{"id":44494233,"url":"https://github.com/centminmod/explain-openclaw","last_synced_at":"2026-06-16T03:04:29.681Z","repository":{"id":335909080,"uuid":"1147414325","full_name":"centminmod/explain-openclaw","owner":"centminmod","description":"Multi-AI documentation for OpenClaw: architecture, security audits, deployment guide","archived":false,"fork":false,"pushed_at":"2026-04-05T04:46:45.000Z","size":7194,"stargazers_count":184,"open_issues_count":31,"forks_count":24,"subscribers_count":2,"default_branch":"master","last_synced_at":"2026-04-05T06:29:36.945Z","etag":null,"topics":["clawdbot","clawdbot-security","clawhub","moltbolt-security","moltbook","moltbook-security","moltbot","openclaw","openclaw-security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/centminmod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-01T17:54:54.000Z","updated_at":"2026-04-05T04:46:50.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/centminmod/explain-openclaw","commit_stats":null,"previous_names":["centminmod/explain-openclaw"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/centminmod/explain-openclaw","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fexplain-openclaw","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fexplain-openclaw/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fexplain-openclaw/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fexplain-openclaw/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/centminmod","download_url":"https://codeload.github.com/centminmod/explain-openclaw/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/centminmod%2Fexplain-openclaw/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34388677,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-16T02:00:06.860Z","response_time":126,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["clawdbot","clawdbot-security","clawhub","moltbolt-security","moltbook","moltbook-security","moltbot","openclaw","openclaw-security"],"created_at":"2026-02-13T05:00:20.134Z","updated_at":"2026-06-16T03:04:29.671Z","avatar_url":"https://github.com/centminmod.png","language":null,"funding_links":[],"categories":["Security","Security \u0026 Hardening","🎓 Learning Resources"],"sub_categories":["Security Research","Security Resources"],"readme":"\u003cp align=\"center\"\u003e\n    \u003cpicture\u003e\n        \u003cimg src=\"logo3a.png\" srcset=\"logo3a.png 1x, logo3.png 2x\" alt=\"OpenClaw\" width=\"440\"\u003e\n    \u003c/picture\u003e\n\u003c/p\u003e\n\n# Explain OpenClaw (formerly Moltbot/Clawdbot) - Integrated Beginner + Technical Guide\n\n\n## Table of contents\n\n- [What is OpenClaw? (plain English)](./01-plain-english/what-is-clawdbot.md)\n- [Glossary](./01-plain-english/glossary.md)\n- [CLI commands (plain English)](./01-plain-english/cli-commands.md)\n- [What is Moltbook?](./07-moltbook/what-is-moltbook.md)\n- [Threat model](./04-privacy-safety/threat-model.md)\n- [Hardening checklist](./04-privacy-safety/hardening-checklist.md)\n- [High privacy config example](./04-privacy-safety/high-privacy-config.example.json5.md)\n- [Detecting OpenClaw requests (for hosting services)](./04-privacy-safety/detecting-openclaw-requests.md)\n- [Architecture (technical)](./02-technical/architecture.md)\n- [Repo map](./02-technical/repo-map.md)\n- [Deployment: Standalone Mac mini](./03-deploy/standalone-mac-mini.md)\n- [Deployment: Isolated VPS](./03-deploy/isolated-vps.md)\n- [Deployment: Cloudflare Moltworker](./03-deploy/cloudflare-moltworker.md)\n- [Deployment: Docker Model Runner](./03-deploy/docker-model-runner.md)\n- [Commands + troubleshooting](./99-reference/commands-and-troubleshooting.md)\n- **Optimizations:**\n  - [Overview](./06-optimizations/README.md)\n  - [Resource usage analysis (CPU, memory, disk)](./06-optimizations/resource-usage.md)\n  - [Cost + token optimization](./06-optimizations/cost-token-optimization.md)\n  - [Model recommendations by function](./06-optimizations/cost-token-optimization.md#model-recommendations-by-function)\n- **Security