TL;DR

• OpenClaw reached 180,000 GitHub stars in three weeks; within days, researchers found 21,000+ exposed instances leaking API keys and 341+ malicious skills delivering malware

• 36% of all ClawHub skills contain security flaws as of February 2026; the default stance on third-party skills should be disabled until verified

• The core attack surface spans four vectors: unauthenticated skill execution, persistent memory poisoning via SOUL.md/MEMORY.md, prompt injection through email and Slack, and secrets leakage through the agent's context window

• Hardening requires five controls in order: network isolation (dedicated container, non-root, read-only filesystem), authentication on every skill invocation, input validation on all skill parameters, secrets management outside the agent context, and skill integrity verification before installation

• Use SkillCheck by Repello to scan skills before enabling them; it runs in the browser with no install required

About OpenClaw

OpenClaw (formerly Clawdbot, then Moltbot) just became GitHub's fastest-growing repo in history: 180,000 stars in three weeks. It is an AI agent that runs locally, reads email, executes shell commands, and maintains memory across sessions.

Here is the problem. Within days of going viral, researchers found over 21,000 publicly exposed instances leaking API keys, 341+ malicious skills delivering malware, and a critical RCE vulnerability enabling one-click account takeover. As of February 2026, 36% of all ClawHub skills contain security flaws.

If you are deploying OpenClaw in production or even just playing with it on a VPS, this guide is meant to keep you from becoming a statistic.

What Makes OpenClaw Powerful (and Dangerous)

OpenClaw provides capabilities that SaaS AI assistants intentionally restrict:

• Full shell and file system access with no default sandboxing

• Persistent memory that retains context across sessions

• Direct integrations with Gmail, Slack, WhatsApp, Telegram, Discord, and calendars

• Extensibility through skills (third-party packages with system-level permissions)

• Web gateway on port 18789 for remote configuration

This is effectively giving an LLM "sudo" on your infrastructure. One compromised email, one poisoned skill, or one exploited gateway can lead to full system compromise.

The Attack Surface

1. Skills are the primary attack vector

The ClawHub marketplace is a supply chain disaster. Security audits from January to February 2026:

The ClawHavoc campaign: 335+ coordinated malicious skills delivering Atomic Stealer (AMOS).

Attack methodology:

• Professional disguises: Skills masquerade as crypto tools (solana-wallet-tracker, phantom-wallet-utilities), YouTube utilities (youtube-summarize-pro), or Polymarket trading bots.

• Social engineering via prerequisites: Installation instructions direct users to download password-protected ZIPs containing keyloggers, or execute base64-encoded scripts.

• Typosquatting: 29+ variants (clawhub, clawhub1, clawhubb, clawwhub, cllawhub).

• Shared C2 infrastructure: All ClawHavoc skills communicate with 91.92.242[.]30.

Why minimal vetting fails: ClawHub's only barrier is a one-week-old GitHub account. User "hightower6eu" published 314+ malicious packages. The marketplace grew from about 50 daily submissions in mid-January to 500+ by early February.

2. Exposed instances everywhere

Internet-wide scanning reveals catastrophic exposure:

• 30,000+ exposed instances detected during Jan 27 to Feb 8, 2026 (Bitsight)

• 21,639 instances visible as of Jan 31, 2026 (Censys), concentrated in the US, China (30%+ on Alibaba Cloud), and Singapore

• 15,200+ vulnerable to RCE based on version fingerprinting

• No authentication on hundreds of instances. Manual verification found gateways exposing Anthropic API keys, Telegram bot tokens, and Slack credentials.

Root causes:

• Misconfigured reverse proxies (Nginx) bypassing localhost-only restrictions

• Default port 18789 left publicly accessible

• Plaintext credentials in ~/.clawdbot/.env and markdown or JSON memory files

Shadow IT risk: Token Security reported that 22% of employees at monitored companies were running OpenClaw on corporate machines by late January 2026.

3. CVE-2026-25253: one-click RCE

The most critical vulnerability (CVSS 8.8) was disclosed Feb 3, 2026 and patched in version 2026.1.29:

• Attack vector: Control UI trusts the gatewayUrl query parameter without validation and auto-connects on page load.

• Exploitation: Clicking a crafted link triggers cross-site WebSocket hijacking, exfiltrating the token.

