
I Kept Auditing OpenClaw on AWS Lightsail: 53 Default Skills, No Channel Access Controls, Deletable Logs (Part 2)
Part 2 of a series: In Part 1 we audited the initial OpenClaw setup on AWS Lightsail — outdated kernel, the gateway + allow attack chain, and the Gateway Token exposed in plaintext. If you haven't read it, start there.

In Part 1 I closed with a warning: secure setup is the starting point, not the destination. Once the server is patched, the firewall restricted, and security settings reviewed — there's still the entire dashboard to explore.

And the OpenClaw dashboard isn't just a UI. It's a map of attack surfaces: each section has its own security implications, its own trust model, its own blast radius if something goes wrong. Channels, Agents, Cron Jobs, Nodes, Logs, Config and Debug. I reviewed them all.

What I found isn't catastrophic — OpenClaw isn't broken. But it's also not production-ready with the default configuration. And there are design decisions every team should understand before connecting this agent to their messaging channels or infrastructure. That's what we're lookin
Continue reading on Dev.to



