6-layer injection defense • Config auditing • Every decision explained
A complete deployment system for running OpenClaw on a self-hosted VPS with defense-in-depth security. Includes a 15-phase setup guide, a 6-layer prompt injection defense system, config auditing via ClawKeeper, monitoring scripts, and automated installers.
Not tied to any specific bot — deploy one bot or five, each gets the same hardened baseline.
Install the defense system on a running OpenClaw instance (no repo clone needed):
curl -fsSL -o defense-install.sh \
https://raw.githubusercontent.com/mj-deving/openclaw-hardened/main/src/defense/install.sh
bash defense-install.sh # Downloads defense modules from GitHub, installs plugins
bash ~/.openclaw/workspace/skills/security-defense/validate.sh # 12 tests, all should passFresh VPS? Full setup from scratch:
git clone https://github.com/mj-deving/openclaw-hardened.git && cd openclaw-hardened
sudo bash setup.sh # 13 steps: OS hardening → OpenClaw → systemd → monitoring
bash src/defense/install.sh # Defense Shield + ClawKeeper plugins
bash src/defense/validate.sh # Prove it worksPrerequisites: Ubuntu 22.04+ VPS, 2+ GB RAM, a Telegram account, an LLM provider credential.
A vanilla OpenClaw install trusts everything by default:
- No input scanning — prompt injection from any message source reaches the LLM unfiltered
- Supply chain exposure — community skills from ClawHub execute arbitrary code with no review
- Self-reconfiguration — the
gatewaytool can modify its own permission boundaries at runtime - No output filtering — leaked API keys, internal paths, PII pass through to users unchecked
This repo closes those gaps with code-enforced defense, not just model-level safety instructions.
| Layer | Mechanism | Prevents |
|---|---|---|
| OS hardening | Firewall, unattended upgrades, dedicated user | Privilege escalation, lateral movement |
| systemd sandbox | ReadOnlyPaths, NoNewPrivileges, ProtectSystem | File system compromise, persistence |
| Tool restrictions | tools.deny: [gateway, nodes] + exec.security: full |
Self-reconfiguration, unrestricted shell |
| Network isolation | Loopback-only gateway, egress filtering | Remote exploitation, data exfiltration |
| Identity hardening | DM pairing + system prompt security | Impersonation, prompt extraction |
| Defense Shield | 6-layer native plugin (5 hook events covering all 6 layers) | Injection, encoding attacks, credential leaks |
| ClawKeeper | Config auditing, drift detection, skill scanning | Config regression, supply chain, behavioral drift |
A 6-layer defense system runs as a native OpenClaw plugin, hooking into 5 gateway events to enforce real-time protection. Based on Matthew Berman's architecture, hardened against 20 findings from a STRIDE threat model.
| Layer | Hook | What It Does |
|---|---|---|
| L1: Sanitizer | message_received |
Unicode normalization, encoding detection (base64/hex/ROT13/stego), injection pattern matching, wallet flagging. All channels. |
| L2: LLM Scanner | message_received |
Nonce-delimited classifier (Haiku, ~$0.001/scan). High-risk channels only — skips trusted Telegram DMs. |
| L3: Outbound Gate | message_sending |
Catches leaked secrets (18 patterns), internal paths, exfil URLs, financial data. Pre-delivery enforcement. |
| L4: Redaction | message_sending |
Strips API keys, personal emails, phone numbers, dollar amounts before delivery. |
| L5: Governor | llm_input |
Spend/volume tracking, duplicate detection, circuit breaker per caller. |
| L6: Access Control | before_tool_call |
Path guards (30+ denied filenames), URL safety with DNS pinning, private IP blocking. |
162 tests covering real attack payloads from L1B3RT4S, P4RS3LT0NGV3, and TOKEN80M8 repos.
| Component | Description |
|---|---|
| GUIDE.md | 4,400+ line walkthrough — 15 phases from OS hardening to context engineering, with threat analysis and reasoning |
| Defense System | 6-layer TypeScript modules, native plugin, STRIDE threat model, 162 tests |
| ClawKeeper | Config auditing (9 domains, 49+ checks), drift monitoring, skill supply chain scanning |
| Reference docs | Security (2,600 lines), cost routing, identity, tools, known bugs |
| Installers | setup.sh (full VPS), install.sh (monitoring), defense/install.sh (defense + ClawKeeper, standalone or repo) |
| Monitoring | Health check (4-tier detection), ops playbook (12 diagnostics), backup, auto-update, binding verification |
| Config template | Annotated openclaw.json with security defaults |
| Validation | validate.sh — 12 attack payload tests proving the defense works |
setup.sh — Full VPS from scratch. Creates dedicated user, hardens OS, installs Node.js + OpenClaw, deploys config + systemd service, then delegates to install.sh for monitoring. 13 idempotent steps.
install.sh — Deploys monitoring on top of existing OpenClaw: config template, health check, ops playbook, backup, auto-update, logrotate.
src/defense/install.sh — Installs the defense system. Works standalone (downloads from GitHub) or from a repo checkout. Deploys Defense Shield plugin (all 6 defense layers) + ClawKeeper (config auditing). Idempotent, supports --dry-run, --uninstall, --remote HOST.
src/defense/validate.sh — Runs 12 attack payloads against the installed defense and reports PASS/FAIL. Works locally on VPS or via --remote HOST.
All installers are idempotent and never overwrite existing files. Use --dry-run to preview.
- Official docs: docs.openclaw.ai
- OpenClaw npm: npmjs.com/package/openclaw
- AI agents: Point your agent at AGENTS.md for machine-readable project context