Why did Google ban OpenClaw users?

In early 2026, Google began restricting Google accounts that routed Gmail and Calendar access through OpenClaw, citing violation of their API terms of service around automated access. Affected users found their Google integrations blocked. The issue is ongoing — see below for the current safe approach.

Is OpenClaw safe to install?

OpenClaw itself (the official open-source project) is safe to install if you follow security best practices: use the official GitHub repo, review community plugins before installing, restrict network access, and don't give it permissions you wouldn't give a new employee. The risks come from misconfiguration and third-party plugins, not the core software.

Can OpenClaw plugins steal my data?

Yes, a malicious plugin could in theory access any data OpenClaw has access to — files, API tokens, conversation history. This is why plugin security is the most important thing to get right. Only install plugins from the official OpenClaw registry or sources you've reviewed personally.

Does OpenClaw store my conversations on the internet?

No. OpenClaw stores all memory and conversation history locally on your machine (or VPS). The only data that leaves your machine is what you send to your LLM provider (OpenAI, Anthropic, etc.). If you run Ollama locally, nothing leaves at all.

Is OpenClaw Safe? Security Risks, the Google Ban, and What to Do

OpenClaw gives your AI access to your files, shell, email, calendar, and messaging apps. That's an enormous amount of access — and it comes with real security considerations that are worth understanding before you deploy.

This isn't a reason to avoid OpenClaw. It's a reason to set it up carefully. Here's what the actual risks are, what the Google situation means, and the specific steps to run it safely.

What Happened with Google

In early 2026, Google began restricting accounts that accessed Gmail and Google Calendar through OpenClaw's OAuth integrations.

The specifics: Google's API terms of service prohibit fully automated access to user data in ways that circumvent their UI. OpenClaw's Google integrations allowed the AI to read, search, and in some configurations respond to Gmail without the user manually triggering each action — which Google classified as a terms violation.

What this means practically:

If you've connected OpenClaw to Gmail or Google Calendar, those integrations may be blocked or your Google account may receive a warning
Affected users reported temporary Google account restrictions
The OpenClaw team is working with Google on a compliant approach, but it's unresolved as of early 2026

Safe approach right now:

Don't connect OpenClaw's Google integrations until the situation resolves
For email access, use a non-Google email provider (Fastmail, ProtonMail) or connect via IMAP manually
Google Calendar can be exported to iCal format and read locally

This is a terms-of-service issue, not a malware issue. Your Google account isn't at risk of being hacked — but it could be restricted.

The Malicious Plugin Problem

OpenClaw has a community plugin ecosystem. That's what makes it powerful. It's also the biggest security risk.

A plugin has access to everything OpenClaw has access to: your conversation history, your memory database, your API tokens, your filesystem (if you've given file access). A malicious plugin could:

Exfiltrate your OpenAI/Anthropic API keys (burning your credits)
Read your stored memories and send them to an external server
Access files in directories you've permitted
Use your connected accounts (email, GitHub) to act on your behalf

This isn't hypothetical — the Malwarebytes security blog documented infostealer plugins distributed through unofficial OpenClaw channels in late 2025.

How to stay safe:

Only install plugins from the official registry at github.com/openclaw/openclaw/tree/main/skills
Review plugin source code before installing — skills are JavaScript files, readable in a few minutes. Look for:
- Unexpected fetch() calls to external URLs
- Reading from process.env (could be grabbing API keys)
- Writing to files outside your designated directories
Never install plugins from Discord, Telegram groups, or random GitHub repos without reviewing the code yourself

Check installed plugins periodically:

ls ./skills/
cat ./skills/any-plugin.ts | grep fetch   # look for external calls

Network Exposure Risks

If you run OpenClaw on a VPS, the web UI runs on a port. If that port is exposed to the internet without authentication, anyone can access your AI agent.

