TL;DR
- OpenClaw reached 180,000 GitHub stars in three weeks; within days, researchers found 21,000+ exposed instances leaking API keys and 341+ malicious skills delivering malware
- 36% of all ClawHub skills contain security flaws as of February 2026; the default stance on third-party skills should be disabled until verified
- The core attack surface spans four vectors: unauthenticated skill execution, persistent memory poisoning via SOUL.md/MEMORY.md, prompt injection through email and Slack, and secrets leakage through the agent's context window
- Hardening requires five controls in order: network isolation (dedicated container, non-root, read-only filesystem), authentication on every skill invocation, input validation on all skill parameters, secrets management outside the agent context, and skill integrity verification before installation
- Use SkillCheck by Repello to scan skills before enabling them; it runs in the browser with no install required
About OpenClaw#
OpenClaw (formerly Clawdbot, then Moltbot) just became GitHub's fastest-growing repo in history: 180,000 stars in three weeks. It is an AI agent that runs locally, reads email, executes shell commands, and maintains memory across sessions.
Here is the problem. Within days of going viral, researchers found over 21,000 publicly exposed instances leaking API keys, 341+ malicious skills delivering malware, and a critical RCE vulnerability enabling one-click account takeover. As of February 2026, 36% of all ClawHub skills contain security flaws.
If you are deploying OpenClaw in production or even just playing with it on a VPS, this guide is meant to keep you from becoming a statistic.
What Makes OpenClaw Powerful (and Dangerous)#
OpenClaw provides capabilities that SaaS AI assistants intentionally restrict:
- Full shell and file system access with no default sandboxing
- Persistent memory that retains context across sessions
- Direct integrations with Gmail, Slack, WhatsApp, Telegram, Discord, and calendars
- Extensibility through skills (third-party packages with system-level permissions)
- Web gateway on port 18789 for remote configuration
This is effectively giving an LLM "sudo" on your infrastructure. One compromised email, one poisoned skill, or one exploited gateway can lead to full system compromise.
The Attack Surface#
1. Skills are the primary attack vector#
The ClawHub marketplace is a supply chain disaster. Security audits from January to February 2026:
| Research Org | Skills Analyzed | Malicious or Flawed |
|---|---|---|
| Koi Security | 2,857 | 341 malicious (12%) |
| Snyk (ToxicSkills) | 3,984 | 1,467 flawed (36.8%) |
| Bitdefender Labs | ~400 deep-dive | 800+ malicious identified |
The ClawHavoc campaign: 335+ coordinated malicious skills delivering Atomic Stealer (AMOS).
Attack methodology:
- Professional disguises: Skills masquerade as crypto tools (solana-wallet-tracker, phantom-wallet-utilities), YouTube utilities (youtube-summarize-pro), or Polymarket trading bots.
- Social engineering via prerequisites: Installation instructions direct users to download password-protected ZIPs containing keyloggers, or execute base64-encoded scripts.
- Typosquatting: 29+ variants (clawhub, clawhub1, clawhubb, clawwhub, cllawhub).
- Shared C2 infrastructure: All ClawHavoc skills communicate with 91.92.242[.]30.
Why minimal vetting fails: ClawHub's only barrier is a one-week-old GitHub account. User "hightower6eu" published 314+ malicious packages. The marketplace grew from about 50 daily submissions in mid-January to 500+ by early February.
2. Exposed instances everywhere#
Internet-wide scanning reveals catastrophic exposure:
- 30,000+ exposed instances detected during Jan 27 to Feb 8, 2026 (Bitsight)
- 21,639 instances visible as of Jan 31, 2026 (Censys), concentrated in the US, China (30%+ on Alibaba Cloud), and Singapore
- 15,200+ vulnerable to RCE based on version fingerprinting
- No authentication on hundreds of instances. Manual verification found gateways exposing Anthropic API keys, Telegram bot tokens, and Slack credentials.