documentation:**\n  - [`openclaw security audit` command reference](./08-security-analysis/security-audit-command-reference.md)\n  - [Official security advisories (CVEs/GHSAs)](./08-security-analysis/official-security-advisories.md)\n  - [Security audit analysis (Issue #1796)](./08-security-analysis/issue-1796-argus-audit.md)\n  - [Second security audit (Medium article)](./08-security-analysis/medium-article-audit.md)\n  - [Third security audit (ZeroLeeks AI Red Team)](./08-security-analysis/zeroleeks-audit.md)\n  - [Post-merge security hardening](./08-security-analysis/post-merge-hardening.md)\n  - [Open upstream security issues](./08-security-analysis/open-upstream-issues.md)\n  - [Open upstream security PRs](./08-security-analysis/open-upstream-prs.md)\n  - [Ecosystem security threats](./08-security-analysis/ecosystem-security-threats.md)\n  - [SecurityScorecard STRIKE report analysis](./08-security-analysis/securityscorecard-strike-report.md) *(Feb 2026, 28k+ exposed instances)*\n  - [Model poisoning and sleeper agent backdoors](./08-security-analysis/model-poisoning-sleeper-agents.md) *(Feb 2026 Microsoft research)*\n  - [Cisco AI Defense skill scanner analysis](./08-security-analysis/cisco-ai-defense-skill-scanner.md) *(Feb 2026, blog post + tool evaluation)*\n  - [Hudson Rock infostealer analysis](./08-security-analysis/hudson-rock-infostealer-analysis.md) *(Feb 2026, first confirmed config theft)*\n  - [Cline CLI supply chain attack (\"Clinejection\")](./08-security-analysis/cline-supply-chain-attack.md) *(Feb 2026, GHSA-9ppg-jx86-fqw7)*\n  - [ClawJacked attack (cross-origin WebSocket hijack)](./08-security-analysis/clawjacked-attack.md) *(Feb 2026, fixed in 2026.2.26)*\n- [AI model analysis comparison](./08-security-analysis/ai-model-analysis-comparison.md)\n- **Worst-case security scenarios:**\n  - [Overview](./05-worst-case-security/README.md)\n  - [Mac Mini risks](./05-worst-case-security/mac-mini-risks.md)\n  - [VPS risks](./05-worst-case-security/vps-risks.md)\n  - [Moltworker risks](./05-worst-case-security/moltworker-risks.md)\n  - [Cross-cutting vulnerabilities](./05-worst-case-security/cross-cutting.md)\n  - [ClawHub marketplace risks](./05-worst-case-security/clawhub-marketplace-risks.md) *(Feb 2026 campaign)*\n  - [Skills.sh risks](./05-worst-case-security/skills-sh-risks.md) *(supply chain)*\n  - [Prompt injection attacks](./05-worst-case-security/prompt-injection-attacks.md) *(30 examples + scope analysis)*\n  - [Misconfiguration examples](./05-worst-case-security/misconfiguration-examples.md)\n  - [Operational gotchas](./05-worst-case-security/operational-gotchas.md) *(Real-world usage patterns)*\n  - [AI self-misconfiguration](./05-worst-case-security/ai-self-misconfiguration.md)\n- **Social media coverage:**\n  - [Overview](./09-social-media-coverage/README.md)\n  - [Lex Fridman Podcast #491 — Peter Steinberger interview](./09-social-media-coverage/lex-fridman-interview.md)\n  - [Matthew Berman — Autonomous OpenClaw Workflow (16 chapters)](./09-social-media-coverage/matthew-berman-workflow.md)\n\n---\n\nThis folder is a **living knowledge base** for the OpenClaw framework — actively maintained documentation that has grown from an initial multi-model AI analysis into a broad reference covering security audits, deployment operations, threat intelligence, and beginner-friendly explanations.