Checklist:

# Check what's publicly accessible
sudo ufw status  # should NOT show port 3000 open
netstat -tlnp | grep 3000  # should show 127.0.0.1:3000, not 0.0.0.0:3000

Your docker-compose.yml should bind OpenClaw to localhost only:

ports:
  - "127.0.0.1:3000:3000"  # ✅ localhost only
  # NOT:
  # - "3000:3000"           # ❌ exposes to internet

Access it through Nginx with authentication, or via SSH tunnel:

# SSH tunnel to access web UI locally
ssh -L 3000:localhost:3000 deploy@YOUR_VPS_IP
# Then open localhost:3000 in your browser

File System Access

OpenClaw's shell command skill and file skills can access your filesystem. By default, confine them:

In your SOUL.md:

## File Access Rules
- Only read/write files in ~/projects/ and ~/Documents/
- Never access ~/Documents/archive/ without explicit confirmation
- Never access .ssh/, .env files, or any files containing "secret", "key", or "password" in the path
- Always confirm before creating, moving, or deleting files

In your shell command skill, implement a blocklist (covered in the custom skills guide).

API Key Security

OpenClaw stores API keys in your .env file. Protect it:

chmod 600 .env           # readable only by owner
chown deploy:deploy .env # owned by your user, not root

Never commit .env to Git:

echo ".env" >> .gitignore

Rotate API keys periodically. If you suspect a key was exposed:

# OpenAI
# Go to platform.openai.com → API Keys → Revoke and regenerate

# Anthropic
# console.anthropic.com → API Keys → Revoke and create new

Set spending limits on your API accounts so a runaway process or compromised key can't generate a massive bill.

WhatsApp Security

OpenClaw's WhatsApp connection stores your session in ./data/whatsapp-session/. This session file is equivalent to being permanently logged in to WhatsApp Web.

Protect it:

chmod 700 ./data/whatsapp-session/

If compromised: Log out all linked devices from your phone: WhatsApp → Settings → Linked Devices → Log out all devices

Limit what OpenClaw can do on WhatsApp:

# .env — only respond to your own number
WHATSAPP_ALLOWED_NUMBERS=+91XXXXXXXXXX
WHATSAPP_RESPOND_TO_ALL=false
WHATSAPP_RESPOND_IN_GROUPS=false

Memory Data Privacy

OpenClaw's memory database (./data/memory.db or similar) contains everything you've told it — tasks, personal notes, work details. Back it up and protect it like you would a diary.

# Encrypt the data directory backup
tar -czf openclaw-backup-$(date +%Y%m%d).tar.gz ./data/
gpg --symmetric openclaw-backup-$(date +%Y%m%d).tar.gz
rm openclaw-backup-$(date +%Y%m%d).tar.gz

If you're on a VPS, make sure only you can SSH in:

# Disable password auth entirely
sudo nano /etc/ssh/sshd_config
# Set: PasswordAuthentication no
sudo systemctl restart sshd

The LLM Privacy Question

If you use a cloud LLM (OpenAI, Anthropic), your conversations go to that provider's servers. This is an unavoidable tradeoff if you want the best model quality.

What OpenAI and Anthropic do with API data:

They do not use API conversations to train models by default (this is different from the consumer chat products)
They do log API calls for abuse detection and may review them
Both have enterprise/privacy agreements available for sensitive workloads

If complete privacy matters: use Ollama with a local model. Nothing leaves your machine. See the Ollama guide.

The Security Checklist

Before running OpenClaw in production:

✅ Using official GitHub repo, not a fork
✅ Port 3000 bound to 127.0.0.1, not 0.0.0.0
✅ Web UI behind Nginx with HTTPS
✅ .env has chmod 600
✅ .env not in Git repo
✅ Only official plugins installed
✅ WhatsApp WHATSAPP_ALLOWED_NUMBERS set
✅ Telegram TELEGRAM_ALLOWED_USER_IDS set
✅ File access confined to specific directories in SOUL.md
✅ Spending limits set on OpenAI/Anthropic accounts
✅ SSH password auth disabled (if on VPS)
✅ Google integrations disabled until ToS situation resolves
✅ Regular data backups encrypted

OpenClaw is safe to run if you treat it like what it is: a powerful agent with real system access. The same judgment you'd apply to giving a contractor access to your systems applies here.

