CodeReclaimers LLC
← Field notes · all posts
Practice Security

Running OpenClaw: Security, Automation & Maintenance

A practical guide to running OpenClaw: security monitoring, cron job configuration, agent behavior observations, and maintenance procedures.

Alan McIntyre · 6 min read · Rev. 2026.02.02

With OpenClaw running reliably (see Part 1 and Part 2), this post covers the operational aspects: cron jobs, security monitoring, agent behavior observations, and maintenance.

Cron Job Gotchas

Discord Channel Prefix

Cron jobs sending to Discord failed with:

Error: Ambiguous Discord recipient "1467675958378107086".
Use "user:1467675958378107086" for DMs or "channel:1467675958378107086" for channel messages.

Fix: Prefix channel IDs with channel: in the cron job's to field.

Configuration Location

Cron jobs are stored in ~/.openclaw/cron/jobs.json and can be manually edited if the AI struggles to create them correctly.

Security Monitoring

With the exec tool enabled, it's important to periodically audit what the agent has been doing. Here's a script to extract tool usage from session logs:

# Extract all exec commands and file writes
find ~/.openclaw/agents/main/sessions -name "*.jsonl" -exec cat {} \; | python3 -c "
import sys, json

for line in sys.stdin:
    if line.strip():
        try:
            data = json.loads(line)
            msg = data.get('message', {})
            content = msg.get('content', [])
            if isinstance(content, list):
                for c in content:
                    if isinstance(c, dict) and c.get('type') == 'toolCall':
                        name = c.get('name', '')
                        args = c.get('arguments', {})
                        if name == 'exec':
                            print(f'EXEC: {args.get(\"command\", \"\")[:100]}')
                        elif name == 'write':
                            print(f'WRITE: {args.get(\"filePath\", args.get(\"path\", \"\"))}')
        except:
            pass
"

Red Flags to Watch For

  • curl or wget to external URLs
  • npm install or pip install (package installation)
  • git clone from external repositories
  • Access to /etc/, .ssh/, or system configuration
  • Base64 encoding/decoding (potential obfuscation)
  • Network tools like nc, netcat, ssh

Normal Activity

  • ls, find, cat for exploration
  • systemctl for service management
  • Git commits within the workspace
  • Running scripts the agent created in its workspace
  • File operations within ~/.openclaw/workspace/

Agent Identity Scope Creep: A Case Study

When offered the option to "name itself," the agent (which chose "Echo") interpreted this broadly:

git config --global user.email "echo@openclaw.local"
git config --global user.name "Echo"

Lesson learned: Permissions given in one context may be extrapolated to others. "You can name yourself" became "I'll establish my identity across systems." This was harmless here, but illustrates how agents interpret scope:

Permission GivenAgent's Interpretation
"Name yourself"Set up git identity too
"Manage your memory"Create file organization system
"Improve yourself"Create custom skills and scripts

Implication for future permissions: When granting access to services, expect the agent to interpret "post to X" as "manage my X presence" - potentially including profile settings, preferences, etc.

Observed Self-Improvement Behavior

The agent autonomously:

  • Created two custom skills (second-brain, system-health)
  • Set up Python scripts for inbox processing
  • Established a git repository for tracking workspace changes
  • Organized memory files by date
  • Documented its own configuration in MEMORY.md

All of this stayed within its workspace and used only built-in tools - no external downloads or installations.

Tool Restriction Options

If monitoring becomes burdensome, restrict high-risk tools:

{
  "agents": {
    "defaults": {
      "tools": {
        "deny": ["exec", "process", "browser"]
      }
    }
  }
}

This still allows file operations (read, write, edit), web search, cron jobs, and messaging - sufficient for most self-improvement without shell access.

Update Pitfalls

After an OpenClaw self-update, the gateway crashed in a loop:

Error: Cannot find module '/home/ubuntu/.npm-global/lib/node_modules/openclaw/dist/index.js'

Recovery steps:

# Stop the crashing service
systemctl --user stop openclaw-gateway

# Remove corrupted installation
rm -rf ~/.npm-global/lib/node_modules/openclaw ~/.npm-global/lib/node_modules/.openclaw-*

# Reinstall fresh
npm install -g openclaw@latest

# Restart
systemctl --user restart openclaw-gateway

Lesson: Updates can fail mid-process. If the gateway enters a crash loop, check journalctl --user -n 50 for the error.

Quick Reference: Debugging

Check session logs:

cat ~/.openclaw/agents/main/sessions/*.jsonl | python3 -m json.tool | less

Check cron jobs:

cat ~/.openclaw/cron/jobs.json | python3 -m json.tool

Verify Ollama connectivity from VM:

curl http://10.119.193.1:11434/api/tags

Clear sessions for fresh start:

rm -f ~/.openclaw/agents/main/sessions/*.jsonl ~/.openclaw/agents/main/sessions/sessions.json

Configuration Summary

ComponentValue
VM ToolMultipass
VM Nameai-assistant
Primary Modelopencode/claude-haiku-4-5
Fallback Modelollama/qwen2.5-coder:14b
Ollama Hosthttp://10.119.193.1:11434
Gateway Port18789 (LAN binding)
DiscordEnabled with channel allowlist
Memory SearchDisabled

OpenClaw has multiple config layers:

  • Global config: ~/.openclaw/openclaw.json
  • Agent-specific: ~/.openclaw/agents/<name>/agent/
  • Cron jobs: ~/.openclaw/cron/
OpenClaw VM Setup Series Part 1: Setting Up OpenClaw in an Isolated VM
Part 2: Local Models vs Cloud: A Tool-Calling Reality Check
Part 3: Running OpenClaw: Security, Automation & Maintenance (this post)