What a safe OpenClaw hosting setup should include
A plain-language checklist for hosting an autonomous agent safely: private gateway, one agent per machine, pairing, pinned versions, backups, and audits.
Hosting an autonomous agent safely comes down to eight habits: keep the gateway off the open internet, give the agent a machine of its own, control who can message it, run it as an unprivileged user, pin your versions, guard your keys, back up (and practice restoring), and audit after every change. None are exotic — the discipline is doing all eight, permanently.
The checklist
This is the standard we’d want any OpenClaw setup held to — self-hosted or managed. It’s drawn from OpenClaw’s own security documentation and from operating pods ourselves; nothing here is theoretical.
1. The gateway is never on the open internet
The Gateway stays bound to loopback or a private network, with no public port. Remote access goes through something that authenticates you first — chat channels for daily use, an SSH tunnel or an identity-checking proxy for the dashboard. Why this rule is absolute.
2. One agent, one machine, one trust boundary
OpenClaw’s docs recommend one user and one trust boundary per gateway — preferably its own host. In practice: the agent gets a dedicated machine (VPS, spare box, or pod) that contains the agent and nothing else. Don’t share one gateway between people who shouldn’t read each other’s mail, and don’t make your personal laptop the boundary.
3. Whoever messages it is someone you chose
Inbound access is an allowlist question. Keep DM policy on pairing (unknown senders must present a time-limited code you approve) or allowlist (unknowns blocked outright), and in group channels require an explicit mention before the agent responds. An agent that answers anyone is an agent anyone can steer.
4. The agent doesn’t run as root
Run OpenClaw as an ordinary, unprivileged user — its own OS account, with file permissions locked down (OpenClaw’s guidance: config at 600, directories at 700). If the agent is manipulated into doing something destructive, the damage stops at that user’s edges. On a VPS, the same spirit applies to the machine: SSH by key only, password logins disabled.
5. Versions are pinned, upgrades are deliberate
Know exactly which OpenClaw version you run, upgrade on purpose (not whenever a “latest” tag moves), and keep plugins pinned too — the security audit specifically flags unpinned plugin installs. Agents are long-running and stateful; “surprise upgrade at midnight” is how a working setup becomes a mystery.
6. Keys and secrets stay out of reach
Your model key is money; channel tokens are identity. Keep secrets out of the agent’s reachable filesystem where possible, out of Git always, and set a spending cap with your model provider. Remember that the agent’s own memory and config are sensitive too — they travel with every copy of the state directory.
7. Backups exist, and you’ve restored one
Everything your agent is lives in its state directory — one folder, easy to back up. Turn on your host’s backups and do one practice restore; a backup you’ve never restored is a guess. Since backups contain the agent’s memory and secrets, deleting an agent properly means deleting its backups as well.
8. You audit after every change
OpenClaw ships the tool for this: openclaw security audit --deep checks exposure, access policies, dangerous flags, permissions, and more. Run it after setup, after any config or networking change, and before connecting anything new. Fix what it flags, or be able to say precisely why a finding is acceptable in your setup — “I don’t remember why that warning is there” is the answer that eventually costs you.
The honest meta-point
Reading this list once is easy. The actual security of a self-hosted agent is this list maintained — every upgrade, every config change, every new channel, for as long as the agent runs. That ongoing discipline is the real product of managed hosting: at Everpod, this checklist is our job, verified on every pod, so the part you hold is just the two things only you can hold — your model key and your conversations.