Someone on your team is probably already running OpenClaw. The open-source AI agent rocketed past 100,000 GitHub stars in weeks, and its appeal is obvious: a personal AI assistant that can read your email, write code, manage files, and execute commands on your machine — all for free. But that same power is exactly what makes it dangerous. Security researchers have already found over 135,000 OpenClaw instances exposed to the public internet, and a critical vulnerability allows attackers to take full control of a machine with a single click. Here’s what you need to understand about OpenClaw’s security risks and what to do about them.
What Is OpenClaw?
OpenClaw is a free, open-source AI agent created by developer Peter Steinberger. Unlike a simple chatbot, OpenClaw runs locally on your computer and can actually take actions — executing shell commands, reading and writing files, browsing the web, managing your calendar, and sending messages through services like Slack, Signal, and email.
Users interact with OpenClaw through a messaging interface (Telegram, Discord, WhatsApp), while the agent itself runs on a dedicated machine — a laptop, a Mac Mini, a Raspberry Pi, or a cloud server. It connects to large language models like Claude, GPT, or DeepSeek to process requests, and it can install community-built “skills” from a marketplace called ClawHub to extend its capabilities.
What sets OpenClaw apart from other AI tools is its agentic autonomy. It maintains memory across conversations, can write its own code to create new skills, and operates with whatever system permissions you give it. That autonomy is both its selling point and its biggest liability.
Why OpenClaw Is a Security Problem
The core issue is straightforward: OpenClaw requires broad system access to be useful, but its security defaults don’t match the level of access it demands. Here are the specific risks your business should know about.
1. Critical Vulnerabilities with Real Exploits
In January 2026, security researcher Mav Levin disclosed CVE-2026-25253 — a one-click remote code execution vulnerability with a CVSS score of 8.8 out of 10. The attack works like this: a victim visits a malicious webpage, which silently steals their OpenClaw authentication token via JavaScript and establishes a WebSocket connection to their gateway. Within milliseconds, the attacker can disable security sandboxes and run arbitrary commands on the victim’s machine.
Two additional command injection vulnerabilities (CVE-2026-24763 and CVE-2026-25157) were discovered around the same time. While patches have been released, the window of exposure was significant — and many instances remain unpatched.
2. Tens of Thousands of Exposed Instances
Researchers at Bitdefender found over 135,000 OpenClaw instances directly accessible from the internet as of mid-February 2026. Of those, 63% were running vulnerable configurations, and over 12,800 were directly exploitable via RCE.
The problem? OpenClaw’s default configuration binds to all network interfaces (0.0.0.0) rather than localhost, and authentication is disabled by default. Deploying an exposed, unauthenticated instance takes less effort than securing one.
Example: A developer at a 50-person company spins up OpenClaw on a cloud VM to automate some DevOps tasks. They skip authentication because it’s “just for internal use.” Within minutes of deployment, researchers observed probes arriving from known threat actor infrastructure — including groups associated with Kimsuky and APT28.
3. A Poisoned Skills Marketplace
OpenClaw’s extensibility comes from ClawHub, a community marketplace for skills. According to Snyk’s ToxicSkills study, 13.4% of all ClawHub skills contain at least one critical-level security issue. Researchers identified 76 confirmed malicious payloads designed for credential theft, backdoor installation, and data exfiltration. Between January 27 and February 2, 2026, the number of malicious skills grew from 28 to over 400.
These aren’t theoretical risks. The Register reported that malicious skills hide commands inside Markdown comments, which OpenClaw executes without displaying them to the user. One common pattern: a skill that appears to be a cryptocurrency price tracker actually downloads and runs a bash script that installs a backdoor.
4. Prompt Injection Attacks
Because OpenClaw processes content from emails, documents, and web pages, it’s vulnerable to indirect prompt injection — hidden instructions embedded in content that redirect the AI agent’s behavior.
Example: An attacker shares a Google Doc with a team member. Hidden in white-on-white text is a prompt injection payload that instructs OpenClaw to add a new Telegram integration under the attacker’s control. When the user asks OpenClaw to summarize the document, it silently follows the hidden instructions and gives the attacker a persistent backdoor into the user’s OpenClaw environment.
Worse, researchers demonstrated that attackers can modify OpenClaw’s persistent memory file (SOUL.md) to create scheduled tasks that periodically re-inject attacker-controlled logic — surviving even after the malicious skill or document is removed.
5. Infostealers Are Already Targeting OpenClaw
This isn’t a future risk — it’s happening now. The Hacker News reported that the AMOS macOS infostealer has been updated to specifically target OpenClaw configuration files. These files contain API keys, authentication tokens, and connection credentials for every service OpenClaw is connected to. One compromised OpenClaw config file can hand an attacker access to your email, cloud accounts, code repositories, and internal messaging.
The Shadow AI Agent Problem
Here’s the risk that most security content about OpenClaw misses: you may not have deployed OpenClaw, but your employees might have.
A 2026 report from Gravitee found that only 14.4% of AI agents go live with full security and IT approval. Over half of AI tools inside companies now operate as “shadow agents” without IT knowledge.