• Impact: With the stolen token, attackers gain operator-level gateway API access to modify sandbox settings and invoke privileged actions.

• Scope: Exploitable even on localhost-only deployments. All versions prior to 2026.1.29 are vulnerable.

4. Prompt injection

OpenClaw processes untrusted content from emails, chat messages, web pages, and third-party APIs. Adversaries can embed malicious instructions:

• Direct injection: Malicious user messages bypass safety guardrails.

• Indirect injection: Poisoned emails or Slack messages contain hidden instructions.

• Persistent memory poisoning: Skills write to SOUL.md or MEMORY.md, creating delayed-execution attacks.

As Palo Alto Networks noted, persistent memory acts as an accelerant: attacks become stateful campaigns that evolve across sessions.

Practical Hardening

1. Deployment and network isolation

Never run OpenClaw on your primary workstation. Use dedicated infrastructure.

Hardened Docker deployment

version: '3.8'

services:
  openclaw-gateway:
    image: openclaw/openclaw:latest
    container_name: openclaw-gateway
    restart: unless-stopped

    user: "1000:1000"
    read_only: true
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true

    tmpfs:
      - /tmp:rw,noexec,nosuid,size=100m
      - /var/tmp:rw,noexec,nosuid,size=50m

    volumes:
      - ./config:/home/node/.openclaw/config:rw
      - ./workspace:/home/node/.openclaw/workspace:rw
      - ./state:/home/node/.openclaw/state:rw

    networks:
      - openclaw-internal

    ports:
      - "127.0.0.1:18789:18789"

    mem_limit: 2g
    cpus: 2
    pids_limit: 100

    environment:
      - NODE_ENV=production
      - OPENCLAW_AUTH_TOKEN=${OPENCLAW_AUTH_TOKEN}
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}

networks:
  openclaw-internal:
    driver: bridge
    internal: true

version: '3.8'

services:
  openclaw-gateway:
    image: openclaw/openclaw:latest
    container_name: openclaw-gateway
    restart: unless-stopped

    user: "1000:1000"
    read_only: true
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true

    tmpfs:
      - /tmp:rw,noexec,nosuid,size=100m
      - /var/tmp:rw,noexec,nosuid,size=50m

    volumes:
      - ./config:/home/node/.openclaw/config:rw
      - ./workspace:/home/node/.openclaw/workspace:rw
      - ./state:/home/node/.openclaw/state:rw

    networks:
      - openclaw-internal

    ports:
      - "127.0.0.1:18789:18789"

    mem_limit: 2g
    cpus: 2
    pids_limit: 100

    environment:
      - NODE_ENV=production
      - OPENCLAW_AUTH_TOKEN=${OPENCLAW_AUTH_TOKEN}
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}

networks:
  openclaw-internal:
    driver: bridge
    internal: true

Key hardening:

• Non-root execution (user: "1000:1000")

• Read-only filesystem (read_only: true)

• Dropped capabilities (cap_drop: ALL)

• tmpfs for temp storage (cleared on restart)

• Resource limits (reduce DoS impact)

• Internal network (no internet by default)

Gateway configuration

# gateway.yaml
gateway:
  bind: "127.0.0.1"
  port: 18789

  trustedProxies:
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "192.168.0.0/16"

  auth:
    token: "${OPENCLAW_AUTH_TOKEN}"

  controlUi:
    dangerouslyDisableDeviceAuth: false
    allowInsecureAuth: false

  mdns:
    enabled: false

agents:
  defaults:
    sandbox:
      mode: "non-main"
      scope: "session"
      workspaceAccess: "none"

      docker:
        network: "none"
        user: "65534:65534"
        readOnly: true
        capDrop:
          - ALL
        securityOpt:
          - no-new-privileges:true
        memory: "1g"
        cpus: 1
        pidsLimit: 50

# gateway.yaml
gateway:
  bind: "127.0.0.1"
  port: 18789

  trustedProxies:
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "192.168.0.0/16"

  auth:
    token: "${OPENCLAW_AUTH_TOKEN}"

  controlUi:
    dangerouslyDisableDeviceAuth: false
    allowInsecureAuth: false

  mdns:
    enabled: false

agents:
  defaults:
    sandbox:
      mode: "non-main"
      scope: "session"
      workspaceAccess: "none"

      docker:
        network: "none"
        user: "65534:65534"
        readOnly: true
        capDrop:
          - ALL
        securityOpt:
          - no-new-privileges:true
        memory: "1g"
        cpus: 1
        pidsLimit: 50