Root causes:
- Misconfigured reverse proxies (Nginx) bypassing localhost-only restrictions
- Default port 18789 left publicly accessible
- Plaintext credentials in
~/.clawdbot/.envand markdown or JSON memory files
Shadow IT risk: Token Security reported that 22% of employees at monitored companies were running OpenClaw on corporate machines by late January 2026.
3. CVE-2026-25253: one-click RCE#
The most critical vulnerability (CVSS 8.8) was disclosed Feb 3, 2026 and patched in version 2026.1.29:
- Attack vector: Control UI trusts the
gatewayUrlquery parameter without validation and auto-connects on page load. - Exploitation: Clicking a crafted link triggers cross-site WebSocket hijacking, exfiltrating the token.
- Impact: With the stolen token, attackers gain operator-level gateway API access to modify sandbox settings and invoke privileged actions.
- Scope: Exploitable even on localhost-only deployments. All versions prior to 2026.1.29 are vulnerable.
4. Prompt injection#
OpenClaw processes untrusted content from emails, chat messages, web pages, and third-party APIs. Adversaries can embed malicious instructions:
- Direct injection: Malicious user messages bypass safety guardrails.
- Indirect injection: Poisoned emails or Slack messages contain hidden instructions.
- Persistent memory poisoning: Skills write to
SOUL.mdorMEMORY.md, creating delayed-execution attacks.
As Palo Alto Networks noted, persistent memory acts as an accelerant: attacks become stateful campaigns that evolve across sessions.
Practical Hardening#
1. Deployment and network isolation#
Never run OpenClaw on your primary workstation. Use dedicated infrastructure.
Hardened Docker deployment#
version: '3.8'
services:
openclaw-gateway:
image: openclaw/openclaw:latest
container_name: openclaw-gateway
restart: unless-stopped
user: "1000:1000"
read_only: true
cap_drop:
- ALL
security_opt:
- no-new-privileges:true
tmpfs:
- /tmp:rw,noexec,nosuid,size=100m
- /var/tmp:rw,noexec,nosuid,size=50m
volumes:
- ./config:/home/node/.openclaw/config:rw
- ./workspace:/home/node/.openclaw/workspace:rw
- ./state:/home/node/.openclaw/state:rw
networks:
- openclaw-internal
ports:
- "127.0.0.1:18789:18789"
mem_limit: 2g
cpus: 2
pids_limit: 100
environment:
- NODE_ENV=production
- OPENCLAW_AUTH_TOKEN=${OPENCLAW_AUTH_TOKEN}
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
networks:
openclaw-internal:
driver: bridge
internal: trueKey hardening:
- Non-root execution (
user: "1000:1000") - Read-only filesystem (
read_only: true) - Dropped capabilities (
cap_drop: ALL) - tmpfs for temp storage (cleared on restart)
- Resource limits (reduce DoS impact)
- Internal network (no internet by default)
Gateway configuration#
# gateway.yaml
gateway:
bind: "127.0.0.1"
port: 18789
trustedProxies:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"
auth:
token: "${OPENCLAW_AUTH_TOKEN}"
controlUi:
dangerouslyDisableDeviceAuth: false
allowInsecureAuth: false
mdns:
enabled: false
agents:
defaults:
sandbox:
mode: "non-main"
scope: "session"
workspaceAccess: "none"
docker:
network: "none"
user: "65534:65534"
readOnly: true
capDrop:
- ALL
securityOpt:
- no-new-privileges:true
memory: "1g"
cpus: 1
pidsLimit: 50Firewall rules#
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit 22/tcp
sudo ufw allow 443/tcp
# Never allow port 18789 from the public internet
sudo ufw enableTailscale for secure remote access#
curl -fsSL <https://tailscale.com/install.sh> | sh
sudo tailscale up
sudo tailscale serve --bg 127.0.0.1:18789Access it at https://[your-machine].tail[xxxx].[ts.net](<http://ts.net>) with automatic HTTPS and zero public exposure.
2. Skills supply chain security#
Default stance: disable ClawHub entirely.SkillCheck by Repello — browser-based, no install required. Works across OpenClaw, Claude Code, Cursor, and Windsurf. Backed by daily-updated threat intel from Repello's research team. Upload the skill zip and get a scored verdict with payload breakdown.
