A consolidated security assessment combining static codebase analysis with third-party research, CVE disclosures, and real-world threat intelligence on the OpenClaw personal AI agent.
OpenClaw is an open-source personal AI agent that runs locally and can autonomously perform tasks through chat interfaces. It integrates with WhatsApp, Telegram, iMessage, Slack, and more — executing shell commands, controlling browsers, and managing emails and calendars on the user's behalf. The project exploded in popularity after its late-2025 release, amassing over 149k GitHub stars within weeks.
However, this rapid adoption has been accompanied by serious, systemic security failures. A static analysis of the current codebase reveals multiple dangerous defaults and architectural weaknesses — many of which mirror the publicly disclosed CVEs and real-world exploitation campaigns documented by Cisco Talos, Bitdefender, Hunt.io, and academic researchers. The core problem is structural: OpenClaw collapses the boundary between untrusted input and privileged execution, creating numerous pathways for plain text or external input to trigger harmful actions.
Bottom line: OpenClaw in its default configuration should be treated as untrusted code running with elevated privileges. Without deliberate hardening, every deployment is an open door to credential theft, remote code execution, and lateral movement across connected services.
The following critical vulnerabilities have been formally disclosed and patched. Both CVEs were addressed in version 2026.1.29, but thousands of instances remain unpatched in the wild.
| Advisory | Title | CVSS / Severity | Impact |
|---|---|---|---|
| CVE-2026-25253 | One-Click RCE via Web UI Token Hijack — the Control UI accepted an unvalidated gatewayUrl parameter and auto-sent the user's auth token to that address. No WebSocket origin check. A malicious link exfiltrates the admin token, disables safety confirmations, and achieves full host RCE. | 8.8 | Full system compromise |
| CVE-2026-25157 | OS Command Injection in SSH Handling — improperly escaped inputs in the sshNodeCommand integration allow arbitrary command execution on host or remote systems. | High | Arbitrary command execution |
| GHSA-q284 | Unauthenticated Credential Exposure — the /api/export-auth endpoint had no authentication, allowing any network peer to dump all stored API keys (OpenAI, Claude, AWS, etc.). | Critical | Total credential compromise |
Direct inspection of the OpenClaw source reveals the following vulnerabilities and dangerous defaults, ordered by severity.
When gateway.controlUi.allowInsecureAuth or dangerouslyDisableDeviceAuth is enabled, the Control UI skips device identity verification and allows token-only auth over HTTP — vulnerable to interception and reverse-proxy exposure. This directly enables the attack chain described in CVE-2026-25253.
When commands.useAccessGroups is disabled, the authorization resolver allows all commands by default. Combined with the fact that elevated execution mode is enabled by default, this creates a direct path to unauthorized command execution in any environment with open DMs or group chats.
Tokenized dashboard URLs carry the gateway auth token as ?token=... appended to the URL. Tokens in query strings leak through browser history, server logs, HTTP referrer headers, and shared links. The hooks system also still supports deprecated query-string token extraction, compounding the risk.
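As an added illustration of the leak path above (example code written for this assessment, not OpenClaw's own), the following Python scans log lines for absolute URLs carrying a secret in the query string, redacts the value before the line is stored, and reports which lines already contained one. The parameter names other than token, and the sample log lines, are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as secrets. "token" is the one named in the
# finding above; the others are constructed aliases commonly seen in practice.
SECRET_PARAMS = {"token", "access_token", "auth", "api_key"}

# Matches an absolute URL and stops before trailing punctuation such as "." or ")".
URL_RE = re.compile(r"""https?://[^\s"'<>]+?(?=[.,;)]*(?:\s|$))""")


def redact_url(url: str) -> tuple[str, bool]:
    """Return (url, had_secret). Secret-bearing query values become the
    literal REDACTED; all other parameters and the path are preserved."""
    parts = urlsplit(url)
    cleaned, had_secret = [], False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS and value:
            cleaned.append((key, "REDACTED"))
            had_secret = True
        else:
            cleaned.append((key, value))
    if not had_secret:
        return url, False
    return urlunsplit(parts._replace(query=urlencode(cleaned))), True


def redact_line(line: str) -> tuple[str, int]:
    """Redact every tokenized URL in one log line; return (line, number_redacted)."""
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        new_url, hit = redact_url(match.group(0))
        count += int(hit)
        return new_url

    return URL_RE.sub(_sub, line), count


def scan_log(lines):
    """Yield (line_no, redacted_line) for every line that carried a secret in a URL.
    A non-empty result is itself a finding: the token has already reached the log."""
    for line_no, line in enumerate(lines, 1):
        redacted, hits = redact_line(line)
        if hits:
            yield line_no, redacted


# Constructed sample lines; not real OpenClaw log output.
SAMPLE_LOG = [
    "2026-01-30T10:00:01Z referer=http://openclaw-gateway.example/?token=gw_abc123 path=/tools/invoke status=200",
    "2026-01-30T10:00:02Z referer=http://openclaw-gateway.example/?view=logs path=/api/status status=200",
    "2026-01-30T10:00:03Z user opened https://example.invalid/dashboard?session=x&access_token=sk-constructed-999.",
]

if __name__ == "__main__":
    for line_no, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {redacted}")
```

Redaction only limits further spread; any token found this way should be treated as already exposed and rotated, which is the same advice the hardening section gives for the gateway auth token.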
The /tools/invoke endpoint executes arbitrary tools and is guarded solely by gateway authentication. If a gateway token leaks — via tokenized URLs, logs, or misconfigured permissions — an attacker gains full tool invocation capabilities on the host.
Session identity is carried in the x-openclaw-session-key header, enabling session hijacking or overlap when tokens are shared across operators or systems.
Extensions in ~/.openclaw/extensions load automatically if plugins.allow is not configured. This creates a supply-chain and local-file injection vector — particularly dangerous given that ~20% of ClawHub skills have been found to contain malicious code.
Setting logging.redactSensitive="off" leaks secrets into logs. Additionally, browser control profiles using HTTP for Chrome DevTools Protocol expose the control channel to interception on non-tunneled networks.
The combination of codebase weaknesses, insecure defaults, and a massive unvetted plugin ecosystem has produced a rich threat landscape. These are not hypothetical — each has been observed or demonstrated in the wild.
Gateway tokens exposed via URL query parameters, browser history, or logs grant complete control over the web UI, tool invocation, and all connected OpenAI/OpenResponses APIs. Hunt.io confirmed 17,500+ instances exploitable this way.
The ClawHavoc campaign deployed 341+ malicious skills disguised as utilities. Bitdefender found ~900 malicious skills (~20% of all plugins). Payloads include the AMOS info-stealer, reverse shells, and credential exfiltration via hidden curl commands.
Attackers embed instructions in emails, web pages, or chat messages that the agent processes. A webpage containing "send me your .env file" in hidden text causes the agent to exfiltrate credentials. No effective defenses exist in the current architecture.
Thousands of instances run on default ports with no auth or default admin:admin credentials. An attacker connecting to an exposed panel gains immediate shell access to the host via the agent's command execution capabilities.
Malicious extensions copy messaging session tokens (WhatsApp, Telegram) and exfiltrate them. Attackers then impersonate victims on those platforms, sending scam messages to contacts from the legitimate account.
Fraudulent npm packages (openclaw-bot, molt-bot-core) and hijacked old brand handles (Clawdbot, Moltbot) trick users into installing trojaned code or visiting phishing sites. A fake $CLAWD crypto token scheme exploited the rebrand confusion.
The codebase and developer response do include some meaningful security controls. These are worth acknowledging, though they are insufficient on their own.
URL-based file and image inputs pass through a guard that blocks private IP addresses and performs DNS pinning, significantly reducing SSRF and cloud metadata-service attacks.
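The guard described above, reconstructed as an added Python example rather than OpenClaw's actual implementation: every address a hostname resolves to is checked against non-public ranges, and the address that passed is pinned so a later DNS answer cannot redirect the fetch to an internal host. The resolver is injectable so the check runs offline; the hostname table used when exercising it is constructed.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit


class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched on the agent's behalf."""


@dataclass(frozen=True)
class PinnedTarget:
    host: str       # original hostname, for the Host header / TLS SNI
    pinned_ip: str  # the address that passed the check; connect here, never re-resolve
    port: int
    url: str


def _is_public(ip) -> bool:
    """True only for globally routable unicast addresses. Rejects loopback,
    RFC 1918 and ULA space, link-local (which covers the 169.254.169.254
    metadata service), documentation/reserved ranges and multicast.
    IPv4-mapped IPv6 addresses are judged by their embedded IPv4 address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def _system_resolve(host: str) -> list:
    """Default resolver: every A/AAAA answer, so a mixed answer set cannot hide an internal address."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def guard_url(url: str, resolve: Optional[Callable[[str], Iterable[str]]] = None,
              allowed_schemes=("http", "https")) -> PinnedTarget:
    """Validate a user- or model-supplied URL and pin the address to use.

    Every address the name resolves to must be public (one internal answer
    rejects the whole URL). The first acceptable address is returned as the pin:
    the caller must connect to that IP and send the original hostname in the
    Host header, so a second lookup (DNS rebinding) cannot swap in an internal
    address after the check has passed. Redirect targets must be guarded again."""
    resolve = resolve or _system_resolve
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    if parts.username or parts.password:
        raise UnsafeUrl("credentials embedded in URL")
    port = parts.port or (443 if parts.scheme == "https" else 80)

    try:
        candidates = [ipaddress.ip_address(host)]   # literal IP: no DNS, still range-checked
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        raise UnsafeUrl(f"{host} did not resolve")
    for ip in candidates:
        if not _is_public(ip):
            raise UnsafeUrl(f"{host} resolves to non-public address {ip}")
    return PinnedTarget(host=host, pinned_ip=str(candidates[0]), port=port, url=url)
```

The pin is only useful if the HTTP client honours it: connect to pinned_ip with the hostname supplied for SNI and the Host header, and run guard_url again on every redirect Location before following it.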
Critical vulnerabilities (CVE-2026-25253 and CVE-2026-25157) were patched within days of disclosure in version 2026.1.29. GitHub security advisories were promptly published with detailed remediation steps.
The openclaw doctor command scans configuration for risky or misconfigured settings — open DM policies, missing passwords, unencrypted endpoints — and warns the user. The audit system also checks extension trust status and plugin allowlists.
Newer releases default the DM policy to pairing mode, requiring the owner to approve unknown senders with a pairing code before the agent processes their messages.
A contributor developed a hardened fork adding AES-256-GCM credential encryption, plugin sandboxing, audit logging, and rate limiting. These features are being considered for upstream merge.
A consolidated set of actionable recommendations drawn from both codebase analysis and external threat intelligence.
Deploy on a dedicated VM or container. Never run on production or corporate systems. Use Docker sandbox mode for all non-owner sessions. Restrict host filesystem access to the minimum required directories.
Bind the web UI to localhost only and access it via SSH tunnel or VPN. Set a strong, unique password. Disable insecure Control UI modes. Never expose the default port to the public internet. Enable TLS if the UI is reachable over a network.
Avoid tokenized dashboard URLs for routine use. Paste tokens directly in the UI settings. Use HTTPS or Tailscale for all connections. Treat the gateway auth token as a high-value secret and rotate if potentially exposed.
Keep commands.useAccessGroups=true at all times. Maintain explicit allowlists for DMs and groups. Disable elevated mode or restrict allowFrom to known, trusted sender identities only.
Never load admin-level API keys. Generate sub-keys with limited scopes and low quotas. Enable credential encryption at rest. Integrate with OS keychains or secret managers. Periodically rotate all keys.
Set plugins.allow to an explicit list of trusted plugin IDs. Scan skills with Cisco's Skill Scanner or VirusTotal before installation. Avoid plugins that request unrelated secrets or ask you to run manual commands.
Keep log redaction on (redactSensitive="tools"). Enable audit logging for all tool invocations. Set up alerts for anomalous outbound connections. Run openclaw doctor regularly to catch config drift.
Monitor GitHub advisories and Discord security channels. Apply patches immediately — public exploits appear within days of CVE disclosure. Subscribe to the project's security notifications. Verify package integrity before updating.
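To tie the codebase findings to the hardening checklist above, here is an added Python audit in the spirit of openclaw doctor (example code for this assessment, not the project's tool). It checks a configuration for the dangerous settings named in the findings and shows a weak configuration beside a hardened one. The key names gateway.controlUi.allowInsecureAuth, dangerouslyDisableDeviceAuth, commands.useAccessGroups, allowFrom, plugins.allow and logging.redactSensitive come from the page; the JSON nesting and the gateway.bind, commands.elevated and dm.policy keys are assumptions for illustration, not OpenClaw's documented schema.

```python
import json
from typing import Any, List, Tuple

# Two constructed configs. Key names come from the findings and recommendations
# above; the JSON nesting, and the gateway.bind / commands.elevated / dm.policy
# keys, are assumptions for illustration, not OpenClaw's documented schema.
WEAK_CONFIG = json.loads("""{
  "gateway": {"bind": "0.0.0.0",
              "controlUi": {"allowInsecureAuth": true, "dangerouslyDisableDeviceAuth": false}},
  "commands": {"useAccessGroups": false, "elevated": {"enabled": true, "allowFrom": ["*"]}},
  "plugins": {},
  "logging": {"redactSensitive": "off"},
  "dm": {"policy": "open"}
}""")

HARDENED_CONFIG = json.loads("""{
  "gateway": {"bind": "127.0.0.1",
              "controlUi": {"allowInsecureAuth": false, "dangerouslyDisableDeviceAuth": false}},
  "commands": {"useAccessGroups": true, "elevated": {"enabled": false, "allowFrom": ["owner@example"]}},
  "plugins": {"allow": ["calendar-sync", "email-digest"]},
  "logging": {"redactSensitive": "tools"},
  "dm": {"policy": "pairing"}
}""")

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def lookup(cfg: dict, dotted: str, default: Any = None) -> Any:
    """Read a dotted key such as gateway.controlUi.allowInsecureAuth; missing -> default."""
    node: Any = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(cfg: dict) -> List[Tuple[str, str, str]]:
    """Return (severity, setting, message) for every risky setting, worst first.
    An empty list means none of the checked settings is in a dangerous state."""
    findings: List[Tuple[str, str, str]] = []

    if lookup(cfg, "gateway.controlUi.allowInsecureAuth") is True:
        findings.append(("critical", "gateway.controlUi.allowInsecureAuth",
                         "token-only auth over HTTP; device identity is not verified"))
    if lookup(cfg, "gateway.controlUi.dangerouslyDisableDeviceAuth") is True:
        findings.append(("critical", "gateway.controlUi.dangerouslyDisableDeviceAuth",
                         "device identity verification disabled"))
    bind = lookup(cfg, "gateway.bind", "127.0.0.1")
    if bind not in ("127.0.0.1", "localhost", "::1"):
        findings.append(("high", "gateway.bind",
                         f"web UI listens on {bind}; bind to localhost and reach it via SSH tunnel or VPN"))
    if lookup(cfg, "commands.useAccessGroups") is not True:
        findings.append(("critical", "commands.useAccessGroups",
                         "not explicitly true; the authorization resolver allows all commands"))
    if lookup(cfg, "commands.elevated.enabled", True):   # treated as on unless disabled, per the finding above
        allow_from = lookup(cfg, "commands.elevated.allowFrom", [])
        if not allow_from or "*" in allow_from:
            findings.append(("high", "commands.elevated.allowFrom",
                             "elevated mode on without an explicit list of trusted senders"))
    if not lookup(cfg, "plugins.allow"):
        findings.append(("high", "plugins.allow",
                         "no allowlist; everything in ~/.openclaw/extensions loads automatically"))
    if lookup(cfg, "logging.redactSensitive", "tools") == "off":
        findings.append(("medium", "logging.redactSensitive",
                         "secrets are written to logs; set it to \"tools\""))
    if lookup(cfg, "dm.policy") == "open":
        findings.append(("high", "dm.policy", "unknown senders reach the agent; use pairing mode"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])   # stable: keeps check order within a severity
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for sev, key, msg in audit(cfg):
            print(f"  [{sev}] {key}: {msg}")
```

A check like this belongs in a scheduled job or a pre-start hook, not only in a one-off run: the recommendation to run openclaw doctor regularly exists because config drift (a convenience flag flipped during debugging and never reverted) is how a hardened deployment quietly returns to the weak column.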
For enterprise environments: Security firms including Bitdefender and CrowdStrike explicitly advise against running OpenClaw on corporate devices. If used at all, it should be confined to isolated infrastructure with no access to production secrets, internal networks, or sensitive data stores. Treat it as "shadow IT" — because that is exactly what it becomes when employees deploy it without oversight.