OpenClaw has become the hottest open-source AI project of early 2026. With 200,000+ GitHub stars, over 1.5 million agents created, and a creator who just got hired by OpenAI – this “personal AI assistant” has captured the imagination of developers worldwide. But behind the excitement lies a trail of critical vulnerabilities, supply chain attacks, and architectural security concerns that every developer and enterprise should understand before hitting install.
In this post, we break down what OpenClaw is, why the security community is raising red flags, and what you should do if you’re considering using it.
What Is OpenClaw?
OpenClaw (formerly Clawdbot and Moltbot) is a free, open-source autonomous AI agent created by Austrian developer Peter Steinberger. Unlike traditional chatbots that simply respond to prompts, OpenClaw is designed to act — it can execute shell commands, manage files, browse the web, send emails, control smart home devices, and interact with over 50 third-party services.
The agent runs locally on your machine and connects through messaging platforms you already use: WhatsApp, Telegram, Slack, Discord, Signal, iMessage, and Microsoft Teams. You bring your own API key for your preferred LLM (Claude, GPT-4, Gemini, or even local models), and OpenClaw becomes your always-on digital assistant.
The project went viral in January 2026, partly due to the launch of “Moltbook” — a social media platform where AI agents post amongst themselves. On February 14, 2026, Steinberger announced he was joining OpenAI, with the project transitioning to an independent, OpenAI-sponsored foundation.
The Security Reality Check
While OpenClaw’s capabilities are impressive, security researchers from Cisco, CrowdStrike, Microsoft, Kaspersky, Sophos, and others have published detailed warnings. Here’s what you need to know.
CVE-2026-25253: The One-Click RCE That Shook the Community
The most critical vulnerability discovered was CVE-2026-25253, rated CVSS 8.8 (High). Discovered by the DepthFirst research team, this flaw allowed an attacker to achieve full gateway compromise with a single click.
The attack worked like this: OpenClaw’s Control UI trusted the gatewayUrl from the query string without validation. If a user who had authenticated to the Control UI visited a malicious webpage or clicked a crafted link, their gateway token was silently exfiltrated. With that token, the attacker could connect to the victim’s local gateway, disable safety controls, and execute arbitrary commands — achieving one-click remote code execution.
Critically, this vulnerability was exploitable even on instances bound to loopback (localhost only), because the victim’s own browser initiated the outbound connection. It was patched in version 2026.1.29, but older versions remain widely deployed and vulnerable.
The CVE Parade Continues
The initial RCE was just the beginning. The security research community has since uncovered a steady stream of additional vulnerabilities:
- CVE-2026-25157: A command injection vulnerability patched in version 2026.1.25.
- CVE-2026-24763: A Docker sandbox bypass discovered after the initial RCE fix proved incomplete, patched in version 2026.1.30.
- CVE-2026-25593 and CVE-2026-25475: Two additional security issues fixed alongside the sandbox bypass.
- CVE-2026-26322: A Server-Side Request Forgery (SSRF) bug in OpenClaw’s Gateway tool, rated CVSS 7.6.
- CVE-2026-26319: Missing Telnyx webhook authentication (CVSS 7.5).
- CVE-2026-26329: Path traversal in browser upload (High severity).
- Multiple additional SSRF and authentication bypass vulnerabilities discovered by Endor Labs (six new vulns disclosed on February 18, 2026 alone).
Supply Chain Poisoning: Malicious Skills in ClawHub
OpenClaw’s functionality is extended through “skills” — community-contributed plugins available in the ClawHub repository. Since anyone could upload a skill, threat actors quickly exploited this. The AMOS macOS infostealer was found bundled into uploaded skills, and within a short time, hundreds of malicious skills appeared.
Cisco Talos specifically tested a third-party skill called “What Would Elon Do?” and found it performed active data exfiltration and prompt injection without user awareness. The skill explicitly instructed the bot to execute curl commands that sent data to attacker-controlled servers. Their Skill Scanner tool surfaced nine security findings in that single skill, including two critical and five high-severity issues.
An analysis of 31,000 agent skills found that 26% contained at least one vulnerability. The OpenClaw team has since integrated VirusTotal scanning for uploaded skills, but as they openly acknowledge, it’s no silver bullet.
Tens of Thousands of Exposed Instances
The scale of exposure is staggering. Between January 25 and 31, 2026, Censys tracked growth from approximately 1,000 to over 21,000 publicly exposed OpenClaw instances on the internet. Bitsight observed more than 30,000 instances across a broader analysis window. An independent study by security researcher Maor Dayan identified 42,665 exposed instances, of which 5,194 were actively verified as vulnerable — with 93.4% exhibiting authentication bypass conditions.
Many of these instances are connected to corporate services, holding credentials for systems like Salesforce, GitHub, Slack, and cloud platforms.
Prompt Injection: The Fundamental Design Challenge
Perhaps the most concerning issue isn’t a specific CVE but an architectural one. OpenClaw is designed to reason over and act on external content — documents, emails, tickets, webpages, and messaging platform inputs. This makes it inherently susceptible to indirect prompt injection, where malicious instructions embedded in otherwise legitimate data can silently influence the agent’s behavior.
