OpenClaw: What You Need to Know Before It Claws Its Way Into Your Organization

tl;dr

• OpenClaw is an open-source AI agent that runs locally and connects to your messaging apps, files, and terminal it can genuinely act on your behalf.
• It has exploded to over 180,000 GitHub stars in a matter of weeks, but its security posture has not kept pace with adoption.
• A high-severity one-click RCE (CVE-2026-25253), 341 malicious skills on ClawHub, and over 40,000 exposed instances tell a story of a project that shipped fast and secured later.
• For home users who know what they're doing, the risk is manageable with precautions. For enterprise environments? Stay well clear, for now.

What Is OpenClaw?

OpenClaw is a self-hosted AI agent that runs on your machine and works through the chat apps you likely already use including WhatsApp, Telegram, Discord, Slack, Teams, and even iMessage. Think of it as a local AI assistant that doesn't just answer questions but actually does things: reading and modifying files, running shell commands, browsing the web, managing your calendar, and installing tools on your behalf.

‍

The project was created by Austrian developer Peter Steinberger as a weekend hack. Originally published as "Clawdbot", a pun on Claude, in November 2025,, which Anthropic's legal team understandably took issue with, the project was renamed to "Moltbot" in late January 2026 (because lobsters molt to grow, apparently), and then it was changed again to "OpenClaw" just days later. The name might have stabilized, but the project's growth certainly hasn't slowed down.

‍

Unlike cloud-hosted AI assistants where your data lives on someone else's infrastructure, OpenClaw runs where you choose your laptop, a homelab, or a VPS. That's a genuinely appealing proposition. Your data stays local, you control the model backend, and you get an AI agent that integrates with the tools you're already using. 

Why Is Everyone Talking About It?

The numbers are staggering. OpenClaw has amassed over 180,000 GitHub stars, drawn 2 million visitors in a single week, and spawned an ecosystem of thousands of third-party skills.

‍

But OpenClaw hasn't just made headlines for its capabilities. The project has attracted the kind of chaotic, anything-goes community energy that tends to follow viral open-source projects. Lovense, a sex toy manufacturer, announced integration with OpenClaw so their devices can be controlled via the AI agent. A developer created "Clawra," an AI girlfriend project built on OpenClaw, which racked up 600,000 views shortly after launch. And in one widely reported incident, a software engineer gave OpenClaw access to iMessage and watched it go rogue   bombarding him and his wife with over 500 messages and spamming random contacts.

‍

These stories are entertaining, but they also illustrate something important: OpenClaw is being given deep access to people's digital lives and the guardrails are not where they need to be.

The Security Picture

This is where it gets uncomfortable. OpenClaw's security track record in its short life has been, to put it diplomatically, rough.

CVE-2026-25253: One-Click RCE

In late January 2026, researchers disclosed CVE-2026-25253, a high-severity vulnerability scoring 8.8 on CVSS. The flaw stemmed from OpenClaw's Control UI accepting a gatewayUrl parameter from the query string and automatically establishing a WebSocket connection to that URL transmitting the user's authentication token in the process, without user confirmation.

‍

The attack is elegant in its simplicity. An attacker crafts a malicious link. The victim clicks it (or simply visits a page containing it). Their authentication token is exfiltrated to an attacker-controlled server. The attacker then connects to the victim's local OpenClaw gateway, modifies configuration to disable sandboxing and tool policies, and executes arbitrary commands. One click, full compromise.

‍

The vulnerability was patched in version 2026.1.29, but this was just one of three high-severity advisories published in rapid succession beginning January 31, 2026, including two additional command injection vulnerabilities (CVE-2026-25157 and CVE-2026-24763). Two more advisories followed on February 4. Five security advisories in under a week suggests a codebase where security was an afterthought during the initial build.

The ClawHub Supply Chain Problem

OpenClaw's extensibility comes through "skills" plugins distributed via ClawHub, the project's community marketplace. Security firm Koi Security conducted an audit of all 2,857 skills available on ClawHub and the findings were alarming: 341 malicious skills across multiple campaigns, with 335 traced back to a single coordinated operation they've dubbed "ClawHavoc."

