Richard Echols
Originally published at kiyomibot.ai

OpenClaw's Security Problem Is Bigger Than You Think

OpenClaw has 205,000 GitHub stars. It is one of the most-starred AI projects in history. And right now, it has a security problem that its community has been slow to fully reckon with.

This is not fear-mongering. The research is public. The CVEs are filed. The malicious skills have been catalogued. If you are running OpenClaw in production, or considering it, this is information you need before you make that decision.

The ClawHavoc Campaign: 341 Malicious Skills

In early 2026, security researchers identified a coordinated supply chain attack against the OpenClaw skill ecosystem, designated the ClawHavoc campaign. The attack involved 341 malicious skills published to OpenClaw's community skill repositories.

These skills were designed to look legitimate. They had reasonable names, descriptions, and initial behavior. Once installed and granted the permissions that OpenClaw skills typically request, they executed secondary payloads. The documented behaviors included:

  • Exfiltrating API keys stored in the OpenClaw configuration directory
  • Reading files from the user's home directory and uploading them to attacker-controlled servers
  • Establishing persistence mechanisms to survive OpenClaw restarts
  • Using the host system's AI API credits to run attacker workloads

OpenClaw skills run with broad filesystem and network permissions by default. That is a design choice that makes skills powerful, but it also means a malicious skill can do a great deal of damage before anyone notices.

If you have installed community skills from OpenClaw's public repositories in the past six months, audit your installed skills against the ClawHavoc indicators of compromise. Check your API usage dashboards for unexplained spikes.
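One way to run that audit, as an added example that is not from the original article or from the OpenClaw project: it hashes every file in each installed skill and compares skill names and file hashes against an indicator list. The one-subdirectory-per-skill layout, the skill names and the indicator values are constructed assumptions; point `audit_skills` at your real skills directory and load the published ClawHavoc indicators in their place.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_skills(skills_root: Path, bad_names: set, bad_hashes: set) -> list:
    """Return one finding per installed skill that matches an indicator.

    Assumes (hypothetical layout) that each skill is a subdirectory of
    skills_root. bad_names must be lower-case; bad_hashes are SHA-256 hex.
    """
    findings = []
    for skill_dir in sorted(p for p in skills_root.iterdir() if p.is_dir()):
        reasons = []
        if skill_dir.name.lower() in bad_names:
            reasons.append("name on IoC list")
        for f in sorted(skill_dir.rglob("*")):
            # Hash regular files only; symlinked files are skipped.
            if f.is_symlink() or not f.is_file():
                continue
            if sha256_file(f) in bad_hashes:
                rel = f.relative_to(skill_dir).as_posix()
                reasons.append(f"file hash on IoC list: {rel}")
        if reasons:
            findings.append({"skill": skill_dir.name, "reasons": reasons})
    return findings


def demo() -> list:
    # Constructed sample data: none of these names or hashes are real indicators.
    payload = b"constructed sample payload, not a real indicator\n"
    sample = {
        "notes-helper": {"index.js": b"module.exports = {};\n"},
        "weather-lookup": {"index.js": b"// ok\n", "lib/post.js": payload},
        "example-flagged-skill": {"index.js": b"// renamed copy\n"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, files in sample.items():
            for rel, data in files.items():
                target = root / name / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        bad_hashes = {hashlib.sha256(payload).hexdigest()}
        return audit_skills(root, {"example-flagged-skill"}, bad_hashes)


if __name__ == "__main__":
    print(demo())
```

A hash match catches a known payload even when the skill was republished under a clean name, while a name match catches a listed skill whose files have since changed, so a skill flagged by either check should be removed and its API keys rotated.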

The Snyk Study: 36.82% of Skills Have Security Flaws

Independent of the ClawHavoc campaign, Snyk conducted a security audit of the broader OpenClaw skill ecosystem. Their findings: 36.82% of audited skills contained at least one security flaw. The flaws ranged in severity, but the categories were consistent:

  • Insecure handling of credentials passed through skill parameters
  • Server-side request forgery vulnerabilities in skills that make outbound HTTP calls
  • Path traversal issues in skills with file access
  • Dependency vulnerabilities in skills that bundle third-party npm packages
  • Insufficient input validation allowing prompt injection to affect skill behavior

This is not a small sample. Snyk reviewed thousands of skills. Finding security issues in more than a third of them reflects a structural problem: the OpenClaw skill review process relies heavily on automated checks and community trust, not dedicated security engineering.

Cisco's Findings: Exposed Control Panels

Cisco's threat intelligence team separately documented widespread misconfiguration of OpenClaw deployments. Their research identified tens of thousands of OpenClaw control panels accessible on the public internet, many with default or no authentication.

OpenClaw's control panel provides full access to: installed skills, API key management, conversation history, connected integrations, and in many configurations, the underlying filesystem. An exposed panel is not just a data breach risk. It is a full system compromise risk.

The OpenClaw Creator Joined OpenAI

The project's trajectory changed in early 2026 when OpenClaw's creator joined OpenAI. The project has moved toward a foundation governance model. Several large teams that had been evaluating OpenClaw for internal deployment have cited the governance transition as a reason to pause and look at alternatives.

The Cost Problem: $300 to $750 per Month

Even before the security concerns, OpenClaw's cost model was already driving users toward alternatives. Because OpenClaw uses a bring-your-own-API-key model, your monthly costs are entirely variable.

Users in OpenClaw's community have reported:

  • Light personal use: $50 to $150/month
  • Moderate use: $200 to $400/month
  • Heavy use or misconfigured agents: $300 to $750/month and higher

There is no built-in spend cap in OpenClaw. When a ClawHavoc-infected skill is also using your API keys to run attacker workloads, those costs land in your billing account too.

OpenClaw vs. Kiyomi: A Direct Comparison

| Factor | OpenClaw | Kiyomi |
| --- | --- | --- |
| Pricing | Variable. $300-750/mo at heavy use. | Fixed. Free, $9/mo Pro, $149 lifetime. |
| Skill security | 36.82% flagged by Snyk. ClawHavoc active. | Curated preset system. No third-party skill execution. |
| Control panel | Web-based. Thousands found exposed per Cisco. | No web panel. Local app and Telegram bot only. |
| Data storage | Cloud-based by default. | Local-first. Memory stays on your device. |
| API keys | You manage them. Targeted by ClawHavoc. | No API keys required or stored on your device. |
| Governance | Moving to foundation model. Creator joined OpenAI. | Actively maintained by RMDW LLC. |

What Teams Are Doing Instead

The teams switching away from OpenClaw are not abandoning AI assistants. They are choosing a different risk profile: fixed costs, no API key management, local-first data handling, and a curated ecosystem where they do not have to audit every add-on for malicious behavior.

Kiyomi is a Claude-powered AI assistant for Mac and Windows that works through Telegram. No web control panel. No community skill marketplace to audit. No API keys stored on your device. Presets are curated and reviewed.

  • Free: $0/month. Gemini access, local memory, core features.
  • Pro: $9/month or $149 lifetime. Full model access, unlimited memory, preset system.
  • Business: $29/month. Team presets, priority support, custom configurations.

Sources: ClawHavoc campaign documentation (security community disclosure, 2026), Snyk OpenClaw Ecosystem Security Audit (2026), Cisco Threat Intelligence OpenClaw Deployment Research (2026).