Free Tool
A six-question self-check for self-hosted OpenClaw. Answer honestly and get your exposure level plus the concrete fix for each gap. You never paste a secret or any config: it is a questionnaire that runs entirely in your browser, and your answers never leave your device.
OpenClaw is secure by default: it binds the gateway to loopback and requires a secret. The widely reported exposure problem is an opt-out problem. This self-check maps your setup to the known hardening steps from our guide on running OpenClaw securely for a team. Pick the option that honestly describes you today.
FAQ
Not usually by a bad default. OpenClaw binds its gateway to loopback and requires a secret out of the box. Exposure comes from opt-outs: binding the gateway to a public interface for remote access, setting allowInsecureAuth, or choosing a trivial secret. Security researchers observed tens of thousands of exposed instances in early 2026, with remote code execution among the most prevalent risks. This self-check walks through the specific opt-outs that cause it.
Because the gateway authenticates clients against one shared secret, whoever holds it can talk to every agent, trigger every tool, and read every session. There is no concept of who is calling, no per-agent access control, and a leaked secret compromises the whole installation rather than one account. For multiple users, delegate identity to an SSO-capable reverse proxy (trusted-proxy mode) or put a governance layer in front instead of sharing the secret.
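As an added illustration of the opt-outs above and of the shared-secret weakness, not code from OpenClaw or from Pinchy: a small Python check that rates a gateway configuration the way the self-check does. The `gateway`, `bind` and `secret` keys, the loopback default and the exposure thresholds are assumptions for the example; only `allowInsecureAuth` is named on this page.

```python
import ipaddress
import math
from collections import Counter

# Trivially guessable secrets (constructed list for the example).
WEAK_SECRETS = {"", "secret", "password", "changeme", "admin", "openclaw", "123456"}

def _is_loopback(host):
    """True for 127.0.0.1, ::1 or 'localhost'; anything else counts as reachable off-host."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # other hostnames: treat as non-loopback
        return False

def _entropy_bits(s):
    """Shannon entropy of the string in bits (per-character entropy times length)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) * n

def assess(config):
    """Return (exposure level, findings) for a config dict.

    Keys other than allowInsecureAuth are assumptions for this example.
    Each finding is (setting, problem, fix)."""
    gw = config.get("gateway", {})
    findings = []
    host = gw.get("bind", "127.0.0.1")        # assumed default: loopback only
    if not _is_loopback(host):
        findings.append(("bind", f"gateway listens on {host}, reachable off-host",
                         "bind to 127.0.0.1 and front it with a reverse proxy"))
    if gw.get("allowInsecureAuth", False):
        findings.append(("allowInsecureAuth", "insecure auth explicitly allowed",
                         "unset allowInsecureAuth so the secret stays mandatory"))
    secret = gw.get("secret", "")
    if secret.lower() in WEAK_SECRETS or len(secret) < 16 or _entropy_bits(secret) < 64:
        findings.append(("secret", "shared secret is trivial or short",
                         "generate a random secret of 32+ characters"))
    # One gap rates medium; two or more compound (e.g. public bind plus a weak
    # secret) and rate high. Thresholds are assumptions for this example.
    level = {0: "low", 1: "medium"}.get(len(findings), "high")
    return level, findings

# Constructed sample configurations for the two extremes.
SECURE_CONFIG = {"gateway": {"bind": "127.0.0.1",
                             "secret": "aB3dE5fG7hI9jK1mN2oP4qR6sT8uV0wX"}}
EXPOSED_CONFIG = {"gateway": {"bind": "0.0.0.0", "allowInsecureAuth": True,
                              "secret": "changeme"}}

if __name__ == "__main__":
    for name, cfg in (("secure", SECURE_CONFIG), ("exposed", EXPOSED_CONFIG)):
        level, findings = assess(cfg)
        print(name, "->", level, *[f"\n  {s}: {p}. Fix: {f}" for s, p, f in findings])
```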
No. It is a questionnaire that runs entirely in your browser with client-side JavaScript. You never paste secrets or configuration, your answers are never transmitted, and there is no sign-up. It only asks about your setup and maps your answers to known hardening steps.
Pinchy is the open-source governance layer for OpenClaw: it holds the gateway secret, adds per-user identity, allow-list permissions, and a signed audit trail. Free to self-host.
Or email us: info@heypinchy.com