OpenClaw is particularly prone to shadow adoption because it’s free, easy to install, and genuinely useful. A marketing coordinator uses it to draft emails. A developer uses it to automate deployments. A project manager uses it to summarize meeting notes. None of them tell IT. Each of those installations is a potential entry point into your network — running with the user’s full system permissions, connected to their corporate accounts, and likely configured with default (meaning absent) security settings.
For small and midsize businesses without dedicated security teams, this is a serious governance gap. You can’t secure what you don’t know exists.
What to Do About It
Whether you want to allow OpenClaw in your organization or block it entirely, you need a plan. Here are practical steps.
If You’re Blocking OpenClaw
- Add OpenClaw to your endpoint management policy. Use your endpoint management tools (Intune, Jamf, or similar) to detect and prevent OpenClaw installations on managed devices.
- Update your acceptable use policy. Explicitly address AI agents — not just AI chatbots — in your security policies. Employees need to understand that installing software that can execute system commands is fundamentally different from using ChatGPT in a browser.
- Monitor for indicators. OpenClaw’s gateway runs on port 3000 by default. Network monitoring can flag unexpected traffic on this port or WebSocket connections to unfamiliar endpoints.
If You’re Allowing OpenClaw (With Controls)
- Bind to localhost only. Configure OpenClaw to listen on 127.0.0.1, not 0.0.0.0. Use SSH tunneling or a VPN for remote access.
- Enable authentication and use strong credentials. OpenClaw’s authentication is off by default. Turn it on. Set a real password — researchers found that even “a” is accepted as a valid password.
- Run OpenClaw in a container. Docker or another sandboxing mechanism limits blast radius if the agent is compromised. The attacker stays inside the container instead of gaining access to the host machine.
- Vet every skill before installation. Only install skills from verified authors on ClawHub. Review source code. Run untrusted skills in sandbox mode. Treat ClawHub with the same skepticism you’d apply to any third-party package manager.
- Restrict tool access. Only enable the MCP tools OpenClaw actually needs. Don’t grant broad filesystem or network access unless there’s a specific use case.
- Enable logging. Without logs, you can’t detect or investigate incidents. Enable comprehensive session and action logging to track what OpenClaw executes and who triggered it.
- Patch immediately. Keep OpenClaw updated. The RCE vulnerability was patched in version 2026.1.29, but many instances remain on older versions.
Regardless of Your Policy
- Inventory AI agents across your environment. You need visibility into what’s running. This is part of broader security and compliance hygiene that many SMBs overlook until an incident forces the issue.
- Treat AI agents as identity-bearing entities. Only 21.9% of teams do this today. If an AI agent has access to your email, your code repos, and your cloud console, it needs to be managed like any other privileged account.
- Brief your team. A five-minute conversation about why AI agents are different from AI chatbots can prevent a lot of pain. Your employees aren’t trying to create risk — they’re trying to be productive. Give them guardrails, not just rules.
FAQs
1. Is OpenClaw safe to use for business? Not in its default configuration. OpenClaw ships with authentication disabled, binds to all network interfaces, and accepts weak passwords. With proper hardening — containerization, authentication, network restrictions, and skill vetting — the risk can be reduced significantly, but the security burden falls entirely on you.
2. What is CVE-2026-25253 and does it affect my OpenClaw instance? CVE-2026-25253 is a critical vulnerability (CVSS 8.8) that allows one-click remote code execution. If a user with an unpatched OpenClaw instance visits a malicious webpage, an attacker can steal their auth token and gain full control of their machine. It was patched in version 2026.1.29. If you’re running an earlier version, update immediately.
3. How do I know if employees are running OpenClaw without approval? Monitor for OpenClaw’s default gateway port (3000), scan for the OpenClaw process in endpoint management tools, and check for WebSocket traffic to unfamiliar destinations. Adding AI agents to your acceptable use policy also creates a reporting obligation that helps surface shadow deployments.
4. Can OpenClaw be used safely in a business environment? With significant hardening, yes — but it requires technical expertise to configure properly. For most small and midsize businesses, the safer approach is to work with managed IT services providers who can evaluate the risk, implement controls, and monitor for issues on an ongoing basis.
The Bottom Line
OpenClaw represents a new category of risk that most businesses aren’t prepared for. It’s not a SaaS app your IT team can evaluate and approve through normal channels. It’s a locally installed, fully autonomous agent with system-level access that any employee can set up in minutes. The combination of insecure defaults, a poisoned skills marketplace, active exploitation in the wild, and rampant shadow adoption makes it one of the most pressing security concerns of early 2026.
The good news: the risks are manageable if you act deliberately. Inventory what’s running, set clear policies, harden any approved deployments, and make sure your team understands why this matters.
Need help getting ahead of AI agent security risks in your organization? Exodata’s security and compliance team can assess your exposure, implement endpoint controls, and build policies that keep your business productive without leaving the door open. Our approach is simple: no sales, just engineers who understand the problem. Contact us to schedule a security assessment.