Disclaimer: OpenClaw is a trademark of its owners. Qwayk is not affiliated with OpenClaw.
The quick version
OpenClaw is powerful because it can put an agent inside real inboxes (Slack/Discord/WhatsApp/etc.).
That’s also why it’s risky.
This is a simple checklist to reduce “I accidentally gave the internet a shell” outcomes.
If you’re about to connect OpenClaw to real tools, I’d run this checklist first.
What’s actually dangerous here
When you connect:
- untrusted inbound messages
- to an agent
- that can run tools (shell, browser automation, device actions)
…you have to assume someone will try to trick it.
The goal is not “perfect security”. The goal is to reduce the blast radius so one bad message can’t become an irreversible incident.
Checklist (do this in order)
1) Install from official sources only
Viral projects attract typosquats and clones.
- Only use official domains and the official GitHub org.
- Avoid random “installers”, forks, or extensions you don’t fully trust.
2) Keep the dashboard private (localhost by default)
If the web UI binds to the public internet, treat it like an incident.
- Bind to localhost unless you fully understand the auth model.
- If you need remote access, use a private tunnel (Tailscale / SSH), not public exposure.
3) Lock down who can talk to the agent
Default rule: unknown senders are untrusted.
- Use allowlists/pairing for DMs.
- Require mentions in group chats.
- Only allow a small number of groups at first.
4) Don’t allow “host shell from the inbox”
If someone can DM your bot and it can run arbitrary shell commands on the host, you’re one prompt-injection away from a bad day.
- Disable host shell execution for non-owner sessions.
- Prefer sandboxed execution for anything triggered by channels/groups.
- Keep “elevated” or approval-bypass modes off.
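
Steps 3 and 4 combined into one deny-by-default gate, as an added sketch that is not OpenClaw's or Qwayk's code. Every name in it (`Message`, `accept`, `decide`, the allowlists, the tool names) is hypothetical, and the sample IDs are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# All identifiers are hypothetical; the sample IDs are constructed.
OWNER = "u-owner"
ALLOWED_DM_SENDERS = {"u-owner", "u-alice"}  # paired / allowlisted DM senders
ALLOWED_GROUPS = {"g-ops"}                   # start with a small number of groups
HOST_TOOLS = {"host_shell"}                  # runs directly on the host
SANDBOX_TOOLS = {"sandbox_shell", "summarize"}


@dataclass(frozen=True)
class Message:
    sender: str
    channel: str                 # "dm" or "group"
    group: Optional[str] = None
    mentions_bot: bool = False
    elevated: bool = False       # asks for an approval-bypass mode


def accept(msg: Message) -> bool:
    """Step 3: unknown senders are untrusted; groups need allowlist + mention."""
    if msg.channel == "dm":
        return msg.sender in ALLOWED_DM_SENDERS
    if msg.channel == "group":
        return msg.group in ALLOWED_GROUPS and msg.mentions_bot
    return False  # unknown channel type: deny by default


def decide(msg: Message, tool: str) -> str:
    """Return 'deny', 'sandbox' or 'host' for a tool call triggered by msg."""
    if not accept(msg) or msg.elevated:
        return "deny"  # step 4: elevated / approval-bypass stays off
    if tool in HOST_TOOLS:
        # Step 4: host shell only for the owner's own DM session;
        # nothing triggered from a group reaches the host.
        if msg.sender == OWNER and msg.channel == "dm":
            return "host"
        return "deny"
    if tool in SANDBOX_TOOLS:
        return "sandbox"
    return "deny"  # unknown tool: deny by default
```

The property to check is that every path not explicitly allowed ends in `deny`, so a new channel type or tool name fails closed.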
5) Start with “read-only” behavior
Until you have real confidence:
- use the agent to observe and summarize,
- avoid writes,
- avoid automation that can spend money, publish content, or delete anything.
6) Assume secrets will leak if you paste them into chat
- Never paste API keys, OAuth tokens, cookies, or auth headers into any chat.
- Store secrets locally in `.env` files (or equivalent) and keep them out of git.
7) Treat browser automation as high risk
Browser tools can:
- click the wrong button
- exfiltrate data from a logged-in session

If you enable browser automation:
- start on throwaway accounts or test environments,
- keep a human watching until you trust it.
8) Keep receipts and logs (so you can prove what happened)
You want an audit trail for:
- what the agent attempted
- what actually changed
- what you verified afterwards
How Qwayk fits (if you want to do real API work safely)
OpenClaw is a runtime. Qwayk is a deterministic tool layer for APIs.
If you’re using an inbox-connected agent, Qwayk’s workflow is intentionally boring:
1) dry-run plan
2) review the plan
3) apply with explicit flags
4) verify and keep a receipt

Start here:
- Safety model
- Docs
- Tools library