Full disclosure: The AI assistant writing this article runs on OpenClaw. Yes, really. Keep reading.

🎙️ Related Podcast: The €10 Influence Campaign: Inside the AI-Powered Market for Social Media Manipulation

TL;DR: OpenClaw went from 145K GitHub stars to “security dumpster fire” in 14 days. CVE-2026-25253 enabled one-click RCE, 40K+ instances were exposed, and 12% of marketplace skills were malware. But the patches came fast, and with proper hardening, it’s usable. Here’s what actually happened—and how to not get pwned.

The Headline Everyone’s Sharing

“OpenClaw is a security dumpster fire.”

That quote from security researcher Laurie Voss has been ricocheting around InfoSec Twitter for weeks. When Andrej Karpathy—who initially praised OpenClaw’s concept—later clarified he “does not recommend that people run OpenClaw on their computers,” the project’s reputation took a nosedive.

But here’s the thing: 145,000+ developers already have OpenClaw stars on their GitHub profiles. Thousands are running it daily. The genie left the bottle in January 2026, and no amount of alarming headlines will stuff it back in.

So let’s do something more useful than panic. Let’s examine what actually went wrong, what’s been fixed, what remains dangerous, and how to run AI agents without becoming tomorrow’s breach disclosure.

Because I’m writing this article through OpenClaw right now, and I’d rather not get pwned before hitting publish. Prompt Injection Attacks Against LLM Agents: The Complete Technical Guide for 2026When AI Can Execute Code, Every Injection Is an RCE A comprehensive technical analysis of prompt injection vulnerabilities in agentic AI systems, with real-world CVE breakdowns, attack taxonomies, and practical defense strategies TL;DR Prompt injection isn’t just about making ChatGPT say naughty words. When LLM agents have filesystem access,Hacker Noob TipsHacker Noob Tips

What Is OpenClaw, and Why Did It Go Viral?

OpenClaw (formerly Clawdbot, then Moltbot) is an open-source AI personal assistant created by Peter Steinberger. Unlike ChatGPT or Claude’s web interfaces, OpenClaw gives an AI agent actual control over your computer. It can:

  • Execute shell commands- Read and send emails- Access your calendar- Browse the web autonomously- Interact through WhatsApp, Slack, Discord, and Telegram- Install and run third-party “skills” (plugins)- Maintain persistent memory across sessions

In January 2026, OpenClaw gained 9,000+ GitHub stars in a single day. Within two weeks, it had 145,000 stars and was being called the future of personal computing.

Within those same two weeks, security researchers started finding problems. A lot of problems.

Silicon Valley’s Favorite AI Agent Has Serious Security Flaws: What CISOs Need to KnowIntroduction: The AI Agent Gold Rush Meets Reality Picture this: An AI assistant that cleans up your inbox, manages your calendar, orders your lunch, and even deploys code to production servers—all through a simple chat interface. No more clicking through dozens of apps. Just tell your AI agent whatHacker Noob TipsHacker Noob Tips

The Security Concerns Are Real

Let’s not sugarcoat this. The vulnerabilities discovered in OpenClaw are genuinely severe. Here’s what researchers found:

CVE-2026-25253: One-Click Remote Code Execution

Discovered by Mav Levin at DepthFirst Security, this vulnerability scores CVSS 8.8 (High). The attack chain is brutally efficient:

  1. Victim clicks a malicious link containing a crafted gatewayUrl parameter2. The OpenClaw control UI auto-connects to the attacker’s WebSocket server3. The victim’s auth token is exfiltrated in milliseconds4. Attacker hijacks the WebSocket connection (no Origin header validation)5. Safety features get disabled via the same API they’re supposed to protect6. Full remote code execution on the victim’s machine

Time from click to compromise: seconds.

The technical details are damning. The control UI accepted arbitrary gatewayUrl parameters without validation. The WebSocket server didn’t verify Origin headers, enabling Cross-Site WebSocket Hijacking (CSWSH). And the sandbox toggle? Controllable through the same API an attacker could now access.

As Levin noted: “Users might think these defenses would protect from this vulnerability, but they don’t.”

The Exposure Numbers Are Staggering

SecurityScorecard’s STRIKE team scanned the internet and found:

  • 40,214+ exposed OpenClaw instances publicly accessible- 28,663 unique IP addresses hosting them- 76 countries affected- 63% of observed deployments are vulnerable- 12,812 instances exploitable via RCE

How did this happen? OpenClaw binds to 0.0.0.0 by default. That’s not localhost—that’s “listen on all network interfaces, including the public internet.” For a tool that can execute arbitrary shell commands, that default is indefensible.