VirusTotal scanning#
openclaw skills scan --skill-name youtube-summarize-pro
openclaw skills audit --dailyManual skill audit#
Before installing any skill, check for:
- External downloads (password-protected ZIPs,
curl | bash) - Base64-encoded commands
- Network requests to unfamiliar domains
- Hardcoded API keys, tokens, or webhook URLs
- File system writes outside the workspace
- Typosquatting in package names
Security scanners#
# Cisco's Skill Scanner
git clone <https://github.com/cisco/skill-scanner>
cd skill-scanner
python scan.py /path/to/skill
# Snyk's mcp-scan
npm install -g @snyk/mcp-scan
mcp-scan /path/to/skill
# Koi's Clawdex
pip install clawdex --break-system-packages
clawdex audit /path/to/skillBlocklist known infrastructure#
sudo ufw deny out to 91.92.242.30Skill installation policy#
# config.yaml
skills:
autoInstall: false
autoUpdate: false
allowedSources:
- "verified-only"
blocklist:
- "hightower6eu"
- "Sakaen736jih"System-level skills sandboxing#
Skills run with the same permissions as the main process. Isolate them:
# docker-compose.yml
services:
openclaw-skills-sandbox:
image: openclaw/openclaw:latest
container_name: openclaw-skills-sandbox
restart: unless-stopped
user: "65534:65534"
read_only: true
cap_drop:
- ALL
security_opt:
- no-new-privileges:true
- seccomp=/path/to/seccomp-skills.json
network_mode: "none"
volumes:
- ./skills-workspace:/workspace:rw
mem_limit: 512m
cpus: 0.5
pids_limit: 20
environment:
- SKILLS_MODE=sandbox
- NO_INTERNET=trueCustom seccomp profile (blocks network syscalls, privilege escalation, kernel module loading):
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
"syscalls": [
{
"names": [
"read",
"write",
"open",
"close",
"stat",
"fstat",
"lseek",
"mmap",
"mprotect",
"munmap",
"brk",
"access",
"getpid",
"getuid",
"getgid",
"geteuid",
"getegid",
"exit",
"exit_group"
],
"action": "SCMP_ACT_ALLOW"
}
]
}Skills filesystem isolation with Firejail#
sudo apt install firejail
firejail \\
--net=none \\
--private=/tmp/skill-workspace \\
--read-only=/usr \\
--read-only=/lib \\
--read-only=/lib64 \\
--noroot \\
--seccomp \\
--caps.drop=all \\
openclaw skill run youtube-summarize-proSkills network filtering#
If a skill needs network access, whitelist specific domains:
sudo useradd -r -s /bin/false openclaw-skills
# Block all outbound by default
sudo iptables -A OUTPUT -m owner --uid-owner openclaw-skills -j DROP
# Whitelist specific domains
sudo iptables -I OUTPUT -m owner --uid-owner openclaw-skills -d googleapis.com -j ACCEPT
sudo iptables-save > /etc/iptables/rules.v4Runtime skills monitoring#
# Monitor syscalls
sudo strace -f -e trace=network,file -p $(pgrep -f "skill:youtube") 2>&1 | \\
grep -E "(connect|open|write)" | \\
tee /var/log/openclaw/skills-syscalls.log
# Alert on suspicious patterns
tail -f /var/log/openclaw/skills-syscalls.log | \\
grep -E "(\\.env|credentials|password|token|api_key)" && \\
notify-send "SECURITY ALERT" "Skill accessing sensitive files"Skills code signing#
For high-security environments, require cryptographic signatures:
# Generate signing key
openssl genrsa -out skills-signing-key.pem 4096
openssl rsa -in skills-signing-key.pem -pubout -out skills-public-key.pem
# Sign a skill
tar -czf youtube-summarize-pro.tar.gz /path/to/skill/
openssl dgst -sha256 -sign skills-signing-key.pem \\
-out youtube-summarize-pro.sig youtube-summarize-pro.tar.gz
# Verify before installation
openssl dgst -sha256 -verify skills-public-key.pem \\
-signature youtube-summarize-pro.sig youtube-summarize-pro.tar.gz
if [ $? -eq 0 ]; then
openclaw skill install youtube-summarize-pro.tar.gz
else
echo "SIGNATURE VERIFICATION FAILED"
fiEnforce signatures:
# config.yaml
skills:
signatureVerification:
enabled: true
publicKey: "/path/to/skills-public-key.pem"
algorithm: "RSA-SHA256"
rejectUnsigned: true3. Access controls and least privilege#
Tool whitelisting#
# agents.yaml
agents:
defaults:
tools:
allowed:
- group:messaging
- tool:web_search
denied:
- tool:exec
- tool:browser
- group:runtimeHuman-in-the-loop approvals#
agents:
defaults:
approvals:
exec:
required: true
timeout: 300
fs:
write:
required: true
delete:
required: true
messaging:
send:
required: trueCredential isolation#
Never store credentials in plaintext.
