Built with security
in mind

OpenClaw runs as a standard user-space process on your machine — the same permissions as any app you install. It needs:

• Read/write access to its workspace directory (typically ~/.openclaw/workspace) — this is where your skills, memory files, and configs live.
• Network access to reach LLM APIs (Claude, OpenAI, etc.), external services you configure, and any tools your skills call.
• Nothing else by default. It does not request admin privileges, does not access system files, and does not install kernel extensions or background daemons beyond what you explicitly configure.

You're always in control. OpenClaw only does what you — or a skill you installed — instructs it to do.

OpenClaw is local-first. Your data lives on your machine. There is no central GetAgentIQ server that stores your files, messages, or conversation history.

What goes where:

• Conversation context → sent to your chosen LLM provider (Claude/OpenAI/etc.) per their privacy policy. OpenClaw itself does not log or retain this.
• Memory files (MEMORY.md, daily notes) → stored locally in your workspace. Never uploaded automatically.
• Telegram/WhatsApp messages → processed in memory for the duration of a session. Not stored in any cloud database by OpenClaw.

The only data that leaves your machine is what you explicitly configure to leave (e.g. calling an API, sending an email).

Skills are essentially plain-text instruction files (SKILL.md) that tell the AI agent how to use a particular tool or complete a task. They don't contain hidden executable code — you can open and read any skill file yourself.

Tools are the actual capabilities the agent can invoke: shell commands, web requests, file reads/writes, browser automation, etc. Tools are defined by the OpenClaw runtime, not by individual skills. A skill tells the agent how to use a tool; it can't grant the agent new access that the runtime doesn't already permit.

Everything a skill does is visible in the agent's response stream as tool calls — you can see exactly what's being executed.

Skills operate within the tool permissions that OpenClaw is configured to allow. By default, a skill can instruct the agent to read files in your workspace — but only because the agent already has filesystem access.

What this means in practice:

• A skill cannot invent new system permissions — it works within what the agent is already allowed to do.
• Skills from ClawHub are reviewed before publishing. You can read every SKILL.md file before installing.
• You can restrict tool access in your OpenClaw config (e.g. disabling shell execution for untrusted skills).
• For sensitive tasks, use the approval system — OpenClaw will prompt you before executing high-risk commands.

Like any software, you should only install skills from sources you trust. The skill marketplace includes publisher info so you know who wrote what.

API keys are stored in your local OpenClaw config file (openclaw.json or equivalent) on your own machine. They are never transmitted to GetAgentIQ or ClawHub servers.

When a skill needs an API key, it reads from your local config or environment variables — the same standard pattern used by any developer tool (like .env files). Keys only leave your machine when they're used to authenticate with the third-party API they belong to.

Best practice: use environment variables over config files for highly sensitive keys, and rotate keys periodically.

OpenClaw makes outbound network requests when:

• Calling your configured LLM API (e.g. Anthropic, OpenAI)
• Executing tool calls that make web requests (search, fetch, browser)
• Skills that connect to external services you've configured (Telegram bot API, financial data APIs, etc.)
• Syncing/updating skills from ClawHub when you explicitly run an update command

OpenClaw does not phone home for telemetry, analytics, or usage tracking. There are no background beacons or heartbeats to GetAgentIQ servers.

You can verify this with standard network monitoring tools (tcpdump, Little Snitch, etc.) — or inspect the source code directly.

When you connect OpenClaw to Telegram or WhatsApp, messages from those platforms are passed to the agent as input — similar to how any chatbot integration works.

What OpenClaw does: processes the message content to generate a response. That content is sent to your LLM provider (e.g. Anthropic) as part of the conversation context.

What OpenClaw does NOT do: store your message history in any GetAgentIQ database, index your contacts, or access conversations beyond what you direct it to handle.

Your Telegram bot token and WhatsApp credentials stay on your machine. As with any bot integration, you're granting the bot access to your messages — review what your agent is configured to handle and keep bot tokens private.

It's straightforward:

• Run openclaw skills list (or check ~/.openclaw/workspace/skills/) to see every installed skill.
• Each skill is a folder with a SKILL.md file — open it in any text editor to see exactly what instructions it gives the agent.
• Skills don't have hidden binaries or obfuscated code. What you read is what runs.
• To remove a skill: openclaw skills remove <skill-name> or simply delete the folder.

We recommend reviewing any skill before first use, especially if it has broad permissions (shell access, file writes). The skill's SKILL.md will tell you exactly what tools it uses.

Skills published to ClawHub go through a review process before appearing in the public marketplace:

• Content review: SKILL.md files are reviewed for malicious instructions (e.g. attempts to exfiltrate data, override safety rules, or escalate permissions).
• Publisher identity: Publishers have verified accounts. Skill pages show the publisher name so you know who's responsible.
• Community reporting: Any user can flag a suspicious skill. Flagged skills are reviewed and can be delisted.
• Version pinning: Skills are versioned. You can pin to a specific version and review diffs before updating.

That said — skills are powerful tools, just like browser extensions or npm packages. The audit system is a safeguard, not a guarantee. Apply the same judgment you'd use for any third-party software.

Found something suspicious or want to report a vulnerability? Please reach out:

• Email: hello@getagentiq.ai — we respond within 24 hours.
• Discord: Post in the #support channel on the GetAgentIQ Discord. Tag @team for urgent issues.
• Suspicious skills: Use the "Report" button on any ClawHub skill page to flag for review.

We take security reports seriously and will acknowledge receipt quickly. For responsible disclosure of vulnerabilities, we'll work with you on a timeline before public disclosure.