DEV Community: Santosh T The latest articles on DEV Community by Santosh T (@santosh_t_637f7c9257441a5). https://dev.to/santosh_t_637f7c9257441a5 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3775196%2F88798ca9-91bb-4b6d-b5f8-8c1927d10ef7.jpg DEV Community: Santosh T https://dev.to/santosh_t_637f7c9257441a5 en Why I Built a Secure Open-Source AI Agent After Seeing OpenClaw's 512 CVEs Santosh T Mon, 16 Feb 2026 08:17:15 +0000 https://dev.to/santosh_t_637f7c9257441a5/why-i-built-a-secure-open-source-ai-agent-after-seeing-openclaws-512-cves-187p https://dev.to/santosh_t_637f7c9257441a5/why-i-built-a-secure-open-source-ai-agent-after-seeing-openclaws-512-cves-187p <p>OpenClaw is everywhere. 180K+ GitHub stars. Baidu integrated it. Elon Musk tweeted about it.</p> <p>But if you're a security professional, it's terrifying:</p> <ul> <li> <strong>512 vulnerabilities</strong> disclosed (8 critical)</li> <li> <strong>One-click remote code execution</strong> via malicious links</li> <li> <strong>230+ malicious skills</strong> uploaded to ClawHub</li> <li>Gateway binds <strong>0.0.0.0 by default</strong> — 30,000+ instances exposed</li> <li>Credentials and memories stored in <strong>plaintext</strong> </li> <li> <strong>No skill signing</strong> — anyone can upload anything</li> </ul> <p>This matters because personal AI agents aren't chatbots. They have access to your filesystem, your email, your credentials, your shell. An insecure agent is an open door.</p> <h2> What I Built </h2> <p>I'm a security engineer with 15+ years in the industry. I built <strong>Gulama</strong> with one principle: <strong>security isn't a feature you add later — it's the foundation you build on.</strong></p> <h3> 15+ Security Mechanisms </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Mechanism</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><strong>AES-256-GCM encryption</strong></td> <td>All credentials and memories encrypted at rest</td> </tr> <tr> <td><strong>Sandboxed execution</strong></td> <td>Every tool runs in bubblewrap/Docker sandbox</td> </tr> <tr> <td><strong>Ed25519-signed skills</strong></td> <td>No unsigned code runs, ever</td> </tr> <tr> <td><strong>Policy engine</strong></td> <td>Cedar-inspired deterministic authorization</td> </tr> <tr> <td><strong>Canary tokens</strong></td> <td>Prompt injection detection</td> </tr> <tr> <td><strong>Egress filtering + DLP</strong></td> <td>Prevents data exfiltration</td> </tr> <tr> <td><strong>Loopback binding</strong></td> <td>Gateway binds 127.0.0.1 ONLY</td> </tr> <tr> <td><strong>Hash-chain audit</strong></td> <td>Tamper-proof cryptographic audit trail</td> </tr> </tbody> </table></div> <h3> But Also a Real Agent </h3> <p>Gulama isn't just a security demo. It's a full-featured personal AI agent:</p> <ul> <li> <strong>100+ LLM providers</strong> via LiteLLM — Anthropic, OpenAI, DeepSeek, Groq, Ollama (free/local), and more</li> <li> <strong>19 built-in skills</strong> — files, shell, web, browser, email, calendar, GitHub, Notion, Spotify, voice, MCP bridge</li> <li> <strong>10 communication channels</strong> — CLI, Telegram, Discord, Slack, WhatsApp, Matrix, Teams, Google Chat, Web UI, Voice Wake</li> <li> <strong>Full MCP support</strong> — both server and client</li> <li> <strong>Multi-agent orchestration</strong> — spawn background sub-agents</li> <li> <strong>RAG-powered memory</strong> — ChromaDB vector search</li> <li> <strong>Self-modifying</strong> — the agent writes its own new skills at runtime (sandboxed)</li> <li> <strong>5 autonomy levels</strong> — from "ask before everything" to full autopilot</li> </ul> <h2> Side-by-Side: Gulama vs OpenClaw </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Gulama</th> <th>OpenClaw</th> </tr> </thead> <tbody> <tr> <td>Security mechanisms</td> <td><strong>15+ built into core</strong></td> <td>~0</td> </tr> <tr> <td>Memory encryption</td> <td><strong>AES-256-GCM</strong></td> <td>None (plaintext)</td> </tr> <tr> <td>Skill signing</td> <td><strong>Ed25519 mandatory</strong></td> <td>None</td> </tr> <tr> <td>Sandbox</td> <td><strong>bubblewrap/Docker</strong></td> <td>Container-only</td> </tr> <tr> <td>Prompt injection defense</td> <td><strong>Canary tokens</strong></td> <td>None</td> </tr> <tr> <td>MCP support</td> <td><strong>Full server + client</strong></td> <td>None</td> </tr> <tr> <td>Multi-agent</td> <td><strong>Background sub-agents</strong></td> <td>None</td> </tr> <tr> <td>LLM providers</td> <td> <strong>100+</strong> via LiteLLM</td> <td>~5</td> </tr> <tr> <td>Communication channels</td> <td><strong>10</strong></td> <td>CLI-focused</td> </tr> </tbody> </table></div> <h2> Try It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>gulama gulama setup gulama chat </code></pre> </div> <p>That's it. 60 seconds to a secure AI agent.</p> <h2> Links </h2> <ul> <li> <strong>GitHub</strong>: <a href="https://github.com/san-techie21/gulama-bot" rel="noopener noreferrer">github.com/san-techie21/gulama-bot</a> </li> <li> <strong>PyPI</strong>: <a href="https://pypi.org/project/gulama/" rel="noopener noreferrer">pypi.org/project/gulama</a> </li> <li> <strong>License</strong>: MIT</li> </ul> <p>Security shouldn't be an afterthought. Especially when the agent has access to your files, emails, and credentials.</p> <p>Happy to answer questions in the comments!</p> security opensource ai python