\n\n**What you'll find here:**\n\n| Section | What it covers |\n|---------|---------------|\n| **Plain English** | What OpenClaw is, glossary, \"explain it like I'm new\" |\n| **Technical** | Architecture deep-dive, repo map for contributors |\n| **Deployment** | **Mac mini** (local-first), **Isolated VPS** (remote + hardened), **Cloudflare Moltworker** (serverless), **Docker Model Runner** (local AI, zero API cost) |\n| **Privacy \u0026 Safety** | Threat model, hardening checklist, request fingerprint detection |\n| **Security Audits** | Independently verified audit analyses, CVE/GHSA tracking, upstream issue monitoring |\n| **Worst-Case Scenarios** | Attack catalogs, prompt injection examples, supply chain threats, incident response |\n| **Optimizations** | Resource usage analysis (CPU/memory/disk), cost/token reduction, model routing |\n| **AI Model Comparison** | Accuracy benchmarks across five AI models' analyses |\n| **Social Media Coverage** | YouTube interviews, podcasts, notable community content |\n\n**What started as** a synthesis of five AI models' analyses has expanded through continuous upstream tracking and independent code verification. It reconciles analyses from [Copilot GPT-5.2](./explain-clawdbot-copilot-gpt-5.2/), [Gemini 3.0 Pro](./explain-clawdbot-gemini-3.0-pro/), [GLM 4.7](./explain-clawdbot-glm-4.7/), [Opus 4.5](./explain-clawdbot-opus-4.5/), and [Kimi K2.5](./explain-clawdbot-kilocode-kimi-k2.5/) — with an [accuracy comparison](./08-security-analysis/ai-model-analysis-comparison.md) showing which models verified claims against source code and which accepted them at face value.\n\n\u003e **Repo docs + code win.** Model summaries are supporting material.\n\n---\n\n## What is OpenClaw? (30-second version)\n\nOpenClaw is a **self-hosted AI assistant platform**. You run an always-on process called the **Gateway** on a machine you control (a Mac mini at home or an isolated VPS). The Gateway connects to messaging apps (WhatsApp/Telegram/Discord/iMessage/… via built-in channels + plugins), receives messages, runs an agent turn (the “brain”), optionally invokes tools/devices, and sends responses back.\n\n**Key idea:** your **Gateway host** is the trust boundary. If it’s compromised (or configured too openly), your assistant can be turned into a data-exfil / automation engine.\n\nOfficial docs starting point:\n- https://docs.openclaw.ai/start/getting-started\n- https://docs.openclaw.ai/gateway\n- https://docs.openclaw.ai/gateway/security\n\n---\n\n## The four deployment scenarios this guide focuses on\n\n1) **Standalone Mac mini (local-first, high privacy)**\n- The Gateway runs on a Mac mini you own.\n- Default best practice: keep it **loopback-only** (`gateway.bind: \"loopback\"`) and access it locally.\n- Optional remote access should be via **SSH tunnels** or **Tailscale Serve**, not public ports.\n\n2) **Isolated VPS server (remote, locked down)**\n- The Gateway runs on a small Linux VPS.\n- **Fastest path:** [DigitalOcean 1-Click Deploy](./03-deploy/isolated-vps.md#11-digitalocean-1-click-deploy) pre-configures security hardening automatically.\n- Default best practice: keep it **loopback-only** and access it via **SSH tunnel** or **tailnet**.\n- Harden the host like any admin system (dedicated user, firewall, patching, log hygiene).\n\n3) **Cloudflare Moltworker (serverless, managed infrastructure)**\n- The Gateway runs inside Cloudflare's Sandbox SDK container on their global edge network.\n- No hardware to manage; automatic scaling and isolation.\n- Uses R2 for persistence, AI Gateway for model routing, Browser Rendering for web automation.\n- Proof-of-concept; requires Cloudflare Workers paid plan ($5/month minimum).\n\n4) **Docker Model Runner (local AI, zero API cost)**\n- Run LLMs locally via Docker Desktop's Model Runner.\n- Zero API costs after initial model download.\n- Complete privacy — no data leaves your machine.\n- Requires Docker Desktop 4.40+ and compatible hardware (Apple Silicon, NVIDIA GPU, or AMD GPU).\n\n---\n\n## Start here (recommended reading order)\n\n### 1) Plain English\n- [What is OpenClaw?](./01-plain-english/what-is-clawdbot.md)\n- [What is Moltbook?](./07-moltbook/what-is-moltbook.md)\n- [Glossary](./01-plain-english/glossary.md)\n\n### 2) Privacy + safety first (highly recommended)\n- [Threat model (beginner-friendly)](./04-privacy-safety/threat-model.md)\n- [Hardening checklist (high privacy)](./04-privacy-safety/hardening-checklist.md)\n- [High privacy config example](./04-privacy-safety/high-privacy-config.example.json5.md)\n- [Detecting OpenClaw requests (for hosting services)](./04-privacy-safety/detecting-openclaw-requests.md)\n\n---\n\n## Detecting OpenClaw Requests (for hosting services)\n\n\u003e **Purpose:** Documents how third-party services can identify HTTP requests originating from OpenClaw, and what OpenClaw users should know about their request fingerprint.