Firewall rules

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit 22/tcp
sudo ufw allow 443/tcp

# Never allow port 18789 from the public internet
sudo

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit 22/tcp
sudo ufw allow 443/tcp

# Never allow port 18789 from the public internet
sudo

Tailscale for secure remote access

curl -fsSL <https://tailscale.com/install.sh> | sh
sudo tailscale up
sudo tailscale serve --bg 127

curl -fsSL <https://tailscale.com/install.sh> | sh
sudo tailscale up
sudo tailscale serve --bg 127

Access it at https://[your-machine].tail[xxxx].[ts.net](<http://ts.net>) with automatic HTTPS and zero public exposure.

2. Skills supply chain security

Default stance: disable ClawHub entirely.

SkillCheck by Repello — browser-based, no install required. Works across OpenClaw, Claude Code, Cursor, and Windsurf. Backed by daily-updated threat intel from Repello's research team. Upload the skill zip and get a scored verdict with payload breakdown.

VirusTotal scanning

openclaw skills scan --skill-name youtube-summarize-pro
openclaw skills audit --daily

openclaw skills scan --skill-name youtube-summarize-pro
openclaw skills audit --daily

Manual skill audit

Before installing any skill, check for:

• External downloads (password-protected ZIPs, curl | bash)

• Base64-encoded commands

• Network requests to unfamiliar domains

• Hardcoded API keys, tokens, or webhook URLs

• File system writes outside the workspace

• Typosquatting in package names

Security scanners

# Cisco's Skill Scanner
git clone <https://github.com/cisco/skill-scanner>
cd skill-scanner
python scan.py /path/to/skill

# Snyk's mcp-scan
npm install -g @snyk/mcp-scan
mcp-scan /path/to/skill

# Koi's Clawdex
pip install clawdex --break-system-packages

# Cisco's Skill Scanner
git clone <https://github.com/cisco/skill-scanner>
cd skill-scanner
python scan.py /path/to/skill

# Snyk's mcp-scan
npm install -g @snyk/mcp-scan
mcp-scan /path/to/skill

# Koi's Clawdex
pip install clawdex --break-system-packages

Blocklist known infrastructure

sudo ufw deny out to 91

sudo ufw deny out to 91

Skill installation policy

# config.yaml
skills:
  autoInstall: false
  autoUpdate: false
  allowedSources:
    - "verified-only"
  blocklist:
    - "hightower6eu"
    - "Sakaen736jih"

# config.yaml
skills:
  autoInstall: false
  autoUpdate: false
  allowedSources:
    - "verified-only"
  blocklist:
    - "hightower6eu"
    - "Sakaen736jih"

System-level skills sandboxing

Skills run with the same permissions as the main process. Isolate them:

# docker-compose.yml
services:
  openclaw-skills-sandbox:
    image: openclaw/openclaw:latest
    container_name: openclaw-skills-sandbox
    restart: unless-stopped

    user: "65534:65534"
    read_only: true
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
      - seccomp=/path/to/seccomp-skills.json

    network_mode: "none"

    volumes:
      - ./skills-workspace:/workspace:rw

    mem_limit: 512m
    cpus: 0.5
    pids_limit: 20

    environment

# docker-compose.yml
services:
  openclaw-skills-sandbox:
    image: openclaw/openclaw:latest
    container_name: openclaw-skills-sandbox
    restart: unless-stopped

    user: "65534:65534"
    read_only: true
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
      - seccomp=/path/to/seccomp-skills.json

    network_mode: "none"

    volumes:
      - ./skills-workspace:/workspace:rw

    mem_limit: 512m
    cpus: 0.5
    pids_limit: 20

    environment

Custom seccomp profile (blocks network syscalls, privilege escalation, kernel module loading):

