Use an additional sandbox boundary for untrusted agent workflows. Configuring Docker with `runsc` (gVisor) materially limits kernel attack surface compared with default runtimes.
Treat this as mandatory for internet-connected deployments processing third-party prompts or skill packages.
API Limits: provider_settings Budget Caps
Set explicit per-day and per-task spending ceilings in `provider_settings`. Security incidents frequently include cost abuse, not just data theft, so billing controls are part of defense-in-depth.
Filesystem Whitelist: Scope to /app/workspace
Constrain read/write access to `/app/workspace` only. Avoid mounting host root paths, SSH directories, or CI secrets into the container where the agent can touch them.
```json
{
  "permissions": {
    "filesystem": ["/app/workspace"],
    "shell_execute": false
  },
  "provider_settings": {
    "monthly_usd_limit": 25,
    "per_task_usd_limit": 2
  }
}
```
No-Go Zone: Disable shell_execute by Default
Keep `shell_execute` disabled unless a controlled workflow absolutely requires it. If enabled for a narrow task, isolate the environment and enforce command allowlists with audited logging.
Temporary enablement should be treated as a change-controlled event with rollback and key rotation procedures.
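A pre-deployment check for the rules above, as an added example that is not part of OpenClaw or of the original guide. It assumes the config contains only the keys shown in the sample; `audit_config`, `ALLOWED_ROOT` and the finding messages are hypothetical names, and a missing key is reported because its default is not documented here.

```python
import json
import posixpath

ALLOWED_ROOT = "/app/workspace"  # the only path the guide permits
BUDGET_KEYS = ("monthly_usd_limit", "per_task_usd_limit")  # keys from the guide's sample

def audit_config(cfg):
    """Return a list of findings; an empty list means the config matches the guide."""
    findings = []
    perms = cfg.get("permissions") or {}

    # Assumption: a missing key is a finding, since the default is not documented here.
    if perms.get("shell_execute") is not False:
        findings.append("shell_execute is not explicitly false")

    paths = perms.get("filesystem")
    if not isinstance(paths, list) or not paths:
        findings.append("filesystem allowlist missing or empty")
    else:
        for p in paths:
            # Normalise first so '/app/workspace/../..' cannot pass a prefix check.
            norm = posixpath.normpath(p) if isinstance(p, str) else ""
            if norm != ALLOWED_ROOT and not norm.startswith(ALLOWED_ROOT + "/"):
                findings.append(f"filesystem entry outside {ALLOWED_ROOT}: {p!r}")

    budget = cfg.get("provider_settings") or {}
    values = {}
    for key in BUDGET_KEYS:
        v = budget.get(key)
        if isinstance(v, bool) or not isinstance(v, (int, float)) or v <= 0:
            findings.append(f"{key} missing or not a positive number")
        else:
            values[key] = v
    if len(values) == 2 and values["per_task_usd_limit"] > values["monthly_usd_limit"]:
        findings.append("per_task_usd_limit exceeds monthly_usd_limit")
    return findings

# Constructed sample inputs: the guide's config and a deliberately weak variant.
GOOD = json.loads('{"permissions": {"filesystem": ["/app/workspace"], "shell_execute": false},'
                  ' "provider_settings": {"monthly_usd_limit": 25, "per_task_usd_limit": 2}}')
WEAK = json.loads('{"permissions": {"filesystem": ["/app/workspace/../..", "/root/.ssh"],'
                  ' "shell_execute": true}, "provider_settings": {"per_task_usd_limit": 2}}')

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_config(cfg) or "ok")
```

The check reads the config text only; host paths mounted into the container have to be reviewed separately in the Docker invocation.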