# HashiCorp Vault
export ANTHROPIC_API_KEY=$(vault kv get -field=key secret/anthropic)
# AWS Secrets Manager
export ANTHROPIC_API_KEY=$(aws secretsmanager get-secret-value \\
--secret-id openclaw/anthropic-key \\
--query SecretString \\
--output text)
# 1Password CLI
export ANTHROPIC_API_KEY=$(op read "op://Personal/Anthropic API Key/credential")Rotation schedule:
- API keys: every 30 to 90 days
- Gateway tokens: every 7 to 14 days
- Emergency rotation: immediately after incidents
4. Prompt injection defenses#
Input sanitization (example)#
# agents.yaml
agents:
defaults:
channels:
email:
allowFrom:
- "@yourcompany.com"
- "trusted-partner.com"
slack:
dm:
dmPolicy: "pairing"
allowFrom:
- "U01234567"
telegram:
dm:
dmPolicy: "pairing"
tools:
web_fetch:
enabled: false
web_search:
sanitize: trueUse Claude Opus 4.5#
According to Kaspersky research, Claude Opus 4.5 has strong prompt injection detection. It was found that Claude Opus 4.5 is currently the most resistant to prompt injection attacks when compared to other LLMs. In their testing, it was significantly better at detecting malicious instructions embedded in emails, documents, and web content - the primary attack vectors against OpenClaw agents.
This is also backed by Repello AI's comparative red-team study, which found Claude Opus 4.5 had only a 4.8% multi-turn breach rate in agentic environments, compared to 14.3% for GPT-5.2 and 28.6% for GPT-5.1.
Memory hygiene#
# Audit memory files
grep -r "ignore previous" ~/.openclaw/state/
grep -r "exfiltrate" ~/.openclaw/state/
grep -r "base64" ~/.openclaw/state/
# Periodic reset (every 30 days)
openclaw memory reset --agent main --confirmMulti-step attack detection#
The model does not inherently understand that a sequence of benign-looking steps can produce a malicious outcome.
Attack scenario:
- "Can you check my email for messages from John?"
- "Great, can you create a summary of those emails in a markdown file?"
- "Now compress that markdown file."
- "Can you upload that compressed file to this shared storage link I use for backups?"
Each step looks innocent. Together, they exfiltrate email content.