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": [
        "read",
        "write",
        "open",
        "close",
        "stat",
        "fstat",
        "lseek",
        "mmap",
        "mprotect",
        "munmap",
        "brk",
        "access",
        "getpid",
        "getuid",
        "getgid",
        "geteuid",
        "getegid",
        "exit",
        "exit_group"
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": [
        "read",
        "write",
        "open",
        "close",
        "stat",
        "fstat",
        "lseek",
        "mmap",
        "mprotect",
        "munmap",
        "brk",
        "access",
        "getpid",
        "getuid",
        "getgid",
        "geteuid",
        "getegid",
        "exit",
        "exit_group"
      ],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}

Skills filesystem isolation with Firejail

sudo apt install firejail

firejail \\
  --net=none \\
  --private=/tmp/skill-workspace \\
  --read-only=/usr \\
  --read-only=/lib \\
  --read-only=/lib64 \\
  --noroot \\
  --seccomp \\
  --caps.drop

sudo apt install firejail

firejail \\
  --net=none \\
  --private=/tmp/skill-workspace \\
  --read-only=/usr \\
  --read-only=/lib \\
  --read-only=/lib64 \\
  --noroot \\
  --seccomp \\
  --caps.drop

Skills network filtering

If a skill needs network access, whitelist specific domains:

sudo useradd -r -s /bin/false openclaw-skills

# Block all outbound by default
sudo iptables -A OUTPUT -m owner --uid-owner openclaw-skills -j DROP

# Whitelist specific domains
sudo iptables -I OUTPUT -m owner --uid-owner openclaw-skills -d googleapis.com -j ACCEPT

sudo

sudo useradd -r -s /bin/false openclaw-skills

# Block all outbound by default
sudo iptables -A OUTPUT -m owner --uid-owner openclaw-skills -j DROP

# Whitelist specific domains
sudo iptables -I OUTPUT -m owner --uid-owner openclaw-skills -d googleapis.com -j ACCEPT

sudo

Runtime skills monitoring

# Monitor syscalls
sudo strace -f -e trace=network,file -p $(pgrep -f "skill:youtube") 2>&1 | \\
  grep -E "(connect|open|write)" | \\
  tee /var/log/openclaw/skills-syscalls.log

# Alert on suspicious patterns
tail -f /var/log/openclaw/skills-syscalls.log | \\
  grep -E "(\\.env|credentials|password|token|api_key)" && \\
  notify-send "SECURITY ALERT" "Skill accessing sensitive files"

# Monitor syscalls
sudo strace -f -e trace=network,file -p $(pgrep -f "skill:youtube") 2>&1 | \\
  grep -E "(connect|open|write)" | \\
  tee /var/log/openclaw/skills-syscalls.log

# Alert on suspicious patterns
tail -f /var/log/openclaw/skills-syscalls.log | \\
  grep -E "(\\.env|credentials|password|token|api_key)" && \\
  notify-send "SECURITY ALERT" "Skill accessing sensitive files"

Skills code signing

For high-security environments, require cryptographic signatures:

# Generate signing key
openssl genrsa -out skills-signing-key.pem 4096
openssl rsa -in skills-signing-key.pem -pubout -out skills-public-key.pem

# Sign a skill
tar -czf youtube-summarize-pro.tar.gz /path/to/skill/
openssl dgst -sha256 -sign skills-signing-key.pem \\
  -out youtube-summarize-pro.sig youtube-summarize-pro.tar.gz

# Verify before installation
openssl dgst -sha256 -verify skills-public-key.pem \\
  -signature youtube-summarize-pro.sig youtube-summarize-pro.tar.gz

if [ $? -eq 0 ]; then
  openclaw skill install youtube-summarize-pro.tar.gz
else
  echo "SIGNATURE VERIFICATION FAILED"
fi

# Generate signing key
openssl genrsa -out skills-signing-key.pem 4096
openssl rsa -in skills-signing-key.pem -pubout -out skills-public-key.pem

# Sign a skill
tar -czf youtube-summarize-pro.tar.gz /path/to/skill/
openssl dgst -sha256 -sign skills-signing-key.pem \\
  -out youtube-summarize-pro.sig youtube-summarize-pro.tar.gz

# Verify before installation
openssl dgst -sha256 -verify skills-public-key.pem \\
  -signature youtube-summarize-pro.sig youtube-summarize-pro.tar.gz

if [ $? -eq 0 ]; then
  openclaw skill install youtube-summarize-pro.tar.gz
else
  echo "SIGNATURE VERIFICATION FAILED"
fi

Enforce signatures:

