
Is OpenClaw Safe? Complete Security Guide (2026)

OpenClaw has 187K GitHub stars and millions of users. It also has critical vulnerabilities, malicious plugins, and 135K exposed instances. Here is what you need to know before installing it.

February 11, 2026 · 14 min read · By Espen

OpenClaw has significant security risks that you need to understand before installing it. In January 2026, researchers disclosed CVE-2026-25253, a critical remote code execution vulnerability that let attackers take full control of exposed OpenClaw instances through WebSocket hijacking. Security firms found over 135,000 OpenClaw installations exposed to the public internet across 82 countries. And 341 malicious skills were discovered on ClawHub, OpenClaw's community marketplace, including one that deployed the Atomic Stealer malware on macOS systems.

That does not mean you cannot use OpenClaw safely. But it does mean you need to understand the risks, apply the right configuration, and take ongoing responsibility for your own security. This guide covers every known vulnerability, who is sounding the alarm, and exactly how to lock down your installation.

The Security Track Record

OpenClaw's security history is concerning. Here is a timeline of the major incidents:

Date | Incident | Severity
January 2026 | CVE-2026-25253: Remote code execution via WebSocket hijacking | CVSS 8.8 (Critical)
January 2026 | 135,000+ exposed instances discovered across 82 countries | High
December 2025 | ClawHavoc campaign: 341 malicious skills found on ClawHub | High
November 2025 | Cleartext credential storage vulnerability in default config | Medium
October 2025 | Multiple enterprise bans (Naver, Kakao, Karrot in South Korea) | N/A

OpenClaw is not inherently malicious. It is a powerful open-source tool with a massive community. But its self-hosted architecture means every user is their own security team, and most users are not security professionals.

How OpenClaw Security Works

Before diving into the vulnerabilities, it helps to understand OpenClaw's security model.

OpenClaw is local-first. It runs on your machine (or your server), processes everything locally, and stores data on your filesystem. The only external connections it makes are API calls to your configured AI providers (OpenAI, Anthropic, Google, etc.).

In theory, this is good for privacy. Your conversations, files, and data stay on your hardware. No third party sees your messages or tasks.

In practice, this means:

The core tension: OpenClaw gives you full control and full responsibility. That is great if you are a security-conscious engineer. It is dangerous if you followed a YouTube tutorial and have not thought about firewall rules.

Known Vulnerabilities

CVE-2026-25253: Remote Code Execution via WebSocket Hijacking

CVE-2026-25253 -- Critical (CVSS 8.8)

Discovered: January 2026

Patched: OpenClaw v2026.1.29

Attack vector: Network-accessible WebSocket gateway

Impact: Full remote code execution on the host machine

This is the most serious OpenClaw vulnerability to date. The OpenClaw gateway (the component that connects messaging platforms to the AI engine) uses WebSocket connections for real-time communication. Researchers found that the authentication check on WebSocket upgrade requests could be bypassed with a crafted handshake.

In plain language: if your OpenClaw gateway was accessible from the internet, an attacker could connect to it, skip the login, and run any command on your machine. One click. Full access. No password needed.

The vulnerability was patched in version 2026.1.29, released within 48 hours of disclosure. But here is the problem: thousands of users are still running older versions.

Action required: If you are running any OpenClaw version before 2026.1.29, update immediately. Run openclaw --version to check. This is not optional.

ClawHub Malware: 341 Malicious Skills

ClawHub is OpenClaw's community marketplace where users publish and install "skills" -- plugins that extend OpenClaw's capabilities. In December 2025, security researchers from CrowdStrike identified 341 malicious skills disguised as legitimate utilities (Source: CrowdStrike Threat Intelligence, December 2025).

The most notable was the "ClawHavoc" campaign. It worked like this:

  1. Attackers published skills with appealing names like "Smart Email Pro," "Calendar Sync Plus," and "Weather Premium"
  2. The skills worked as advertised -- they actually provided the promised functionality
  3. Hidden in the code was a payload that downloaded and executed the Atomic Stealer malware on macOS systems
  4. Atomic Stealer exfiltrated browser passwords, cryptocurrency wallet keys, SSH keys, and saved credentials

The skills looked legitimate. They had positive reviews (likely from fake accounts). They passed basic code review. The malicious payload was obfuscated and only triggered after a 72-hour delay, making it harder to connect the infection to the skill installation.

Before installing any ClawHub skill: Check the author's profile and history. Read the source code (skills are open source). Look for recent reviews from established accounts. Run the skill through openclaw skill audit <skill-name> before installing. Never install skills with fewer than 100 downloads and less than 3 months of history.

135,000+ Exposed Instances

In January 2026, researchers at Cisco Talos performed a global scan and found over 135,000 OpenClaw instances with their gateway ports exposed to the public internet (Source: Cisco Talos Intelligence, January 2026). These were spread across 82 countries, with the highest concentrations in the United States, Germany, China, South Korea, and Brazil.

Many of these instances were running with:

An exposed OpenClaw instance with default credentials is essentially an open door to everything it is connected to: your messages, your email, your API keys, and your filesystem.

Cleartext Credential Storage

By default, OpenClaw stores API keys and messaging platform tokens in its configuration file at ~/.openclaw/config.yaml. The file has 600 permissions (only the owner can read/write), which is the correct Unix practice.

However, the credentials are stored in cleartext. There is no encryption at rest. If an attacker gains read access to your filesystem (through a separate vulnerability, social engineering, or physical access), every API key and token is immediately visible.

OpenClaw added optional encrypted credential storage in v2025.11, but it is not enabled by default. Most users never turn it on.

Who's Sounding the Alarm

The warnings about OpenClaw's security are not coming from random bloggers. Major cybersecurity firms and AI researchers have flagged concerns:

When Cisco, CrowdStrike, Kaspersky, Trend Micro, CyberArk, and Snyk all flag the same product, that is a signal worth paying attention to.

Enterprise Bans

Several organizations have explicitly banned OpenClaw from corporate environments:

Organization | Action | Stated Reason
Naver (South Korea) | Banned from all corporate devices | Data leakage and uncontrolled API key exposure
Kakao (South Korea) | Banned from corporate networks | Messaging account compromise risk
Karrot (South Korea) | Banned from all employee devices | Credential theft via malicious skills
Google Cloud VP (US) | Internal warning memo to teams | "Unacceptable attack surface for corporate messaging"
China CNCERT | National security advisory | Flagged as potential data exfiltration vector

The South Korean tech industry was particularly aggressive. Naver, Kakao, and Karrot all issued bans within the same two-week period in October 2025, after internal audits found employees had connected corporate messaging accounts to personal OpenClaw instances (via Korean tech press reports, October 2025).

Google Cloud's VP of Infrastructure Security issued an internal warning that OpenClaw creates an "unacceptable attack surface" when connected to corporate messaging platforms, particularly Slack and email (via Google internal memo, reported by The Register).

How to Secure Your OpenClaw Installation

If you still want to use OpenClaw (and many people do -- it is genuinely useful), here is how to minimize your risk. Follow every step.

1. Run the Security Audit

OpenClaw includes a built-in security audit tool. Run it first:

openclaw security audit --fix

This scans your installation for known misconfigurations and fixes what it can automatically. It checks file permissions, gateway exposure, credential storage, and installed skill integrity. Always run this after installation and after every update.

2. Keep Behind a Firewall (Loopback Only)

The single most important security step. Bind the gateway to localhost only:

# In ~/.openclaw/config.yaml
gateway:
  host: "127.0.0.1"    # NEVER use "0.0.0.0"
  port: 3456
  ssl: true

This ensures the OpenClaw gateway only accepts connections from your own machine. It cannot be reached from the internet, your local network, or any other device. If you need remote access, use a VPN or SSH tunnel -- never expose the gateway port directly.
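
To confirm the binding took effect, check what the gateway port is actually listening on. The script below is an added example, not part of OpenClaw or the original guide; it assumes a Linux host where `ss -ltn` is available, uses port 3456 from the config above, and runs against constructed sample output.

```shell
#!/bin/sh
# Added example, not OpenClaw tooling. Input is `ss -ltn` output (Linux).
GATEWAY_PORT=3456   # gateway port from the config above

# Print every non-loopback local address listening on port $1 (stdin: ss -ltn).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != port) next         # port follows the last colon
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", host)          # strip IPv6 brackets
            sub(/%.*/, "", host)               # strip scope suffix such as %lo
            if (host ~ /^127\./ || host == "::1") next
            print host
        }'
}

# Exit status 0 when nothing on the port is reachable beyond loopback.
check_gateway() {
    exposed=$(exposed_listeners "$1")
    if [ -n "$exposed" ]; then
        echo "EXPOSED: port $1 listens on: $(echo "$exposed" | tr '\n' ' ')"
        return 1
    fi
    echo "OK: port $1 is loopback-only or not listening"
}

# Constructed sample: the 0.0.0.0:3456 line is what host: "0.0.0.0" produces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:3456      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:3456      0.0.0.0:*
LISTEN 0      128            [::1]:3456         [::]:*'

printf '%s\n' "$SAMPLE_SS" | check_gateway "$GATEWAY_PORT" ||
    echo '-> set gateway.host to "127.0.0.1" and restart'
# On a live Linux host: ss -ltn | check_gateway 3456
```
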

3. Use Docker Containerization

Run OpenClaw in a Docker container to limit what it can access on your system:

docker run -d \
  --name openclaw \
  --network host \
  --read-only \
  -v openclaw-data:/data \
  -v openclaw-config:/config:ro \
  --security-opt no-new-privileges \
  --cap-drop ALL \
  openclaw/openclaw:latest

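Docker containerization means that even if OpenClaw is compromised, the attacker is trapped inside the container. They cannot access your host filesystem, other applications, or network services beyond what you explicitly allow. Note that --network host in the command above is one such allowance: it shares the host's network stack with the container, so this setup isolates the filesystem and privileges but not the network.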

4. Vet ClawHub Skills Before Installing

Never blindly install skills from ClawHub. Follow this checklist:

5. Use Strong Gateway Authentication

Change the default gateway password immediately. Use a strong, unique password:

# In ~/.openclaw/config.yaml
gateway:
  auth:
    method: "token"
    token: "your-long-random-token-here"  # Use: openssl rand -hex 32
    rate_limit: 10   # requests per second
    lockout_after: 5  # failed attempts

Never use the default credentials. Never use a simple password. Generate a random token with openssl rand -hex 32 and store it in your password manager.

6. Monitor API Key Usage

Set up usage alerts on every API key you connect to OpenClaw:

If a compromised OpenClaw instance is using your API keys, you will see unexpected usage spikes. Alerts let you catch this quickly and revoke the keys before costs escalate.

7. Enable Encrypted Credential Storage

Turn on the optional credential encryption:

openclaw config set credentials.encryption enabled
openclaw config set credentials.encryption_key "$(openssl rand -hex 32)"

This encrypts your API keys and messaging tokens at rest. Even if an attacker reads your config file, the credentials are encrypted.

8. Keep Updated

OpenClaw does not auto-update. Set a reminder to check weekly:

openclaw update check
openclaw update apply

Security patches are released frequently. The CVE-2026-25253 fix was shipped within 48 hours of disclosure, but users who did not update remained vulnerable for weeks.
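
For the version check in the CVE-2026-25253 section and the update routine above, the comparison has to be numeric per field: as plain strings, 2026.1.9 sorts after 2026.1.29. The script below is an added example, not part of OpenClaw or the original guide; the host names and inventory are constructed, and it assumes version strings in the 2026.1.29 / v2026.1.29 form used on this page.

```shell
#!/bin/sh
# Added example, not OpenClaw tooling. Assumes versions look like 2026.1.29
# or v2026.1.29, the two spellings used on this page.
FIXED_IN="2026.1.29"   # release that patched CVE-2026-25253, per the page

# Return 0 if version $1 is strictly older than version $2.
version_lt() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = x[i] + 0; yi = y[i] + 0    # numeric; missing fields are 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1                              # equal versions are not older
    }' </dev/null
}

# Read "host version" lines on stdin; print the hosts still below FIXED_IN.
unpatched_hosts() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        if version_lt "$ver" "$FIXED_IN"; then
            echo "$host $ver"
        fi
    done
}

# Constructed inventory (hypothetical host names).
SAMPLE_INVENTORY='laptop-01 2026.1.9
nas-02 v2026.1.29
vps-03 2025.12.30
pi-04 2026.2.3'

printf '%s\n' "$SAMPLE_INVENTORY" | unpatched_hosts
```
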

Minimum security checklist

At the absolute minimum, do these three things: (1) bind to 127.0.0.1 only, (2) change the default credentials, and (3) update to the latest version. These three steps eliminate the vast majority of real-world attacks against OpenClaw.

Should You Use OpenClaw?

It depends on your risk tolerance and technical ability. Here is a framework:

Your Profile | Recommendation
You understand firewalls, Docker, and credential management | Go for it. Follow the hardening steps above.
You followed a YouTube tutorial and that is the extent of your server experience | Use extreme caution. Consider managed hosting instead.
You want to connect corporate messaging accounts | Do not use OpenClaw. The risk to your organization is too high.
You want a coding agent specifically | Use Claude Code instead. Better security, built for coding.
You want personal automation with minimal security hassle | Consider NanoClaw or managed OpenClaw hosting.

OpenClaw is a powerful tool. But power without security is a liability. Be honest about your technical ability before committing.

Safer Alternatives

NanoClaw

NanoClaw is a fork of OpenClaw designed specifically for security. It runs every skill in an isolated container, restricts filesystem access by default, encrypts all credentials at rest, and enforces loopback-only gateway binding out of the box. It sacrifices some of OpenClaw's flexibility for a significantly smaller attack surface.

The trade-off: fewer ClawHub skills are compatible, and advanced integrations may require more configuration. But for most personal automation use cases, NanoClaw provides 90% of OpenClaw's functionality with a fraction of the risk.

Managed OpenClaw Hosting

Several providers now offer managed OpenClaw hosting with security hardening included. These services handle updates, firewall configuration, credential encryption, and monitoring for you. Typical pricing runs $15-30/month.

You lose the "self-hosted" benefit (your data lives on their servers), but you gain professional security management. For users who are not comfortable managing their own server security, this is the pragmatic choice.

Claude Code (For Coding Tasks)

If your primary need is software development and coding automation, Claude Code is a fundamentally safer option. It runs in a sandboxed environment with granular permission controls, never stores your credentials, and is managed by Anthropic's security team. It does not do messaging or personal automation, but for coding work, it is the more secure choice.

FAQ

Is OpenClaw safe to use?

OpenClaw has significant security risks including a critical RCE vulnerability (CVE-2026-25253), 135,000+ exposed instances, and malicious ClawHub skills. It can be made safer with proper configuration (firewall, Docker, credential encryption), but it requires technical security knowledge to run safely.

What is CVE-2026-25253 in OpenClaw?

CVE-2026-25253 is a critical remote code execution vulnerability (CVSS 8.8) that allows attackers to execute arbitrary code on your machine via WebSocket hijacking when the OpenClaw gateway is exposed to the internet. It was patched in version 2026.1.29. Update immediately if you have not already.

Has OpenClaw been hacked?

Yes. The ClawHavoc campaign used 341 malicious ClawHub skills to deploy the Atomic Stealer malware on macOS systems, stealing browser passwords, cryptocurrency wallets, and SSH keys. Additionally, 135,000+ instances were found exposed with default credentials across 82 countries.

How do I secure my OpenClaw installation?

Run openclaw security audit --fix, bind the gateway to 127.0.0.1 only, use Docker containerization, vet all ClawHub skills before installing, use strong gateway authentication, enable encrypted credential storage, monitor API key usage, and keep the software updated.

What are safer alternatives to OpenClaw?

NanoClaw offers container-isolated execution with strict sandboxing. Managed OpenClaw hosting providers handle security hardening for you. For coding tasks specifically, Claude Code provides sandboxed execution with granular permissions out of the box.
