This article was originally written by Fadeke Adegbuyi (Manager, Content Marketing)
OpenClaw isn’t just another chatbot wrapper. It executes shell commands, controls your browser, manages your calendar, reads and writes files, and remembers everything across sessions. The project runs locally on your machine and connects to WhatsApp, Telegram, iMessage, Discord, Slack, and over a dozen other platforms via pre-built integrations. It functions as a truly connected personal assistant. As a result, the use cases people have dreamed up for OpenClaw are wild.
One user showed an OpenClaw agent making money on Polymarket by monitoring news feeds and executing trades automatically. Another gave their bot access to home surveillance cameras. Someone else unleashed subagents to apply for UpWork freelancing jobs on their behalf.
But this kind of access to your digital life comes with real consequences when things go wrong. And things have gone wrong. Security researchers found that the agent shipped with serious flaws that made it possible for attackers to hijack machines with a single malicious link. Meanwhile, Moltbook, a Reddit-style platform with over 2.8 million AI agents, had its database completely exposed, so anyone could take control of any AI agent on the platform.
None of this means you should avoid OpenClaw entirely. It means you should understand OpenClaw security challenges and take precautions before spinning up an agent with root access to your laptop. Running OpenClaw in an isolated cloud environment can help neutralize some of these risks—DigitalOcean's 1-Click Deploy for OpenClaw, for example, handles authentication, firewall rules, and container isolation out of the box so your personal machine stays out of the equation.
What are OpenClaw security challenges?
OpenClaw security challenges boil down to a design tension: the tool needs broad system permissions to be useful, but those permissions create a massive attack surface when something goes wrong. The agent runs with whatever privileges your user account has—full disk, terminal, and network access—by design.
It's also agentic and self-improving, meaning it can modify its own behavior, update its memory, and install new skills autonomously. This is impressive from a capability standpoint, but it is also another vector through which things can spiral when guardrails are missing. Pair that with defaults that skip authentication, an unvetted skill marketplace, and persistent memory storing weeks of context, and trouble follows. The takeaway: approach with caution, isolate from production systems, and carefully scrutinize the defaults.
To his credit, OpenClaw creator Peter Steinberger has been openly vocal about these risks and actively encourages running OpenClaw in a sandboxed environment, which isolates tool execution inside Docker containers to limit filesystem and process access when the model misbehaves. DigitalOcean's one-click deployment does exactly this out of the box, giving you that isolation without the manual setup.
7 OpenClaw security challenges to watch out for
We've already seen a security audit uncover 512 vulnerabilities (eight critical) and malicious ClawHub skills stealing cryptocurrency wallets. None of these challenges are theoretical. They're all based on incidents that have already played out within weeks of OpenClaw’s launch.
These are the challenges you need to have on your radar if you're experimenting with OpenClaw:
1. One-click remote code execution through WebSocket hijacking
One of the most alarming OpenClaw vulnerabilities discovered so far is CVE-2026-25253, a one-click remote code execution flaw that Mav Levin, a founding researcher at DepthFirst, disclosed in late January 2026. The attack worked because OpenClaw's local server didn’t validate the WebSocket origin header—so any website you visited could silently connect to your running agent. An attacker just needed you to click one link. From there, they chained a cross-site WebSocket hijack into full code execution on your machine. The compromise happened in milliseconds. This is the core danger of running an agent locally on the same machine you're browsing the web with—one careless click and an attacker is already inside.
Levin's proof-of-concept showed that visiting a single malicious webpage was enough to steal authentication tokens and gain operator-level access to the gateway API—giving an attacker access to change your config, read your files, and run commands.
Security checks: In this instance, the fix landed in version 2026.1.29, so update immediately if you’re a version behind. Beyond that, best practices include avoiding running OpenClaw while browsing untrusted sites and considering putting the agent behind a reverse proxy with proper origin validation for an additional layer of protection.
2. Tens of thousands of unprotected OpenClaw instances sitting open on the internet
Here's the thing about OpenClaw's early defaults: the agent trusted any connection from localhost without asking for a password. That sounded fine until the gateway sat behind a misconfigured reverse proxy—at which point every external request got forwarded to 127.0.0.1, and the agent treated the whole internet as a trusted local user. SecurityScorecard's STRIKE team found over 30,000 internet-exposed OpenClaw instances.
Security researcher Jamieson O'Reilly showed just how bad this gets. He accessed Anthropic API keys, Telegram bot tokens, Slack accounts, and complete chat histories from exposed instances, even sending messages on behalf of users and running commands with full admin privileges. No authentication required.
This has since been addressed—gateway auth is now required by default, and the onboarding wizard auto-generates a token even for localhost.
Security checks: At a minimum, check whether your instance is reachable from the public internet. Use a firewall to restrict access, enable gateway token authentication, and never expose the control plane without a VPN or SSH tunnel in front of it. This is a case where a managed cloud deployment can solve the problem outright—because your personal API keys, chat histories, and credentials aren’t sitting on an exposed local machine in the first place.
3. Malicious skills on ClawHub are poisoning the supply chain
ClawHub, OpenClaw's public skill marketplace, lets anyone publish an extension—the only requirement is a GitHub account older than one week. That low bar has unfortunately turned the marketplace into a target. Koi Security audited all 2,857 skills on ClawHub and found 341 that were outright malicious. Bitdefender's independent scan put the number closer to 900 malicious skills, roughly 20% of all packages. A single account—"hightower6eu"—uploaded 354 malicious packages by itself.
The attack is clever. You install what looks like a useful skill and the documentation looks professional. But buried in a "Prerequisites" section, it asks you to install something first—and that something is Atomic Stealer (AMOS), a macOS credential-stealing malware.
Security checks: OpenClaw has since partnered with VirusTotal to scan new skill uploads, but Steinberger himself admitted this isn't a silver bullet. At a minimum, before installing any skill, read its source code. Check the publisher's account age and history. Put simply, treat every skill as untrusted code running with your agent's full permissions. Unlike some exposure risks, malicious skills are a threat regardless of where OpenClaw runs—a poisoned skill executes the same way on a cloud server as it does on your laptop.
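A pre-install review of a skill's documentation, targeting the "Prerequisites" trick described above, as an added example that is not ClawHub's or OpenClaw's tooling. It scans that section for fetch-and-execute patterns and applies an account-age rule to publisher metadata; the skill text, publisher record and thresholds are constructed for the example.

```javascript
// Added example, not ClawHub/OpenClaw code: flag skill docs whose "Prerequisites"
// section asks the reader to fetch and run something, and young publisher accounts.
const FETCH_EXEC = [
  { name: "pipe-to-shell", re: /\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z)?sh\b/i },
  { name: "decode-and-run", re: /\bbase64\b[^\n]*(-d|--decode)[^\n]*\|\s*(ba|z)?sh\b/i },
  { name: "fetch-then-open", re: /\b(curl|wget)\b[^\n]*\b(open|xattr\s+-d|chmod\s+\+x)\b/i },
  { name: "downloads-binary", re: /\bhttps?:\/\/\S+\.(dmg|pkg|zip|exe)\b/i },
];

// Return the text under a markdown heading (case-insensitive) up to the next heading.
function sectionBody(markdown, heading) {
  const lines = markdown.split("\n");
  const start = lines.findIndex(
    (l) => /^#+\s*/.test(l) && l.replace(/^#+\s*/, "").trim().toLowerCase() === heading);
  if (start < 0) return "";
  const rest = lines.slice(start + 1);
  const end = rest.findIndex((l) => /^#+\s/.test(l));
  return (end < 0 ? rest : rest.slice(0, end)).join("\n");
}

// publisher: { login, createdAt } as an ISO date; minAgeDays is a constructed threshold.
function reviewSkill(markdown, publisher, now = Date.now(), minAgeDays = 90) {
  const findings = [];
  const prereq = sectionBody(markdown, "prerequisites");
  for (const { name, re } of FETCH_EXEC) {
    const m = re.exec(prereq);
    if (m) findings.push({ rule: name, evidence: m[0].trim() });
  }
  const ageDays = (now - Date.parse(publisher.createdAt)) / 86400000;
  if (ageDays < minAgeDays) {
    findings.push({ rule: "young-publisher", evidence: `${Math.floor(ageDays)} days old` });
  }
  // Any finding routes the skill to manual source review rather than blocking outright.
  return { verdict: findings.length ? "manual-review" : "no-findings", findings };
}
```

This is a coarse first pass that decides what gets read by a human first; it does not replace reading the skill's source.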
4. Credential storage in plaintext and API key leakage
One of the less glamorous but more dangerous issues is how OpenClaw handles secrets. The platform stores credentials in plaintext—including API keys for your LLM provider and tokens for every messaging platform your agent connects to—and those become targets the moment your instance is accessible to anyone other than you. Prompt injection attacks can also trick the agent into exfiltrating credentials by embedding hidden instructions in content the agent processes.
Cisco's team tested a skill called "What Would Elon Do?" and surfaced nine security findings, two of them critical. The skill instructed the bot to execute a curl command sending data to an external server controlled by the skill's author. Functionally, it was malware hiding behind a joke name.
Security check: At a minimum, rotate your API keys regularly and store secrets using environment variables or a dedicated secrets manager rather than config files. It's also worth setting spending limits on your LLM provider accounts. That way, even if a key is compromised, it can't rack up thousands in charges.
5. Prompt injection attacks amplified by persistent memory
What makes prompt injection in OpenClaw worse than in a typical chatbot is the persistent memory. The agent retains long-term context, preferences, and conversation history across sessions—which is one of its best features. But it also means a malicious instruction embedded in a website, email, or document doesn't have to execute immediately. Palo Alto Networks warned that these become "stateful, delayed-execution attacks". A hidden prompt in a PDF you opened last Tuesday could sit dormant in the agent's memory until a future task triggers it days later.
Security check: There's no perfect fix for prompt injection right now; it's an unresolved problem in agentic AI. But you can reduce the blast radius by limiting what tools and permissions your agent has access to, segmenting its access to sensitive systems, and reviewing its memory and context periodically for anything unexpected.
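One way to reduce the blast radius of delayed prompt injection, as an added example that is not OpenClaw's own memory implementation: tag every memory entry with its source, render only trusted sources as instructions, and make the periodic review surface untrusted directive-like or stale entries. Source names, the directive heuristic and the review window are hypothetical.

```javascript
// Added example, not OpenClaw's code: a provenance-tagged memory store. The rule is
// source-based rather than pattern-based: the same sentence is fine in an operator
// message and suspicious in a tool result or document. Names are hypothetical.

// Sources allowed to contribute instructions; everything else is stored as data only.
const TRUSTED_SOURCES = new Set(["operator", "skill-definition"]);

// Coarse indicator of text addressed to the agent. It is consulted only for untrusted
// sources, so operator messages containing these words are never flagged.
const DIRECTIVE =
  /\b(ignore|disregard|forget)\b.{0,40}\b(instructions|rules)\b|\b(run|execute|curl|upload|exfiltrate)\b|\bsystem prompt\b/i;

class AgentMemory {
  constructor() { this.entries = []; }

  // Persist text together with where it came from and when.
  remember(text, source, now = Date.now()) {
    const trusted = TRUSTED_SOURCES.has(source);
    const entry = { text, source, trusted, storedAt: now, role: trusted ? "instruction" : "data" };
    if (!trusted && DIRECTIVE.test(text)) entry.flag = "directive-from-untrusted-source";
    this.entries.push(entry);
    return entry;
  }

  // Only trusted entries are rendered as instructions; untrusted ones are quoted as
  // labelled data so a later task cannot mistake them for operator intent.
  buildContext() {
    return this.entries.map((e) =>
      e.role === "instruction" ? e.text : `[data from ${e.source}] ${JSON.stringify(e.text)}`);
  }

  // Periodic review (the "check memory for anything unexpected" step): flagged entries,
  // plus untrusted data that has sat in memory longer than maxAgeMs (delayed execution).
  review(now = Date.now(), maxAgeMs = 7 * 24 * 3600 * 1000) {
    const findings = [];
    for (const e of this.entries) {
      if (e.flag) findings.push({ entry: e, reason: e.flag });
      else if (!e.trusted && now - e.storedAt > maxAgeMs) {
        findings.push({ entry: e, reason: "stale-untrusted-data" });
      }
    }
    return findings;
  }
}
```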
6. Shadow AI spreading through enterprise networks
This one's for anyone working at a company where developers tinker on their work machines. Token Security found that 22% of their enterprise customers have employees running OpenClaw as shadow AI without IT approval. Bitdefender confirmed the same, showing employees deploying agents on corporate machines connected to internal networks. An OpenClaw agent on a developer's laptop with VPN access to production means every vulnerability above is now a business problem.
Security check: If you're on a security team, you should scan your network for OpenClaw instances now. Set up detection for its WebSocket traffic patterns, and mandate that any approved use runs in an isolated environment—a VM or cloud server—rather than on laptops with internal access. Giving teams an approved, isolated deployment path is the fastest way to get ahead of shadow AI—it's much easier to enforce guardrails when the alternative isn't 'don't use it at all.'
7. The Moltbook database breach exposing millions of agent credentials
The security mess isn't limited to OpenClaw itself. Moltbook, the social network for AI agents built by Matt Schlicht, suffered a database exposure that cybersecurity firm Wiz discovered in early February. The database had zero access controls. Anyone who found it could view 1.5 million API tokens, 35,000 email addresses, and private messages between agents—enough to take control of any agent on the platform. China's Ministry of Industry and Information Technology issued a formal warning about OpenClaw security risks, citing incidents like this breach.
Security check: If you've used Moltbook, rotate every API key and token associated with your agent. Treat third-party platforms in the OpenClaw ecosystem with the same skepticism you'd apply to any new service asking for your credentials and consider additional security checks.
Any references to third-party companies, trademarks, or logos in this document are for informational purposes only and do not imply any affiliation with, sponsorship by, or endorsement of those third parties.
Pricing and product information accurate as of February 2026.
Top comments (2)
Useful rundown. #5 (prompt injection with persistent memory) is interesting because pattern matching alone won't catch the sophisticated versions of these attacks.
The problem: the same text can be legitimate or malicious depending on where it appears. Instructions in a skill definition are expected. Instructions embedded in an API response or a database field? That's an attack. But the pattern itself looks identical.
So the detection question isn't "does this content look dangerous?"—it's "is this content doing what it's supposed to do?" A weather API returning instructions isn't doing what it's supposed to do. That's the signal, not the pattern.
On #3 (malicious skills): 341 malicious skills on ClawHub is a supply chain problem. While reviewing source code is key here, automated scanning that understands what legitimate skill definitions look like vs ones trying to expand permissions or exfiltrate.
You also mentioned another thing missing from most agent security discussions: observability into the runtime environment itself. Open ports, overly broad permissions, sandbox escape attempts. The content-level attacks get attention, but the infrastructure-level exposure is just as real.
I'm working on an open source solution that combines intent-based content detection with this kind of system-level observability. The 360-degree view is vital as threats emerge, evolve and proliferate.
I got hit hard with #2. I had someone messaging my OpenClaw instance on Telegram before I had even messaged it myself. Luckily it was on a temporary Digital Ocean droplet and I had been planning to nuke and recreate it anyway once I'd learned how to set up the production environment. Ended up switching to the preconfigured version you offer instead!