# config.yaml
skills:
  signatureVerification:
    enabled: true
    publicKey: "/path/to/skills-public-key.pem"
    algorithm: "RSA-SHA256"
    rejectUnsigned: true

# config.yaml
skills:
  signatureVerification:
    enabled: true
    publicKey: "/path/to/skills-public-key.pem"
    algorithm: "RSA-SHA256"
    rejectUnsigned: true

3. Access controls and least privilege

Tool whitelisting

# agents.yaml
agents:
  defaults:
    tools:
      allowed:
        - group:messaging
        - tool:web_search

      denied

# agents.yaml
agents:
  defaults:
    tools:
      allowed:
        - group:messaging
        - tool:web_search

      denied

Human-in-the-loop approvals

agents:
  defaults:
    approvals:
      exec:
        required: true
        timeout: 300

      fs:
        write:
          required: true
        delete:
          required: true

      messaging:
        send:
          required: true

agents:
  defaults:
    approvals:
      exec:
        required: true
        timeout: 300

      fs:
        write:
          required: true
        delete:
          required: true

      messaging:
        send:
          required: true

Credential isolation

Never store credentials in plaintext.

# HashiCorp Vault
export ANTHROPIC_API_KEY=$(vault kv get -field=key secret/anthropic)

# AWS Secrets Manager
export ANTHROPIC_API_KEY=$(aws secretsmanager get-secret-value \\
  --secret-id openclaw/anthropic-key \\
  --query SecretString \\
  --output text)

# 1Password CLI
export ANTHROPIC_API_KEY=$(op read "op://Personal/Anthropic API Key/credential")

# HashiCorp Vault
export ANTHROPIC_API_KEY=$(vault kv get -field=key secret/anthropic)

# AWS Secrets Manager
export ANTHROPIC_API_KEY=$(aws secretsmanager get-secret-value \\
  --secret-id openclaw/anthropic-key \\
  --query SecretString \\
  --output text)

# 1Password CLI
export ANTHROPIC_API_KEY=$(op read "op://Personal/Anthropic API Key/credential")

Rotation schedule:

• API keys: every 30 to 90 days

• Gateway tokens: every 7 to 14 days

• Emergency rotation: immediately after incidents

4. Prompt injection defenses

Input sanitization (example)

# agents.yaml
agents:
  defaults:
    channels:
      email:
        allowFrom:
          - "@yourcompany.com"
          - "trusted-partner.com"

      slack:
        dm:
          dmPolicy: "pairing"
          allowFrom:
            - "U01234567"

      telegram:
        dm:
          dmPolicy: "pairing"

    tools:
      web_fetch:
        enabled: false

      web_search:
        sanitize: true

# agents.yaml
agents:
  defaults:
    channels:
      email:
        allowFrom:
          - "@yourcompany.com"
          - "trusted-partner.com"

      slack:
        dm:
          dmPolicy: "pairing"
          allowFrom:
            - "U01234567"

      telegram:
        dm:
          dmPolicy: "pairing"

    tools:
      web_fetch:
        enabled: false

      web_search:
        sanitize: true

Use Claude Opus 4.5

According to Kaspersky research, Claude Opus 4.5 has strong prompt injection detection. It was found that Claude Opus 4.5 is currently the most resistant to prompt injection attacks when compared to other LLMs. In their testing, it was significantly better at detecting malicious instructions embedded in emails, documents, and web content - the primary attack vectors against OpenClaw agents.

This is also backed by Repello AI's comparative red-team study, which found Claude Opus 4.5 had only a 4.8% multi-turn breach rate in agentic environments, compared to 14.3% for GPT-5.2 and 28.6% for GPT-5.1.

Memory hygiene

# Audit memory files
grep -r "ignore previous" ~/.openclaw/state/
grep -r "exfiltrate" ~/.openclaw/state/
grep -r "base64" ~/.openclaw/state/

# Periodic reset (every 30 days)
openclaw memory reset --agent main --confirm

# Audit memory files
grep -r "ignore previous" ~/.openclaw/state/
grep -r "exfiltrate" ~/.openclaw/state/
grep -r "base64" ~/.openclaw/state/

# Periodic reset (every 30 days)
openclaw memory reset --agent main --confirm

Multi-step attack detection

The model does not inherently understand that a sequence of benign-looking steps can produce a malicious outcome.

