OpenClaw Security Risks: What Security Teams Need to Know About AI Agents Like OpenClaw in 2026

🔊 Listen to Post

OpenClaw, the open-source AI agent formerly known as Clawdbot and Moltbot, went from zero to over 180,000 GitHub stars in two weeks. It also went from zero to a documented security nightmare in roughly the same timeframe. Cisco called it a cybersecurity disaster. CrowdStrike published detection guidance. Gartner labeled it “a dangerous preview of agentic AI.” And researchers found over 40,000 exposed OpenClaw instances sitting on the public internet, many with no authentication whatsoever.

This article provides a thorough breakdown of every significant OpenClaw security risk documented to date, the best practices security teams need to implement immediately, and the enterprise-grade tools that can help organizations manage the emerging risk that AI agents like OpenClaw represent. Whether your employees have already deployed OpenClaw without permission or you are proactively building your AI governance strategy, this guide covers what matters most.

What Is OpenClaw and Why Is It a Significant Security Concern?

OpenClaw is an open-source personal AI assistant that runs locally on a user’s machine and connects to large language models like Claude from Anthropic, ChatGPT from OpenAI, or DeepSeek. Unlike typical chatbots, OpenClaw is a true AI agent that can execute shell commands, browse the web, send emails, manage calendars, and read or write files on the host system. Users interact with it through messaging platforms including Telegram, WhatsApp, Discord, and Slack, making it feel less like enterprise software and more like texting a helpful coworker.

The project was originally published as Clawdbot in November 2025 by Austrian developer Peter Steinberger. After trademark complaints from Anthropic, it was renamed Moltbot and then OpenClaw in rapid succession. The viral AI assistant exploded in popularity in late January 2026 when Moltbook, a social network built exclusively for AI bots, launched alongside it. OpenClaw rapidly became one of the fastest-growing repositories in GitHub history. On February 14, 2026, Steinberger announced he was joining OpenAI, with the project transitioning to an independent foundation.

The security concerns are not theoretical. Within weeks of OpenClaw’s viral adoption, security researchers documented critical vulnerabilities, malicious skills in the ClawHub marketplace, plaintext credential storage, and tens of thousands of misconfigured instances exposed to the public internet. Every cybersecurity vendor with an AI practice has since published guidance. The scale of the problem is growing faster than the community’s ability to patch it.

What Are the Most Critical OpenClaw Security Risks in 2026?

The most severe documented risk is CVE-2026-25253, a vulnerability rated CVSS 8.8 that enables remote code execution through the victim’s browser. The attack chain is elegant and devastating: an attacker creates a webpage containing malicious JavaScript, then lures the OpenClaw agent into visiting or rendering that page. The gateway authentication token leaks, and the attacker gains full administrative control in milliseconds. No prior access is required. The vulnerability was patched in version 2026.1.29, but any unpatched OpenClaw instances should be assumed compromised.

Beyond this critical CVE, OpenClaw security risks span multiple categories. The gateway ships with authentication disabled by default, meaning any newly deployed instance is immediately accessible from the internet. Credential storage relies on plaintext config files that contain API keys, OAuth tokens, and bot credentials for every connected service. Infostealers including RedLine, Lumma, and Vidar have already added the agent’s file paths to their collection targets. Kaspersky documented that these stealers are specifically harvesting its configuration data alongside traditional browser credential theft.

The ClawHub skill marketplace represents a supply chain attack surface that has already been extensively exploited. At peak, 12% of the entire repository contained malicious skills. Cisco’s security research team tested a skill called “What Would Elon Do?” and found it functioned as outright malware, executing data exfiltration via curl commands to external servers. Snyk scanned nearly 4,000 ClawHub skills and found 283 containing flaws that expose sensitive credentials. The skills do not need to contain traditional malware to be dangerous; many simply instruct the AI agent to mishandle secrets by passing API keys and passwords through the LLM’s context window in plaintext.

How Does Prompt Injection Threaten OpenClaw Deployments?

