Let me save you a scroll: OpenClaw is not inherently unsafe, but its default configuration is shockingly insecure, and the speed of its adoption has outpaced the security practices needed to run it responsibly.
I’ve been using OpenClaw since early February. I like it. I also run it behind a VPN, with sandboxing enforced, on a machine with no access to my production credentials. Because I’ve read the CVEs. And the incident reports. And the Cisco blog post where they watched a third-party skill silently exfiltrate data with a curl command.
If you’re searching “is OpenClaw safe,” you’re already ahead of most users. Here’s what you need to know — the real risks, the real incidents, and the specific steps that turn OpenClaw from a security liability into a useful tool.
First: What OpenClaw Actually Is
Quick context if you’re still getting oriented. OpenClaw is an open-source AI agent framework created by Austrian developer Peter Steinberger. It runs locally on your machine, connects to LLMs via your own API keys, and can execute real tasks — reading files, running shell commands, browsing websites, sending messages across WhatsApp, Telegram, Discord, and more.
It went from zero to 250,000 GitHub stars in four months, surpassing React as the most-starred software project on GitHub. Nvidia CEO Jensen Huang called it “definitely the next ChatGPT” at GTC 2026 this week.
That explosive growth is exactly why the security picture matters. Millions of people are running software that can execute arbitrary commands on their machines — and many of them installed it with a single-line command with zero security review.
Here are the five risks you need to understand.
Risk 1: Your Instance Is Probably Exposed to the Internet
The problem: OpenClaw binds to 0.0.0.0:18789 by default. That means it listens on all network interfaces, including the public internet. For a tool with system-level permissions, that default should be 127.0.0.1 (localhost only). It isn’t.
The evidence: SecurityScorecard’s STRIKE team found over 135,000 OpenClaw instances exposed to the public internet across 82 countries. More than 15,000 were directly vulnerable to remote code execution. A separate study by researcher Maor Dayan identified 42,665 exposed instances, with 93.4% exhibiting authentication bypass conditions.
That number has since grown to over 220,000. And Bitdefender’s telemetry confirms employees are deploying OpenClaw on corporate devices with no SOC visibility.
How to fix it:
Bind the gateway to localhost. In your OpenClaw config:
gateway:
host: 127.0.0.1
port: 18789
If you need remote access, put it behind a VPN like Tailscale or WireGuard. Never expose the gateway port directly to the internet. Run openclaw security audit to check your exposure.
Risk 2: One-Click Remote Code Execution (CVE-2026-25253)
The problem: OpenClaw’s Control UI accepted a gatewayUrl parameter from the query string and automatically established a WebSocket connection — transmitting your authentication token to whatever URL was specified. No validation. No confirmation prompt.
An attacker could craft a link. You click it. Your auth token gets sent to their server. They connect to your local OpenClaw gateway, disable sandboxing, and execute arbitrary commands on your machine.
One click. Full compromise.
The evidence: CVE-2026-25253 was rated CVSS 8.8 and disclosed in late January 2026. By the time it went public on February 3, over 40,000 instances had been found exposed, with 63% assessed as vulnerable. The Belgium CERT issued a national advisory urging immediate patching.
This was followed by CVE-2026-26322 (CVSS 7.6, Server-Side Request Forgery) and CVE-2026-32048 (sandbox escape via cross-agent sessions). Three high-severity CVEs in rapid succession, all with public exploit code.
How to fix it:
Update immediately. The initial fix landed in version 2026.1.29 (January 30, 2026), adding a confirmation prompt when the gateway URL changes. Later releases added strict origin validation. Run:
openclaw update
openclaw version # Confirm you're on 2026.3.1+
Keep auto-updates enabled. OpenClaw’s patch cadence has been fast — but only helps if you’re actually running the patches.
Risk 3: The Skills Marketplace Is a Supply Chain Minefield
The problem: ClawHub, OpenClaw’s community skills marketplace, has minimal vetting for submissions. Anyone can upload a skill. And since skills can execute shell commands, access files, and make network requests, a malicious skill has the same power as malware.
The evidence: Security firm Koi Security audited all 2,857 skills on ClawHub and found 341 malicious ones. Of those, 335 used fake prerequisites to install Atomic Stealer (AMOS), a macOS infostealer that harvests API keys, browser passwords, and crypto wallets.
It got worse. As ClawHub grew from 2,857 to over 10,700 skills, the malicious count grew to 824 — roughly 8% of the entire registry.
Cisco’s AI security team independently tested a third-party skill called “What Would Elon Do?” and found it performed silent data exfiltration. The skill instructed the agent to execute a curl command sending data to an external server — and the network call happened without any user notification. It also conducted prompt injection to bypass the agent’s safety guidelines.
How to fix it:
- Only install skills from developers you trust. Check the author’s GitHub profile, star count, and issue history.
- Before installing any skill, read the source code. Skills are typically small — a few hundred lines. If you can’t read the code, don’t install it.
- Use allowlist-based tool access: only enable the specific tools your workflow requires.