\n\u003e\n\u003e **Read this if:** You run a hosting service/API and want to identify OpenClaw traffic, or you're an OpenClaw user who wants to understand what your instance reveals about itself.\n\n### Quick Reference: Identifiable Headers\n\n| Request type | Header | Value | Detectable? |\n|---|---|---|---|\n| Media file fetches | `User-Agent` | `OpenClaw-Gateway/1.0` | Yes — explicitly names OpenClaw |\n| GitHub API (signal-cli install) | `User-Agent` | `openclaw` | Yes — explicitly names OpenClaw |\n| Anthropic OAuth API | `User-Agent` | `openclaw` | Yes — explicitly names OpenClaw |\n| Perplexity/OpenRouter API | `HTTP-Referer` | `https://openclaw.ai` | Yes — domain identifies OpenClaw |\n| Perplexity/OpenRouter API | `X-Title` | `OpenClaw` / `OpenClaw Web Search` | Yes — explicitly names OpenClaw |\n| MiniMax VLM API | `MM-API-Source` | `OpenClaw` | Yes — custom header |\n| ACP protocol | `clientInfo.name` | `openclaw-acp-client` | Yes — protocol-level identification |\n| WebFetch (browsing websites) | `User-Agent` | Chrome browser string | No — indistinguishable from real browser |\n| Brave Search API | *(no custom UA)* | Default fetch UA | Weak — Node.js fetch fingerprint only |\n| xAI Grok API | *(no custom UA)* | Default fetch UA | Weak — Node.js fetch fingerprint only |\n\nThe full analysis includes source code references, Cloudflare WAF rules (with regex examples for Business/Enterprise), and a guide for placing Cloudflare as a reverse proxy in front of your Gateway with inbound header protection: [Detecting OpenClaw Requests](./04-privacy-safety/detecting-openclaw-requests.md)\n\n---\n\n### 3) Technical overview (how it works)\n- [Architecture (Gateway → channels → agent → tools)](./02-technical/architecture.md)\n- [Repo map (where to look in code)](./02-technical/repo-map.md)\n\n### 4) Deployment runbooks\n- [Standalone Mac mini (local-first)](./03-deploy/standalone-mac-mini.md)\n- [Isolated VPS (remote + locked down)](./03-deploy/isolated-vps.md)\n  - [DigitalOcean 1-Click Deploy](./03-deploy/isolated-vps.md#11-digitalocean-1-click-deploy) *(recommended)*\n- [Cloudflare Moltworker (serverless)](./03-deploy/cloudflare-moltworker.md)\n- [Docker Model Runner (local AI, zero cost)](./03-deploy/docker-model-runner.md)\n\n### 5) Reference\n- [Commands + troubleshooting quick reference](./99-reference/commands-and-troubleshooting.md)\n\n---\n\n## Quick start (safe-ish defaults)\n\nThe repo strongly recommends using the onboarding wizard; it sets up:\n- a working Gateway service (launchd/systemd)\n- auth/provider credentials\n- safe access defaults (pairing, token)\n\n### Install\n\nRecommended installer:\n\n```bash\ncurl -fsSL https://openclaw.ai/install.sh | bash\n```\n\nAlternative:\n\n```bash\nnpm install -g openclaw@latest\n```\n\n### Onboard + install background service\n\n```bash\nopenclaw onboard --install-daemon\n```\n\n### Verify\n\n```bash\nopenclaw gateway status\nopenclaw status\nopenclaw health\n```\n\n### Security audit\n\nThree levels of security auditing:\n\n```bash\n# Read-only scan of config + filesystem permissions (no network calls)\nopenclaw security audit\n\n# Everything above + live WebSocket probe of the running gateway\nopenclaw security audit --deep\n\n# Apply safe auto-fixes first, then run full audit to show remaining issues\nopenclaw security audit --fix\n```\n\n| Flag | What it adds | Modifies system? |\n| ------ | ------------- | ----------------- |\n| *(none)* | Scans config, filesystem permissions, channel policies, model hygiene, plugin trust, attack surface summary (50+ check IDs across 12 categories) | No — read-only |\n| `--deep` | All base checks + live WebSocket probe of running gateway (5 s timeout), verifies auth handshake | No — read-only probe |\n| `--fix` | Applies safe fixes **before** running the full audit: `chmod 600/700` on state/config/credentials, flips `groupPolicy open→allowlist`, sets `logging.redactSensitive off→\"tools\"`. Report shows remaining issues post-fix | Yes — safe defaults only; no destructive changes |\n\n\u003e **Note:** `--fix` runs the fix pass **before** the audit (`src/cli/security-cli.ts:46`), so the report you see reflects the hardened state. Any findings that remain are issues `--fix` cannot auto-resolve.\n\nIf you only do one security thing, do this:\n\n```bash\nopenclaw security audit --fix\n```\n\nSee the [full command reference](./08-security-analysis/security-audit-command-reference.md) for what each check covers, what `--fix` changes, and which documented issues the audit can and cannot detect.\n\n(Security audit docs: \u003chttps://docs.openclaw.ai/gateway/security\u003e)\n\n---\n\n## How to think about OpenClaw (beginner mental model)\n\nOpenClaw is easiest to understand as 6 layers:\n\n1. **Gateway (control plane)** — one long-running process that owns:\n   - message ingress/egress\n   - sessions + transcripts\n   - routing rules\n   - plugin loading\n   - tool execution policy + sandboxing\n   - node/device pairing and invocations\n\n2. **Channels** — adapters from Telegram/WhatsApp/etc. into a normalized message/event shape.\n\n3. **Routing + sessions** — decides which “agent/session” handles which chat.\n\n4. **Agent runtime** — takes context (system prompt + history + attachments), calls your chosen model provider, streams responses, and can request tools.\n\n5. **Tools** — optional capabilities beyond text (web fetch/search, browser control, exec, cron, nodes/devices).\n\n6. **Surfaces** — where you interact:\n   - chat apps (WhatsApp/Telegram/…)\n   - Control UI dashboard (web)\n   - macOS menu bar app\n\nThis matters because your security choices mostly reduce to:\n- **Who can trigger the agent?** (pairing + allowlists + group policies)\n- **What can the agent do once triggered?** (tools/sandboxing/nodes)\n- **What can the agent reach?** (network exposure, filesystem access, accounts)\n\n---\n\n## FAQ (Beginner → Intermediate → Advanced)\n\nThis FAQ is intentionally long and practical; it’s the “things you’ll actually Google at 2am.”\n\n### Beginner FAQ\n\n#### Q: What should I install this on: my laptop, a Mac mini, a VPS, or Cloudflare?\n- **Mac mini (recommended for most privacy-first users):** always-on, easy local access, no cloud exposure by default.\n- **VPS (recommended for always-on + remote access):** great uptime, but higher security responsibility. [DigitalOcean 1-Click](./03-deploy/isolated-vps.md#11-digitalocean-1-click-deploy) handles hardening automatically.\n- **Cloudflare Moltworker (low-maintenance serverless):** no hardware to manage, pay-as-you-go, but proof-of-concept status.\n- **Docker Model Runner (maximum privacy + zero cost):** run local LLMs via Docker Desktop for complete privacy and no API fees. Requires Apple Silicon, NVIDIA, or AMD GPU.\n- **Laptop (okay for learning/dev):** simplest to start, but sleeps often and you may be tempted to expose it.\n\nSee runbooks:\n- [Mac mini](./03-deploy/standalone-mac-mini.md)\n- [VPS](./03-deploy/isolated-vps.md)\n- [Cloudflare Moltworker](./03-deploy/cloudflare-moltworker.md)\n- [Docker Model Runner](./03-deploy/docker-model-runner.md)\n\n#### Q: Is OpenClaw \"an AI model\" like ChatGPT?\nNo. OpenClaw is a **self-hosted assistant platform** that *talks to* models (Anthropic/OpenAI/etc.) and *wraps them* with routing, sessions, tools, and chat integrations.\n\n#### Q: What runs on my machine?\nThe main always-on process is the **Gateway** (default port **18789**) which multiplexes:\n- a WebSocket control plane\n- the dashboard/control UI (HTTP)\n- optional HTTP endpoints (OpenAI-compatible APIs)\n\nSee: https://docs.openclaw.ai/gateway\n\n#### Q: Where is my data stored?