Is OpenClaw Secure? What You Need to Know
Is OpenClaw secure? A technical breakdown of OpenClaw's security model, what data it processes, where it goes, and how to harden a production deployment.
Security questions about AI agents are important and underasked. An AI agent with access to your files, browser, and messaging channels is a significant trust surface. Here's what you should actually know about OpenClaw and DenchClaw's security model.
What Data OpenClaw Touches
OpenClaw is an AI agent framework. In a DenchClaw deployment, it has access to:
File system access:
- ~/.openclaw-dench/workspace/: your workspace files, database, memory, documents
- Whatever other directories you grant access to via skills
Database access:
- workspace.duckdb: your CRM database with all contacts, deals, notes
Browser access:
- A copy of your Chrome profile — meaning the agent's browser is authenticated wherever your browser is authenticated
Messaging:
- Messages sent to and from connected channels (Telegram, WhatsApp, Discord, etc.)
AI API traffic:
- Prompts sent to cloud AI models (Claude, GPT-4) contain your queries and potentially CRM data in context
This is a significant access surface. Security consciousness is appropriate.
Where Data Leaves Your Machine
AI model API calls. If you're using cloud AI models (Claude, GPT-4), your prompts go to those providers. Prompts may contain customer names, deal notes, or other CRM data you include in context. This is the most significant data residency consideration.
Messaging channels. Messages you send via Telegram/WhatsApp transit those platforms' servers. The agent's responses are visible to those platforms.
Web enrichment. When the browser agent looks up information, those queries go to the web. The sites visited can observe the traffic.
Nothing else. DenchClaw itself doesn't send your data to Dench's servers. The DenchClaw code is open source and can be audited. There's no telemetry callback, no data collection endpoint.
The AI Model Privacy Trade-off
The most important security decision when configuring DenchClaw: which AI model to use.
Cloud models (Claude, GPT-4): Best quality. Your prompts leave your machine. The AI provider can see your queries. Anthropic and OpenAI have privacy policies that generally don't use API data for training, but review their current policies.
Local models (Ollama + Llama, Mistral): Lower quality on complex tasks. Your prompts never leave your machine. Zero external data exposure for the inference layer.
Configure in DenchClaw:
# Use local Ollama model
openclaw config set model ollama/llama3.1:70b
# For highest privacy, also disable web search
openclaw config set tools.web_search disabled
Hardening a DenchClaw Deployment
For local use (single user, personal machine):
Default security is adequate. Your machine's user account controls access. Enable FileVault (macOS) for full-disk encryption. Keep your OS and Node.js updated.
For VPS/server deployment:
# Use HTTPS - Nginx + Let's Encrypt
certbot --nginx -d crm.yourdomain.com
# Firewall - only expose necessary ports
ufw allow 22/tcp # SSH
ufw allow 443/tcp # HTTPS
ufw deny 19001 # Don't expose gateway directly
ufw enable
# Set API key for authentication
openclaw config set api.key "$(openssl rand -hex 32)"
# Don't run as root
useradd -m denchclaw
su denchclaw -c "npx denchclaw"
For team deployments:
- Use VPN for network-level access control
- Implement application-level authentication
- Regular backups to encrypted offsite storage
- Audit logs: ~/.openclaw-dench/workspace/logs/
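A way to check the VPS hardening steps above after deployment, as an added example that is not DenchClaw's own code: it verifies that nothing listens on gateway port 19001 beyond loopback, that the workspace directory is closed to group and other, and that no agent process runs as root. The port and workspace path come from this page; the loopback-only expectation and the process-name match on "openclaw"/"denchclaw" are assumptions.

```shell
#!/bin/sh
# Added example (not DenchClaw code): post-deployment checks for the VPS steps.
# Assumptions: gateway port 19001 and the workspace path come from this page;
# matching processes by the names "openclaw"/"denchclaw" is a guess.
GATEWAY_PORT=19001
WORKSPACE="$HOME/.openclaw-dench/workspace"

# stdin: `ss -ltn` lines. Prints each non-loopback address listening on the
# gateway port; exit status 1 if any was found.
exposed_gateway_listeners() {
    awk -v port="$GATEWAY_PORT" '
        {
            n = split($4, parts, ":")            # $4 = Local Address:Port
            if (parts[n] != port) next
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") next
            print host; bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Exit status 0 only if $1 is a directory with no group/other permission bits.
workspace_is_private() {
    [ -d "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# stdin: `ps -e -o user= -o args=` lines. Prints agent processes owned by root;
# exit status 1 if any was found. The [o]/[d] brackets keep this awk process
# from matching its own command line in a live ps listing.
root_agent_processes() {
    awk '$1 == "root" && /[o]penclaw|[d]enchclaw/ { print; bad = 1 }
         END { exit (bad ? 1 : 0) }'
}

# Live run: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    rc=0
    ss -ltn | exposed_gateway_listeners \
        || { echo "FAIL: port $GATEWAY_PORT listens beyond loopback"; rc=1; }
    workspace_is_private "$WORKSPACE" \
        || { echo "FAIL: $WORKSPACE missing or readable by group/other"; rc=1; }
    ps -e -o user= -o args= | root_agent_processes \
        || { echo "FAIL: agent process running as root"; rc=1; }
    exit "$rc"
fi
```

The listener check is stricter than the ufw rule: a gateway bound to 0.0.0.0 is reported even while the firewall blocks the port, since a later rule change would expose it.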
Known Security Limitations
No built-in user authentication. DenchClaw doesn't have login/password management. Access control is at the network level. If someone can reach your DenchClaw URL, they can use it.
No row-level data isolation. All users with access see all data. For teams with sensitive data that needs separation, build application-level controls or use separate instances.
Browser session exposure. The browser agent operates with your Chrome profile's cookies. If someone compromises your DenchClaw instance, they have browser access. Keep your DenchClaw instance's access tightly controlled.
Prompt injection risk. AI agents can be manipulated by content in the data they process. A maliciously crafted contact note could potentially influence agent behavior. DenchClaw runs in a sandboxed environment and has explicit safety guidelines, but no prompt injection prevention is perfect.
What DenchClaw Does to Limit Exposure
Safety rules. The agent won't: exfiltrate data to external parties, send messages without explicit instruction, take irreversible destructive actions without confirmation.
Explicit permission model. Skills declare what they access. You can review what each skill does before using it.
Open source auditability. Every line of code is on GitHub. You can audit what the agent does with your data.
No mandatory cloud telemetry. DenchClaw doesn't call home with usage data. Installation is local and complete.
For the full security comparison with SaaS CRMs, see are open source CRMs secure. For the full product overview, see what is DenchClaw.
Frequently Asked Questions
Can DenchClaw read my personal emails?
Only if you connect Gmail and explicitly ask it to. The Gmail skill requires setup and explicitly reads mail when you instruct it. It doesn't background-scan your inbox.
Does DenchClaw send my CRM data to Dench's servers?
No. DenchClaw is open source — you can verify there's no data callback in the code. The only external traffic is AI API calls and any web enrichment you initiate.
How do I completely air-gap DenchClaw?
Configure a local AI model only, disable web search, and disable all cloud integrations. Run on an isolated network. In this configuration, no data leaves your machine.
Is DenchClaw safe to use for HIPAA-protected health information?
Not without additional controls. HIPAA requires specific technical safeguards, business associate agreements with vendors, and audit logging. DenchClaw can be configured to meet technical requirements, but you need a formal assessment.
What should I do if I suspect my DenchClaw instance has been compromised?
Stop the gateway immediately (openclaw gateway stop), change your API key, review audit logs in ~/.openclaw-dench/workspace/logs/, revoke any messaging channel tokens, and assess what data may have been accessed.
