GuidesSecurity

How to run OpenClaw's security audit (and read the results)

OpenClaw ships a built-in security audit. When to run it, what --deep and --fix do, and how to make sense of the findings.

July 17, 2026The Everpod team
The short answer

OpenClaw ships a built-in checkup: openclaw security audit. Run it with --deep after initial setup and again after any config or networking change. It inspects your real, running setup — exposure, access policies, permissions, risky flags — and reports findings by severity. Fix the criticals, understand the warnings, and rerun until the output holds no surprises.

Running it

openclaw security audit          # standard checkup
openclaw security audit --deep   # + probes the live Gateway
openclaw security audit --fix    # applies safe remediations
openclaw security audit --json   # machine-readable output

--deep is the one to make a habit of: beyond reading your config, it probes the running Gateway, so it can catch the gap between what you think is configured and what’s actually live — drift between config and runtime is one of the specific things the audit looks for. If OpenClaw runs in Docker, run the command inside the container (for example with docker compose exec), so it audits the environment the Gateway actually lives in.

--fix applies the safe subset of remediations automatically — tightening file permissions, restoring log redaction, flipping open policies to allowlists. It won’t redesign your setup, but it cleans up the mechanical findings in one move.

What it checks

Reading the results like an operator

Findings arrive with a severity and a structured check ID (things like gateway.trusted_proxies_missing). Three habits turn the output from noise into an actual security practice:

What a healthy result looks like

Not necessarily zero findings — a real setup often carries a couple of understood, documented notes. Healthy means: no criticals you haven’t fixed, no warnings you can’t explain in one sentence, and no drift between the config you wrote and the Gateway that’s running. That’s the bar we hold Everpod pods to — every pod is audited after provisioning, with any accepted finding justified in writing before handover — and it’s a perfectly achievable bar for a careful self-hoster too.

Don’t want to run it yourself?

Everpod hosts OpenClaw for you: a private, always-on cloud computer of your agent’s own — set up, secured, and backed up, with its software kept up to date. You bring your model key and say hello.

Request early access
$29/mo · your own model key · cancel anytime