Prompt injection is arguably the most fundamental and unsolvable threat facing OpenClaw and all agentic AI systems. A malicious prompt can be embedded in any content the agent processes: an email, a Google Doc, a Slack message, a webpage, or even metadata in a file. When OpenClaw ingests that content, the hidden instructions can hijack the agent’s behavior, causing it to exfiltrate data, create new integrations, or execute arbitrary commands on the host system.

Zenity’s research team demonstrated a particularly alarming proof-of-concept where a prompt injection payload hidden in a Google Document directed OpenClaw to create a new Telegram bot integration, effectively giving the attacker a persistent backdoor into the victim’s environment. The attack requires no direct access to the OpenClaw instance. It only requires that the agent reads a document containing the malicious instructions. Any trusted third-party integration, not just Google Workspace, can serve as the delivery mechanism. This is what makes prompt injection so dangerous for agentic systems: the attack surface extends to every piece of content the agent can access.

The agent’s own security documentation acknowledges that prompt injection “can still happen via any untrusted content the bot reads” including web search results, browser pages, emails, documents, attachments, and pasted logs or code. There is currently no complete technical solution to prompt injection in systems where the agent must process external content to be useful. Adding guardrail layers can reduce risk but cannot eliminate it. This architectural reality is why Sophos and others recommend treating the platform as unsuitable for environments with sensitive data.

Why Are Exposed OpenClaw Instances Such a Massive Problem?

Independent scanning by multiple research teams has identified over 40,000 exposed OpenClaw instances on the public internet. Censys tracked growth from roughly 1,000 to over 21,000 instances in a single week. Bitsight observed more than 30,000. Security researcher Maor Dayan independently verified 42,665 exposed instances, of which 5,194 were actively confirmed vulnerable, with 93.4% exhibiting authentication bypass conditions. The exposure spans 52 countries, with the United States and China hosting the largest concentrations.

The majority of these deployments run on cloud infrastructure, primarily DigitalOcean, Alibaba Cloud, and Tencent. Many operators use reverse proxies like Nginx or Caddy, or Cloudflare Tunnels, to enable remote access, but misconfiguration of these intermediaries frequently negates their protective benefit. Because the gateway ships with authentication disabled by default and broadcasts critical configuration parameters via mDNS, simply spinning up an instance without hardening it immediately creates an endpoint that any attacker can discover and control.

For enterprises, the more insidious risk is internal. Bitdefender GravityZone telemetry confirms that employees are deploying the agent on corporate devices using single-line install commands with no approval process and no SOC visibility. This constitutes a shadow AI risk that traditional security monitoring may not detect. If an employee connects the assistant to their corporate email, Slack workspace, or cloud storage, the agent can access everything those services contain. A single compromised instance then becomes a pivot point with broad system access across the organization.

What OpenClaw Security Best Practices Should Organizations Implement?

The first and most important step is to identify installations across your environment. CrowdStrike’s Falcon platform allows security teams to identify OpenClaw deployments through agent-based endpoint inspection. Organizations without that tooling can use osquery to search for related processes on managed endpoints. Any discovery should be treated as a potential incident requiring investigation, not a routine software finding.

For organizations that choose to permit controlled experimentation, the following best practices represent the minimum acceptable security posture. Bind the gateway exclusively to localhost. Require strong authentication tokens on all connections. Disable high-risk tools including shell execution, browser control, web fetch, and web search by default. Run the agent inside Docker containers with read-only workspace access. Never expose the gateway to the public internet; use a VPN or Tailscale for remote access. Rotate all API keys and credentials regularly. Prohibit unvetted skills from ClawHub entirely, and audit any skill before installation using tools like Cisco’s open-source Skill Scanner or similar security tools.

At the policy level, organizations should establish explicit AI governance frameworks that address agentic AI. CISA and other regulatory bodies have been increasingly vocal that any AI systems with autonomous execution capabilities require the same governance rigor as privileged access tools. Define which data categories are acceptable for AI agent processing and which are strictly off-limits. Brief employees using real-world examples, because abstract warnings about “data leakage” do not create lasting behavioral change. A policy of “yes, but with guardrails” is always received better than a blanket ban that drives experimentation underground and worsens the shadow AI risk.

