Your OpenClaw instance is probably exposed right now. Here's how to fix it.
Last week, SecurityScorecard's STRIKE team found over 135,000 OpenClaw instances exposed to the public internet. 93% had critical authentication bypasses. 50,000+ were vulnerable to a known remote code execution exploit. Honeypot researchers reported probe attempts arriving within minutes of standing up a new instance.
This isn't theoretical. If you're running OpenClaw, your instance is likely reachable from the internet, accepting unauthenticated connections, and running with permissions broad enough to read your email, execute shell commands, and exfiltrate your credentials.
Here's how to lock it down in five minutes. No product pitch — just the fixes.
1. Bind to Loopback (30 seconds)
OpenClaw's default configuration binds to 0.0.0.0:18789 — every network interface, including the public internet. This is the single biggest reason 135,000 instances are exposed.
Fix it:
Open your OpenClaw config (~/.openclaw/openclaw.json) and set:
{
"gateway": {
"bind": "loopback"
}
}
Or launch with the CLI flag:
openclaw gateway run --bind loopback
This restricts the gateway to localhost only. If you need remote access, use an SSH tunnel or Tailscale — never expose the gateway directly.
Why this matters: The gateway HTTP surface includes the Control UI and canvas host, which serve arbitrary HTML/JS. Exposing them to the internet is equivalent to running an unauthenticated remote desktop.
2. Set a Gateway Password (30 seconds)
Even on loopback, set authentication. OpenClaw supports bearer tokens, passwords, and Tailscale identity verification.
{
"gateway": {
"auth": {
"password": "a-strong-random-password-here"
}
}
}
Generate something strong: openssl rand -base64 32
Without this, anyone who can reach your gateway — through a browser exploit, a malicious link, or a compromised local process — gets full agent control.
3. Update to 2026.2.12+ (60 seconds)
The February 12 release patched 40+ vulnerabilities, including SSRF protections, prompt injection hardening, and the WebSocket token exfiltration chain (CVE-2026-25253).
npm update -g openclaw
openclaw --version # Should show 2026.2.12 or later
If you're running anything older than 2026.1.29, you are vulnerable to one-click RCE. A crafted link in an email or webpage can steal your gateway token and execute arbitrary commands on your machine. Update immediately.
4. Audit Your Installed Skills (60 seconds)
341 malicious packages were found in ClawHub. They delivered credential stealers, cryptominers, and persistent backdoors disguised as legitimate tools.
Check what you have installed:
openclaw plugins list
For each plugin you don't recognize: remove it. For each plugin you do recognize: check when it was last updated and by whom.
Run the built-in security audit:
openclaw security audit --deep
This scans for dangerous patterns in skill code, exposed configs, overly permissive policies, and known vulnerability indicators. It's a diagnostic — it tells you what's wrong but doesn't enforce fixes.
5. Set API Spending Limits (60 seconds)
OpenClaw's heartbeat feature means your agent can wake up and take actions on its own — including making API calls that cost money. Without limits, a misconfigured or compromised agent can burn through hundreds of dollars overnight.
Set limits with your LLM provider:
- Anthropic: Console → Settings → Spend Limits → set a monthly cap
- OpenAI: Platform → Settings → Billing → Usage Limits → set a hard cap
- Google: Cloud Console → Billing → Budgets & Alerts → create a budget
Also in your OpenClaw config, restrict which models agents can use:
{
"models": {
"default": "claude-sonnet-4-5-20250514"
}
}
Don't let agents default to the most expensive model unless you've budgeted for it.
What These Fixes Don't Cover
These five steps address the most critical exposures. They don't solve everything:
Skill supply chain — openclaw security audit scans for dangerous patterns, but it's a point-in-time check. It doesn't block malicious skills from installing. It doesn't enforce network restrictions on skill execution. It doesn't scan for encoded payloads or obfuscated exfiltration.
Budget enforcement — Provider-side spending limits are coarse. They don't give you per-agent budgets, per-conversation caps, or real-time cost tracking. A single runaway agent still burns your entire monthly allocation before the provider cuts you off.
Audit trail — OpenClaw logs events, but there's no structured enforcement trace showing which security check passed or failed on each request. For compliance reporting (SOC2, ISO), you need a complete decision trail, not just activity logs.
Identity verification — When you have multiple agents or participate in multi-agent workflows, there's no cryptographic way to verify which agent produced which output. UUIDs aren't signatures.
Kill switch — You can stop an agent, but there's no instant council-level kill switch for shutting down multiple agents simultaneously, and no state snapshot/rollback if something goes wrong before you intervene.
Process isolation — OpenClaw's Docker sandbox is configurable and opt-in. Agents can be configured to run directly on the host. There's no enforcement-by-default isolation.
These are the gaps that require architectural solutions, not configuration changes.
Going Further
If you want enforcement that's active on every request — not just diagnostics you run manually — that's what we built Sammā Suit for.
It's an open-source security framework with 8 enforced layers: gateway protection (SUTRA), model permissions (DHARMA), skill vetting with static analysis (SANGHA), per-agent budget enforcement (KARMA), process isolation (BODHI), cryptographic identity signing (METTA), full audit trails (SILA), and kill switch with recovery (NIRVANA).
Two ways to use it:
Already running OpenClaw? Install the plugin:
openclaw plugins install samma-suit
Enforcement-by-default from first install. Budget limits, kill switches, audit trails, skill vetting, identity signing — active immediately.
Starting fresh? Use the standalone platform with built-in support for Anthropic, OpenAI, and Google models:
https://sammasuit.com
GitHub: https://github.com/OneZeroEight-ai/samma-suit
This guide is current as of February 17, 2026. OpenClaw patches frequently — check their changelog for the latest security fixes.``
Top comments (0)