Securing OpenClaw with TigerIdentity
Step-by-step guide to deploying enterprise identity controls for OpenClaw AI agents
Why Secure OpenClaw?
OpenClaw is the most popular open-source AI agent (145K+ GitHub stars, 100K+ active installations), but its broad permissions model creates enterprise security risks. OpenClaw agents can access email, calendars, CRM systems, and messaging platforms — often with the same unrestricted access as the human user.
Risks Without Controls
- Unrestricted access to email/calendar/CRM
- Long-lived API keys with no rotation
- No audit trail of agent actions
- Prompt injection vulnerability
- Runaway agent scenarios
With TigerIdentity
- Scoped just-in-time access per task
- Short-lived tokens with auto-rotation
- Complete audit trail with full context
- Behavioral anomaly detection
- Automatic rate limiting
What is OpenClaw?
OpenClaw is an open-source AI agent framework created by Peter Steinberger. It connects LLMs (Claude, GPT, DeepSeek) to real-world tools, automating tasks via messaging platforms like Slack, Teams, and Discord. Its ClawHub marketplace offers 3,000+ skills for email, calendar, CRM, code deployment, and more.
Register Your OpenClaw Instances
Create an identity for each OpenClaw deployment
Each OpenClaw instance should be registered as a non-human identity (NHI) in TigerIdentity. This enables fine-grained access control, audit logging, and behavioral monitoring per agent.
Register via API
```http
POST /v1/principals
Content-Type: application/json

{
  "type": "ai_agent",
  "name": "openclaw-alice-sales",
  "description": "OpenClaw instance for Alice (Sales team)",
  "attributes": {
    "agent_type": "openclaw",
    "agent_version": "2.1.0",
    "owner": "[email protected]",
    "department": "sales",
    "risk_level": "medium",
    "llm_provider": "anthropic",
    "llm_model": "claude-sonnet-4-5-20250929",
    "messaging_platform": "slack",
    "capabilities": [
      "read_email",
      "draft_email",
      "read_calendar",
      "read_crm"
    ]
  },
  "relationships": {
    "owner": "user_alice",
    "team": "sales",
    "manager": "user_bob"
  }
}

# Response
{
  "principal_id": "agent_openclaw_alice_001",
  "api_key": "ti_oc_a1b2c3d4e5f6...",
  "created_at": "2026-02-16T10:00:00Z"
}
```
OpenClaw Deployment Patterns
| Deployment Pattern | Risk Level | Description |
|---|---|---|
| Personal | Medium | 1 agent per employee, scoped to owner's resources |
| Team Shared | High | 1 agent per team, shared access to team resources |
| Service | High | Headless automation, runs without user interaction |
Configure the MCP Gateway
Route OpenClaw through TigerIdentity
Deploy the TigerIdentity MCP Gateway as a proxy between OpenClaw agents and backend systems. All tool calls flow through the gateway for authorization and logging.
Gateway Configuration
```yaml
# config/openclaw-gateway.yaml
apiVersion: v1
kind: MCPGateway
metadata:
  name: openclaw-enterprise-gateway
spec:
  endpoint: https://openclaw-gw.tigeridentity.company.com
  port: 8443
  authentication:
    type: api_key
    header: X-OpenClaw-API-Key
    validate_against: tigeridentity
  # OpenClaw skill backends
  servers:
    - name: email-service
      type: api
      endpoint: https://mail.company.com/api
      protocol: mcp
      resources:
        - type: email
          operations: [read, draft, send]
    - name: calendar-service
      type: api
      endpoint: https://calendar.company.com/api
      protocol: mcp
      resources:
        - type: calendar_event
          operations: [read, create]
    - name: crm-service
      type: api
      endpoint: https://crm.company.com/api
      protocol: mcp
      resources:
        - type: contact
          operations: [read, search]
        - type: deal
          operations: [read]
    - name: slack-service
      type: api
      endpoint: https://slack.company.com/api
      protocol: mcp
      resources:
        - type: message
          operations: [read, send]
  authorization:
    enabled: true
    policy_engine: tigeridentity
    default_decision: deny
  rate_limits:
    - principal_type: ai_agent
      agent_type: openclaw
      limit: 500
      window: 1m
```
OpenClaw Client Configuration
```yaml
# ~/.openclaw/config.yaml (on user's machine)
mcp:
  gateway: https://openclaw-gw.tigeridentity.company.com
  api_key: ${TIGERIDENTITY_AGENT_KEY}
  # All tool calls route through TigerIdentity
  proxy_all_requests: true
```
Architecture
All OpenClaw skill requests are intercepted, authorized by policies, logged, and then proxied to backends.
Define Access Policies
Control what each OpenClaw instance can do
Create fine-grained policies that specify which OpenClaw agents can access what resources, when, and under what conditions.
Policy 1: Sales Team OpenClaw
```yaml
policy "openclaw-sales-team":
  description: "Access controls for Sales team OpenClaw agents"
  principals:
    type: ai_agent
    attributes:
      agent_type: openclaw
      department: sales
  default_decision: deny
  rules:
    - name: read-email
      effect: allow
      resources:
        type: email
      actions: [read, draft]
      conditions:
        - time.is_business_hours() == true
        - owner.risk_score < 70
    - name: read-crm
      effect: allow
      resources:
        type: contact
      actions: [read, search]
      data_masking:
        fields: [phone, personal_email, ssn]
    - name: send-email
      effect: allow_with_approval
      resources:
        type: email
      actions: [send]
      approval:
        approvers:
          - type: principal
            id: agent.owner
    - name: block-financial
      effect: deny
      resources:
        type: [deal, payment, invoice]
      actions: [read, write, delete]
      priority: 100
```
Policy 2: Emergency Lockdown
```yaml
policy "openclaw-emergency-lockdown":
  description: "Immediately restrict all OpenClaw agents"
  principals:
    type: ai_agent
    attributes:
      agent_type: openclaw
  rules:
    - name: lockdown
      effect: deny
      resources: "*"
      actions: "*"
      conditions:
        - security.threat_level == "critical"
      priority: 1000  # Highest priority - overrides everything
```
Advanced Policy Patterns
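How Policy 1 and Policy 2 above resolve against each other, as an added example (not TigerIdentity's engine and not code from this page). It assumes the highest-priority matching rule wins, a rule without `priority` counts as 0, a tie goes to deny, and the policy conditions are read from a constructed context dictionary.

```python
# Added illustration of the two policies above; the evaluation order is an
# assumption (highest priority wins, missing priority = 0, ties go to deny).
RULES = [  # (name, effect, resource types, actions, priority, condition)
    ("read-email", "allow", {"email"}, {"read", "draft"}, 0,
     lambda c: c["business_hours"] and c["owner_risk_score"] < 70),
    ("read-crm", "allow", {"contact"}, {"read", "search"}, 0, None),
    ("send-email", "allow_with_approval", {"email"}, {"send"}, 0, None),
    ("block-financial", "deny", {"deal", "payment", "invoice"},
     {"read", "write", "delete"}, 100, None),
    ("lockdown", "deny", {"*"}, {"*"}, 1000,
     lambda c: c["threat_level"] == "critical"),
]

# Constructed request context standing in for time.is_business_hours(),
# owner.risk_score and security.threat_level.
NORMAL = {"business_hours": True, "owner_risk_score": 35, "threat_level": "low"}


def matches(rule, resource, action, ctx):
    _, _, resources, actions, _, cond = rule
    return (("*" in resources or resource in resources)
            and ("*" in actions or action in actions)
            and (cond is None or cond(ctx)))


def decide(resource, action, ctx):
    """Return (effect, rule_name); no matching rule means default_decision: deny."""
    hits = [r for r in RULES if matches(r, resource, action, ctx)]
    if not hits:
        return ("deny", "default_decision")
    best = max(hits, key=lambda r: (r[4], r[1] == "deny"))
    return (best[1], best[0])


if __name__ == "__main__":
    critical = {**NORMAL, "threat_level": "critical"}
    for res, act, ctx in [("email", "read", NORMAL), ("email", "send", NORMAL),
                          ("deal", "read", NORMAL), ("calendar_event", "read", NORMAL),
                          ("email", "read", critical)]:
        print(res, act, ctx["threat_level"], "->", decide(res, act, ctx))
```

The `calendar_event` read is denied even though the agent was registered with `read_calendar` and the gateway exposes the calendar backend: the sales policy has no calendar rule, so `default_decision: deny` applies.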
Department Scoping
Sales agents cannot access engineering resources
```yaml
conditions: resource.department == agent.department
```
ClawHub Skill Restrictions
Only allow pre-approved ClawHub skills
```yaml
conditions: skill.id in approved_skills
```
LLM Provider Controls
Restrict which LLM models agents can use
```yaml
conditions: llm_model in ["claude-sonnet-4-5"]
```
Owner-Based Inheritance
Agents inherit a subset of owner's permissions
```yaml
inherit_from: agent.owner
```
Monitor and Respond
Real-time visibility into all OpenClaw agents
Track all OpenClaw activity in real-time with comprehensive audit logging, dashboards, and behavioral anomaly detection.
OpenClaw Activity Dashboard
Key Metrics
Query OpenClaw Audit Logs
```http
# Get all actions by a specific OpenClaw agent
GET /v1/audit/events?principal_id=agent_openclaw_alice_001&limit=100

# Find OpenClaw agents with denied requests
GET /v1/audit/events?agent_type=openclaw&outcome=deny

# Search for email sending activity
GET /v1/audit/events?agent_type=openclaw&resource_type=email&action=send

# Aggregate OpenClaw activity by department
POST /v1/audit/events/aggregate
{
  "group_by": ["department", "outcome"],
  "filters": [
    { "field": "agent_type", "operator": "eq", "value": "openclaw" }
  ],
  "time_range": {
    "start": "2026-02-16T00:00:00Z",
    "end": "2026-02-16T23:59:59Z"
  }
}

# Response
{
  "groups": [
    {
      "department": "sales",
      "outcome": "allow",
      "count": 4521
    },
    {
      "department": "sales",
      "outcome": "deny",
      "count": 23
    }
  ]
}
```
OpenClaw-Specific Alerts
```yaml
# alerts/openclaw-monitoring.yaml
alerts:
  - name: openclaw-excessive-email-sends
    condition: |
      count(action == "send" and resource_type == "email") > 50
      in last 10 minutes
      for agent_type == "openclaw"
    severity: warning
    actions:
      - notify: agent_owner
      - rate_limit: true
  - name: openclaw-crm-bulk-access
    condition: |
      count(resource_type == "contact" and action == "read") > 100
      in last 5 minutes
      for agent_type == "openclaw"
    severity: high
    actions:
      - notify: security-team
      - require_approval: true
  - name: openclaw-after-hours-access
    condition: |
      time_of_day not in business_hours
      and agent_type == "openclaw"
      and resource.sensitivity == "confidential"
    severity: warning
    actions:
      - notify: [agent_owner, security-team]
  - name: openclaw-clawhub-skill-abuse
    condition: |
      skill.source == "clawhub"
      and skill.id not in approved_skills
    severity: critical
    actions:
      - deny_request: true
      - notify: security-team
      - suspend_agent: true
```
Behavioral Anomaly Detection for OpenClaw
TigerIdentity learns normal behavior patterns for each OpenClaw agent. Unusual activity triggers an automatic response:
- Accessing resources outside typical scope (e.g., engineering data from sales agent)
- Sudden spike in ClawHub skill usage or new skill execution
- Access patterns different from owner's typical behavior
- After-hours access to sensitive resources
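The two count-based rules in `alerts/openclaw-monitoring.yaml` above, evaluated as sliding windows over audit events, as an added example (not TigerIdentity's alert engine and not code from this page). The event field names follow the audit query parameters shown earlier; `timestamp`, the per-agent grouping and the `agent_openclaw_bob_002` identifier are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds copied from alerts/openclaw-monitoring.yaml on this page.
ALERTS = [  # (name, resource_type, action, limit, window)
    ("openclaw-excessive-email-sends", "email", "send", 50, timedelta(minutes=10)),
    ("openclaw-crm-bulk-access", "contact", "read", 100, timedelta(minutes=5)),
]


def detect(events):
    """Return [(alert, principal_id, fired_at)] the first time each agent
    exceeds a threshold inside its sliding window (per-agent grouping assumed)."""
    windows = defaultdict(deque)  # (alert, principal_id) -> timestamps in window
    fired, seen = [], set()
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev.get("agent_type") != "openclaw":
            continue
        for name, rtype, action, limit, span in ALERTS:
            if ev["resource_type"] != rtype or ev["action"] != action:
                continue
            key = (name, ev["principal_id"])
            q = windows[key]
            q.append(ev["timestamp"])
            while q[0] <= ev["timestamp"] - span:  # expire events outside the window
                q.popleft()
            if len(q) > limit and key not in seen:  # strictly greater, as in the rule
                seen.add(key)
                fired.append((name, ev["principal_id"], ev["timestamp"]))
    return fired


def sample_events():
    """Constructed audit events: one bursting agent and one steady agent."""
    t0 = datetime(2026, 2, 16, 10, 0, 0)

    def ev(pid, rtype, action, secs):
        return {"principal_id": pid, "agent_type": "openclaw", "resource_type": rtype,
                "action": action, "timestamp": t0 + timedelta(seconds=secs)}

    burst = [ev("agent_openclaw_alice_001", "email", "send", 5 * i) for i in range(60)]
    steady = [ev("agent_openclaw_bob_002", "email", "send", 60 * i) for i in range(60)]
    reads = [ev("agent_openclaw_alice_001", "contact", "read", 2 * i) for i in range(100)]
    return burst + steady + reads


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The steady agent sends the same 60 emails without ever holding more than 10 in a window, and exactly 100 contact reads do not fire because the rule is `> 100`.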
Best Practices
One Identity Per Instance
Every OpenClaw deployment gets its own identity. Never share API keys between agents.
Scope by Department
Sales agents should never see engineering resources and vice versa. Enforce strict department boundaries.
Restrict ClawHub Skills
Only allow pre-approved ClawHub skills through policy. Block unknown or high-risk skills by default.
Require Approval for External Actions
Sending emails, posting messages, and creating records should always require owner approval.
Set Rate Limits by Risk
Personal agents: 500 req/min, team shared: 200 req/min, service agents: 1000 req/min.
Review Weekly
Audit OpenClaw access patterns and tighten policies based on actual usage. Remove unused permissions.