ClawHavoc: The Malware Campaign

When researchers at Koi Security audited ClawHub (OpenClaw’s skill marketplace), they found what they dubbed “ClawHavoc”—one of the most sophisticated supply chain attacks targeting AI tooling to date:

  • 341 malicious skills out of 2,857 audited (12% of the entire registry)- 335 skills from a single coordinated campaign- All delivering Atomic Stealer (AMOS) malware to macOS users- Single shared C2 server: 91.92.242[.]30- One attacker published 314+ malicious skills under the username “hightower6eu”- One skill accumulated ~7,000 downloads before detection

The attack method was devastatingly clever: each malicious skill featured professional-looking documentation, legitimate-seeming functionality descriptions, and a fake “Prerequisites” section instructing users to run what appeared to be a dependency installation script. In reality, the script downloaded and executed Atomic Stealer, a macOS infostealer that harvests keychain passwords, browser credentials, cryptocurrency wallets, and session tokens.

What made ClawHavoc particularly insidious was the timing. The campaign launched during OpenClaw’s viral growth phase (January 27-29, 2026), when thousands of new users were eagerly installing skills without scrutiny. The attackers understood that hype cycles create security blind spots.

ClawHub’s vetting process? You need a GitHub account that’s at least one week old. That’s it. No code review. No malware scanning. No reputation system. The barrier to publishing malicious code was lower than getting a library card.

Hudson Rock’s threat intelligence team has since warned that major infostealers—RedLine, Lumma, Vidar—are actively building capabilities to harvest OpenClaw configuration directories. The ~/.clawdbot/ folder has become a high-value target.

Additional Vulnerabilities

The hits kept coming:

  • CVE-2026-24763 & CVE-2026-25157: Command injection through improperly sanitized input fields in the gateway. An attacker who could reach the API could inject shell commands through parameters that should have been safely escaped.- CVE-2026-22708: Indirect prompt injection via web browsing. When OpenClaw browses a webpage, it doesn’t sanitize the content before feeding it to the LLM. Researchers demonstrated that CSS-invisible instructions (white text on white background, display:none elements) get interpreted as legitimate commands. The web itself becomes a command-and-control channel. Visit the wrong page, and your AI assistant starts following someone else’s orders.- Plaintext credential storage: Everything in ~/.clawdbot/ is stored unencrypted—API keys for Anthropic, OpenAI, and Google; OAuth tokens for Slack, Gmail, and Google Drive; SSH credentials; browser session cookies; conversation histories; WhatsApp and Telegram authentication data. On a compromised machine, this directory is a one-stop shop for complete identity theft.- Moltbook breach: Moltbook, the social network for OpenClaw agents (yes, really—AI agents socializing with each other), suffered a catastrophic misconfiguration. Their Supabase backend was running with Row Level Security (RLS) disabled, and the API key was visible in client-side JavaScript. The result: 1.5 million API tokens and 35,000 email addresses exposed to anyone who looked. Full read/write access to the entire database.

Credential Leakage in “Legitimate” Skills

Snyk’s security research team scanned ClawHub and found something arguably worse than intentional malware: 7.1% of “legitimate” skills (283 of them) leak credentials by design.

These aren’t backdoors. They’re just badly written code. API keys, passwords, and even credit card numbers get passed through the LLM context window and logged in plaintext output files. The skill developers never intended to steal credentials—they just didn’t understand that LLM interactions aren’t private channels.

This is the “move fast and break things” ethos applied to privileged system access. The things getting broken are your secrets.

Simon Willison’s “Lethal Trifecta”

Simon Willison—the researcher who coined the term “prompt injection”—articulated why OpenClaw is architecturally dangerous. He identified three properties that, combined, create catastrophic risk:

  1. Access to private data — emails, files, credentials, browsing history2. Exposure to untrusted content — webpages, incoming messages, third-party skills3. Ability to communicate externally — send emails, make API calls, exfiltrate data

Palo Alto Networks added a fourth dimension: persistent memory. OpenClaw stores context in SOUL.md and MEMORY.md files across sessions. This enables “time-shifted” prompt injection—an attacker plants a payload on one day, and it detonates when conditions align later.

This isn’t a bug that can be patched. It’s the fundamental architecture of an AI agent that reads untrusted content and takes privileged actions.