Attack scenario:

1. "Can you check my email for messages from John?"

2. "Great, can you create a summary of those emails in a markdown file?"

3. "Now compress that markdown file."

4. "Can you upload that compressed file to this shared storage link I use for backups?"

Each step looks innocent. Together, they exfiltrate email content.

Defense: action sequence analysis

# agents.yaml
agents:
  defaults:
    security:
      sequenceAnalysis:
        enabled: true
        windowSize: 10  # Analyze last 10 actions

        patterns:
          - name: "data_exfiltration"
            steps:
              - type: "file_read"
                path: ".*\\.(env|key|pem|credentials)"
              - type: "network_send"
            action: "block"
            alert: true

          - name: "credential_harvesting"
            steps:
              - type: "file_read"
                path: ".*"
              - type: "file_write"
                path: "/tmp/.*"
              - type: "file_read"
                path: "/tmp/.*"
              - type: "network_send"
            action: "require_approval"
            alert: true

          - name: "privilege_escalation_attempt"
            steps:
              - type: "exec"
                command: ".*chmod.*"
              - type: "exec"
                command: ".*sudo.*"
            action: "block"
            alert: true

# agents.yaml
agents:
  defaults:
    security:
      sequenceAnalysis:
        enabled: true
        windowSize: 10  # Analyze last 10 actions

        patterns:
          - name: "data_exfiltration"
            steps:
              - type: "file_read"
                path: ".*\\.(env|key|pem|credentials)"
              - type: "network_send"
            action: "block"
            alert: true

          - name: "credential_harvesting"
            steps:
              - type: "file_read"
                path: ".*"
              - type: "file_write"
                path: "/tmp/.*"
              - type: "file_read"
                path: "/tmp/.*"
              - type: "network_send"
            action: "require_approval"
            alert: true

          - name: "privilege_escalation_attempt"
            steps:
              - type: "exec"
                command: ".*chmod.*"
              - type: "exec"
                command: ".*sudo.*"
            action: "block"
            alert: true

Implement rate limiting on sensitive operations:

agents:
  defaults:
    security:
      rateLimits:
        file_operations:
          reads: 50/hour
          writes: 20/hour

        network_operations:
          requests: 100/hour
          upload_size: "10MB/hour"

        exec_operations:
          commands

agents:
  defaults:
    security:
      rateLimits:
        file_operations:
          reads: 50/hour
          writes: 20/hour

        network_operations:
          requests: 100/hour
          upload_size: "10MB/hour"

        exec_operations:
          commands

5. Monitoring, logging, and incident response

Comprehensive logging

# logging.yaml
logging:
  level: "debug"

  outputs:
    - type: "file"
      path: "/var/log/openclaw/gateway.log"
      rotate: "daily"
      retain: 90

    - type: "syslog"
      host: "siem.yourcompany.com"
      port: 514
      protocol: "tcp"

  tools:
    logLevel: "info"
    logPayloads: true

  api:
    logLevel: "info"
    logHeaders: true
    logBodies: false

# logging.yaml
logging:
  level: "debug"

  outputs:
    - type: "file"
      path: "/var/log/openclaw/gateway.log"
      rotate: "daily"
      retain: 90

    - type: "syslog"
      host: "siem.yourcompany.com"
      port: 514
      protocol: "tcp"

  tools:
    logLevel: "info"
    logPayloads: true

  api:
    logLevel: "info"
    logHeaders: true
    logBodies: false

SIEM integration

# Splunk
sudo apt install splunkforwarder
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/openclaw/

# ELK Stack
filebeat setup
filebeat -e -c

# Splunk
sudo apt install splunkforwarder
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log/openclaw/

# ELK Stack
filebeat setup
filebeat -e -c

Alert rules (examples)

# Unusual API usage
index=openclaw sourcetype=gateway
| stats count by api_endpoint
| where count > 100

# Credential file access
index=openclaw sourcetype=gateway
| search file_path="*/.env" OR file_path="*/credentials/*"
| table _time, user, file_path, action

# External network connections
index=openclaw sourcetype=gateway
| search network_event="outbound_connection"
| where dest_ip NOT IN ("127.0.0.1", "10.0.0.0/8", "172.16.0.0/12"

