OpenClaw Security: How to Harden Your AI Agent
SecurityScorecard's STRIKE team found over 135,000 OpenClaw instances across 82 countries running with their Gateway port exposed to all network interfaces. Earlier versions of OpenClaw defaulted to binding the Gateway on 0.0.0.0 (all interfaces). Current versions (v2026.4.x+) default to 127.0.0.1 (loopback only). Always verify your Gateway bind address in openclaw.config.json and restrict to loopback or a specific interface in production. A misconfigured instance that binds to all interfaces means anyone on your network can talk to your agent. OpenClaw grants access to your terminal, filesystem, and root-level execution paths. A misconfigured instance doesn't just leak data; it hands attackers an AI-powered backdoor into your machine.
This guide covers the full attack surface: multiple patched CVEs (including three critical CVSS 9.9), the ClawHub supply chain problem documented by Koi Security, Bitdefender, Snyk, VirusTotal, and Cisco, credential storage risks, prompt injection mechanics, and a 10-step hardening checklist sourced directly from OpenClaw's own security documentation.
The Real Risk: 135,000 Exposed Instances
OpenClaw crossed 369,000 GitHub stars (at the time of the CrowdStrike security report) as security researchers were already examining it - rapid growth that created a large attack surface before the community had time to establish hardening norms. Bitsight independently confirmed over 30,000 instances in the same window. By late March 2026, a Censys scan still found 63,070 live instances. This isn't a worst-case scenario; it's a snapshot of the actual internet.
Earlier versions of OpenClaw defaulted to binding the Gateway on 0.0.0.0:18789, exposing it to every network interface - LAN, WiFi, VPN, and any publicly routable IP your machine has. Current versions (v2026.4.x+) default to 127.0.0.1 (loopback only). Always verify your Gateway bind address in openclaw.config.json and restrict to loopback or a specific interface in production. Changing this single setting eliminates the primary remote attack vector without changing how the agent functions for you locally.
Known Vulnerabilities: Critical CVEs (All Patched)
CVE-2026-25253 - CVSS 8.8 (High)
Status: Patched in version 2026.1.29. A malicious web page could exploit OpenClaw's Gateway WebSocket connection to leak the auth token, then use that token to execute arbitrary commands on the host machine. CVSS 8.8 is High severity - not the absolute ceiling, but serious enough that the time to patch was immediate on discovery. If you're on any version before 2026.1.29, this vulnerability is present on your system.
Localhost Trust Flaw (March 2026)
Status: Patched in version 2026.2.25. OpenClaw failed to distinguish trusted local applications from malicious websites. JavaScript running in a browser could open a WebSocket to the Gateway, brute-force the password, and register malicious scripts - all without any user action beyond visiting a webpage. The fix requires strict origin allow-listing and rate limiting on the Gateway endpoint.
Both vulnerabilities center on the same attack surface: the Gateway WebSocket. Binding to loopback (below) addresses this at the network layer, independently of version patching - but you need both controls in place.
CVE-2026-32922 - CVSS 9.9 (Critical)
Status: Patched in version 2026.3.11. A privilege escalation vulnerability where the device token rotation failed to constrain new token scopes to the caller's existing scope set. This allowed an attacker to gain full system access through self-escalation. CVSS 9.9 is Critical severity - the highest-impact CVE disclosed against OpenClaw to date. No confirmed public proof-of-concept at time of disclosure. Update to v2026.3.11 or later to patch this vulnerability.
CVE-2026-28363 - CVSS 9.9 (Critical)
Status: Patched in version 2026.3.1. A remote code execution vulnerability via crafted skill manifest. An attacker could submit a specially constructed skill manifest to the ClawHub registry that, when parsed by the OpenClaw runtime, executed arbitrary code on the host machine. CVSS 9.9 is Critical severity. Mitigation: Update to v2026.3.1 or later and enable mandatory skill signing in your configuration.
Beyond these four highlighted CVEs, OpenClaw has disclosed 60+ CVEs and GHSAs across multiple waves as of April 2026. The latest stable version is v2026.4.2. Running outdated versions should be treated as exposed attack surface, not a low-priority update.
The ClawHub Supply Chain Problem
ClawHub is OpenClaw's skill marketplace. It has no code signing, no mandatory security review, and no default sandboxing. Skills are executable code that runs with the same permissions as the OpenClaw process - in many deployments, that's full user-level or root access.
Four independent security organizations audited ClawHub and found consistent results across different methodologies:
| Auditor | Scope | Finding |
|---|---|---|
| Koi Security | 2,857 skills scanned | 341 malicious entries (~12%) - ClawHavoc campaign distributed AMOS infostealer |
| Bitdefender | Full registry scan | ~20% of packages flagged; one skill opened a reverse shell to attacker server |
| Snyk | Full registry analysis | 36% contain security flaws; 1,467 vulnerable skills; 76 confirmed malicious payloads |
| VirusTotal | 3,016+ skills analyzed | 820+ showing malicious characteristics; single publisher 'hightower6eu' uploaded 314+ malicious skills |
| Cisco | Top-ranked community skill audit | 9 security vulnerabilities (2 critical) in top-ranked skill - data exfiltration + prompt injection |
The Koi Security audit identified a campaign called ClawHavoc, in which attackers used professional-looking names like solana-wallet-tracker and youtube-summarize-pro - with fake documentation - to distribute the AMOS (Atomic macOS) infostealer. The Cisco finding is particularly notable: the top-ranked community skill at the time of audit had 9 security vulnerabilities including data exfiltration and prompt injection built in.
Treat every ClawHub skill as executable supply chain code. The name, documentation, and download count tell you nothing about what the code actually does.
Credential Risks: Your ~/.openclaw/ Directory
OpenClaw stores API keys, OAuth tokens, WhatsApp credentials, and Telegram credentials in ~/.openclaw/ as plaintext Markdown and JSON files. This is the default storage location for all channel integrations - not an obscure edge case.
RedLine and Lumma, two of the most active credential-stealing malware families, have already added targeting rules for this directory structure. If any process on your machine has read access to your home directory, those credentials are one infostealer infection away from exfiltration.
Bitdefender telemetry shows employees deploying OpenClaw on work machines as "Shadow AI" - unmonitored, high-privilege entry points that corporate security teams have no visibility into. The fix: use OAuth where possible instead of long-lived API keys, and move remaining credentials to your system keychain or a secrets manager.
Prompt Injection: Two Attack Vectors
Prompt injection is the attack category where malicious instructions get mixed into the data your agent processes, causing it to take actions the user never authorized.
Direct injection: An attacker submits malicious instructions directly to your exposed agent, forcing it to leak data or take unauthorized system actions. This requires the attacker to reach your agent - which is why network hardening matters so much.
Indirect injection: Malicious instructions are embedded in content your agent fetches from external sources - emails, websites, support tickets, social media posts. The agent ingests the content and executes the embedded instructions without any user intervention.
CrowdStrike documented a concrete indirect injection demonstration: an attacker posted hidden prompt instructions in a public Discord channel. When an OpenClaw agent with Discord integration processed that channel, it exfiltrated private #moderators conversations to the public channel. A separate incident involved an injection attempt embedded in a public Moltbook post designed to drain crypto wallets connected to the agent.
CrowdStrike Falcon AIDR, tested as a validation layer, analyzed prompts before agent execution and blocked the Discord injection attack in controlled testing. This is validated test data from a controlled environment, not a claim of field-wide deployment at scale.
Network Hardening: Close the Front Door
The single highest-impact hardening step is changing where OpenClaw's Gateway binds.
# Legacy default (pre-v2026.4.x) - exposes Gateway to all interfaces
gateway.bind: '0.0.0.0'
gateway.port: 18789
# Hardened - loopback only
gateway.bind: 'loopback'
gateway.port: 18789Binding to loopback means only processes running on the same machine can connect to the Gateway. Remote access requires routing through an SSH tunnel or a Zero Trust Network Access tool like Tailscale. This eliminates the primary attack vector that the WebSocket-based CVEs exploited.
Access Controls: Minimal Permissions, Minimal Risk
Each capability you enable - filesystem access, shell execution, browser automation, database connections - is an attack surface that prompt injection or a malicious skill can reach. The least-privilege rule: only enable the tools your specific use case actually requires.
