The 12-Point OpenClaw Hardening Checklist (Detailed Guide)

The 12-point checklist every operator must complete before connecting OpenClaw to real capital. Each item maps to a documented 2026 incident.

Risk disclosure: Independent research finds 70–84% of Polymarket traders lose money (Sergeenkov, April 2026; Akey et al., SSRN, March 2026). Forex CFDs: 70–85% retail loss rate. Binary options: 80%+ in most jurisdictions. AI agents don't change these baselines.

If you've decided OpenClaw is worth the risk for your trading workflow, this is the minimum bar to clear before connecting it to real capital. Every item on this checklist maps to a documented 2026 incident or a known failure mode. None of them are optional. None of them are paranoid.

We'll walk through all 12 points in order, with explanations of why each one exists, the configuration commands or settings to enable them, and the failure mode they prevent. Print this guide and check off each item before your first live trade.

TL;DR — The 30-second answer

  • Update to v2026.4.12+ (CVE-2026-25253 and CVE-2026-32922 patched).
  • Run on isolated VPS, never daily-driver.
  • Separate hot wallet capped to position size.
  • Audit every SKILL.md manually.
  • Bind Gateway to localhost; never expose port 18789.
  • API keys with no withdrawal permissions.
  • Paper trade 2–4 weeks before going live.
  • 5% daily loss hard kill-switch.
  • 1–2% position size cap in code.
  • Daily manual log review.
  • Telegram alerts on every trade + heartbeat.
  • Weekly CVE check.

The three operator rules that save accounts

These three numbers define your maximum bad day. Everything else is implementation.

Before the checklist, internalize three rules. They're the meta-rules that every other item below implements. Get these wrong and everything else is decoration.

  • Rule of 100%: if you can't afford to lose 100% of what's on this VPS overnight, the position is too big. Hot wallet = position size. Period.
  • Rule of 5%: daily loss limit is 5%, hard-coded, automatic halt. Not LLM-decided. Not negotiable. After hitting it, the bot stops and you investigate.
  • Rule of 1–2%: per-trade position size is 1–2% of capital. Hard-coded as a constant in your SKILL.md. The LLM should never have authority to choose size.

Point 1 — Update to v2026.4.12 or later

Why: CVE-2026-25253 (CVSS 8.8) and CVE-2026-32922 (CVSS 9.9) are patched only in v2026.1.29+ and v2026.3.11+ respectively. v2026.4.12 includes both plus the ARMO researcher's additional sandbox bypass fix.

How: npm install -g openclaw@2026.4.12. Pin the version — don't use @latest. Subscribe to github.com/openclaw/openclaw/security/advisories for new disclosures.

Point 2 — Run on isolated VPS, not daily-driver

Why: A compromised OpenClaw can read everything its user account can read. On your laptop, that's your browser cookies, your password manager, your hardware wallet pairing keys, your work email. On a VPS, it's just the VPS — which you've already accepted you can lose 100% of.

How: Hetzner CX22 (€4/month) or DigitalOcean Basic Droplet ($6/month). Fresh Ubuntu 24.04, dedicated user for OpenClaw, no other services running. See our VPS comparison.

Point 3 — Separate hot wallet, capped to position size

Why: Even with isolated VPS, a malicious skill can drain the wallet present on that VPS. Therefore the wallet should never hold more than the bot's max position. Cold storage (hardware wallet) lives on a different machine entirely — ideally a machine never connected to the internet during transactions.

How: Generate a new MetaMask seed phrase on a fresh browser profile on the VPS. Send only the bot's working capital. Refill manually from cold storage when the hot wallet drops below operating threshold. Never copy your main seed to the VPS.

Point 4 — Audit every SKILL.md manually

Why: ClawHavoc. 1,184 malicious skills got into the marketplace. Even with current VirusTotal scanning, novel attacks will slip through.

How: Before clawhub install, open the skill's GitHub source. Use the 60-second audit method. Look for the four red flags. If anything looks wrong, don't install.

Point 5 — Bind Gateway to localhost only

Why: CVE-2026-25253 exploited the Gateway via WebSocket. Even with the patch, you should not expose the Gateway to the internet.

How: openclaw config get gateway.bind should return 127.0.0.1. If you need remote access, use SSH port forwarding: ssh -L 18789:localhost:18789 user@vps. Never use --allow-external.
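The config value says what the Gateway was told to do; the socket table says what is actually listening. The following added example (not OpenClaw code) parses the output of `ss -tlnH` on Linux and returns any listener on port 18789 that is not bound to loopback. The function names and the sample output are constructed for illustration.

```javascript
// Added example (not OpenClaw code): find Gateway listeners reachable off-host.
// Input is the text output of `ss -tlnH` on Linux; SAMPLE_SS is constructed.
const GATEWAY_PORT = 18789;

function isLoopback(addr) {
  // Drop an interface suffix (%lo), IPv6 brackets and the IPv4-mapped prefix.
  const host = addr
    .replace(/%.*$/, "")
    .replace(/^\[|\]$/g, "")
    .replace(/^::ffff:/, "");
  return host === "::1" || /^127(\.\d{1,3}){3}$/.test(host);
}

function exposedGatewayListeners(ssOutput, port = GATEWAY_PORT) {
  const exposed = [];
  for (const line of ssOutput.split("\n")) {
    const cols = line.trim().split(/\s+/);
    if (cols.length < 5 || cols[0] !== "LISTEN") continue;
    const local = cols[3]; // "Local Address:Port" column
    const cut = local.lastIndexOf(":");
    if (cut < 0 || Number(local.slice(cut + 1)) !== port) continue;
    const addr = local.slice(0, cut);
    // 0.0.0.0, [::], * and any routable address all mean "not localhost only".
    if (!isLoopback(addr)) exposed.push(addr);
  }
  return exposed;
}

const SAMPLE_SS = [
  "LISTEN 0 4096       0.0.0.0:22     0.0.0.0:*",
  "LISTEN 0 511      127.0.0.1:18789  0.0.0.0:*",
  "LISTEN 0 511           [::]:18789     [::]:*",
].join("\n");

console.log(exposedGatewayListeners(SAMPLE_SS)); // listeners to fix, if any
```

An empty result means every listener on the Gateway port is loopback-only; anything else should be treated as a failed check for this point.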

Point 6 — API keys with no withdrawal permissions

Why: If your API key gets stolen, the attacker should not be able to move funds off the exchange. Every major exchange (Binance, Bybit, OKX, Kraken) lets you create API keys with trading permissions but not withdrawal permissions.

How: In each exchange's API key management: create a new key, enable "Spot Trading" or "Futures Trading" only, disable "Withdrawal," set IP whitelist to your VPS's IP. Test by attempting a withdrawal; it should fail.

Point 7 — Paper trade 2–4 weeks before live

Why: Most strategies that look great in backtest fail in live. The reasons range from latency, to slippage, to the strategy being curve-fit to the past, to the LLM hallucinating in production. Two to four weeks of paper trading surfaces almost all of these issues.

How: Use the broker's demo/testnet mode. Deriv has paper trading. Binance has testnet. Polymarket doesn't really, so simulate by tracking your would-be positions in a spreadsheet. Log every decision the LLM made. Review weekly.

Point 8 — 5% daily loss hard kill-switch

Why: Multiple documented cases of bots blowing up accounts in single days because a hallucination or a market move went unchecked. The single biggest predictor of long-term survival is preventing single-day catastrophes.

How: In your trading skill, compute daily P&L at the start of every order. If it is at -5% of starting capital or worse, close all positions and halt. This must be in code, not in the LLM's instructions. The LLM cannot be trusted to enforce its own kill-switch.

Point 9 — 1–2% position size, hard-capped

Why: Kelly criterion math says 1–2% is appropriate for strategies with realistic edge. Anything higher amplifies drawdowns. LLMs sometimes "want" to size larger after a win (recency bias from training data); don't let them.

How: In the trading skill: position_size = min(0.02 * capital, intended_size). The minimum operation means the LLM can size smaller but never larger than the cap.
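Points 8 and 9 belong in one piece of code that sits between the LLM's proposed order and the broker. The following is an added example, not OpenClaw's or any broker's API: RiskGate, approve and the closeAll callback are hypothetical names, and "capital" for the size cap is assumed to mean current equity.

```javascript
// Added example: hard risk gate between the LLM's proposal and the broker.
// RiskGate, approve and closeAll are hypothetical names, not OpenClaw APIs.
const DAILY_LOSS_LIMIT = 0.05; // Rule of 5%: halt at -5% of the day's starting capital
const MAX_POSITION_FRACTION = 0.02; // Rule of 1-2%: per-trade cap

class RiskGate {
  constructor(startingCapital, closeAll) {
    if (!(startingCapital > 0)) throw new Error("startingCapital must be positive");
    this.startingCapital = startingCapital;
    this.closeAll = closeAll; // callback that flattens all positions at the broker
    this.halted = false;
  }

  // Call before every order with current equity and the size the LLM asked for.
  approve(currentEquity, intendedSize) {
    if (this.halted) return { allowed: false, size: 0, reason: "halted" };
    // Fail closed: a missing or non-numeric value must never reach the broker.
    if (!Number.isFinite(currentEquity) || !Number.isFinite(intendedSize) || intendedSize <= 0) {
      return { allowed: false, size: 0, reason: "invalid input" };
    }
    const dailyPnl = (currentEquity - this.startingCapital) / this.startingCapital;
    if (dailyPnl <= -DAILY_LOSS_LIMIT) {
      this.halted = true; // latch: stays halted until an operator restarts the bot
      this.closeAll();
      return { allowed: false, size: 0, reason: "daily loss limit" };
    }
    // position_size = min(0.02 * capital, intended_size)
    const size = Math.min(MAX_POSITION_FRACTION * currentEquity, intendedSize);
    return { allowed: true, size, reason: "ok" };
  }
}
```

The halt is a latch with no reset method on purpose: once tripped, every later call is refused until a human investigates and restarts the process.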

Point 10 — Daily manual log review

Why: Bots fail silently. A small hallucination today becomes a position you don't understand tomorrow. Daily review catches these before they compound.

How: 10 minutes every morning. Check trades placed yesterday. Check the LLM's reasoning chain on each. Look for: trades that don't match the strategy intent, increasing position sizes, repeated failures with the same error, anything you don't immediately understand.
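A small pre-screen can surface two of those patterns, growing position sizes and the same error repeating, before you read the reasoning chains by hand. This is an added example and not part of OpenClaw: the JSON-lines log format and the field names event, size and error are hypothetical, and the sample log is constructed.

```javascript
// Added example (not OpenClaw code): pre-screen a trade log for two review
// patterns. The JSON-lines format and the field names (event, size, error)
// are hypothetical; SAMPLE_LOG is constructed.
function reviewLog(text, { streak = 3, errorRepeats = 3 } = {}) {
  const findings = [];
  const errorCounts = new Map();
  let run = 0; // orders in the current strictly increasing streak
  let prevSize = null;
  text.split("\n").forEach((line, i) => {
    if (!line.trim()) return;
    let rec;
    try {
      rec = JSON.parse(line);
      if (!rec || typeof rec !== "object") throw new Error("not an object");
    } catch {
      findings.push(`line ${i + 1}: unparseable entry`); // surface it, don't skip it
      return;
    }
    if (rec.event === "order" && Number.isFinite(rec.size)) {
      run = prevSize !== null && rec.size > prevSize ? run + 1 : 1;
      prevSize = rec.size;
      if (run === streak) findings.push(`line ${i + 1}: size grew across ${run} orders in a row`);
    } else if (rec.event === "error") {
      const n = (errorCounts.get(rec.error) || 0) + 1;
      errorCounts.set(rec.error, n);
      if (n === errorRepeats) findings.push(`line ${i + 1}: "${rec.error}" seen ${n} times`);
    }
  });
  return findings;
}

const SAMPLE_LOG = [
  '{"event":"order","size":100}',
  '{"event":"order","size":150}',
  '{"event":"error","error":"rate limit"}',
  '{"event":"order","size":220}',
  '{"event":"error","error":"insufficient balance"}',
  '{"event":"error","error":"insufficient balance"}',
  '{"event":"order","size":90}',
  '{"event":"error","error":"insufficient balance"}',
].join("\n");

console.log(reviewLog(SAMPLE_LOG).join("\n"));
```

The findings are only pointers to where to look; trades that don't match the strategy intent still need a human reading the log.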

Point 11 — Telegram alerts on every trade + heartbeat

Why: You won't be at your computer when something goes wrong. A Telegram bot that pings you on every trade gives you situational awareness; a heartbeat ping (every 1–2 hours "still alive") tells you when the bot has stopped — which can be just as serious as misfiring.

How: Use the bundled telegram skill. Configure your bot token and chat ID. In your trading skill, send a message after every order. Set up a cron job that sends "OpenClaw heartbeat" every 60 minutes if the bot is up.

Point 12 — Weekly CVE check

Why: OpenClaw is young software; new CVEs are likely. A quarterly check is too slow. A weekly check catches you up before disclosure windows close.

How: Every Monday morning, check github.com/openclaw/openclaw/security/advisories. Sign up for email alerts. For any new CVE with CVSS > 7, update within 24 hours.

Print this checklist. Pin it to the wall above your monitor. Tick each box before you fund the bot. Re-tick monthly. The single biggest predictor of who survives in retail bot trading is who follows their own checklist.

Frequently asked questions

Can I skip some of these for a small account?

No. The 12 points exist because each one has prevented a documented disaster. Skipping any of them is volunteering to be the next case study.

Are 12 points really necessary if my bot only places small trades?

Yes. A bot that places small trades while its credentials are being exfiltrated to attackers is more dangerous than one placing large trades, because the small trades hide the exfiltration.

What if my strategy needs >2% position sizing to work?

Then your strategy doesn't have enough edge to survive the variance. The Kelly criterion at realistic edge sizes is 1–2%. Higher means you're betting on a strategy you can't statistically defend.

How long does this checklist take to implement?

First time: about 4 hours including testing each item. Subsequent setups: 30 minutes. Maintain weekly: 30 minutes total per week.

Sources cited: The Hacker News (CVE-2026-25253 disclosure, Feb 2026); Conscia 2026 OpenClaw Security Crisis advisory; Snyk ToxicSkills study; Cyber Press ClawHavoc reporting; Wall Street Journal Polymarket profitability analysis (May 2026); Andrey Sergeenkov via The Defiant (April 2026); Akey, Grégoire, Harvie & Martineau, SSRN paper (March 2026); openclaw.ai official advisories; Peter Steinberger public statements on X; ARMO advisory on CVE-2026-32922; Kelly Criterion: Edward O. Thorp.