Here are the OpenClaw security risks you should know about
Date:
Wed, 01 Apr 2026 10:46:39 +0000
Description:
OpenClaw can browse the web, run shell commands, and send emails on your behalf, but it comes with documented security risks that every user should understand before deploying it.
FULL STORY ======================================================================Copy link Facebook X Whatsapp Reddit Pinterest Flipboard Threads Email Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Tech Radar Pro Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Become a Member in Seconds Unlock instant access to exclusive member features. Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over. You are
now subscribed Your newsletter sign-up was successful Join the club Get full access to premium articles, exclusive features and a growing list of member rewards. Explore An account already exists for this email address, please log in. Subscribe to our newsletter OpenClaw gives an AI agent access to your files, email, calendar, and command line, running around the clock without waiting to be asked. That's a useful setup for a lot of professionals. It's also a significant amount of trust to place in software that launched in late 2025 and is still patching security holes.
We've gone through the research, CVE disclosures, and security audits published since OpenClaw went viral. Here's what you should know before you hand it access to anything that matters. Prompt injection attacks Prompt injection is the most documented risk in the OpenClaw ecosystem, and it's not a problem the team can fully engineer away. It happens when malicious instructions are hidden inside content the agent reads an email, a shared document, a webpage and the language model treats them as legitimate
commands from you. You may like How to safely experiment with OpenClaw What
is OpenClaw? Agentic AI that can automate any task Chinese government cracks down on in-office OpenClaw use over potential security risks
Because OpenClaw processes incoming messages, browses websites, and reads files as part of normal operation, it's constantly handling untrusted input. Cisco's AI security research team tested a third-party OpenClaw skill and found it performed data exfiltration and prompt injection without the user's knowledge.
OpenClaw's own blog described prompt injection as "still an industry-wide unsolved problem" and recommends using a strong, latest-generation model to lower your risk. Better models are harder to manipulate, but that's a reduction, not a solution. Keep the agent's access limited to what it
actually needs, and be cautious about which content sources you let it
process unsupervised. Malicious skills in the community repository Skills are modular add-ons that extend what OpenClaw can do. They're shared through ClawHub, the platform's community repository, and the agent can search for
and install them automatically. The problem is that skills are code from strangers, and there's no effective sandbox to contain what they do.
Cisco's security team examined a skill called "What Would Elon Do?" that had been artificially pushed to the top of the repository. It turned out to be malware: it used prompt injection to bypass safety checks and sent user data to an external server. Cisco found nine vulnerabilities in that single skill, two of them critical, and a broader audit of 31,000 agent skills across multiple platforms found that 26% contained at least one vulnerability. Are you a pro? Subscribe to our newsletter Sign up to the TechRadar Pro
newsletter to get all the top news, opinion, features and guidance your business needs to succeed! Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.
Before you install any skill you didn't write yourself, treat it as untrusted code. Fork it, read it, then install it. Download counts and star ratings are not a reliable safety signal here. The WebSocket hijacking vulnerability (CVE-2026-25253) In January 2026, security researcher Mav Levin disclosed CVE-2026-25253, a cross-site WebSocket hijacking bug rated 8.8 on the CVSS severity scale. Any website could steal your authentication token and run arbitrary code on your machine through a single malicious link.
The vulnerability was patched in version 2026.1.29. Before that patch landed, Censys found over 21,000 OpenClaw instances publicly exposed on the internet, many over plain HTTP. If you're running an older build or haven't reviewed your network configuration, that's the first thing to address. What to read next Microsoft says OpenClaw is "not appropriate to run on a standard
personal or enterprise workstation" so should you be worried? OpenClaw is making terrifying mistakes showing AI agents aren't ready for real responsibility 'A human-chosen password doesn't stand a chance': OpenClaw has yet another major security flaw here's what we know about "ClawJacked"
Update to at least version 2026.1.29, and don't expose the gateway port directly to the internet. If you need remote access, route it through a VPN
or SSH tunnel. Credential and configuration theft via infostealers Most infostealers go after browser passwords and session cookies. Hudson Rock documented the first known case where an infostealer grabbed an entire OpenClaw configuration file from an infected machine, which is a more
damaging outcome than a stolen password.
An OpenClaw config contains API keys and authentication tokens for every service the agent is connected to. An attacker who gets that file doesn't
just have your credentials; they have a working agent they can run as you. Malwarebytes researchers have noted that adversaries are increasingly targeting AI systems at this level, harvesting not just login details but the full configuration of a personal AI agent.
Keep your machine's endpoint protection current. Rotate API keys
periodically, and set short token lifetimes wherever your providers allow it. Autonomous actions without human approval OpenClaw's heartbeat system wakes the agent on a set schedule and lets it take action without being prompted. That autonomy is intentional. It also means the agent can do consequential things before you've had a chance to weigh in.
A Meta employee working in AI safety publicly shared that she was unable to stop OpenClaw from deleting a large portion of her email inbox. In a separate case, a user found his agent had drafted and sent a legal rebuttal to his insurance company without being asked. That one happened to work in his
favor, but the underlying issue is the same either way: the agent acts on
what it judges to be helpful, and its judgment isn't always right.
OpenClaw's tool policies let you require human confirmation before certain action types. Use those settings for anything irreversible, including deletions, outbound messages, and anything involving payments. Exposed instances and misconfigured deployments OpenClaw connects to email,
calendars, file storage, and messaging platforms. When it's misconfigured or left publicly accessible, the exposure can be severe.
The clearest example came from Moltbook, a third-party platform built on OpenClaw. A database misconfiguration left its entire backend open to the internet four days after launch, exposing 1.5 million agent API keys, over 35,000 email addresses, and thousands of private messages. That was a
separate project, but it shows what happens when OpenClaw-based deployments move quickly without locking down access controls.
The Dutch data protection authority advised organizations not to deploy experimental agents like OpenClaw on systems handling sensitive or regulated data , citing the combination of broad local access and an immature security model. If you're running it professionally, keep it isolated on a dedicated
VM or container with strict controls over what it can reach. Steps to reduce your risk Microsoft published recommendations for deploying self-hosted
agents with durable credentials, and they translate well to OpenClaw specifically. Run it on a dedicated machine or isolated container rather than your primary computer, and give it only the minimum permissions it needs to
do its job.
Set spending limits at the API provider level, not just within OpenClaw's settings. A misconfigured heartbeat can accumulate a significant bill overnight, and provider-level caps are more reliable. Gate irreversible actions behind human approval, and review the agent's memory and behavior
logs periodically, especially after it has processed content from outside sources.
OpenClaw's developer Peter Steinberger has said security is the team's top priority, and the project has shipped machine-checkable security models alongside several hardening patches. That's real progress for a project this young. Even so, conservative configuration is a reasonable trade-off for the capabilities it offers, and the defaults alone are not enough. What this
means for you OpenClaw is a capable platform, and the community around it is growing quickly. Broad system access and a rapidly expanding third-party
skill ecosystem are also exactly what make careful setup essential, particularly in a professional context.
Most of the risks here are manageable if you address them before they become
a problem. Restrict access, audit what you install, and don't give the agent authority over anything you'd be uncomfortable losing. The platform will likely harden as it matures, but until then, the work of securing it is yours to do.
======================================================================
Link to news story:
https://www.techradar.com/pro/here-are-the-openclaw-security-risks-you-should- know-about
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)