Cisco's AI Threat and Security Research team released a critical security assessment of OpenClaw on January 28, characterizing it as "an absolute nightmare from a security perspective." Despite calling it a "dream for busy professionals," researchers Amy Chang, Vineeth Sai Narajala, and Idan Habler identified four primary attack surfaces that self-hosters need to take seriously.
The Four Threat Vectors
- Shell command execution through agent prompts
- File system access without proper sandboxing
- API key leakage via prompt injection
- Messaging app integrations (WhatsApp, iMessage) as attack vectors
The fundamental issue: OpenClaw's local deployment model assumes a trusted environment. When exposed to the internet without hardening, that trust model breaks.
Skill Scanner Results
Cisco built an open-source Skill Scanner and tested 31,000 ClawHub skills. 26% contained at least one vulnerability. A test skill called "What Would Elon Do?" silently exfiltrated user data, triggering 9 findings including 2 critical.
The Bigger Picture
This report dropped alongside multiple threats:
- CVE-2026-25253: Critical one-click RCE (CVSS 8.8), patched in v2026.1.29
- ClawHavoc Campaign: 341 malicious skills found in ClawHub deploying Atomic macOS Stealer
- 42,665 exposed instances discovered by researcher Maor Dayan, 93.4% with bypassed authentication
What to Do About It
If you're self-hosting OpenClaw:
- Enable authentication (seriously, 93% of exposed instances didn't)
- Isolate your network
- Update regularly
- Audit your installed skills
Or use a managed host that handles isolation, auth enforcement, and hourly patching for you.
Originally published on ClawHosters Blog
Top comments (0)