\nBy default, OpenClaw stores state under `~/.openclaw/` (or `~/.openclaw-\u003cprofile\u003e/` for profiles). This includes config, credentials, and session transcripts.\n\nSee: https://docs.openclaw.ai/gateway/security (\"Credential storage map\")\n\n#### Q: Does OpenClaw have telemetry?\nThis repo's positioning is local-first control. Still, your chosen **model provider** will receive whatever text/media is sent to it for inference, unless you run a local model.\n\n#### Q: What’s the safest first setup?\n- Run on a **single-user machine** you control (Mac mini).\n- Keep the Gateway **loopback-only**.\n- Use **pairing/allowlists** so only you can talk to it.\n- Don’t enable powerful tools until you understand the blast radius.\n\nUse the wizard:\n\n```bash\nopenclaw onboard --install-daemon\n```\n\n#### Q: I opened the dashboard and it says \"unauthorized\" or keeps reconnecting\nThe Gateway likely has auth enabled and the UI is missing the token/password.\n\nFast fixes:\n- Run `openclaw dashboard` (it prints a tokenized URL).\n- If remote: bring up an SSH tunnel first:\n  ```bash\n  ssh -N -L 18789:127.0.0.1:18789 user@gateway-host\n  ```\n  then open `http://127.0.0.1:18789/?token=...`.\n\nSee: https://docs.openclaw.ai/help/faq (Control UI unauthorized)\n\n#### Q: What does “pairing” mean?\nPairing is owner approval for:\n- **DM pairing** (who can message the bot)\n- **device/node pairing** (which devices can connect)\n\nSee: https://docs.openclaw.ai/start/pairing\n\n---\n\n### Intermediate FAQ\n\n#### Q: What's the difference between `openclaw gateway` and `openclaw gateway restart`?\n- `openclaw gateway` runs the Gateway in the **foreground** in your terminal.\n- `openclaw gateway restart` restarts the **background service** (launchd/systemd).\n\nSee: https://docs.openclaw.ai/help/faq\n\n#### Q: What port does OpenClaw use?\n`gateway.port` controls the single multiplexed port for WebSocket + HTTP. Precedence is:\n\n```text\n--port \u003e OPENCLAW_GATEWAY_PORT \u003e gateway.port \u003e default 18789\n```\n\nSee: https://docs.openclaw.ai/help/faq\n\n#### Q: I want remote access. Should I set `gateway.bind: \"lan\"`?\nUsually no.\n\nPreferred patterns:\n- **Loopback + SSH tunnel** (universal)\n- **Loopback + Tailscale Serve** (best UX)\n\nOnly bind to LAN/tailnet when you understand the auth requirements.\n\nSee: https://docs.openclaw.ai/gateway/remote and https://docs.openclaw.ai/gateway/tailscale\n\n#### Q: Can I run multiple Gateways on one host?\nYes, but it’s usually unnecessary; one Gateway can run multiple channels and agents.\n\nIf you do, you must isolate:\n- config path (`OPENCLAW_CONFIG_PATH`)\n- state dir (`OPENCLAW_STATE_DIR`)\n- workspace (`agents.defaults.workspace`)\n- port (`gateway.port`)\n\nSee: https://docs.openclaw.ai/gateway/multiple-gateways\n\n#### Q: How do I see what OpenClaw is doing?\nUse:\n\n```bash\nopenclaw status --all\nopenclaw logs --follow\n```\n\nSee: https://docs.openclaw.ai/help/faq (log locations)\n\n---\n\n### Advanced FAQ\n\n#### Q: What’s the real security risk: “public bot”, prompt injection, or host compromise?\nAll three matter, but the practical order is:\n1) **Inbound access** (DM/group policies)\n2) **Tool blast radius** (exec/browser/web)\n3) **Network exposure** (bind modes, proxies, auth)\n4) **Host compromise** (OS hardening, keys, patching)\n\nSee: https://docs.openclaw.ai/gateway/security\n\n#### Q: How do plugins/extensions affect my threat model?\nPlugins run **in-process** with the Gateway. Treat them like installing arbitrary code.\n\nRecommendation:\n- only install plugins you trust\n- prefer pinned versions\n- keep an explicit allowlist if supported\n\nSee: https://docs.openclaw.ai/gateway/security (\"Plugins/extensions\")\n\n#### Q: If I want “maximum privacy”, do I need a local model?