This isn't a reason to avoid OpenClaw. It's a reason to set it up carefully. Here's what the actual risks are, what the Google situation means, and the specific steps to run it safely.

What Happened with Google

In early 2026, Google began restricting accounts that accessed Gmail and Google Calendar through OpenClaw's OAuth integrations.

What this means practically:

If you've connected OpenClaw to Gmail or Google Calendar, those integrations may be blocked or your Google account may receive a warning
Affected users reported temporary Google account restrictions
The OpenClaw team is working with Google on a compliant approach, but it's unresolved as of early 2026

Safe approach right now:

Don't connect OpenClaw's Google integrations until the situation resolves
For email access, use a non-Google email provider (Fastmail, ProtonMail) or connect via IMAP manually
Google Calendar can be exported to iCal format and read locally

This is a terms-of-service issue, not a malware issue. Your Google account isn't at risk of being hacked — but it could be restricted.

The Malicious Plugin Problem

OpenClaw has a community plugin ecosystem. That's what makes it powerful. It's also the biggest security risk.

A plugin has access to everything OpenClaw has access to: your conversation history, your memory database, your API tokens, your filesystem (if you've given file access). A malicious plugin could:

Exfiltrate your OpenAI/Anthropic API keys (burning your credits)
Read your stored memories and send them to an external server
Access files in directories you've permitted
Use your connected accounts (email, GitHub) to act on your behalf

This isn't hypothetical — the Malwarebytes security blog documented infostealer plugins distributed through unofficial OpenClaw channels in late 2025.

How to stay safe:

Only install plugins from the official registry at github.com/openclaw/openclaw/tree/main/skills
Review plugin source code before installing — skills are JavaScript files, readable in a few minutes. Look for:
- Unexpected fetch() calls to external URLs
- Reading from process.env (could be grabbing API keys)
- Writing to files outside your designated directories
Never install plugins from Discord, Telegram groups, or random GitHub repos without reviewing the code yourself

Check installed plugins periodically:

ls ./skills/
cat ./skills/any-plugin.ts | grep fetch   # look for external calls

Network Exposure Risks

If you run OpenClaw on a VPS, the web UI runs on a port. If that port is exposed to the internet without authentication, anyone can access your AI agent.

Checklist:

# Check what's publicly accessible
sudo ufw status  # should NOT show port 3000 open
netstat -tlnp | grep 3000  # should show 127.0.0.1:3000, not 0.0.0.0:3000

Your docker-compose.yml should bind OpenClaw to localhost only:

ports:
  - "127.0.0.1:3000:3000"  # ✅ localhost only
  # NOT:
  # - "3000:3000"           # ❌ exposes to internet

Access it through Nginx with authentication, or via SSH tunnel:

# SSH tunnel to access web UI locally
ssh -L 3000:localhost:3000 deploy@YOUR_VPS_IP
# Then open localhost:3000 in your browser

File System Access

OpenClaw's shell command skill and file skills can access your filesystem. By default, confine them:

In your SOUL.md:

## File Access Rules
- Only read/write files in ~/projects/ and ~/Documents/
- Never access ~/Documents/archive/ without explicit confirmation
- Never access .ssh/, .env files, or any files containing "secret", "key", or "password" in the path
- Always confirm before creating, moving, or deleting files

In your shell command skill, implement a blocklist (covered in the custom skills guide).

API Key Security

OpenClaw stores API keys in your .env file. Protect it:

chmod 600 .env           # readable only by owner
chown deploy:deploy .env # owned by your user, not root

Never commit .env to Git:

echo ".env" >> .gitignore

Rotate API keys periodically. If you suspect a key was exposed:

# OpenAI
# Go to platform.openai.com → API Keys → Revoke and regenerate

# Anthropic
# console.anthropic.com → API Keys → Revoke and create new

Set spending limits on your API accounts so a runaway process or compromised key can't generate a massive bill.

