Security Guide
SmartClaw is built with an offline-first, highly private architecture. However, your setup is only as secure as the credentials you use. Follow these best practices for self-serve installation and daily use.
Secure Secret Storage
SmartClaw never stores your plaintext API keys in accessible files. We integrate directly with your operating system's native secure keystore (Windows Credential Manager and Apple Keychain).
Strong Account Recovery
Ensure you use a strong, unique password for the SmartClaw Web Dashboard. Enable two-step verification if you are linking cloud providers to synchronize settings between multiple devices.
Automation Permissions
If you grant SmartClaw the ability to execute terminal commands or control browser tabs (Agentic Mode), carefully review the explicitly granted permissions inside the app's Guardian tab.
Silent Auto-Updates Every 6 Hours
SmartClaw automatically updates OpenClaw and itself in the background — 3 minutes after startup, then every 6 hours. If a new version fails health checks, your previous configuration is automatically restored via rollback. No action required from you.
OpenClaw Runs Locally — Not Exposed to the Internet
OpenClaw binds exclusively to 127.0.0.1 (localhost). It cannot be reached from other devices on your network or the internet. No inbound firewall rules are needed. Remote access is only available when you explicitly enable it via the Remote Access panel.
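One way to check the loopback-only binding yourself, as an added example that is not SmartClaw or OpenClaw code: the Python below parses `netstat -an` output (Windows and macOS/Linux layouts) and reports any listener on a given port that is bound to a non-loopback address. The sample output and port 12345 are constructed placeholders; this page does not state which port OpenClaw uses.

```python
import ipaddress
import re

# Constructed sample of `netstat -an` output (Windows-style and macOS-style
# lines mixed); port 12345 is a placeholder, not OpenClaw's documented port.
SAMPLE = """\
  TCP    127.0.0.1:12345        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    [::1]:12345            [::]:0                 LISTENING
tcp4       0      0  127.0.0.1.12345        *.*                    LISTEN
tcp46      0      0  *.12345                *.*                    LISTEN
tcp4       0      0  192.168.1.20.12345     *.*                    ESTABLISHED
"""

def listeners(netstat_text, port):
    """Return the local bind addresses of TCP sockets listening on `port`."""
    found = []
    for line in netstat_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not tokens[-1].startswith("LISTEN"):
            continue
        # Windows prints the local address second; BSD/Linux netstat fourth.
        local = tokens[1] if tokens[0] == "TCP" else tokens[3]
        # The port follows the last ':' (Windows/Linux) or '.' (macOS).
        m = re.match(r"^(.*)[:.](\d+)$", local)
        if m and int(m.group(2)) == port:
            found.append(m.group(1).strip("[]"))
    return found

def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; wildcards and LAN addresses fail."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" or anything unparseable is treated as exposed
        return False

def exposed(netstat_text, port):
    """Bind addresses on `port` that are reachable from beyond localhost."""
    return [h for h in listeners(netstat_text, port) if not is_loopback(h)]

if __name__ == "__main__":
    print("listening on:", listeners(SAMPLE, 12345))
    print("exposed binds:", exposed(SAMPLE, 12345))
```

Feed it the real output of `netstat -an` and the port your OpenClaw instance uses; an empty result from `exposed` means every listener on that port is bound to loopback.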
Biometric App Lock (Mobile)
On Android and iOS, SmartClaw locks automatically when you leave the app. Fingerprint or Face ID is required to re-enter. API keys and session tokens are stored in an AES-encrypted file inside the app's private data directory — inaccessible to other apps on the device.
Encrypted Remote Access Tunnel
When you enable remote mobile access, SmartClaw creates a Cloudflare Tunnel with a randomly generated HTTPS URL that expires when the tunnel is stopped. The URL changes every session, and your OpenClaw auth token is still required for all API calls, so the URL alone cannot access your assistant.
End-to-End Encrypted Chat Sync
Cloud Chat Sync encrypts all conversation data on your device using AES-256-GCM before transmission. SmartClaw servers only ever see opaque ciphertext. Cross-device pairing uses a 6-digit PIN to securely transfer the encryption key via PBKDF2 key derivation.
Adaptive Learning — Local Only
SmartClaw's adaptive learning builds a local knowledge base of your preferences, corrections, and task patterns. This data lives exclusively in your local SQLite database and is never transmitted to any server, keeping your personal insights fully private.
Remote Access Security
By default, OpenClaw is not accessible from outside your machine. It listens only on 127.0.0.1. Remote access is opt-in and requires deliberate setup.
Cloudflare Tunnel — generates a random, ephemeral *.trycloudflare.com URL. TLS-encrypted by Cloudflare end-to-end. URL expires when you stop the tunnel.
Auth token required — the public URL alone is not enough to access your assistant. All requests must include OpenClaw's auth token.
Stop when not needed — close the tunnel from Dashboard → Remote Access when you no longer need mobile access. This immediately revokes the public URL.
The Local Advantage
If you choose to run models locally (e.g. Llama 3 on our built-in inference engine), zero conversation data ever leaves your machine. We do not track your prompts, collect telemetry on your messages, or sell metadata to advertisers.
When you connect to cloud providers via API keys (like OpenAI), your messages are transmitted directly from your computer to their servers over standard TLS. SmartClaw's own servers are never in the middle.