The OpenClaw security crisis produced one useful thing: clarity about what AI agent security actually requires. Before January 2026, "AI agent security" was a vague concern. After March, it was a checklist.
This isn't theoretical. Every item on this list corresponds to a real vulnerability that was exploited in the wild during Q1 2026.
Network Exposure
1. Check your bind address.
```bash ss -tlnp | grep -E "(zeroclaw|openclaw|ollama)" ```
If any AI service is listening on 0.0.0.0 (all interfaces), it's accessible from the internet if your machine has a public IP. Change to 127.0.0.1 immediately.
OpenClaw's default bind address was 0.0.0.0. This single default was responsible for 42,000+ exposed instances. ZeroClaw defaults to 127.0.0.1.
2. Scan for exposed ports.
From outside your network (use a VPS or a service like Shodan):
```bash nmap -p 3000,11434,8080 your-public-ip ```
Port 3000 (common agent UI), 11434 (Ollama), and 8080 (common web interface) should not be accessible externally unless you've explicitly configured access with proper authentication.
3. Use a reverse proxy with authentication.
If you need remote access, put your agent behind nginx or Caddy with proper authentication. Never expose the agent directly.
Authentication and Tokens
4. Rotate all API keys and tokens.
If your agent has been running with the same API keys since initial setup, rotate them now. The ClawHub attack harvested environment variables — any key that was accessible to the agent process should be considered potentially compromised if you ever installed a third-party skill.
5. Check token expiration.
OpenClaw used bearer tokens with no expiration. A stolen token remained valid forever. ZeroClaw uses gateway pairing with session-limited tokens. If you're on OpenClaw, check whether your authentication tokens expire and rotate them on a schedule.
6. Separate credentials by scope.
Don't give your agent a single API key with full access to everything. Create scoped credentials: a read-only key for the knowledge base, a write key for the specific service the agent needs to modify, separate keys for each integration.
Skills and Extensions
7. Audit installed skills.
```bash # For OpenClaw: openclaw skills list
# Check each against known-malicious lists: # github.com/koi-security/clawhavoc-indicators ```
For ZeroClaw: review the tools section of your config.toml. Every tool listed there has the permissions granted in its configuration block — verify each one is intentional.
8. Remove skills you don't actively use.
Every installed skill is attack surface. If you installed "solana-wallet-tracker" six months ago and never used it, remove it. Unused skills are the digital equivalent of leaving a window open "because we might want fresh air later."
9. Verify skill sources.
For OpenClaw: check the author of each installed skill. Verify they have a legitimate GitHub profile with a history predating the skill publication. ClawHavoc used newly created accounts.
For ZeroClaw: this concern doesn't apply — there's no marketplace to install from.
Permissions and Sandboxing
10. Review filesystem access.
What files and directories can your agent access? OpenClaw skills have full filesystem access by default. ZeroClaw uses deny-by-default allowlists.
```bash # Check ZeroClaw's file access config: grep -A 5 "\[tools\." ~/.zeroclaw/config.toml ```
Your agent should only access the directories it needs. A support chatbot doesn't need access to /etc/ssh. A coding assistant doesn't need access to your browser profile.
11. Review network access.
Can your agent make arbitrary network requests? If yes, a compromised agent can exfiltrate data to any endpoint. ZeroClaw's allowlist model restricts outbound connections to explicitly permitted endpoints.
12. Check process permissions.
What user does the agent run as? Running as root gives the agent (and any compromised skill) complete system access. Run agents as a dedicated low-privilege user.
```bash # Check: ps aux | grep zeroclaw # Should NOT show 'root' in the first column ```
Data Protection
13. Encrypt the memory database.
Your agent's memory contains every conversation you've had with it. If the machine is stolen or accessed by an attacker, unencrypted memory is a data leak.
ZeroClaw supports SQLCipher for at-rest encryption. Enable it in config.toml.
14. Review what's in environment variables.
```bash env | grep -iE "(key|token|secret|password|credential)" ```
Every environment variable visible to the agent process is accessible to every skill/tool the agent uses. Move sensitive credentials to a secrets manager or ZeroClaw's encrypted config storage.
Monitoring
15. Enable audit logging.
- •Every tool invocation (what tool, what parameters, what result)
- •Every external network request (destination, payload size)
- •Every file access (path, operation type)
- •Authentication events (successes and failures)
Feed these logs to your monitoring stack and set alerts for anomalous patterns: unusual outbound connections, unexpected file accesses, tool invocations at unusual hours.
The Quick Assessment
If you want a fast read on your agent's security posture, answer three questions:
- 1.**Is it reachable from the internet?** If yes, fix that first.
- 2.**Can a skill/tool access anything it wants?** If yes, add permission boundaries.
- 3.**Do you have logs that would show a breach?** If no, enable logging.
Those three questions, answered honestly, catch 90% of the vulnerabilities that were exploited in the OpenClaw crisis. The remaining 10% is the detailed checklist above.
Security isn't a state. It's a practice. Run this checklist quarterly, after any configuration change, and after installing any new extension. The ten minutes it takes is cheaper than the alternative.