
The RAK Security Framework for OpenClaw Deployments

nacre.sh Team, May 5, 2026, 8 min read

The RAK (Restrict, Audit, Know) security framework for OpenClaw deployments. Practical three-pillar approach to securing your AI agent.

Tags: rak security framework openclaw, openclaw security framework, ai agent security best practices, openclaw restrict audit know

After analyzing hundreds of OpenClaw security incidents and near-misses, the OpenClaw security community developed the RAK framework: Restrict, Audit, Know. This three-pillar approach provides a memorable structure for thinking about AI agent security.

Pillar 1: RESTRICT

Limit what your agent can do to the minimum necessary. The principle of least privilege applied to AI agents.

Restrict capabilities:

{
  "tools": {
    "allow": ["read-email", "read-calendar", "brave-search"],
    "confirmation_required": ["send-email", "calendar-write", "file-write"]
  }
}

Restrict network access: Configure your firewall to limit which external endpoints OpenClaw can reach.

Restrict data access: Don't connect your agent to every data source you have. Connect only what it needs for its tasks.

Restrict skill permissions: Review and reject skills requesting permissions broader than their stated purpose.

Why Restrict matters: Even a successful prompt injection attack or compromised skill has limited impact if the agent can't actually do much with its access.

Pillar 2: AUDIT

Log everything and review regularly. What you can't see, you can't secure.

Enable comprehensive logging:

{
  "logging": {
    "log_tool_calls": true,
    "log_external_requests": true,
    "log_prompt_injections": true,
    "retention_days": 90
  }
}

Review logs weekly. Look for:

  • Unexpected tool calls
  • External requests to unfamiliar domains
  • Injection flags
  • Unusual activity times (activity when you weren't using the agent)
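The weekly review checklist above, turned into a script as an added example (not code from the page or from OpenClaw): it reads tool-call and request logs and reports the four categories listed. The log field names, the known-domain list and the working-hours window are assumptions; the sample log lines are constructed for the example, and the tool lists come from the Restrict config shown earlier.

```python
import json
from datetime import datetime

# Tool lists taken from the page's Restrict config; the known-domain set
# and the working-hours window are assumptions for this example.
ALLOWED_TOOLS = {"read-email", "read-calendar", "brave-search"}
CONFIRM_TOOLS = {"send-email", "calendar-write", "file-write"}
KNOWN_DOMAINS = {"api.search.brave.com", "mail.example.com"}
WORK_HOURS = range(8, 19)  # 08:00-18:59 UTC is treated as normal use

# Constructed sample log (JSON Lines). The field names are an assumption,
# not OpenClaw's real log schema.
SAMPLE_LOG = """\
{"ts":"2026-05-04T09:12:03Z","event":"tool_call","tool":"read-email"}
{"ts":"2026-05-04T09:12:40Z","event":"external_request","host":"api.search.brave.com"}
{"ts":"2026-05-04T09:13:05Z","event":"tool_call","tool":"send-email","confirmed":true}
{"ts":"2026-05-04T14:30:00Z","event":"injection_flag","source":"email","detail":"ignore previous instructions"}
{"ts":"2026-05-05T02:41:17Z","event":"tool_call","tool":"file-write","confirmed":false}
{"ts":"2026-05-05T02:41:18Z","event":"external_request","host":"cdn.unknown-host.example"}
{"ts":"2026-05-05T10:00:00Z","event":"tool_call","tool":"shell-exec"}
"""

def review_log(text):
    """Return (timestamp, reason) findings for each item on the Audit checklist."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        ev = rec["event"]
        if ev == "tool_call":
            tool = rec["tool"]
            if tool not in ALLOWED_TOOLS and tool not in CONFIRM_TOOLS:
                findings.append((rec["ts"], f"unexpected tool call: {tool}"))
            elif tool in CONFIRM_TOOLS and not rec.get("confirmed", False):
                findings.append((rec["ts"], f"unconfirmed call to gated tool: {tool}"))
        elif ev == "external_request" and rec["host"] not in KNOWN_DOMAINS:
            findings.append((rec["ts"], f"request to unfamiliar domain: {rec['host']}"))
        elif ev == "injection_flag":
            findings.append((rec["ts"], f"injection flag from {rec['source']}"))
        if ts.hour not in WORK_HOURS:  # activity when nobody was using the agent
            findings.append((rec["ts"], f"activity outside working hours ({ev})"))
    return findings

if __name__ == "__main__":
    for ts, reason in review_log(SAMPLE_LOG):
        print(ts, reason)
```

The sample produces six findings: one injection flag, an unconfirmed gated tool call, a request to an unlisted host, an unexpected tool, and two out-of-hours events.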

Use nacre.sh's audit dashboard: nacre.sh Pro includes a visual audit dashboard with anomaly detection and alerts.

Monitor API spending: Check LLM provider usage weekly. Unexpected spikes indicate potential compromise.

Pillar 3: KNOW

Understand your agent's capabilities, the skills you've installed, and the data it can access. You cannot secure what you don't understand.

Know your skills: Regularly review the ClawHub skills installed on your instance. Delete skills you're not using.

Know your permissions: Run openclaw permissions audit to get a report of everything your agent can access.

Know your data flows: Understand which data leaves your instance and where it goes. Review the data flow documentation.

Know about CVEs: Subscribe to OpenClaw Foundation security advisories. Stay current.

Applying RAK at nacre.sh

nacre.sh's interface organizes security settings around RAK:

  • Restrict tab: tools.allow configuration, skill management, confirmation settings
  • Audit tab: Log viewer, anomaly alerts, API usage dashboard
  • Know tab: Permissions report, data flow visualization, skill dependency graph

Frequently Asked Questions

Is RAK an official OpenClaw standard?

RAK was developed by the OpenClaw community security team and is recommended but not formally standardized. The OpenClaw Foundation endorses it in their security documentation.

Where do I start if I'm overwhelmed?

Start with Restrict. Implement a strict tools.allow first — this is the single most impactful security control. Audit comes second; logging is passive and easy to enable.

How does RAK relate to ZeroClaw?

ZeroClaw implements RAK's Restrict pillar by default (strict deny-by-default). It's RAK's Restrict principle implemented at the framework level rather than through configuration.