How Can Security Teams Audit an OpenClaw Deployment?

OpenClaw includes a built-in audit command that flags common misconfigurations. Running “openclaw security audit” checks for gateway authentication exposure, browser control settings, elevated allowlists, filesystem permission issues, and other known risk factors. The “–deep” flag performs a more thorough analysis, while “–fix” attempts automatic remediation of identified issues. These audits should be run after any configuration change and before exposing any network surfaces.

Beyond the built-in audit, several external tools have emerged specifically for this platform’s security assessment. Cisco released an open-source Skill Scanner that analyzes ClawHub skills for malicious behavior. Snyk’s research identified credential leakage patterns across the entire marketplace. Giskard offers adversarial AI red teaming that performs multi-turn prompt injection attacks against deployments to surface vulnerabilities before real attackers do. For enterprises serious about understanding their exposure, combining the native audit with at least one external assessment tool provides a more complete picture.

The audit should also extend to network-level monitoring. Examine DNS requests from devices running the agent to identify unexpected external connections. Monitor for unusual spikes in API token usage. Check whether instances are communicating with known malicious domains associated with ClawHub supply chain attacks. A comprehensive audit is not a one-time exercise; it must be repeated regularly as the threat landscape around OpenClaw evolves weekly.

How Does Trend Micro Help Protect Against Agentic AI Threats Like OpenClaw?

Trend Micro has published extensive research on the platform through their TrendAI Digital Assistant Framework, mapping its capabilities and risk surface in detail. More importantly, they offer enterprise-grade tooling specifically designed for the agentic AI threat landscape. TrendAI Vision One AI Application Security inspects AI traffic in real time, identifying and blocking prompt injection attempts before they can steer agent behavior. This addresses the most fundamental vulnerability in any OpenClaw deployment: the fact that malicious instructions hidden in content can hijack the agent’s actions.

For organizations developing their own agentic systems or evaluating tools like OpenClaw internally, the TrendAI Vision One AI Scanner component functions as an automated red team. It proactively tests for prompt injection vulnerabilities before deployment goes live, providing the kind of adversarial testing that most organizations lack the internal expertise to perform. Additionally, Trend Micro’s AI Application Security applies data loss prevention to both prompts and responses, filtering sensitive information before it leaves the user’s environment. This protection extends to agent-to-agent communication channels, addressing a vector that conventional DLP solutions were never designed to monitor.

PacGenesis partners with Trend Micro to deliver these cybersecurity capabilities as part of comprehensive security implementations for enterprise customers. Integrating Trend Micro’s AI Application Security with existing endpoint security and file transfer workflows provides layered protection that addresses the agentic AI attack surface at multiple points. Organizations that need to evaluate their exposure to agentic AI threats or implement protective controls can contact PacGenesis for a consultation tailored to their specific environment and risk profile.

What Does OpenClaw Adoption Mean for Enterprise Cybersecurity Strategy?

OpenClaw represents more than a single product risk. It signals a paradigm shift in how employees will interact with AI tools, and that shift has profound security implications. The appeal is genuine: a powerful AI agent that can automate tedious tasks, remember context across weeks, and operate autonomously through familiar messaging platforms. Employees are not deploying it because they want to create security problems. They are deploying it because it genuinely makes them more productive. That motivation is not going away, and banning the tool without addressing the underlying demand simply pushes the problem into less visible corners of the organization.

The strategic response requires treating agentic AI as a new category of privileged access. Every integration represents a credential, a permission, and a potential blast radius. Email integration means the agent can access everything in the inbox. Calendar integration reveals operational patterns. Cloud storage integration exposes confidential documents. Browser control inherits all active sessions. The security implications of each integration compound, and most users grant them without understanding what they are authorizing. Enterprise cybersecurity strategy must now account for the reality that employees will use agentic AI tools whether IT approves them or not, and build detection, governance, and response capabilities accordingly.

Is OpenClaw Safe to Use?

The agent is not safe to use in its default configuration. The gateway ships without authentication, credentials are stored in plaintext, and the ClawHub skill marketplace has been repeatedly compromised. The project’s own documentation states “there is no ‘perfectly secure’ setup,” and one of its maintainers has publicly warned that it is “far too dangerous” for users who cannot manage command-line security. However, with significant hardening, isolation (such as running in Docker with read-only access on a dedicated device), and careful restriction of permissions and integrations, experienced users can reduce risk to acceptable levels for personal experimentation. It should not be deployed on any system with access to sensitive enterprise data.

What Is OpenClaw Used For?

OpenClaw is used as a personal AI assistant that can automate a wide range of tasks including email triage, calendar management, flight check-ins, code deployment, web browsing, file management, smart home control, and project coordination across tools like Notion, Obsidian, and Trello. Users interact with it through messaging platforms they already use, such as Telegram, WhatsApp, Discord, and Slack. The agent runs continuously and can execute scheduled tasks via cron jobs, giving it the ability to work proactively without waiting for user input. Developers also use it to manage coding sessions, run tests autonomously, capture errors, and open pull requests on GitHub.

Is OpenClaw an Agent?

Yes, OpenClaw is a true agentic AI system, not simply a chatbot. The distinction is critical: a chatbot responds to questions within a contained sandbox, while an AI agent can take autonomous action in the real world. OpenClaw can execute shell commands, control browsers, send messages on behalf of the user, interact with APIs, and modify files on the host system. It also features a heartbeat scheduler that wakes the agent at configurable intervals, allowing it to act proactively without being prompted. This autonomous capability is what makes OpenClaw useful and what makes it a significant security concern.

Who Makes OpenClaw?

OpenClaw was created by Peter Steinberger, an Austrian software developer previously known as the founder of PSPDFKit. The project was originally published as Clawdbot in November 2025, then renamed to Moltbot after trademark complaints from Anthropic (whose Claude chatbot inspired the original name), and finally to OpenClaw. On February 14, 2026, Steinberger announced he was joining OpenAI to lead personal agent development. The OpenClaw project is transitioning to an independent, OpenAI-sponsored foundation, with ongoing community development. The project is open source under the MIT license and is hosted on GitHub.

The Bottom Line on OpenClaw Security for Enterprise Teams

• OpenClaw (previously known as Clawdbot and Moltbot) is an open-source AI agent that runs locally, connects to LLMs like Claude and ChatGPT, and can execute real-world actions autonomously through messaging platforms including Telegram, WhatsApp, and Discord.
• Critical vulnerabilities including CVE-2026-25253 (CVSS 8.8) enable remote code execution, and over 40,000 exposed OpenClaw instances have been identified on the public internet, many without authentication.
• The ClawHub skill marketplace has been heavily compromised, with up to 20% of skills found to contain malicious payloads including credential theft, data exfiltration, and backdoor installation.
• Prompt injection is an architectural vulnerability that cannot be fully solved. Any content the agent processes, including emails, documents, web pages, and Slack messages, can contain hidden malicious instructions.
• Plaintext credential storage means API keys, OAuth tokens, and bot credentials are exposed if the host is compromised. Infostealers are already specifically targeting OpenClaw configuration files.
• Security teams should immediately inventory OpenClaw deployments across managed endpoints, treat discoveries as potential incidents, and implement network-level monitoring for AI agent traffic.
• Minimum best practices include binding the gateway to localhost, enabling authentication, running inside Docker containers, disabling unnecessary high-risk tools, rotating all credentials, and blocking unvetted ClawHub skills.
• Trend Micro’s Vision One AI Application Security provides real-time prompt injection detection, data loss prevention for AI traffic, and automated red teaming through the AI Scanner component. PacGenesis can help enterprises implement these protections as part of a comprehensive cybersecurity strategy.
• CISA and industry analysts agree: agentic AI tools require the same governance rigor as any privileged access system. Build policy, detection, and response capabilities now, because OpenClaw adoption is accelerating regardless of whether IT has approved it.