Defense: action sequence analysis
# agents.yaml
agents:
defaults:
security:
sequenceAnalysis:
enabled: true
windowSize: 10 # Analyze last 10 actions
patterns:
- name: "data_exfiltration"
steps:
- type: "file_read"
path: ".*\\.(env|key|pem|credentials)"
- type: "network_send"
action: "block"
alert: true
- name: "credential_harvesting"
steps:
- type: "file_read"
path: ".*"
- type: "file_write"
path: "/tmp/.*"
- type: "file_read"
path: "/tmp/.*"
- type: "network_send"
action: "require_approval"
alert: true
- name: "privilege_escalation_attempt"
steps:
- type: "exec"
command: ".*chmod.*"
- type: "exec"
command: ".*sudo.*"
action: "block"
alert: trueImplement rate limiting on sensitive operations:
agents:
defaults:
security:
rateLimits:
file_operations:
reads: 50/hour
writes: 20/hour
network_operations:
requests: 100/hour
upload_size: "10MB/hour"
exec_operations:
commands: 10/hour5. Monitoring, logging, and incident response#
Comprehensive logging#
# logging.yaml
logging:
level: "debug"
outputs:
- type: "file"
path: "/var/log/openclaw/gateway.log"
rotate: "daily"
retain: 90
- type: "syslog"
host: "siem.yourcompany.com"
port: 514
protocol: "tcp"
tools:
logLevel: "info"
logPayloads: true
api:
logLevel: "info"
logHeaders: true
logBodies: falseSIEM integration#
# Splunk
sudo apt install splunkforwarder
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/openclaw/
# ELK Stack
filebeat setup
filebeat -e -c /etc/filebeat/filebeat.ymlAlert rules (examples)#
# Unusual API usage
index=openclaw sourcetype=gateway
| stats count by api_endpoint
| where count > 100
# Credential file access
index=openclaw sourcetype=gateway
| search file_path="*/.env" OR file_path="*/credentials/*"
| table _time, user, file_path, action
# External network connections
index=openclaw sourcetype=gateway
| search network_event="outbound_connection"
| where dest_ip NOT IN ("127.0.0.1", "10.0.0.0/8", "172.16.0.0/12")
| table _time, dest_ip, dest_port, processIncident response playbook#
If you detect compromise:
1. Immediate isolation
docker compose down openclaw-gateway
sudo ufw deny out from any to any2. Credential rotation
openclaw credentials rotate --all --force
openclaw gateway token revoke
openclaw gateway token generate3. Forensic analysis
tar -czf openclaw-incident-$(date +%Y%m%d).tar.gz \\
/var/log/openclaw/ \\
~/.openclaw/state/ \\
~/.openclaw/config/
grep "tool:exec" /var/log/openclaw/gateway.log > commands.log
grep "network_event" /var/log/openclaw/gateway.log > network.log4. Recovery
docker compose down
rm -rf ~/.openclaw/state/
tar -xzf openclaw-backup-clean.tar.gz -C ~/.openclaw/
docker compose up -d6. Enterprise considerations#
Shadow AI detection#
# Scan network for OpenClaw
nmap -p 18789 --open 10.0.0.0/8
# Shodan query
shodan search "Clawdbot Control" org:"YourCompany"
# Endpoint detection
#!/bin/bash
if lsof -i :18789 > /dev/null 2>&1; then
echo "ALERT: OpenClaw detected"
fiTiered autonomy models#
# agents.yaml
agents:
list:
- name: "marketing-agent"
llm:
model: "claude-sonnet-4-5-20250929"
tools:
allowed:
- group:messaging
approvals:
messaging:
send:
required: true
- name: "devops-agent"
llm:
model: "claude-opus-4-5-20251101"
tools:
allowed:
- tool:exec
- group:fs
approvals:
exec:
required: true
fs:
write:
required: true
- name: "executive-agent"
llm:
model: "claude-opus-4-5-20251101"
tools:
allowed:
- group:messaging
- group:calendar
approvals:
messaging:
send:
required: falseSecurity checklist#
Before deploying OpenClaw:
- Update to version 2026.1.29+ (patches CVE-2026-25253).
- Deploy on isolated infrastructure (dedicated VPS or container).
- Configure a localhost-only gateway (
127.0.0.1:18789). - Use Tailscale or a VPN for remote access.
- Disable or heavily audit ClawHub skills.
- Whitelist only essential tools.
- Use a secrets vault for credentials.
- Enable comprehensive logging with SIEM.
- Block known-malicious infrastructure (91.92.242[.]30).
- Enable action sequence analysis.
- Test the incident response playbook.
Final thoughts#
OpenClaw represents a shift from sandboxed cloud AI to autonomous local agents with system-level access. Within weeks of going viral, we saw coordinated malware campaigns, tens of thousands of exposed instances, and critical RCE vulnerabilities.