The Patches (What Got Fixed)

OpenClaw’s maintainers haven’t been sitting idle. Here’s what’s been addressed:

Version 2026.1.29 (January 30, 2026)

Released before CVE-2026-25253 was publicly disclosed:

  • Implemented Trust on First Use (TOFU) with origin validation- Added modal confirmation dialog before connecting to new gateway URLs- Blocked arbitrary gatewayUrl parameter injection

Security Advisories (February 3, 2026)

Three high-impact advisories were issued publicly, demonstrating at least some transparency.

What Peter Steinberger Said

The creator acknowledged the situation directly:

“It’s a free, open source hobby project that requires careful configuration to be secure. It’s not meant for non-technical users.”

That’s honest. It’s also a warning that most users probably never saw before installing.

The Deno Sandbox Approach

Not all responses have been patches. The New Stack highlighted an emerging architectural solution: Deno Sandbox.

The Core Insight

The problem with running LLM-generated code is that traditional sandboxing assumes a separation between code and data. In AI agents, that separation doesn’t exist—malicious instructions can hide in data (emails, webpages, messages) and get executed as code.

Deno Sandbox offers a different approach:

  1. Lightweight Linux microVMs running in Deno Deploy’s cloud infrastructure2. Secret redaction and substitution — configured secrets never enter the sandbox’s environment variables3. Controlled exit points — secrets only get revealed when making outbound requests to pre-approved hosts
// Deno Sandbox: secrets are redacted in the VM environment
// and only substituted at request time for approved destinations
await using sandbox = await Sandbox.create({
  secrets: {
    ANTHROPIC_API_KEY: {
      hosts: ["api.anthropic.com"],  // Only revealed when calling this API
      value: process.env.ANTHROPIC_API_KEY,
    },
  },
});

// If malicious code tries to exfiltrate to evil.com,
// it gets a redacted placeholder value instead of your real key

Even if malicious code runs inside the sandbox, it can’t exfiltrate your API keys to evil.com—the secrets simply aren’t there unless the request goes to an approved destination.

The Limitations

Deno Sandbox isn’t a silver bullet:

  • Ecosystem migration required: You can’t just flip a switch. Moving to Deno means rewriting integrations, skills, and deployment infrastructure. Most existing OpenClaw deployments can’t easily adopt this approach.- Cloud dependency: Deno Deploy is a managed service. You’re trading local control for security isolation. For some threat models (nation-state adversaries, regulatory requirements), this trade-off doesn’t work.- Doesn’t solve prompt injection: The fundamental problem—that AI agents can be tricked into taking unintended actions—remains. Deno Sandbox prevents credential exfiltration, but if an attacker convinces your agent to delete files or send emails through legitimate channels, the sandbox won’t stop it.- Unproven at scale: The architecture is theoretically sound, but we don’t have years of adversarial testing to validate it. “Theoretically secure” and “survives determined attackers” are different things.

That said, Deno Sandbox represents a fundamentally more secure architecture than “run LLM output directly on your system with all your credentials in environment variables.” It’s the direction the industry should be moving, even if it’s not ready for production deployments today. Over 1,000 Clawdbot AI Agents Exposed on the Public Internet: A Security Wake-Up Call for Autonomous AI InfrastructureExecutive Summary Clawdbot, the rapidly-adopted open-source AI agent gateway, has a significant exposure problem. Our research using Shodan and Censys identified over 1,100 publicly accessible Clawdbot gateway and control instances on the internet. While many deployments have authentication enabled, we discovered numerous instances requiring no authentication whatsoever—leaving APIBreached CompanyBreached Company

An Honest Assessment: Is It Really a Dumpster Fire?

Yes and no.

Where “Dumpster Fire” Is Fair

  • Default configuration was indefensibly insecure (binding to 0.0.0.0, no authentication required)- Critical security controls were bypassable via the same API they protected- Supply chain security was nearly nonexistent (12% of marketplace skills were malware)- Credential storage is amateur-hour (plaintext everything)- No bug bounty, no security team for a project with 145K stars and privileged system access

The January 2026 rollout prioritized features over security at a scale where that trade-off became genuinely dangerous.

Where “Dumpster Fire” Is Unfair

  • Patches came quickly — CVE-2026-25253 was fixed before public disclosure- The project is transparent about being a hobby project requiring careful configuration- The fundamental value proposition is real — autonomous AI agents are genuinely useful- Many critics ignore the hardening options that do exist

OpenClaw isn’t uniquely insecure—it’s insecure in ways that every autonomous AI agent framework will eventually face. The project just happened to go viral before those issues were resolved.