# Unusual API usage
index=openclaw sourcetype=gateway
| stats count by api_endpoint
| where count > 100

# Credential file access
index=openclaw sourcetype=gateway
| search file_path="*/.env" OR file_path="*/credentials/*"
| table _time, user, file_path, action

# External network connections
index=openclaw sourcetype=gateway
| search network_event="outbound_connection"
| where dest_ip NOT IN ("127.0.0.1", "10.0.0.0/8", "172.16.0.0/12"

Incident response playbook

If you detect compromise:

1. Immediate isolation

docker compose down openclaw-gateway
sudo

docker compose down openclaw-gateway
sudo

2. Credential rotation

openclaw credentials rotate --all --force

openclaw credentials rotate --all --force

3. Forensic analysis

tar -czf openclaw-incident-$(date +%Y%m%d).tar.gz \\
  /var/log/openclaw/ \\
  ~/.openclaw/state/ \\
  ~/.openclaw/config/

grep "tool:exec" /var/log/openclaw/gateway.log > commands.log
grep "network_event"

tar -czf openclaw-incident-$(date +%Y%m%d).tar.gz \\
  /var/log/openclaw/ \\
  ~/.openclaw/state/ \\
  ~/.openclaw/config/

grep "tool:exec" /var/log/openclaw/gateway.log > commands.log
grep "network_event"

4. Recovery

docker compose down
rm -rf ~/.openclaw/state/
tar -xzf openclaw-backup-clean.tar.gz -C ~/.openclaw/
docker compose up -d

docker compose down
rm -rf ~/.openclaw/state/
tar -xzf openclaw-backup-clean.tar.gz -C ~/.openclaw/
docker compose up -d

6. Enterprise considerations

Shadow AI detection

# Scan network for OpenClaw
nmap -p 18789 --open 10.0.0.0/8

# Shodan query
shodan search "Clawdbot Control" org:"YourCompany"

# Endpoint detection
#!/bin/bash
if lsof -i :18789 > /dev/null 2>&1; then
  echo "ALERT: OpenClaw detected"
fi

# Scan network for OpenClaw
nmap -p 18789 --open 10.0.0.0/8

# Shodan query
shodan search "Clawdbot Control" org:"YourCompany"

# Endpoint detection
#!/bin/bash
if lsof -i :18789 > /dev/null 2>&1; then
  echo "ALERT: OpenClaw detected"
fi

Tiered autonomy models

# agents.yaml
agents:
  list:
    - name: "marketing-agent"
      llm:
        model: "claude-sonnet-4-5-20250929"
      tools:
        allowed:
          - group:messaging
      approvals:
        messaging:
          send:
            required: true

    - name: "devops-agent"
      llm:
        model: "claude-opus-4-5-20251101"
      tools:
        allowed:
          - tool:exec
          - group:fs
      approvals:
        exec:
          required: true
        fs:
          write:
            required: true

    - name: "executive-agent"
      llm:
        model: "claude-opus-4-5-20251101"
      tools:
        allowed:
          - group:messaging
          - group:calendar
      approvals:
        messaging:
          send:
            required: false

# agents.yaml
agents:
  list:
    - name: "marketing-agent"
      llm:
        model: "claude-sonnet-4-5-20250929"
      tools:
        allowed:
          - group:messaging
      approvals:
        messaging:
          send:
            required: true

    - name: "devops-agent"
      llm:
        model: "claude-opus-4-5-20251101"
      tools:
        allowed:
          - tool:exec
          - group:fs
      approvals:
        exec:
          required: true
        fs:
          write:
            required: true

    - name: "executive-agent"
      llm:
        model: "claude-opus-4-5-20251101"
      tools:
        allowed:
          - group:messaging
          - group:calendar
      approvals:
        messaging:
          send:
            required: false

Security checklist

Before deploying OpenClaw:

1. Update to version 2026.1.29+ (patches CVE-2026-25253).

2. Deploy on isolated infrastructure (dedicated VPS or container).

3. Configure a localhost-only gateway (127.0.0.1:18789).

4. Use Tailscale or a VPN for remote access.

5. Disable or heavily audit ClawHub skills.

6. Whitelist only essential tools.

7. Use a secrets vault for credentials.

8. Enable comprehensive logging with SIEM.

9. Block known-malicious infrastructure (91.92.242[.]30).

10. Enable action sequence analysis.

11. Test the incident response playbook.

Final thoughts

OpenClaw represents a shift from sandboxed cloud AI to autonomous local agents with system-level access. Within weeks of going viral, we saw coordinated malware campaigns, tens of thousands of exposed instances, and critical RCE vulnerabilities.