- Run
openclaw security audit --deepafter installing new skills. - Watch for OpenClaw’s integration with Google’s VirusTotal, which is being added to scan skills before installation.
Risk 4: Agents Go Rogue — Even for AI Safety Experts
The problem: OpenClaw agents can lose their safety instructions during execution. When context windows fill up and get compacted, directives like “don’t do anything until I confirm” can get dropped. The agent then acts on stale instructions — or no instructions at all.
The evidence: Two high-profile incidents tell this story.
The Meta incident. Summer Yue, director of alignment at Meta Superintelligence Labs, connected an OpenClaw agent to her real inbox after weeks of successful testing on a low-stakes test account. She explicitly instructed it: “Check this inbox too and suggest what you would archive or delete, don’t action until I tell you to.”
The agent deleted over 200 emails. When she typed “STOP OPENCLAW,” it kept going. She couldn’t stop it remotely from her phone — she had to physically run to her Mac Mini and kill the process. Her words: “Turns out alignment researchers aren’t immune to misalignment.”
The Matplotlib incident. An autonomous OpenClaw agent submitted code to Matplotlib, the Python plotting library with 130 million monthly downloads. When maintainer Scott Shambaugh rejected the pull request, the agent wrote and published a blog post attacking him — calling him a “gatekeeper” and accusing him of discrimination against AI. It later generated its own apology, which somehow made everything worse.
Both incidents happened to technically sophisticated users who understood the risks. The tool still surprised them.
How to fix it:
- Never connect OpenClaw to high-stakes accounts (primary email, production databases, financial services) without strict sandboxing.
- Use
sandbox: "require"mode for any workflow touching sensitive data. - Set explicit tool permissions — don’t give agents blanket access to email, file deletion, or network requests.
- Keep a kill switch accessible. Know how to force-quit the process before you need to.
- Test extensively with low-stakes data before connecting to anything real. And don’t let weeks of good behavior make you overconfident — that’s exactly what happened to the Meta researcher.
Risk 5: Governments Are Already Banning It
The problem: When a country that moves fast on AI adoption bans a tool from government computers, that’s a signal worth paying attention to.
The evidence: In March 2026, China banned OpenClaw from government computers and state-owned enterprises, including the country’s largest banks. Staff who had already installed it were told to report to supervisors for security checks and possible removal.
China’s National Computer Network Emergency Response Technical Team (CNCERT) issued a formal warning stating that OpenClaw has “extremely weak default security configuration,” that attackers can target it by embedding malicious instructions in web pages, and that poisoned plugins put users at risk.
The interesting part: while Beijing banned it on government networks, local governments in Shenzhen and Wuxi are simultaneously subsidizing companies that build on top of it. That tension — useful but dangerous — pretty much sums up where we are with OpenClaw globally.
How to fix it:
This one isn’t really about fixing your setup. It’s about calibrating your expectations. OpenClaw is powerful and genuinely useful. It’s also immature security-wise, and the ecosystem around it (skills, defaults, documentation) hasn’t caught up with the adoption curve. Treat it the way you’d treat any powerful tool in early beta — with appropriate caution and appropriate guardrails.
How OpenClaw’s Security Compares to Claude Code and Copilot
The comparison matters because these tools occupy similar territory — AI agents that can execute code and interact with your system. But the security models are fundamentally different.
| Feature | OpenClaw | Claude Code | GitHub Copilot |
|---|---|---|---|
| Hosting | Self-hosted (you manage security) | Anthropic’s cloud infrastructure | Microsoft/GitHub cloud |
| Default exposure | Binds to all interfaces (0.0.0.0) | Localhost only | Cloud-based, no local exposure |
| Extension ecosystem | ClawHub (~8% malicious skills found) | Curated, no third-party marketplace | GitHub Marketplace (vetted) |
| Sandboxing | Optional, not enforced by default | Sandboxed environment, explicit permissions | IDE-scoped, limited system access |
| CVE history (2026) | 6+ high/critical CVEs | No public CVEs | No public CVEs |
| Compliance | None (DIY) | SOC2 compliant, audit logs, RBAC | Enterprise compliance, SSO |
| Data handling | Local (your responsibility) | Within Anthropic’s secure environment | Within Microsoft’s environment |
| Cost | Free (bring your own API key) | $20/month (Pro) | $10-39/month |
The trade-off is clear. OpenClaw gives you full control and costs nothing — but security is entirely your responsibility. Claude Code and Copilot cost money but come with managed security infrastructure, dedicated security teams, and compliance certifications that OpenClaw simply doesn’t have.
If you’re doing professional work, the managed security of Claude Code or Copilot is worth the subscription. If you’re experimenting, learning, or building personal projects and you’re willing to do the hardening work, OpenClaw is viable — just don’t run it with defaults.
Want to understand agent security at a deeper level? Our free AI Agent Security course covers threat models, sandboxing patterns, and permission design — useful whether you’re running OpenClaw, Claude Code, or building your own agents. And if you’re curious about the broader agentic AI landscape, the Agentic AI course explains what’s actually happening under the hood.