‍

These malicious skills masqueraded as legitimate tools, cryptocurrency trading bots, productivity utilities and delivered information-stealing malware. Atomic Stealer targeting macOS, credential harvesters for Windows, and ClickFix-style social engineering instructions were all present. One skill posing as a Polymarket trading tool opened an interactive reverse shell back to the attacker's server, granting full remote control.

‍

The numbers have since worsened.Findings from multiple security firms, including Koi Security's ClawHavoc campaign, Snyk's discovery of 283 skills leaking API keys, and others, uncovered nearly 900 malicious or dangerously flawed skills across ClawHub. OpenClaw has responded by integrating VirusTotal scanning and adding a skill reporting mechanism, but the fundamental problem remains: ClawHub is an unvetted software supply chain, and users are installing skills with the same level of access as the agent itself.

Exposed Instances Everywhere

Security researchers scanning the internet have found over 40,000 OpenClaw instances exposed with unsafe defaults, with subsequent scans by SecurityScorecard identifying over 135,000 internet-exposed instances in total. Of those, over 12,800 were found directly exploitable via the already-patched RCE. These exposed instances were leaking API keys, chat histories, and account credentials, available to anyone who knew where to look.

‍

The root cause is a split personality in OpenClaw's defaults. The desktop CLI installation binds to 127.0.0.1:18789 (loopback only), which is sensible. But the official Docker deployment path   which is how most cloud and VPS instances are set up   defaults to 0.0.0.0:18789 via the docker-setup.sh script, meaning the gateway listens on all network interfaces including the public internet.

‍

Combine that with cloud deployment tutorials actively recommending LAN mode and a target audience that values easy setup over hardened configuration. Nearly 80% of exposed instances are still running outdated Clawdbot or Moltbot builds that predate recent authentication hardening. The result is exactly this kind of mass exposure.

Is It Safe for Home Use?

Honestly? It depends!

‍

If you're a technically competent user who understands what you're granting access to, keeps the software patched, carefully vets any skills before installing them, and ideally runs OpenClaw on a non-critical machine or in a sandboxed environment, the risk is manageable. You'll get a genuinely useful AI agent that can automate tedious tasks across your messaging apps and local system.

‍

But let's be realistic about what maintaining "manageable risk" actually requires here. You need to:

‍

• Keep OpenClaw updated religiously, the project is shipping patches at pace.
• Never expose the instance to the internet. Run it locally, behind your firewall.
• Treat ClawHub skills with the same suspicion you'd give a random npm package from a new author. Check the source. Check the publisher. Preferably, read the code.
• Understand that you're giving an AI agent the ability to execute commands and modify files on your system. If it gets compromised, your machine is compromised.
• Avoid connecting it to anything containing sensitive credentials, financial data, or anything you wouldn't want exfiltrated.

‍

For the tinkerer who treats it as an interesting project and keeps it appropriately isolated, go for it. For the average home user who just wants a clever assistant and won't think twice about security? I'd say hold off until the project matures.

Why Enterprise Should Stay Away

This is where my position is unambiguous: organizations should not be deploying OpenClaw in any capacity connected to corporate systems or data. The risk profile is simply too high in its current state.

Shadow AI Is Already Happening

Bitdefender's GravityZone telemetry has provided concrete evidence of what security teams have feared. Employees are deploying OpenClaw agents directly onto corporate machines using single-line install commands. This is Shadow AI in its purest form: unmanaged, unmonitored AI agents with broad system access, deployed outside of any IT governance process.

‍

The appeal is obvious. An employee discovers they can connect an AI agent to their work Slack, their email, and their file system, and suddenly they've got an assistant that can draft responses, summarise threads, and automate routine tasks. The problem is that they've also just created a new attack surface that your security team doesn't know about and your tooling isn't monitoring.

It Creates Ungoverned Access Paths

OpenClaw connects directly to email, files, messaging platforms, and system tools. It creates persistent non-human identities and access paths that fall entirely outside traditional IAM and secrets management controls. Your carefully configured RBAC policies, your conditional access rules, your MFA requirements, none of them apply to an AI agent that's been handed a set of API tokens and told to get on with it.

Prompt Injection Is a Real Threat

An AI agent that processes external data emails, documents, messages, is inherently susceptible to prompt injection. An attacker who can get a crafted message into an employee's inbox could potentially manipulate the OpenClaw agent into performing actions on their behalf. This isn't theoretical; it's a well-documented attack class against agentic AI systems, and OpenClaw's architecture leaves it particularly exposed.

The Skill Ecosystem Is an Unvetted Supply Chain

With the aforementioned  nearly 900 malicious or dangerously flawed skills across ClawHub, installing a skill is effectively running unreviewed third-party code with the same permissions as the agent itself. In an enterprise context, that's equivalent to letting employees install arbitrary software from an unmoderated marketplace, something most organisations spent the last two decades building controls to prevent.

No Enterprise-Grade Controls

OpenClaw lacks the audit logging, access controls, compliance tooling, and governance features that enterprise deployments require. There's no centralized management, no role-based access, no integration with enterprise identity providers, and no way for a security team to maintain visibility over what agents are doing across the estate.

What Organisations Should Be Doing Right Now

Even if you haven't sanctioned OpenClaw, there's a reasonable chance it's already running somewhere in your environment. Here's what to do about it.

‍

Inventory your estate. Use your EDR and EASM tooling to scan for OpenClaw instances. Bitdefender has added specific detection capabilities to GravityZone, and runZero can identify exposed instances. Know where it is before you decide what to do about it.

‍

Update your acceptable use policies. Most AUPs were written before agentic AI tools existed. Explicitly address tools that can execute commands, access files, and connect to messaging platforms on behalf of employees. Make the boundaries clear.

‍

Block or monitor installation vectors. If your organization uses application allowlisting or endpoint controls, add OpenClaw to the block list. At minimum, monitor for its installation and flag it for review.

‍

Educate your teams. Many employees installing OpenClaw genuinely don't understand the security implications. They see a productivity tool, not an attack surface. A clear, non-judgemental communication explaining the risks will go further than a blanket ban with no context.

‍

If you must evaluate it, isolate it completely. Run it in a sandboxed environment with no access to production data, corporate credentials, or internal networks. Treat it as you would any untrusted software under security evaluation.

‍

Watch the project's maturity. OpenClaw is moving fast. The VirusTotal integration, the skill reporting mechanism, and the rapid patching cadence all suggest a project that's taking security more seriously. But "taking it more seriously" and "ready for enterprise" are very different things.

My Take

The concept of a self-hosted, open-source AI agent that integrates with your existing tools is compelling. The execution of an agent that can genuinely automate tasks across messaging platforms, file systems, and the web is impressive for a project that started as a weekend hack.

‍

But impressive engineering and enterprise readiness are not the same thing. OpenClaw has had a critical RCE vulnerability, a supply chain riddled with malware, tens of thousands of exposed instances, and no enterprise governance tooling   all within weeks of its initial release. The project is iterating fast, but it's iterating in public, on production systems, with real data at stake.

‍

AI agents are powerful tools, and this category is only going to grow. But power without adequate security controls is just risk by another name. For organizations with data worth protecting, the calculus is straightforward: OpenClaw is not ready for your environment. Revisit it in six months. By then, the security model may have caught up with the ambition.

‍

For home users who understand the trade-offs and can manage the risk appropriately   enjoy the ride. Just keep it patched, keep it local, and keep it away from anything you can't afford to lose.

‍

OpenClaw is just one example. Vulnerabilities like CVE-2026-25253 are patched, but the threat of prompt injection is permanent. Are your defenses ready? Try your hand at our AI Prompt Injection Attack Lab and test your skills against real-world scenarios.

‍