\nA local model is the strongest privacy posture because it avoids sending content to a third-party provider. However, it changes the safety profile: smaller/weak local models can be easier to prompt-inject and may handle tool policies worse.\n\nSee: https://docs.openclaw.ai/gateway/local-models\n\n#### Q: How do I make sure different people’s DMs don’t leak context to each other?\nConsider DM session isolation (multi-user mode) so each peer gets an isolated DM session, and use identity linking only where appropriate.\n\nFor multi-agent setups, each agent can also be scoped independently: per-agent sandbox isolation, tool allow/deny policies, and workspace access controls prevent one agent's context from leaking into another. See [per-agent access scoping](./04-privacy-safety/threat-model.md#per-agent-access-scoping-multi-agent-setups) for details.\n\nSee: https://docs.openclaw.ai/gateway/security (\"DM session isolation\") and https://docs.openclaw.ai/concepts/session\n\n---\n\n\u003e **See:** [`openclaw security audit` command reference](./08-security-analysis/security-audit-command-reference.md)\n\n---\n\n\u003e **See:** [Official Security Advisories (CVEs/GHSAs)](./08-security-analysis/official-security-advisories.md)\n\n---\n\n\u003e **See:** [Security audit analysis (Issue #1796)](./08-security-analysis/issue-1796-argus-audit.md)\n\n---\n\n\u003e **See:** [Second security audit (Medium article)](./08-security-analysis/medium-article-audit.md)\n\n---\n\n\u003e **See:** [Post-Merge Security Hardening](./08-security-analysis/post-merge-hardening.md)\n\n---\n\n\u003e **See:** [Open Upstream Security Issues](./08-security-analysis/open-upstream-issues.md)\n\n---\n\n\u003e **See:** [Open Upstream Security PRs](./08-security-analysis/open-upstream-prs.md)\n\n---\n\n\u003e **See:** [Ecosystem Security Threats](./08-security-analysis/ecosystem-security-threats.md)\n\n---\n\n\u003e **See:** [Cisco AI Defense Skill Scanner Analysis](./08-security-analysis/cisco-ai-defense-skill-scanner.md)\n\n---\n\n\u003e **See:** [Hudson Rock Infostealer Analysis](./08-security-analysis/hudson-rock-infostealer-analysis.md) — First confirmed case of commodity malware stealing OpenClaw config files (Feb 2026)\n\n---\n\n\u003e **See:** [Cline CLI Supply Chain Attack (\"Clinejection\")](./08-security-analysis/cline-supply-chain-attack.md) — Compromised Cline CLI v2.3.0 installed OpenClaw via postinstall hook; first real-world prompt injection → supply chain compromise (Feb 2026, GHSA-9ppg-jx86-fqw7)\n\n---\n\n\u003e **See:** [ClawJacked Attack](./08-security-analysis/clawjacked-attack.md) — Malicious websites brute-forced the local OpenClaw WebSocket by exploiting the loopback rate-limit exemption; gained admin access and silent device pairing in seconds. Fixed in 2026.2.26 (Feb 2026, Oasis Security)\n\n---\n\n## Worst-Case Security Scenarios\n\n\u003e **Purpose:** This section documents what can go wrong in the worst possible misconfiguration or compromise scenarios for each deployment type.\n\u003e\n\u003e **Read this if:** You're evaluating OpenClaw for sensitive use cases, want to understand the blast radius of potential failures, or need to build a threat model for your organization.\n\nSee the detailed breakdown in [05-worst-case-security/](./05-worst-case-security/).\n\n### Quick Reference: Deployment Risk Profiles\n\n| Deployment | Trust Boundary | Biggest Risk | Recovery Complexity |\n|------------|----------------|--------------|---------------------|\n| **Mac Mini** | Your hardware | Physical access, cloud sync | Medium (rotate keys) |\n| **VPS/1-Click** | Shared infra | Internet exposure, root compromise | High (rebuild VPS) |\n| **Moltworker** | Cloudflare | No egress filtering, R2 breach | Very High (no local control) |\n\n### Key Findings from Code Analysis\n\nBased on source code review of:\n- `src/gateway/net.ts` - Network binding with fallback chains\n- `src/gateway/auth.ts` - Authentication mechanisms\n- `src/agents/bash-tools.exec.ts` - Shell execution\n- `src/pairing/pairing-store.ts` - Credential