As Sophos describes it, this creates a “lethal trifecta”: an AI agent with access to private data, the ability to communicate externally, and the ability to process untrusted content. Anyone who can message the agent is effectively granted the same permissions as the agent itself.
CrowdStrike warns that a successful prompt injection against an agentic AI system like OpenClaw isn’t just a data leak — it’s a potential foothold for automated lateral movement, where the compromised agent continues executing attacker objectives across infrastructure at machine speed.
What the Major Security Vendors Are Saying
The consensus across the security industry is remarkably consistent:
Cisco Talos described OpenClaw as “groundbreaking” from a capability perspective but “an absolute nightmare” from a security standpoint.
Microsoft Defender recommends treating OpenClaw as “untrusted code execution with persistent credentials” and states it is “not appropriate to run on a standard personal or enterprise workstation.” If organizations must evaluate it, Microsoft recommends fully isolated environments with dedicated, non-privileged credentials.
CrowdStrike has built specific detection capabilities into Falcon for OpenClaw deployments and maintains what they describe as the industry’s most comprehensive taxonomy of prompt injection techniques targeting such agents.
Kaspersky notes that while vulnerabilities can be patched, some of OpenClaw’s security issues are fundamental to its design — the combination of privileged access, autonomous execution, and external data ingestion creates inherent risk.
Sophos has classified OpenClaw as a PUA (Potentially Unwanted Application) and their MDR teams have conducted threat hunts for OpenClaw installations across customer environments.
LangChain’s CEO Harrison Chase revealed that LangChain prohibited its own employees from installing OpenClaw on company laptops due to the security risks.
So, Is OpenClaw Safe to Use?
The honest answer is: it depends on how you define “safe” and how you deploy it.
When OpenClaw Is High Risk
- Running on your primary work machine with access to corporate credentials
- Installed with default configurations (authentication disabled by default)
- Connected to sensitive services (email, cloud platforms, internal tools)
- Using unvetted third-party skills from ClawHub
- Running any version older than 2026.2.17
- Exposed to the public internet
When OpenClaw Can Be Used More Safely
- Deployed in a fully isolated environment (dedicated VM or container)
- Using dedicated, non-privileged credentials with minimal OAuth scopes
- Running the latest version with all patches applied
- Skills restricted to thoroughly vetted options only
- Network access limited and monitored
- Run through OpenClaw’s
openclaw doctorcommand to surface configuration issues - Deployed using hardened images like DigitalOcean’s 1-Click OpenClaw Deploy
For Enterprise Environments
If you’re in an enterprise, the recommendation from virtually every major security vendor is clear: do not deploy OpenClaw in production without significant security controls. Microsoft’s guidance specifically states it should only be evaluated in fully isolated environments with continuous monitoring and a rebuild plan as part of the operating model.
Practical Recommendations
If you decide to use OpenClaw, here’s a security-first checklist:
- Patch immediately. Ensure you’re running version 2026.2.17 or later. Versions prior to 2026.1.30 are confirmed vulnerable to multiple critical CVEs.
- Run in isolation. Use a dedicated VM, container, or sandboxed user account with limited access. Never run it on your primary workstation.
- Enforce least privilege. Restrict filesystem scope, disable broad terminal permissions, and remove unnecessary OAuth scopes. Only grant access to the specific services you truly need.
- Audit connected services. Review every OAuth grant, API key, and token permission. Treat these as always-on access brokers.
- Be paranoid about skills. Only install skills from trusted sources. Run OpenClaw’s security doctor and consider tools like Cisco’s Skill Scanner or the open-source SecureClaw tool.
- Monitor continuously. Use EDR tools to monitor OpenClaw’s behavior. CrowdStrike, Microsoft Defender, and Sophos all have specific detection capabilities for OpenClaw.
- Never expose to the internet. Keep OpenClaw bound to localhost and behind proper authentication. Use Tailscale or similar for remote access if needed.
- Educate your team. As one OpenClaw maintainer candidly stated: “If you can’t understand how to run a command line, this is far too dangerous of a project for you to use safely.”
The Bigger Picture: What OpenClaw Teaches Us About Agentic AI Security
OpenClaw isn’t just an isolated security incident — it’s a preview of the challenges the entire industry will face as autonomous AI agents become mainstream. The fundamental tension between agent capability (which requires broad access to be useful) and security (which requires minimal access to be safe) isn’t unique to OpenClaw. Every agentic AI system will grapple with this same “lethal trifecta.”
As the project transitions to the OpenClaw Foundation with OpenAI’s backing, there’s hope that dedicated security resources will improve the situation. But the architectural challenges — prompt injection, supply chain trust, and the inherent risks of autonomous execution — remain unsolved problems across the entire AI industry.
For developers and organizations exploring agentic AI, OpenClaw serves as both an inspiration for what’s possible and a cautionary tale about what can go wrong. The butler is brilliant — just make sure you lock the doors.