The risks are manageable through defense-in-depth: network isolation, supply chain controls, least-privilege policies, prompt injection defenses, action sequence analysis, and comprehensive monitoring. Organizations that treat OpenClaw as privileged infrastructure can harness its capabilities while maintaining security posture.
The question is not whether autonomous agents will transform work. It is whether we will secure them before they are everywhere.
Frequently Asked Questions#
What are the security risks of deploying OpenClaw in production?#
The primary risks include unauthenticated or over-permissioned skill execution, missing input validation on skill parameters, shared session state across users creating cross-tenant data leakage, and no integrity checks on skill definitions. Because OpenClaw operates with delegated permissions and supports chained tool calls, a single misconfigured skill can propagate its blast radius to every downstream action in the chain. Repello AI's research on malicious OpenClaw skills documented real-world attack paths that exploit exactly these properties.
How do you securely authenticate users and skills in an OpenClaw deployment?#
Secure OpenClaw authentication requires OAuth 2.1 or OIDC for all user-facing entry points, with short-lived scoped tokens validated on every request rather than only at session initiation. Skills should run under their own non-human identities using RFC 8693 token exchange rather than receiving and forwarding the user's original token. Policy enforcement must be centralized at the OpenClaw layer so that individual skills cannot act outside the permissions explicitly granted to them.
What is skill sandboxing in OpenClaw and why does it matter?#
Skill sandboxing isolates each OpenClaw skill's execution environment so that a compromised or malicious skill cannot access the memory, filesystem, or network resources of other skills or the host system. Without sandboxing, a skill that processes external user input (a web search, a file read, an email fetch) can be used as a vector to inject instructions that affect other skills running in the same process. Effective sandboxing includes per-skill network egress policies, read-only filesystem access where possible, and resource quotas to prevent denial-of-service through skill exhaustion.
How should secrets be managed in an OpenClaw deployment?#
Secrets must never be stored in environment variables, skill configuration files, or system prompts where the language model can read them. Use a secrets manager such as HashiCorp Vault or AWS Secrets Manager to provide skills with short-lived, lease-limited credentials scoped to the minimum permissions they need. The OpenClaw runtime retrieves secrets on behalf of skills through a middleware layer that the model cannot directly access. Any secret that has touched a context window should be treated as compromised.
What should an OpenClaw security checklist include before going to production?#
A production-ready OpenClaw deployment should verify: (1) OAuth 2.1 or OIDC with per-request token validation; (2) RFC 8693 token exchange so skills use their own scoped credentials, not the user token; (3) cryptographic signing of skill manifests with signature verification at load time; (4) schema validation on all skill inputs and hard size limits on outputs; (5) secrets in a vault, never in the model context; (6) per-session state isolation with deterministic cleanup on disconnect; (7) structured audit logging tying every skill execution to a session, user, and timestamp.
Can OpenClaw skills be exploited through prompt injection?#
Yes. Skills that process external content (web pages, documents, emails, any user-supplied input) are vulnerable to prompt injection if that content is passed to the model without sanitization. An attacker embeds instructions in the content that override the skill's intended behavior, causing it to exfiltrate data, call unintended downstream tools, or modify its own output. Repello AI's teardown of malicious OpenClaw skills demonstrated attack paths where injected instructions in skill payloads caused the agent to perform unauthorized actions across chained tool calls. Defense requires input sanitization at the skill boundary, output validation before results return to the model, and runtime monitoring to detect anomalous tool call patterns.
About Repello#
Repello AI focuses on securing AI systems that use agents, tools, and multi-step workflows. The platform is built to help teams test and analyze how agentic AI systems behave in real-world conditions, including how they interact with external tools, data sources, and permissions.
With a focus on agentic security, Repello enables structured evaluation of AI agents to identify failure modes, unsafe behaviors, and security weaknesses that can emerge as agents plan, act, and execute tasks autonomously. This helps teams better understand the behavior of their agentic systems and address issues before deployment.
