OpenClaw Security Risks in 2026: What You Need to Know
OpenClaw crossed 250,000 GitHub stars in early 2026. Adoption is exploding. But security has not kept up with the growth. A zero-click RCE vulnerability, over 135,000 exposed instances, and hundreds of malicious ClawHub skills have turned OpenClaw into a real target. Here is what you need to know and how to protect yourself.
The ClawJacked Vulnerability (CVE-2026-25253)
In January 2026, security researcher Marcus Chen published a critical vulnerability in the OpenClaw gateway. He called it ClawJacked. The official CVE designation is CVE-2026-25253, and it carries a CVSS score of 9.8 out of 10.
The vulnerability is a zero-click remote code execution (RCE) flaw. That means an attacker does not need any credentials, user interaction, or social engineering. They just need network access to your gateway port.
How It Works (Simplified)
The OpenClaw gateway accepts JSON messages over HTTP on port 18789. Before version 3.1.4, the message parsing logic had a flaw in how it handled nested skill invocation payloads. An attacker could craft a message that:
Sends a malformed skill request
The payload contains a nested object that looks like a normal skill call but includes injected shell commands in the skill parameter field.
Bypasses the permission check
The gateway checks skill permissions at the top-level message, but the nested payload skips this validation layer entirely. The agent process executes the inner payload without verifying it against SOUL.md permissions.
Executes arbitrary code
The injected command runs with the same permissions as the OpenClaw process. If you are running OpenClaw as root (a common mistake on VPS setups), the attacker has full root access to your machine.
# VULNERABLE: All versions before 3.1.4
openclaw --version
# If output is < 3.1.4, update immediately
# FIX: Update to latest
npm install -g openclaw@latest
# VERIFY: Check your version after update
openclaw --version
# Should show 3.1.4 or higherThe OpenClaw team patched this in version 3.1.4 within 48 hours of disclosure. But the damage window was significant. The vulnerability existed since version 2.8.0, which means months of exposure for anyone running an internet-facing gateway.
135,000+ Exposed Instances on the Internet
Researchers at Wiz scanned the internet for OpenClaw gateways in February 2026. They found over 135,000 instances reachable on the public internet, most of them on port 18789. The majority had no authentication enabled.
Let that number sink in. 135,000 machines running OpenClaw with the gateway bound to 0.0.0.0, no token auth, and many still running vulnerable versions. Anyone on the internet could send messages to these agents, trigger skill executions, or exploit ClawJacked for full remote code execution.
| Finding | Count |
|---|---|
| Publicly accessible gateways | 135,000+ |
| No authentication enabled | ~89% |
| Running vulnerable versions (pre-3.1.4) | ~42% |
| Running as root user | ~31% |
Why does this happen? Most tutorials (including some popular YouTube guides) tell beginners to use --host 0.0.0.0 so they can access the gateway from their phone or another device. Without explaining the security implications, this simple flag turns a local development tool into an internet-facing service.
ClawHub Risks: 800+ Malicious Skills Discovered
ClawHub is the community registry for OpenClaw skills. Think of it like npm for agent capabilities. You can install browser automation, file management, API connectors, and hundreds of other skills with a single command. The problem is that ClawHub has minimal vetting.
In a February 2026 audit, security firm Trail of Bits identified over 800 skills on ClawHub that contained malicious or suspicious code. The categories of abuse included:
Credential exfiltration
340+ skillsSkills that read environment variables (API keys, tokens) and send them to external servers. Some disguised the exfiltration as legitimate API health checks.
Crypto miners
210+ skillsSkills that spawn background processes to mine cryptocurrency using your CPU. They often throttle usage to avoid detection through high CPU alerts.
Backdoor shells
120+ skillsSkills that open reverse shells to attacker-controlled servers, giving persistent remote access even after the skill is uninstalled.
Data harvesting
130+ skillsSkills that scan local filesystems for SSH keys, wallet files, browser cookies, and other sensitive data, then upload them to external endpoints.
The names of these malicious skills are often close to legitimate ones. A typosquatting skill named broswer-automation (note the typo) had over 3,000 installs before it was flagged. It functioned normally as a browser skill but also silently exfiltrated any API keys found in the environment.
# BAD: Installing without checking
openclaw skills install some-random-skill
# GOOD: Check the source first
openclaw skills info some-random-skill
# Look at: author, download count, source repo, last updated
# BETTER: Read the actual code
openclaw skills inspect some-random-skill
# This shows the skill's source code before installation
# BEST: Pin to a specific version
openclaw skills install browser-automation@2.1.0
# Prevents supply chain attacks through version updatesGateway Exposure: The Default Port Problem
OpenClaw's gateway runs on port 18789 by default. Every installation uses this same port. Every scanner knows to look for it. This is not a vulnerability per se, but it makes reconnaissance trivial for attackers.
The bigger issue is that the gateway ships with no authentication by default. The reasoning from the OpenClaw team was that since the gateway binds to loopback by default, auth is not strictly necessary for local-only access. That logic breaks down the moment someone changes the bind address to 0.0.0.0 and forgets to add a token.
| Configuration | Risk Level | What Can Go Wrong |
|---|---|---|
| 127.0.0.1 + token | Low | Only local processes with the token can connect |
| 127.0.0.1, no token | Medium | Any local process can interact with your agents |
| 0.0.0.0 + token | Medium | Network accessible, but auth required. Brute-force risk. |
| 0.0.0.0, no token | Critical | Anyone on the network (or internet) can control your agents |
If you are running OpenClaw on a VPS, a cloud server, or any machine with a public IP address, binding to 0.0.0.0 without authentication is equivalent to leaving your front door open with a sign that says "come in."