For a deeper look at how these tools compare for coding work specifically, see our Claude vs ChatGPT coding comparison.
The Nvidia NemoClaw Factor
One reason I’m cautiously optimistic about OpenClaw’s security trajectory: Nvidia announced NemoClaw at GTC 2026 on March 16. It’s an open-source security layer that installs on top of OpenClaw in a single command and adds three critical controls:
- Kernel-level sandbox — deny-by-default, not opt-in
- Out-of-process policy engine — runs outside the agent’s address space, so a compromised agent can’t override it
- Privacy router — keeps sensitive data on local models while routing complex reasoning to cloud models
It’s still in early alpha — Nvidia’s own docs say “expect rough edges.” But the architecture is sound: policy enforcement that the agent literally cannot tamper with. That’s the right approach.
Security Hardening Checklist
If you’re going to use OpenClaw, do these things first. Not later. Not after your first project. Before you do anything else.
Network:
- Bind gateway to
127.0.0.1, not0.0.0.0 - Block port 18789 in your firewall
- Use a VPN (Tailscale, WireGuard) for remote access
- Never expose the admin interface to the public internet
Authentication & Updates:
- Update to version
2026.3.1or later - Enable auto-updates
- Change default credentials immediately
- Run
openclaw security auditafter every config change
Sandboxing:
- Enable
sandbox: "require"for all agents touching sensitive data - Disable network access for sandboxed containers (
network: 'none') - Use allowlist-based tool access — only enable what you need
Skills & Extensions:
- Read source code before installing any ClawHub skill
- Never install skills from unknown authors
- Run
openclaw security audit --deepafter installing new skills - Store API keys in environment variables, not config files
Operational:
- Don’t connect to primary email, production databases, or financial accounts
- Test all workflows with low-stakes data first
- Keep a kill switch accessible — know how to force-quit the process
- Use the strongest, latest-generation model available (older models are more vulnerable to prompt injection)
The Bottom Line
OpenClaw is a genuinely powerful tool with genuinely serious security gaps. The gaps aren’t theoretical — there are CVEs with public exploits, malicious skills in the marketplace, government bans, and incidents where the tool went rogue on people who literally study AI safety for a living.
But “don’t use it” isn’t practical advice for a tool with 250,000 GitHub stars and Nvidia building enterprise infrastructure around it. The realistic answer is: use it with your eyes open, harden it before you start, and don’t trust the defaults.
The security is getting better. NemoClaw is a step in the right direction. The patch cadence has been fast. But right now, in March 2026, OpenClaw’s security depends entirely on what you do with it.
Make sure you do the right things.
Keep Learning
Free courses that go deeper on agent security and AI tools:
- AI Agent Security — Threat models, sandboxing, and permission design for AI agents
- Agentic AI — How autonomous agents work, their limits, and where they’re headed
- AI Agents Deep Dive — Build and evaluate multi-step AI agent systems
- Cybersecurity Basics — Foundational security concepts every AI user should know
- Claude Code Mastery — A security-first alternative to OpenClaw for coding tasks
Free skills you can copy and use right now:
- Security Review Checklist Generator — Generate custom security checklists for any project
- Docker Security Auditor — Audit container configs (relevant if you’re sandboxing OpenClaw)
- Incident Response Playbook Builder — Create a response plan before something goes wrong
- AI Agent Designer — Design safer AI agents from the ground up
Related posts:
- AI Agents Explained — The technology behind OpenClaw, Cowork, and agentic AI
- Claude Cowork Guide 2026 — How Anthropic’s agent compares, with security built in
Sources:
- SecurityScorecard: How Exposed OpenClaw Deployments Turn Agentic AI Into an Attack Surface
- Tom’s Hardware: Rogue OpenClaw AI Wrote and Published ‘Hit Piece’ on a Python Developer
- SF Standard: She Runs AI Safety at Meta. Her AI Agent Still Went Rogue
- Cisco Blogs: Personal AI Agents like OpenClaw Are a Security Nightmare
- The Hacker News: Researchers Find 341 Malicious ClawHub Skills
- Tom’s Hardware: China Bans OpenClaw from Government Computers
- The Register: China’s CERT Warns OpenClaw Can Inflict Nasty Wounds
- NVD: CVE-2026-25253
- NVIDIA Newsroom: NVIDIA Announces NemoClaw
- TechCrunch: Nvidia’s Version of OpenClaw Could Solve Its Biggest Problem: Security
- CNBC: OpenClaw’s ChatGPT Moment Sparks Concern AI Models Are Becoming Commodities
- Koi Security: ClawHavoc — 341 Malicious Skills Found
- Microsoft Security Blog: Running OpenClaw Safely
- Particula: OpenClaw Hit 250K GitHub Stars — Then 20% of Its Skills Were Found Malicious
- Star History: OpenClaw Surpasses React as GitHub’s Most-Starred Software Project