The risks are manageable through defense-in-depth: network isolation, supply chain controls, least-privilege policies, prompt injection defenses, action sequence analysis, and comprehensive monitoring. Organizations that treat OpenClaw as privileged infrastructure can harness its capabilities while maintaining security posture.

The question is not whether autonomous agents will transform work. It is whether we will secure them before they are everywhere.

Frequently Asked Questions

What are the security risks of deploying OpenClaw in production?

The primary risks include unauthenticated or over-permissioned skill execution, missing input validation on skill parameters, shared session state across users creating cross-tenant data leakage, and no integrity checks on skill definitions. Because OpenClaw operates with delegated permissions and supports chained tool calls, a single misconfigured skill can propagate its blast radius to every downstream action in the chain. Repello AI's research on malicious OpenClaw skills documented real-world attack paths that exploit exactly these properties.

How do you securely authenticate users and skills in an OpenClaw deployment?

Secure OpenClaw authentication requires OAuth 2.1 or OIDC for all user-facing entry points, with short-lived scoped tokens validated on every request rather than only at session initiation. Skills should run under their own non-human identities using RFC 8693 token exchange rather than receiving and forwarding the user's original token. Policy enforcement must be centralized at the OpenClaw layer so that individual skills cannot act outside the permissions explicitly granted to them.

What is skill sandboxing in OpenClaw and why does it matter?

Skill sandboxing isolates each OpenClaw skill's execution environment so that a compromised or malicious skill cannot access the memory, filesystem, or network resources of other skills or the host system. Without sandboxing, a skill that processes external user input (a web search, a file read, an email fetch) can be used as a vector to inject instructions that affect other skills running in the same process. Effective sandboxing includes per-skill network egress policies, read-only filesystem access where possible, and resource quotas to prevent denial-of-service through skill exhaustion.

How should secrets be managed in an OpenClaw deployment?

Secrets must never be stored in environment variables, skill configuration files, or system prompts where the language model can read them. Use a secrets manager such as HashiCorp Vault or AWS Secrets Manager to provide skills with short-lived, lease-limited credentials scoped to the minimum permissions they need. The OpenClaw runtime retrieves secrets on behalf of skills through a middleware layer that the model cannot directly access. Any secret that has touched a context window should be treated as compromised.

What should an OpenClaw security checklist include before going to production?

A production-ready OpenClaw deployment should verify: (1) OAuth 2.1 or OIDC with per-request token validation; (2) RFC 8693 token exchange so skills use their own scoped credentials, not the user token; (3) cryptographic signing of skill manifests with signature verification at load time; (4) schema validation on all skill inputs and hard size limits on outputs; (5) secrets in a vault, never in the model context; (6) per-session state isolation with deterministic cleanup on disconnect; (7) structured audit logging tying every skill execution to a session, user, and timestamp.

Can OpenClaw skills be exploited through prompt injection?

Yes. Skills that process external content (web pages, documents, emails, any user-supplied input) are vulnerable to prompt injection if that content is passed to the model without sanitization. An attacker embeds instructions in the content that override the skill's intended behavior, causing it to exfiltrate data, call unintended downstream tools, or modify its own output. Repello AI's teardown of malicious OpenClaw skills demonstrated attack paths where injected instructions in skill payloads caused the agent to perform unauthorized actions across chained tool calls. Defense requires input sanitization at the skill boundary, output validation before results return to the model, and runtime monitoring to detect anomalous tool call patterns.

About Repello

Repello AI focuses on securing AI systems that use agents, tools, and multi-step workflows. The platform is built to help teams test and analyze how agentic AI systems behave in real-world conditions, including how they interact with external tools, data sources, and permissions.

With a focus on agentic security, Repello enables structured evaluation of AI agents to identify failure modes, unsafe behaviors, and security weaknesses that can emerge as agents plan, act, and execute tasks autonomously. This helps teams better understand the behavior of their agentic systems and address issues before deployment.