CrowdStrike's CTO Elia Zaitsev just published what might be the most thorough security breakdown of OpenClaw to date. They're not treating it as a chatbot. They're treating it as an autonomous system with real access to real infrastructure.
The Numbers
156 total security advisories. 28 with CVE IDs assigned, 128 still awaiting assignment.
Severity breakdown: 4 Critical, 52 High, 88 Medium, 12 Low. That's 56 advisories rated High or Critical.
Four Attack Vectors
CrowdStrike identified:
- Direct prompt injection where attackers feed malicious instructions to the agent
- Indirect prompt injection through contaminated data sources
- Agentic tool chain attacks exploiting how OpenClaw connects to external systems
- AI tool poisoning targeting plugins and skills
As Zaitsev put it: "AI agents don't just generate answers, they can take action; operating with speed, autonomy, and privileged access to email, calendars, sensitive data, credentials, and third-party systems."
The Scale Problem
Censys found 21,639 publicly accessible OpenClaw instances. Most of them are probably running without dedicated security monitoring or regular patching.
CrowdStrike also demoed their Falcon AIDR blocking a live Discord exfiltration attack targeting an OpenClaw instance. These aren't theoretical risks.
What This Means
If you're running OpenClaw on a VPS you set up months ago, 56 High/Critical advisories should make you uncomfortable. Self-hosted AI without professional security management is becoming a liability.
Managed hosting like ClawHosters applies auto-patching, credential isolation, and monitoring as standard: the kinds of protections CrowdStrike recommends, applied automatically.