Malwarebytes just published their assessment of OpenClaw, and the headline quote is brutal:
"An over-eager intern with an adventurous nature, a long memory, and no real understanding of what should stay private."
Source: Malwarebytes Blog
This comes the same week as:
- SecurityScorecard: 40,214 exposed instances, 63% vulnerable, 12,812 RCE-exploitable
- Endor Labs: 6 new CVEs (SSRF, path traversal, auth bypass)
- Kaspersky: Enterprise risk management guide for OpenClaw
- Dutch DPA: Formal warning against deploying on sensitive systems
- Hudson Rock: First documented case of an infostealer grabbing a complete OpenClaw identity
The Core Problem
Malwarebytes nails the fundamental tension:
OpenClaw is designed to be adventurous — browse the web, run shell commands, read/write files, chain skills together. But this adventurousness + open source + rapid growth = a security nightmare.
The Meta AI safety director who couldn't prevent OpenClaw from deleting her email inbox? That's not a bug. That's the architecture working as designed.
What You Can Actually Do
1. Don't Expose to the Internet
312,000+ instances are running on default port 18789 with no authentication. If that's you, fix it now.
2. Update Constantly
OpenClaw has patched 9+ CVEs in 2026 alone. Run updates weekly at minimum.
3. Audit Your Skills
The ClawHub ecosystem has 824+ known malicious skills. Review every installed skill. Remove what you don't use.
# Scan skills for suspicious patterns
npx clawmoat skill-audit ./path-to-skill
4. Add Runtime Monitoring
Sandboxes contain the blast radius. But they don't tell you when:
- A skill reads ~/.ssh/id_rsa
- Credentials are exfiltrated through allowed network channels
- A skill's behavior changes after an update
You need a host-level monitoring layer:
npm install clawmoat
# Permission tiers (observer/worker/standard/full)
# Forbidden zone enforcement (~/.ssh, ~/.aws, browser creds)
# Network egress logging
# Skill integrity checking
npx clawmoat --tier worker --audit-log ./audit.json
5. Treat It Like an Untrusted Employee
Malwarebytes' "intern" analogy is perfect. You wouldn't give an intern unrestricted access to your SSH keys, AWS credentials, and browser passwords. Don't give your agent that access either.
The Bigger Picture
This isn't just an OpenClaw problem. Every AI agent framework that runs locally with broad system access faces the same fundamental challenge. OpenClaw is just the first to hit mainstream adoption — and the first to hit mainstream exploitation.
The industry needs:
- Permission models that default to least privilege
- Runtime monitoring that watches agent behavior, not just prompts
- Supply chain security for agent plugins/skills
- Audit trails for regulatory compliance
- Human-in-the-loop for sensitive operations
ClawMoat handles 1-4 as an open-source layer. Zero dependencies, 142 tests, MIT license.
The question isn't whether to use AI agents — it's whether to use them without guardrails.
Further reading: