Why this guide exists (urgent context)
In January-February 2026, OpenClaw became one of the fastest-growing open-source projects in AI history — reaching 145,000+ GitHub stars within weeks. But that explosive growth came with a severe security crisis that caught thousands of users off-guard.
Security researchers discovered CVE-2026-25253 (CVSS 8.8), a one-click remote code execution vulnerability. The ClawHavoc supply chain attack injected 341-1,184+ malicious skills into ClawHub, OpenClaw's official marketplace. Censys tracked 42,000+ publicly exposed instances in under a week. Multiple critical CVEs enabled command injection, authentication bypass, and indirect prompt injection attacks.
If you're running OpenClaw with default settings, you need to read this guide immediately.
This is not fear-mongering. This is a practical, actionable OpenClaw security hardening guide based on incident post-mortems from Adversa.ai, Koi Security, Palo Alto Networks, and official OpenClaw documentation.
Keyword strategy
Primary keyword: OpenClaw security hardening
Secondary keywords:
- CVE-2026-25253 fix
- ClawHavoc attack response
- OpenClaw production deployment
- self-hosted AI agent security
- OpenClaw sandbox configuration
- AI agent security best practices
- OpenClaw gateway authentication
- MCP server security
The threat landscape: why OpenClaw is structurally vulnerable
The lethal trifecta (plus one)
Security researcher Simon Willison identified what makes AI agents uniquely vulnerable. OpenClaw combines all four elements:
- Access to private data — reads emails, files, credentials, browser history, chat messages
- Exposure to untrusted content — browses the web, processes arbitrary messages, installs third-party skills
- Ability to communicate externally — sends emails, posts messages, makes API calls, can exfiltrate data without triggering DLP
- Persistent memory — stores context in SOUL.md and MEMORY.md files, enabling time-shifted prompt injection and memory poisoning attacks
Why this matters
Unlike traditional software where code and data are separate, in LLM-driven agents, instructions and data occupy the same token stream. A malicious email, webpage, or Slack message can contain instructions that the agent interprets as commands. There is no firewall between "data the agent reads" and "instructions the agent follows."
OpenClaw operates with the full privileges of its host user. A compromised agent inherits all permissions of the user who deployed it.
Documented vulnerabilities (February 2026)
CVE-2026-25253: One-Click RCE via Token Exfiltration (CVSS 8.8)
Impact: Remote code execution on the host machine
Attack vector: The Control UI trusted a gatewayUrl parameter from the query string without validation. On page load, it auto-connected to the specified URL and transmitted the stored authentication token via WebSocket.
Kill chain:
- Victim visits malicious URL
- Token exfiltrated in milliseconds
- Cross-site WebSocket hijacking
- Attacker disables sandbox (
exec.approvals.set=off) - Escape Docker (
tools.exec.host=gateway) - Full RCE on host
Status: Patched in v2026.1.29
CVE-2026-24763 and CVE-2026-25157: Command Injection
Two additional command injection vulnerabilities allowing attackers to inject arbitrary commands through improperly sanitized input fields in the gateway.
CVE-2026-22708: Indirect Prompt Injection via Web Browsing
OpenClaw does not sanitize web content before feeding it into the LLM's context window. Attackers can create webpages with hidden CSS-invisible instructions that the agent's scraper reads and executes.
ClawHavoc Supply Chain Attack
Timeline: January 27 - February 3, 2026
Scope: 341-1,184+ malicious skills discovered in ClawHub (12-41% of the registry at various points)
Payload: Primarily Atomic macOS Stealer (AMOS) and Windows credential stealers
Method: Malicious skills posed as cryptocurrency trading automation tools using well-known brand names
Vetting gap: ClawHub required only a 1-week-old GitHub account to publish skills
Step-by-step security hardening checklist
Phase 1: Immediate actions (do these today)
1. Update to the latest version
# Check current version
openclaw --version
# Update (method depends on your installation)
# If installed via npm:
npm update -g openclaw
# If using the installer script:
curl -fsSL https://openclaw.ai/install.sh | bash
Verify you're running v2026.1.29 or later (includes CVE-2026-25253 fix).
2. Run the security audit
# Quick audit
openclaw security audit
# Deep audit with more checks
openclaw security audit --deep
# Auto-fix where possible
openclaw security audit --fix
# JSON output for CI/CD integration
openclaw security audit --json
This flags common footguns: Gateway auth exposure, browser control exposure, elevated allowlists, filesystem permissions.