The Meta-Honesty

I’m writing this article on OpenClaw. My configuration binds to localhost only, requires authentication, runs in a containerized environment, and doesn’t install third-party skills. I’ve rotated credentials multiple times and maintain aggressive logging.

Is that convenient? No. Is it more work than the default setup? Absolutely. But I’m also not one of those 12,812 instances exploitable via RCE.

The problem isn’t that OpenClaw can’t be secured. The problem is that most people don’t.

How to Secure OpenClaw: Practical Hardening Guide

If you’re going to run OpenClaw (or any autonomous AI agent), here’s how to not become a statistic in the next breach disclosure.

Immediate Actions (Do This Now)

  1. Update to v2026.1.29 or later — non-negotiable; patches CVE-2026-252532. Rotate ALL credentials stored in ~/.clawdbot/:
  • Anthropic/OpenAI/Google API keys- Slack, Gmail, Google Drive OAuth tokens- Any SSH keys or passwords stored in config- Regenerate and re-authenticate all integrations3. Check security logs for compromise indicators:
  • EDR logs for suspicious WebSocket connections- Outbound connections to 91.92.242.30 (ClawHavoc C2)- Unusual process execution from OpenClaw directory

Set gateway.auth.password — it’s not configured by default:

openssl rand -base64 32

Audit installed skills — remove anything you didn’t explicitly install:

ls -la ~/.clawdbot/skills/

Configuration Hardening

Edit your OpenClaw config (typically ~/.clawdbot/config.yaml or via environment variables):

# Bind to localhost ONLY — never 0.0.0.0
gateway:
  bind: "127.0.0.1:18789"
  auth:
    password: ""  # Use: openssl rand -base64 32

# Disable guest mode
guest:
  enabled: false

# Require explicit approval for command execution
exec:
  approvals: required
  sandbox: enabled
  security: allowlist  # Only allow pre-approved commands

# Restrict tool access
tools:
  exec:
    host: sandbox  # Never 'gateway' — isolates execution environment
  file:
    read: workspace_only  # Prevents access to sensitive system files

Network Isolation

Docker Isolation (Recommended):

# Run OpenClaw in isolated container with strict egress filtering
docker run -d \
  --network=openclaw-net \
  --cap-drop=ALL \
  -e GATEWAY_BIND=127.0.0.1:18789 \
  openclaw:latest

Firewall Rules (iptables example):

# Default deny all egress
iptables -P OUTPUT DROP

# Allow only essential API endpoints
iptables -A OUTPUT -d api.anthropic.com -j ACCEPT
iptables -A OUTPUT -d api.openai.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT  # HTTPS only

Reverse Proxy for Remote Access:

# nginx config — add authentication layer
location /openclaw/ {
    auth_basic "OpenClaw Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://127.0.0.1:18789/;
}

Best Practice: Use Tailscale or WireGuard VPN for remote access instead of exposing to public internet.

The “Lethal Trifecta” Mitigations

Address each of Willison’s three risks:

RiskMitigationAccess to private dataMinimize credentials OpenClaw can access; use dedicated API keys with minimal permissionsExposure to untrusted contentDisable web browsing for sensitive deployments; audit all skillsExternal communicationNetwork-level egress filtering; logging of all outbound requests

Detection IOCs

Monitor for these compromise indicators:

Network Activity:

# Check for unauthorized WebSocket connections
sudo netstat -tnp | grep :18789

# Monitor DNS queries for suspicious domains
sudo tcpdump -i any port 53 | grep -E '(\.ru|\.cn|pastebin|discord\.com/api/webhooks)'

File Integrity:

# Check for unexpected configuration changes
diff ~/.clawdbot/config.yaml ~/.clawdbot/config.yaml.backup

# Audit installed skills
ls -la ~/.clawdbot/skills/ | grep -v "^total"

Log Analysis:

  • Unauthorized WebSocket connections to non-API domains- Configuration changes (sandbox disabled, tool policy relaxed)- Unusual API invocations in ~/.clawdbot/logs/gateway.log- Suspicious user-agent: ApiApp/<SlackAppID> @slack:socket-mode/2.0.5 @slack:bolt/4.6.0 @slack:web-api/7.13.0 openclaw/22.22.0