How to Secure Your OpenClaw Setup
The good news: every risk described above is preventable. Here are six concrete steps to lock down your OpenClaw installation.
Never expose the gateway to the public internet
Keep the default 127.0.0.1 bind address. If you need remote access, use Tailscale or a VPN. Never bind to 0.0.0.0 on a machine with a public IP unless you have a reverse proxy with TLS, rate limiting, and authentication in front of it.
Use authentication tokens
Set OPENCLAW_GATEWAY_TOKEN in your environment. Even on loopback, token auth prevents rogue local processes from talking to your agents.
# Generate a secure token
openssl rand -hex 32 > ~/.openclaw/gateway-token
# Add to your .env
OPENCLAW_GATEWAY_TOKEN=$(cat ~/.openclaw/gateway-token)
# All requests now require: Authorization: Bearer <token>Audit ClawHub skills before installing
Use openclaw skills inspect to read the source code before every installation. Check the author, verify the repository link, and look at download counts. Avoid skills with no source repo, very few downloads, or names that are close to popular skills (typosquatting).
Keep OpenClaw updated
Run npm install -g openclaw@latest regularly. Security patches like the ClawJacked fix (3.1.4) only protect you if you actually install them. Subscribe to the OpenClaw GitHub releases feed to get notified of security updates.
Run in Docker with limited permissions
Docker containers isolate OpenClaw from your host system. If an agent or skill is compromised, the blast radius is limited to the container. Never run containers as root.
# Run OpenClaw in Docker with restricted permissions
docker run -d \
--name openclaw-agent \
--user 1000:1000 \
--read-only \
--tmpfs /tmp \
-p 127.0.0.1:18789:18789 \
-v ./agents:/app/agents:ro \
-v ./data:/app/data \
--cap-drop ALL \
openclaw/openclaw:latestUse firewall rules
Even if you accidentally bind to 0.0.0.0, firewall rules act as a safety net. Block port 18789 from external access at the OS level.
# Linux (ufw)
sudo ufw deny in on eth0 to any port 18789
# macOS (pf) - add to /etc/pf.conf
block in on en0 proto tcp from any to any port 18789
# Cloud provider: Use security groups to block 18789 from 0.0.0.0/0Government Warnings: China Restricts OpenClaw on Office Computers
In February 2026, China's Ministry of Industry and Information Technology issued guidance restricting the use of OpenClaw on government and state-owned enterprise office computers. The stated concerns were about data leakage through LLM API calls to foreign providers and the lack of centralized audit logging in the default configuration.
This is not an OpenClaw-specific ban. It is part of a broader policy restricting AI tools that send data to external servers. But it highlights a real concern: even in a self-hosted framework, the LLM API calls are the weak link. Every prompt you send to Anthropic, OpenAI, or Google leaves your machine and goes to their servers.
For organizations with strict data sovereignty requirements, the answer is local inference. Running OpenClaw with Ollama and a local model (Qwen, Llama, DeepSeek) eliminates all external API calls. The tradeoff is reduced model capability, but for many compliance-driven use cases, it is the only viable option.
Several other countries and large enterprises have issued similar internal guidance. The pattern is clear: as AI agent adoption grows, so does scrutiny from security and compliance teams. If you are deploying OpenClaw in a corporate environment, expect to answer questions about data flow, audit logging, and access control.
The Bigger Picture: Open Source + Speed = Security Gaps
None of these problems are unique to OpenClaw. They are the natural consequence of a fast-growing open-source project that prioritized developer experience and rapid feature delivery over security hardening. The same pattern played out with Docker, Kubernetes, and Redis before it.
The OpenClaw team has been responsive. The ClawJacked patch shipped in 48 hours. ClawHub is getting a verification system for skill publishers. The default gateway configuration is being reviewed. But these fixes only matter if users actually update and configure their installations properly.
The responsibility falls on you as the operator. OpenClaw gives you the tools to build powerful AI agents. It also gives you the rope to hang yourself if you do not understand the security implications of every configuration choice.
Frequently Asked Questions
Is OpenClaw safe to use in 2026?
OpenClaw can be safe if you configure it correctly. The framework itself is open-source and auditable. The risks come from misconfigurations: exposed gateways, unaudited ClawHub skills, and outdated versions with known vulnerabilities like ClawJacked. Follow the hardening steps in this guide to reduce your attack surface significantly.
What is the ClawJacked vulnerability (CVE-2026-25253)?
ClawJacked is a zero-click remote code execution vulnerability discovered in January 2026. It affects OpenClaw versions prior to 3.1.4. An attacker can send a specially crafted message to an exposed gateway that bypasses skill permission checks and executes arbitrary code on the host machine. No user interaction is required. The fix is to update to version 3.1.4 or later.
How do I know if my OpenClaw gateway is exposed to the internet?
Run 'openclaw gateway status' and check the bind address. If it shows 0.0.0.0 instead of 127.0.0.1, your gateway accepts connections from any network interface. You can also use an external port scanner to check if port 18789 is reachable from outside your network. If you are on a VPS or cloud server with a public IP, binding to 0.0.0.0 means your gateway is publicly accessible.
Can ClawHub skills steal my API keys or data?
Yes, a malicious ClawHub skill can access anything the agent process can access, including environment variables (where API keys are stored), local files, and network connections. This is why you should always audit skill source code before installing, pin skills to specific versions, and run agents in Docker containers with limited permissions to contain potential damage.
Want a Safer Deployment Path?
CrewClaw packages handle security defaults for you. Gateway token auth, loopback binding, skill pinning, and Docker configs are all baked into every template. 103 templates with secure configurations, ready to deploy in 60 seconds.
Deploy a Ready-Made AI Agent
Skip the setup. Pick a template and deploy in 60 seconds.