storage\n- `src/security/audit.ts` - Security audit checks\n\n**Critical vulnerabilities if misconfigured:**\n\n1. **Silent binding fallback** - Loopback failure → 0.0.0.0 exposure (`src/gateway/net.ts:243-249`)\n2. **Dangerous auth flags** - `dangerouslyDisableDeviceAuth` bypasses device verification (`src/config/types.gateway.ts:120`)\n3. **No encryption at rest** - Credentials protected only by file permissions (0o600/0o700)\n4. **Egress-free Moltworker** - Sandbox can exfiltrate to any server\n\n### Scenario Documentation\n\n| Document | Coverage |\n|----------|----------|\n| [Overview](./05-worst-case-security/README.md) | Attack surface comparison, decision guide, severity levels |\n| [Mac Mini Risks](./05-worst-case-security/mac-mini-risks.md) | Physical access, cloud sync trap, silent network exposure |\n| [VPS Risks](./05-worst-case-security/vps-risks.md) | Internet exposure, multi-tenant risks, credential storage |\n| [Moltworker Risks](./05-worst-case-security/moltworker-risks.md) | Trust boundaries, egress filtering, R2 single point of failure |\n| [Cross-Cutting](./05-worst-case-security/cross-cutting.md) | Prompt injection, tool execution, channel tokens, supply chain |\n| [ClawHub Marketplace Risks](./05-worst-case-security/clawhub-marketplace-risks.md) | Skills marketplace supply chain, ClawHavoc campaign, social engineering |\n| [Prompt Injection Attacks](./05-worst-case-security/prompt-injection-attacks.md) | 30 attack examples with data exfiltration scenarios |\n| [Misconfiguration Examples](./05-worst-case-security/misconfiguration-examples.md) | 10 real mistakes with step-by-step fixes |\n| [Incident Response](./05-worst-case-security/incident-response.md) | Containment, credential rotation, recovery procedures |\n\n📚 **Key resource:** The [Prompt Injection Attacks](./05-worst-case-security/prompt-injection-attacks.md) guide (30 examples with defenses) is referenced throughout this documentation. If you read one security document beyond the threat model, read that one.\n\n---\n\n## Social Media OpenClaw Coverage\n\n\u003e **See:** [Social Media Coverage overview](./09-social-media-coverage/README.md)\n\n---\n\n\u003e **See:** [AI Model Analysis Comparison](./08-security-analysis/ai-model-analysis-comparison.md)\n\n---\n\n## Reporting Security Issues\n\nIf you discover a security vulnerability in OpenClaw:\n\n\u003e **Email:** security@openclaw.ai\n\u003e\n\u003e **Do NOT** post security vulnerabilities publicly (GitHub issues, Discord, social media) until the maintainers have had a reasonable window to respond.\n\u003e\n\u003e **What to include:**\n\u003e - OpenClaw version (`openclaw --version`)\n\u003e - Description of the vulnerability\n\u003e - Steps to reproduce\n\u003e - Logs or proof-of-concept (with secrets redacted)\n\u003e\n\u003e **Credit:** Responsible disclosures are credited in security advisories unless you request anonymity.\n\nSee the [Official Security Advisories](./08-security-analysis/official-security-advisories.md) page for previously disclosed CVEs/GHSAs.\n\n---\n\n## Official docs (high-signal links)\n\n- Getting started: https://docs.openclaw.ai/start/getting-started\n- Install: https://docs.openclaw.ai/install\n- Gateway (runbook): https://docs.openclaw.ai/gateway\n- Gateway security: https://docs.openclaw.ai/gateway/security\n- Remote access: https://docs.openclaw.ai/gateway/remote\n- Tailscale: https://docs.openclaw.ai/gateway/tailscale\n- Pairing: https://docs.openclaw.ai/start/pairing\n- Help / FAQ: https://docs.openclaw.ai/help/faq\n- Troubleshooting: https://docs.openclaw.ai/gateway/troubleshooting\n- External security guide: https://vibeproof.dev/blog/moltbot-security-setup-guide\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcentminmod%2Fexplain-openclaw","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcentminmod%2Fexplain-openclaw","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcentminmod%2Fexplain-openclaw/lists"}