Known Malicious Infrastructure:

  • C2 Server: 91.92.242.30 (ClawHavoc campaign)- ClawHub user: hightower6eu (314+ malicious skills)

Timeline: How Fast It All Went Wrong

The speed of OpenClaw’s security implosion is worth documenting:

DateEventNov 2025OpenClaw released by Peter Steinberger as hobby projectEarly Jan 2026Goes viral—9,000+ stars in 24 hoursJan 23-26Security researchers identify widespread MCP endpoint exposureJan 27-29ClawHavoc campaign launches; 335+ malicious skills distributedJan 30v2026.1.29 released, patching CVE-2026-25253 (before disclosure)Jan 31Censys finds 21,639 exposed instancesJan 31Moltbook breach: 1.5M API tokens exposedFeb 3CVE-2026-25253 publicly disclosed (CVSS 8.8)Feb 4CVE-2026-25157 disclosed (SSH command injection)Feb 5341 total malicious skills confirmed on ClawHubFeb 5Snyk publishes credential leakage findingsFeb 13SecurityScorecard maps 40,214 exposed instancesFeb 15The New Stack publishes Deno Sandbox analysis

That’s 14 days from viral moment to full-scale security crisis. The project accumulated 145,000 stars before anyone had time to conduct a proper security audit.

This isn’t just an OpenClaw story. It’s a preview of what happens when AI tooling goes viral faster than security processes can keep up.

The Bigger Picture: AI Agent Security

OpenClaw’s problems aren’t unique to OpenClaw. They’re inherent to the concept of autonomous AI agents.

MCP (Model Context Protocol) Is Also Vulnerable

OpenClaw is built on MCP, which has its own CVE collection:

  • CVE-2025-49596 (CVSS 9.4): MCP Inspector unauthenticated access- CVE-2025-6514 (CVSS 9.6): Command injection affecting 437,000 downloads- CVE-2025-52882 (CVSS 8.8): Claude Code unauthenticated WebSockets

Research from Pynt found that deploying just 10 MCP plugins gives you a 92% exploitation probability.

The Industry Hasn’t Solved This

No one has figured out how to safely run AI agents that:

  • Process untrusted input- Take privileged actions- Maintain persistent state

Not OpenClaw. Not AutoGPT. Not any of the “AI assistant” startups racing to ship features.

The Deno Sandbox approach is promising, but it’s not proven. The correct mental model is: autonomous AI agents are an unsolved security problem. Run them accordingly.

Conclusion: The Verdict on OpenClaw Security

OpenClaw is a powerful tool that went viral before it was ready for mainstream use. The security failures were real, significant, and well-documented. The patches came quickly, but the architectural challenges remain.

The honest assessment:

✅ Can be run securely — if you’re a technical user who understands the threat model ✅ Patches were responsive — CVE-2026-25253 fixed before public disclosure ✅ Represents the future — autonomous AI agents are inevitable; better to learn now

❌ Defaults are dangerous — localhost binding and auth must be configured manually ❌ Supply chain risk remains — ClawHub has minimal vetting ❌ Unsolved architectural problems — prompt injection and credential exposure are industry-wide issues

Who should use OpenClaw:

  • Security researchers studying AI agent vulnerabilities- Developers building hardened automation workflows- Technical users willing to maintain strict configurations

Who should avoid it:

  • Anyone expecting “install and forget” convenience- Non-technical users who saw a viral demo- Production environments requiring compliance certifications

The “dumpster fire” label was earned in January 2026. But dumpster fires can be extinguished with the right controls.

Just don’t be one of the 40,214 instances with your control panel exposed to the entire internet. You’re better than that.

Key Takeaways:

  • CVE-2026-25253 enabled one-click RCE; patched in v2026.1.29- 40,214+ instances were publicly exposed due to insecure defaults- 12% of ClawHub skills were malware (ClawHavoc campaign)- Hardening requires explicit configuration; defaults are dangerous- Deno Sandbox offers a more secure architectural approach- AI agent security is an unsolved problem industry-wide

If you’re running OpenClaw: Update immediately, audit your configuration, and treat it like the privileged system access it is.

If you’re not running OpenClaw: These same vulnerabilities will appear in whatever AI agent framework you eventually use. The lessons apply universally.

The author’s OpenClaw instance survived the writing of this article with the following configuration: localhost-only binding, authentication enabled, containerized deployment, no third-party skills, and credential rotation every 7 days. Results may vary

External References: