
OpenClaw Security: 512 Vulnerabilities, Malicious Skills, and What You Need to Know

Mark Austen, March 3, 2026

OpenClaw (formerly ClawdBot) has 149,000 GitHub stars and 84,000+ active installs. It's also had 512 vulnerabilities identified, 820+ malicious skills discovered on its marketplace, and a critical flaw that lets websites hijack your local agent. Here's what you actually need to know.

TL;DR — The security picture

  • 512 vulnerabilities found, 8 critical
  • 820+ malicious skills on ClawHub (7.6% of total)
  • ClawJacked flaw: websites can hijack your local agent via WebSocket
  • No built-in access controls, audit logging, or encryption at rest
  • Fine for personal experimentation with precautions
  • Not ready for business environments with sensitive data

The 512 vulnerabilities

After OpenClaw's viral surge in January 2026, multiple security firms conducted independent audits. The combined findings: 512 distinct vulnerabilities across the codebase, gateway API, skill system, and messaging integrations.

Severity   Count   Key issues
Critical   8       Unauthenticated WebSocket (ClawJacked), skill code execution without sandboxing, API key exposure in logs
High       47      Path traversal in file skills, SSRF in web scraper, insufficient input validation on Gateway endpoints
Medium     189     Insecure default configurations, missing rate limiting, verbose error messages leaking internals
Low        268     Dependency vulnerabilities, missing security headers, informational disclosures

Security vendors (CrowdStrike, Kaspersky, Trend Micro, Cisco, Malwarebytes) and trade press (Dark Reading, The Hacker News) all published analyses. The overall assessment: OpenClaw is innovative but was built for functionality first, with security bolted on later.

ClawJacked: the critical WebSocket flaw

The most dangerous vulnerability is called ClawJacked. Here's how it works:

1. OpenClaw runs a local WebSocket server

When the Gateway starts, it opens a WebSocket listener on localhost (typically port 18789) to receive commands from connected channels and the web UI.

2. The WebSocket has no authentication

Any process on your machine, and any webpage you visit, can connect to this WebSocket. There's no token, no origin check, no authentication of any kind. The browser's same-origin policy does not help here: a page is allowed to open a WebSocket to any host, localhost included, and it is the server's job to inspect the Origin header the browser attaches and refuse pages it doesn't recognise. OpenClaw's Gateway never looked.

3. A malicious website sends commands

You visit a compromised or malicious webpage. JavaScript on that page connects to ws://localhost:18789 and sends commands to your OpenClaw agent.

4. Your agent executes them

The agent receives the commands and executes them with the same permissions as the user running OpenClaw: reading files, running shell commands, exfiltrating data.

This is a textbook localhost attack vector. It's not theoretical — security researchers demonstrated working exploits. The fix is conceptually simple (add authentication to the WebSocket) but wasn't in place at launch.

820+ malicious skills on ClawHub

ClawHub is OpenClaw's skill marketplace — think of it like an app store for agent capabilities. As of February 2026, it hosted 10,700+ skills. Security researchers found that 820+ of them (roughly 7.6%) were malicious.

Data exfiltration

Skills that silently send your files, API keys, or conversation history to external servers. Often disguised as legitimate utilities like "file organizer" or "backup manager".

Backdoor installation

Skills that create persistent access to your machine — adding SSH keys, opening reverse shells, or installing secondary payloads.

Credential harvesting

Skills that scan your filesystem for .env files, browser cookies, SSH keys, and cloud credentials, then exfiltrate them.

Cryptomining

Skills that use your CPU/GPU for cryptocurrency mining while appearing to perform legitimate tasks.

The root problem: ClawHub had minimal vetting when it launched. Skills are essentially code that runs with the same permissions as your OpenClaw process — which typically has full user-level access to your machine. There's no sandboxing, no permission model, and no code review requirement.

What's missing for business environments

Beyond the specific vulnerabilities, OpenClaw lacks several fundamental security features that business environments require:

Security feature            Status          Why it matters
Multi-user access control   Not available   Can't restrict which employees use which capabilities
Audit logging               Not available   No record of what the agent did, when, or who asked it to
Encryption at rest          Not available   Conversation history and cached data stored in plaintext
Skill sandboxing            Not available   Skills run with full user permissions; no isolation
Rate limiting               Minimal         No protection against runaway API costs or resource abuse
SSO / SAML integration      Not available   Can't integrate with corporate identity providers
Data retention policies     Not available   No automatic purging of sensitive data
Compliance certifications   None            No SOC 2, HIPAA, or GDPR compliance

How to use OpenClaw safely (if you still want to)

OpenClaw is a genuinely impressive piece of technology. If you want to experiment with it, here's how to minimize risk:

Run it in a container or VM

A VM gives the strongest isolation; a container is lighter and adequate for experimentation if you run it as a non-root user, drop capabilities, and don't mount your home directory or any volume holding secrets. If the agent is compromised, the blast radius is then limited to the container. One caveat: the isolation covers the filesystem, not the control channel. If you forward the Gateway port to the host's localhost, a page in the host browser can still reach the WebSocket, so keep the port reachable only from inside the container or VM.

Use a dedicated API key with spending limits

Create a separate API key for OpenClaw with a hard spending cap. If a malicious skill starts burning through your API budget, the damage is capped.

Only install verified skills

Stick to skills with significant GitHub stars, known maintainers, and community reviews. Avoid anything published in the last few days with few users.

Don't give it access to credentials

Keep .env files, SSH keys, cloud credentials, and browser profiles outside the directories OpenClaw can access. Use a separate user account if possible.

Disable the WebSocket when browsing

Until the ClawJacked vulnerability is properly patched, stop the Gateway when browsing untrusted websites. Moving the listener to a non-standard port is obscurity only: a page can probe localhost ports in a loop, and a host firewall cannot tell your browser apart from OpenClaw's own web UI, since both connect from 127.0.0.1. The real fix is a Gateway that requires a token and checks the Origin header of every WebSocket handshake.

Monitor outbound network traffic

Watch for unexpected outbound connections. Little Snitch (macOS) prompts per connection and shows which process opened it. On Linux, ufw only logs what it blocks, so a default-allow outgoing policy will show you nothing: set a default-deny outgoing policy with explicit allow rules for the model API and turn logging on, so that anything else a skill tries is blocked and logged rather than silently allowed.

Keep it updated

The OpenClaw foundation is actively patching vulnerabilities. Run the latest version and subscribe to their security advisories.

The bigger picture: agentic AI security is unsolved

OpenClaw's security issues aren't unique — they're symptoms of a fundamental challenge with agentic AI. When you give an AI model the ability to take real-world actions (run commands, access files, call APIs), you're creating a new attack surface that traditional security models weren't designed for.

The questions OpenClaw raises are the same ones every business will face as AI agents become mainstream:

  • How do you sandbox an agent that needs system access to be useful?
  • How do you vet third-party skills/plugins when anyone can publish them?
  • How do you audit what an autonomous agent did and why?
  • How do you prevent prompt injection from turning your agent against you?
  • How do you set boundaries on what an agent can do without crippling it?

These aren't theoretical questions anymore. With 84,000+ OpenClaw installs and 770,000 agents spawned in a single week, they're urgent ones.

Need secure AI agents for your business?

We build enterprise-grade AI agents with proper access controls, audit logging, skill sandboxing, and compliance. Same autonomous capabilities as OpenClaw, but built for environments where security isn't optional.

Frequently Asked Questions

How many vulnerabilities does OpenClaw have?
Independent audits by several security firms identified a combined 512 vulnerabilities in OpenClaw, including 8 rated critical. The critical issues include unauthenticated WebSocket access (ClawJacked), inadequate skill sandboxing, and weak input validation on the Gateway API.

What is the ClawJacked vulnerability?
ClawJacked is a flaw that allows malicious websites to hijack a local OpenClaw agent through its WebSocket connection. If you visit a compromised webpage while OpenClaw is running, the site can send commands to your agent, potentially reading files, running commands, or exfiltrating data from your machine.

Are ClawHub skills safe to install?
Not all of them. Security researchers found 820+ malicious skills out of 10,700 total on ClawHub, a roughly 7.6% malicious rate. Malicious skills can exfiltrate data, install backdoors, or abuse system permissions. Only install skills from verified publishers with significant community usage.

Is OpenClaw safe for business use?
In its current state, OpenClaw is not recommended for environments with sensitive data, client information, or compliance requirements. It lacks multi-user access controls, audit logging, and encryption at rest, and has unresolved critical vulnerabilities. For business AI agents, purpose-built solutions with enterprise security are more appropriate.

Can I use OpenClaw safely for personal use?
Yes, with precautions: run it on a non-critical machine or in a VM/container, avoid installing unverified skills, keep it updated, use a dedicated API key with spending limits, and don't give it access to sensitive files or credentials. Stop the WebSocket listener when browsing untrusted sites.