Keep DM pairing enabled for all channels. Only approve known users via pairing codes. Separate personal and company workspaces so a compromised personal channel has no path into business systems. Do not run OpenClaw on corporate devices without IT approval - the Bitdefender telemetry on Shadow AI deployments shows how widespread and invisible this risk has become.
Enterprise Hardening: NemoClaw
For teams running OpenClaw in production or at scale, NVIDIA NemoClaw adds a four-layer sandbox:
- Network layer - Blocks unauthorized egress. All outbound connections must be explicitly listed in a declarative YAML policy file, hot-reloadable at runtime.
- Filesystem layer - Sandboxed file access. The agent can only read and write within defined boundaries.
- Process layer - Landlock and seccomp system call filtering blocks privilege escalation attempts.
- Inference layer - Reroutes API calls to controlled backends, preventing the agent from calling arbitrary external endpoints.
CrowdStrike Falcon Next-Gen SIEM provides visibility into OpenClaw deployments via a DNS monitoring dashboard - giving security teams a view of what domains the agent contacts, which skills are installed, and what tool calls are being made. Human-in-the-Loop (HITL) approval gates for high-impact actions (database writes, financial transactions, infrastructure changes) remain the most effective control against prompt injection attacks that slip past detection layers.
Compliance Considerations
OpenClaw's default configuration creates compliance exposure in regulated environments. Plaintext credential storage in ~/.openclaw/ violates secrets management requirements under SOC 2 Type II and PCI-DSS. No audit logging by default means there's no record of what tool calls the agent made - a gap for GDPR data access logs and HIPAA audit trails. Shadow AI deployment on corporate devices creates data residency and processing consent issues under GDPR and CCPA.
NemoClaw's network egress policy-as-code and CrowdStrike Falcon's DNS visibility dashboard directly address the audit logging gap. For SOC 2 environments, combining NemoClaw policy files with Falcon SIEM logging provides the evidentiary trail compliance auditors require.
Security Event Timeline
Key Security Limitations
~/.openclaw/ as plaintext files. RedLine and Lumma infostealers already target this directory. Move credentials to system keychain or secrets manager.loopback before first use.The Hardening Checklist
Ten steps sourced from OpenClaw's security documentation and independent audit findings. Work through them top to bottom - the highest-impact items are first.
gateway.bind: 'loopback'. Access remotely via SSH tunnel or Tailscale. Never expose port 18789 publicly.curl | bash from skill documentation.~/.openclaw/.OpenClaw config auto-reloads on file change; no restart is required for most configuration updates. However, a full restart is needed for Gateway port changes. After changing gateway.bind to 'loopback', verify with netstat -an | grep 18789. If it still shows 0.0.0.0, restart the Gateway process.
Disable the skill immediately. Review the skill's source code - look for encoded payloads, base64 strings, or curl calls to external domains. If you find evidence of data transmission, rotate all API keys and OAuth tokens stored in ~/.openclaw/credentials/, then audit connected account activity. Report the skill to OpenClaw's security team.
This is indirect prompt injection. Identify the injected instruction payload and the channel it came through. Short-term: disable the affected channel integration. Long-term: implement human-in-the-loop approval gates for high-impact actions. CrowdStrike Falcon AIDR can be deployed as a prompt validation layer.
If before v2026.1.29: CVE-2026-25253 (CVSS 8.8, WebSocket RCE). Before v2026.2.25: localhost trust flaw. Before v2026.3.1: CVE-2026-28363 (CVSS 9.9, RCE via skill manifest). Before v2026.3.11: CVE-2026-32922 (CVSS 9.9, privilege escalation). Update to v2026.4.2 and set gateway.bind: 'loopback'.
Who This Guide Is For
Yes - if properly configured. All known CVEs are patched. The default configuration is not secure; the hardened configuration is. Start with loopback binding and version update, then work through the full checklist.
If you're running version 2026.4.2 (latest stable as of April 2026), all known CVEs are patched. Check your version before assuming you're current.
Rankings reflect community activity, not security review. The Cisco audit found 9 security vulnerabilities (2 critical) in the top-ranked community skill. Treat all third-party skills as untrusted code.
Stop and talk to your IT security team. Document installed skills, stored credentials in ~/.openclaw/, and connected channels.
NemoClaw is designed for enterprise and production deployments. Check the GitHub reference stack for compatibility requirements.