3. Audit installed skills
# List all installed skills
openclaw skills list
# Remove any skills you don't recognize or no longer need
openclaw skills remove <skill-name>
Critical: Remove any crypto trading, "free tokens," or suspiciously named skills installed between January 27 - February 3, 2026.
4. Enable gateway authentication
If you haven't set gateway auth, do it now:
# Generate a strong token
export OPENCLAW_GATEWAY_TOKEN=$(openssl rand -hex 32)
# Add to your environment or config
# In ~/.openclaw/openclaw.json or via environment variable
Never expose the gateway without authentication on any network interface.
Phase 2: Network hardening
5. Bind to localhost only (unless you need remote access)
In your OpenClaw configuration:
{
"gateway": {
"host": "127.0.0.1",
"port": 18789
}
}
Never bind to 0.0.0.0 unless you have:
- Strong authentication (see above)
- Firewall rules restricting access
- HTTPS termination with valid certificates
- A specific need for remote access
6. Use a reverse proxy with authentication
If you need remote access, put OpenClaw behind a reverse proxy:
Example with Caddy:
openclaw.yourdomain.com {
reverse_proxy 127.0.0.1:18789
# Require authentication
basicauth {
youruser $2a$14$yourhashedpassword
}
# Security headers
header {
Strict-Transport-Security "max-age=31536000"
X-Frame-Options "DENY"
X-Content-Type-Options "nosniff"
}
}
Example with Nginx:
server {
listen 443 ssl;
server_name openclaw.yourdomain.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
location / {
proxy_pass http://127.0.0.1:18789;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Basic auth
auth_basic "OpenClaw Gateway";
auth_basic_user_file /etc/nginx/.htpasswd;
}
}
7. Firewall configuration
UFW (Ubuntu/Debian):
# Block external access to OpenClaw port by default
sudo ufw deny 18789/tcp
# If you need remote access from specific IPs only
sudo ufw allow from 192.168.1.0/24 to any port 18789 proto tcp
# Or allow only from your VPN subnet
sudo ufw allow from 10.8.0.0/24 to any port 18789 proto tcp
iptables:
# Allow only localhost
iptables -A INPUT -p tcp --dport 18789 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 18789 -j DROP
Phase 3: Tool and sandbox configuration
8. Enable sandbox mode for exec
In your OpenClaw configuration:
{
"tools": {
"exec": {
"sandbox": true,
"approvals": "on",
"allowlist": ["git", "npm", "docker"],
"denylist": ["rm", "sudo", "curl", "wget"]
}
}
}
Best practices:
- Start with the most restrictive allowlist possible
- Enable approval mode for dangerous operations
- Use
trashinstead ofrmwhere possible - Never allow
sudounless absolutely necessary
9. Restrict browser control exposure
Browser control is operator-level access. Treat it accordingly:
{
"browser": {
"remoteAccess": false,
"allowedOrigins": ["http://127.0.0.1:18789"],
"headless": true
}
}
If you need remote browser control:
- Use a tailnet (Tailscale, ZeroTier) for access
- Never expose browser control to the public internet
- Pair nodes deliberately and review paired devices regularly
10. Configure MCP server security
If using MCP servers:
{
"mcp": {
"servers": [
{
"name": "filesystem",
"command": "npx",
"args": ["-y", "@anthropic/mcp-fs", "/safe/path/only"],
"env": {
"ALLOWED_PATHS": "/home/user/workspace"
}
}
],
"security": {
"injectSecretsAtRuntime": true,
"auditLog": true,
"enforceAllowlists": true
}
}
}
Key principles:
- Never hardcode secrets in config files
- Use environment variables or secret managers
- Enable audit logging for all MCP tool calls
- Enforce path allowlists for filesystem access
Phase 4: Access control and permissions
11. Restrict channel access
In your channel configuration:
{
"channels": {
"discord": {
"allowlist": {
"users": ["user-id-1", "user-id-2"],
"channels": ["channel-id-1"],
"guilds": ["guild-id-1"]
},
"denyDMs": false,
"requirePairing": true
},
"telegram": {
"allowlist": {
"users": ["telegram-user-id-1"]
}
}
}
}
Critical: Do not enable all channels on day one. Start with one high-signal channel, validate behavior, then expand.
12. Understand the trust model
OpenClaw assumes a personal assistant security model:
- One trusted operator boundary per gateway
- NOT designed for hostile multi-tenant operation
- If multiple untrusted users can message one tool-enabled agent, they share the same permission set
If you need adversarial-user isolation:
- Run separate gateways per trust boundary
- Use separate OS users or hosts
- Do not share credentials across boundaries
13. File and directory permissions
Secure your OpenClaw configuration directory:
# Set restrictive permissions on ~/.openclaw
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/openclaw.json
chmod 600 ~/.openclaw/**/*.md
# Ensure state/config/credentials are not group/world-readable
find ~/.openclaw -type f -exec chmod 600 {} \;
find ~/.openclaw -type d -exec chmod 700 {} \;
Phase 5: Ongoing monitoring and maintenance
14. Enable audit logging
{
"logging": {
"level": "info",
"auditTrail": true,
"logToolCalls": true,
"logSessionMetadata": true,
"outputPath": "/var/log/openclaw/"
}
}
Review logs regularly for:
- Unexpected tool calls
- Unusual session patterns
- Failed authentication attempts
- Unknown device pairings
15. Set up automated security checks
Add to your crontab:
# Daily security audit
0 6 * * * cd /path/to/workspace && openclaw security audit --json >> /var/log/openclaw/security-audit.log 2>&1
# Weekly version check
0 7 * * 0 curl -s https://api.github.com/repos/openclaw/openclaw/releases/latest | grep tag_name
16. Monitor for exposed instances
Use Censys, Shodan, or similar services to check if your instance is accidentally exposed:
# Check if your public IP has OpenClaw exposed
curl -s https://censys.io/api/v2/hosts/YOUR_PUBLIC_IP
Production deployment architecture
Recommended setup for business use
┌─────────────────────────────────────────────────────────┐
│ Public Internet │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ Cloudflare / WAF Layer │
│ (Rate limiting, bot protection, DDoS) │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ Reverse Proxy (Caddy/Nginx) │
│ (HTTPS termination, basic auth, headers) │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ Tailscale / ZeroTier (Optional) │
│ (Private network access) │
└─────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────┐
│ OpenClaw Gateway (localhost only) │
│ (Auth enabled, sandbox on, audit logging) │
└─────────────────────────────────────────────────────────┘
│
┌───────────────┼───────────────┐
▼ ▼ ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Docker │ │ gVisor │ │ Firecracker │
│ Sandbox │ │ Sandbox │ │ MicroVM │
└──────────────┘ └──────────────┘ └──────────────┘
(for exec) (for exec) (for exec)
Docker hardening
If running in Docker:
version: '3.8'
services:
openclaw:
image: openclaw/openclaw:latest
container_name: openclaw
restart: unless-stopped
# Security settings
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
read_only: true
tmpfs:
- /tmp
- /var/tmp
# Resource limits
deploy:
resources:
limits:
cpus: '2.0'
memory: 4G
# Network
networks:
- openclaw-net
# Volumes (restrict to necessary paths only)
volumes:
- ./config:/home/openclaw/.openclaw:ro
- ./workspace:/home/openclaw/workspace:rw
- ./logs:/var/log/openclaw:rw
# Environment (use secrets, not plaintext)
environment:
- OPENCLAW_GATEWAY_TOKEN=${OPENCLAW_GATEWAY_TOKEN}
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
# No port exposure - access via reverse proxy only
# ports:
# - "18789:18789" # DO NOT DO THIS IN PRODUCTION
networks:
openclaw-net:
driver: bridge
internal: true # No external access
Common security mistakes to avoid
❌ Mistake 1: Exposing gateway without authentication
Wrong:
{
"gateway": {
"host": "0.0.0.0",
"port": 18789,
"auth": null
}
}
Right:
{
"gateway": {
"host": "127.0.0.1",
"port": 18789,
"auth": {
"enabled": true,
"token": "${OPENCLAW_GATEWAY_TOKEN}"
}
}
}
❌ Mistake 2: Installing skills without review
Wrong: Installing any skill from ClawHub without checking:
- Author reputation
- Code review
- Required permissions
- Recent updates/issues
Right:
- Review skill source code before installation
- Check author's GitHub history
- Start with officially maintained skills
- Use a curated, pre-audited skills repository in corporate environments
❌ Mistake 3: Running on host OS without isolation
Wrong: Running OpenClaw directly on your main workstation with full user privileges
Right:
- Use Docker with restricted capabilities
- Consider gVisor for syscall interception
- Run on a dedicated VPS or VM
- Use a separate OS user account
❌ Mistake 4: Treating sessions as authorization boundaries
Wrong: Assuming sessionKey or session IDs provide security isolation
Right: Understand that session identifiers are routing selectors, not authorization tokens. Operators with read/control-plane access can inspect gateway session metadata by design.
❌ Mistake 5: Broad tool permissions from day one
Wrong:
{
"tools": {
"exec": {
"sandbox": false,
"approvals": "off"
}
}
}
Right:
{
"tools": {
"exec": {
"sandbox": true,
"approvals": "on",
"allowlist": ["git", "npm"]
}
}
}
Start restrictive, widen only as needed.
Incident response: what to do if you're compromised
Immediate actions
- Disconnect from network — If you suspect active compromise, isolate the machine
- Rotate all credentials — API keys, passwords, tokens that OpenClaw had access to
- Review audit logs — Identify what tools were called and when
- Check for persistence — Look for unauthorized cron jobs, startup scripts, SSH keys
- Scan for malware — Use tools like detect-secrets, clamav, or commercial EDR
- Rebuild from scratch — If in doubt, wipe and reinstall on a fresh system
Credential rotation checklist
- Model provider API keys (Anthropic, OpenAI, etc.)
- Channel credentials (Telegram bot token, Discord bot token, etc.)
- Email credentials (if email integration was enabled)
- Cloud provider credentials (AWS, GCP, Azure)
- Database passwords
- SSH keys (if agent had SSH access)
- OAuth tokens (Google, Microsoft, GitHub, etc.)
- Any secrets stored in MCP server configurations
FAQ
Is OpenClaw safe to use in production?
Yes, if you follow security hardening guidelines. The vulnerabilities discovered in early 2026 have been patched, but default configurations remain risky. Treat OpenClaw like any powerful tool: it's safe when used correctly, dangerous when misconfigured.
Should I use ClawHub skills?
Exercise extreme caution. After the ClawHavoc incident, OpenClaw implemented better vetting, but the marketplace remains a potential attack vector. Prefer:
- Officially maintained skills
- Skills from trusted authors with established reputations
- Self-audited skills you've reviewed yourself
- Corporate environments should consider blocking ClawHub and using a curated internal repository
Can I run OpenClaw in a multi-tenant environment?
Not recommended. OpenClaw is designed for a personal assistant security model (one trusted operator per gateway). For multi-tenant scenarios:
- Run separate gateway instances per tenant
- Use separate OS users or hosts
- Consider alternative frameworks designed for multi-tenant operation
What's the minimum secure configuration?
At absolute minimum:
- Update to latest version
- Enable gateway authentication
- Bind to localhost only
- Enable sandbox mode for exec
- Use channel allowlists
- Run
openclaw security auditregularly
How do I monitor for future vulnerabilities?
- Watch the OpenClaw GitHub repository for security advisories
- Subscribe to security mailing lists (Censys, Palo Alto Networks, etc.)
- Run
openclaw security auditdaily or weekly - Follow security researchers who track AI agent vulnerabilities
Conclusion
OpenClaw is a powerful tool that brings real security trade-offs. The January-February 2026 security crisis demonstrated what happens when explosive growth outpaces security maturity.
The good news: all known critical vulnerabilities have been patched. The bad news: default configurations remain dangerous, and the fundamental architectural challenges of AI agent security persist.
Your action items:
- Update immediately if you haven't already
- Run the security audit and fix all flagged issues
- Review installed skills and remove anything suspicious
- Harden your configuration using this guide
- Set up monitoring for ongoing security
OpenClaw can be run securely in production — but it requires deliberate effort. The personal assistant security model works well when you understand its boundaries and respect them.
Start with the smallest access that still works, then widen only as you gain confidence. Your future self (and your credentials) will thank you.
Related resources
- OpenClaw Official Security Documentation
- Adversa.ai OpenClaw Security Post-Mortem
- Koi Security ClawHavoc Analysis
- Censys Internet Exposure Report
- Palo Alto Networks AI Agent Security Framework
Last updated: February 26, 2026. This guide reflects the security landscape as of this date. Always verify against the latest official OpenClaw documentation and security advisories.