Critical Security Warning
Why `auth: none` is the Most Dangerous OpenClaw Configuration
Over 30,000 OpenClaw instances are exposed to the public internet with authentication disabled.
What is `auth: none`?
`auth: none` disables authentication entirely. Combined with a bind to `0.0.0.0`, it means anyone who can reach your OpenClaw instance over the network can execute any skill without permission.
```yaml
# DANGEROUS CONFIGURATION
gateway:
  host: "0.0.0.0"   # listen on every interface, reachable wherever the host is
  port: 18789
  auth: none        # no authentication at all
```
With this configuration, an unauthenticated attacker who can reach the port can:
- Execute any skill without permission
- Access your API keys and credentials
- Drain your API credits and budget
- Read sensitive data from your files
Real-World Attacks (January 2026)
API Drain Attack
Attackers used exposed instances to execute expensive AI operations, draining API credits. One victim lost $12,000 in 48 hours.
Impact: 2,300+ instances affected | $340K+ in damages
Botnet Operation
Hijacked instances created a distributed AI botnet for password cracking and spam generation.
Impact: 5,100+ instances hijacked | Ongoing investigation
Data Exfiltration
A startup accidentally exposed an internal OpenClaw instance. Attackers accessed customer data, internal documents, and API keys.
Impact: 50,000+ records exposed | Company shutdown
Check If You're Vulnerable
Method 1: Check Config
```sh
# Check your config for auth: none (quotes and indentation vary, so match the key, not just the words)
grep -rnE '^[[:space:]]*auth:[[:space:]]*"?none"?' /path/to/openclaw/config/
# Also check what the gateway is bound to: 0.0.0.0 means every interface
grep -rnE '^[[:space:]]*host:[[:space:]]*"?0\.0\.0\.0"?' /path/to/openclaw/config/
# Any hit on the first grep means you're vulnerable; a hit on both means the
# instance is open to whoever can reach the host
```
Method 2: Test from External IP
Run this from a machine outside your network; a test from the host itself or from the LAN says nothing about internet exposure.

```sh
# From a different machine
curl -sS -m 5 http://YOUR_SERVER_IP:18789/health
# If you get a response WITHOUT authentication:
# {"status":"ok","version":"1.8.0"} ← VULNERABLE!
# Secure response:
# {"error":"Unauthorized"} ← GOOD!
# No response / connection refused: the gateway is not reachable from here,
# which is what a 127.0.0.1 binding should look like from outside.
```
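The two checks above combined into one script, as an added example (it is not OpenClaw's own tooling and not code from this page): it classifies every config file by whether authentication is off and whether the gateway is bound to all interfaces, and wraps the external probe so it prints only the HTTP status. The config layout, the `/health` endpoint and the file names are assumptions taken from the examples on this page; the sample configs are constructed for the demo, not captured from a real deployment.

```sh
#!/bin/sh
# Added audit helper for this page's two checks; not part of OpenClaw.
# Assumption: the gateway config is a YAML file with a `gateway:` block whose
# `host`, `port` and `auth` keys look like the examples on this page.

# True (exit 0) when the config disables authentication with `auth: none`.
# Quotes and indentation vary, so the key is matched rather than "auth.*none",
# which would also hit a comment such as `method: "api_key"  # was none`.
auth_is_none() {
    grep -Eq '^[[:space:]]*auth:[[:space:]]*"?none"?[[:space:]]*(#.*)?$' "$1"
}

# True when the gateway listens on every interface (0.0.0.0 or ::), i.e. it is
# reachable from wherever the host is reachable, not just from localhost.
binds_all_interfaces() {
    grep -Eq '^[[:space:]]*host:[[:space:]]*"?(0\.0\.0\.0|::)"?[[:space:]]*(#.*)?$' "$1"
}

# Classify one config file. Exit status: 2 = auth off and network-exposed,
# 1 = auth off but bound to localhost only, 0 = authentication configured.
classify_config() {
    if auth_is_none "$1"; then
        if binds_all_interfaces "$1"; then
            echo "CRITICAL $1: auth: none and bound to all interfaces"
            return 2
        fi
        echo "WARNING  $1: auth: none (localhost only; still unsafe on a shared host)"
        return 1
    fi
    echo "OK       $1: authentication configured"
    return 0
}

# Classify every *.yaml / *.yml in one directory; return the worst status seen.
audit_tree() {
    worst=0
    for f in "$1"/*.yaml "$1"/*.yml; do
        [ -e "$f" ] || continue
        rc=0
        classify_config "$f" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Probe a running gateway from another machine: prints the HTTP status of an
# unauthenticated GET /health. 200 means it answered without credentials,
# 401/403 is what a secured gateway should return, 000 means unreachable
# (what you want to see from the internet when host is 127.0.0.1).
probe_gateway() {
    curl -sS -m 5 -o /dev/null -w '%{http_code}' "http://$1:${2:-18789}/health" 2>/dev/null
}

# Constructed sample configs so the script can be exercised offline: the
# dangerous and the hardened gateway blocks from this page, plus a
# localhost-only variant with authentication still off.
write_sample_configs() {
    cat > "$1/dangerous.yaml" <<'EOF'
gateway:
  host: "0.0.0.0"
  port: 18789
  auth: none
EOF
    cat > "$1/local_noauth.yaml" <<'EOF'
gateway:
  host: "127.0.0.1"
  port: 18789
  auth: none
EOF
    cat > "$1/secure.yaml" <<'EOF'
gateway:
  host: "127.0.0.1"
  port: 18789
  auth:
    method: "api_key"
    api_key: "${OPENCLAW_API_KEY}"
EOF
}

# Demo against the constructed samples. On a real host, point audit_tree at
# your OpenClaw config directory and run probe_gateway from outside your network.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
audit_tree "$demo_dir" && echo "all configs OK" || echo "worst status: $?"
rm -rf "$demo_dir"
```

Exit status 2 from `audit_tree` is the case this page is about; treat a 1 as a to-do rather than a pass, because anything else running on the host can still reach loopback.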
How to Fix Immediately
Step 1: Enable API key authentication and bind the gateway to localhost. Binding to 127.0.0.1 takes the instance off the network; the API key protects it from anything that can still reach loopback on the same host.

```yaml
gateway:
  host: "127.0.0.1"   # bind to localhost only
  port: 18789
  auth:
    method: "api_key"
    api_key: "${OPENCLAW_API_KEY}"
```

Step 2: Generate a strong key (32 random bytes, printed as 64 hex characters).

```sh
openssl rand -hex 32
```

Step 3: Set the environment variable the config refers to. An `export` in an interactive shell lasts only for that session and is not seen by a service manager; if OpenClaw runs as a service, put the variable in the service's environment file (mode 0600) instead.

```sh
export OPENCLAW_API_KEY="your-generated-key-here"
```

Step 4: Restart OpenClaw so the new config and key take effect, then repeat the external check above to confirm the port no longer answers from outside.

```sh
openclaw restart
```
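The four steps above as one script, added here as an example; it is not OpenClaw's own tooling and not code from this page. It generates the key without echoing it to the terminal or shell history, stores it in an owner-only environment file instead of a transient `export`, renders the hardened config from this page, and refuses to proceed unless the result passes a check. Assumptions: the service loads the environment file (for instance via a systemd `EnvironmentFile=`), the config keys are as shown above, `openclaw restart` is the restart command (left as a comment), and the paths are illustrative.

```sh
#!/bin/sh
# Added remediation helper for this page's fix; not OpenClaw's own tooling.
# Assumption: the gateway reads the YAML shown on this page and the service
# picks OPENCLAW_API_KEY up from an environment file (e.g. systemd EnvironmentFile=).

# Generate a 256-bit key as 64 hex characters. Prefer openssl, as on this
# page; fall back to /dev/urandom so the script also works without it.
generate_api_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Write the key to an environment file readable only by its owner. A plain
# `export` in your shell is lost on logout and never reaches a service
# manager; this file is what the service should load. printf is a shell
# builtin, so the key does not show up in the process list.
write_env_file() {
    env_file="$1"; key="$2"
    ( umask 077; printf 'OPENCLAW_API_KEY=%s\n' "$key" > "$env_file" )
}

# Render the hardened gateway config from this page: bound to localhost,
# API-key auth, key taken from the environment rather than written in the file.
write_secure_config() {
    cat > "$1" <<'EOF'
gateway:
  host: "127.0.0.1"
  port: 18789
  auth:
    method: "api_key"
    api_key: "${OPENCLAW_API_KEY}"
EOF
}

# Verify before restarting: exit 0 only if auth is no longer `none`, the bind
# address is loopback, the env file holds a 64-hex-char key, and the file is
# not readable by anyone else.
verify_hardening() {
    config="$1"; env_file="$2"
    ! grep -Eq '^[[:space:]]*auth:[[:space:]]*"?none"?' "$config" || return 1
    grep -Eq '^[[:space:]]*host:[[:space:]]*"?127\.0\.0\.1"?' "$config" || return 1
    grep -Eq '^OPENCLAW_API_KEY=[0-9a-f]{64}$' "$env_file" || return 1
    [ "$(ls -l "$env_file" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Usage: harden_openclaw CONFIG_PATH ENV_FILE_PATH, then restart the service.
harden_openclaw() {
    key=$(generate_api_key)
    write_env_file "$2" "$key"
    write_secure_config "$1"
    verify_hardening "$1" "$2" || { echo "hardening check failed, not restarting" >&2; return 1; }
    echo "hardened: $1 (key in $2, mode 0600)"
    # openclaw restart   # Step 4, once the service loads $2 into its environment
}

# Demo in a scratch directory so this runs offline; use your real paths on a host.
demo=$(mktemp -d)
harden_openclaw "$demo/openclaw.yaml" "$demo/openclaw.env"
rm -rf "$demo"
```

The permission check in `verify_hardening` is deliberate: a key file that other local users can read turns the API key back into `auth: none` for everyone on that host.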