WhatsApp Security

OpenClaw's WhatsApp connection stores your session in ./data/whatsapp-session/. This session file is equivalent to being permanently logged in to WhatsApp Web.

Protect it:

chmod 700 ./data/whatsapp-session/

If compromised: Log out all linked devices from your phone: WhatsApp → Settings → Linked Devices → Log out all devices

Limit what OpenClaw can do on WhatsApp:

# .env — only respond to your own number
WHATSAPP_ALLOWED_NUMBERS=+91XXXXXXXXXX
WHATSAPP_RESPOND_TO_ALL=false
WHATSAPP_RESPOND_IN_GROUPS=false

Memory Data Privacy

OpenClaw's memory database (./data/memory.db or similar) contains everything you've told it — tasks, personal notes, work details. Back it up and protect it like you would a diary.

# Encrypt the data directory backup
tar -czf openclaw-backup-$(date +%Y%m%d).tar.gz ./data/
gpg --symmetric openclaw-backup-$(date +%Y%m%d).tar.gz
rm openclaw-backup-$(date +%Y%m%d).tar.gz

If you're on a VPS, make sure only you can SSH in:

# Disable password auth entirely
sudo nano /etc/ssh/sshd_config
# Set: PasswordAuthentication no
sudo systemctl restart sshd

The LLM Privacy Question

If you use a cloud LLM (OpenAI, Anthropic), your conversations go to that provider's servers. This is an unavoidable tradeoff if you want the best model quality.

What OpenAI and Anthropic do with API data:

They do not use API conversations to train models by default (this is different from the consumer chat products)
They do log API calls for abuse detection and may review them
Both have enterprise/privacy agreements available for sensitive workloads

If complete privacy matters: use Ollama with a local model. Nothing leaves your machine. See the Ollama guide.

The Security Checklist

Before running OpenClaw in production:

✅ Using official GitHub repo, not a fork
✅ Port 3000 bound to 127.0.0.1, not 0.0.0.0
✅ Web UI behind Nginx with HTTPS
✅ .env has chmod 600
✅ .env not in Git repo
✅ Only official plugins installed
✅ WhatsApp WHATSAPP_ALLOWED_NUMBERS set
✅ Telegram TELEGRAM_ALLOWED_USER_IDS set
✅ File access confined to specific directories in SOUL.md
✅ Spending limits set on OpenAI/Anthropic accounts
✅ SSH password auth disabled (if on VPS)
✅ Google integrations disabled until ToS situation resolves
✅ Regular data backups encrypted

OpenClaw is safe to run if you treat it like what it is: a powerful agent with real system access. The same judgment you'd apply to giving a contractor access to your systems applies here.

Is OpenClaw Safe? Security Risks, the Google Ban, and What to Do

What Happened with Google

The Malicious Plugin Problem

Network Exposure Risks

File System Access

API Key Security

WhatsApp Security

Memory Data Privacy

The LLM Privacy Question

The Security Checklist

Related articles

Best LLM for OpenClaw: Anthropic vs OpenAI vs Local Models (2026)

Building Custom Skills and Plugins for OpenClaw

Run OpenClaw with Local LLMs Using Ollama (Zero API Costs)

Is OpenClaw Safe? Security Risks, the Google Ban, and What to Do

What Happened with Google

The Malicious Plugin Problem

Network Exposure Risks

File System Access

API Key Security

WhatsApp Security

Memory Data Privacy

The LLM Privacy Question

The Security Checklist

Related articles

Best LLM for OpenClaw: Anthropic vs OpenAI vs Local Models (2026)

Building Custom Skills and Plugins for OpenClaw

Run OpenClaw with Local LLMs Using Ollama (Zero API Costs)