The OpenClaw Security Crisis: What Enterprise Teams Need to Know

What is OpenClaw

OpenClaw is an open-source autonomous AI agent framework that has rapidly become one of the most deployed agent platforms in the ecosystem. Originally released as Clawdbot, later renamed Moltbot, and now operating under the OpenClaw brand, the project has accumulated 145,000+ GitHub stars and 20,000+ forks -- figures that place it among the most popular open-source AI projects worldwide.

The framework operates across 20+ messaging platforms including WhatsApp, Telegram, Discord, Slack, and Microsoft Teams. It ships with 134+ MCP tools, a file-based memory system, and the ability to spawn sub-agents autonomously. In practical terms, a single OpenClaw instance can read your team's Slack channels, access your codebase, query your databases, and take actions across every connected service -- all without human-in-the-loop approval by default.

In February 2026, creator Peter Steinberger announced he was joining OpenAI, raising questions about the project's long-term governance and security posture. The community is large, but the security review infrastructure has not scaled with it.

Key context: OpenClaw is not a toy project. It is running in production environments at startups and enterprises alike, processing source code, credentials, internal documents, and customer data. The security incidents below should be assessed in that context.

The Security Incidents

Over the past several months, multiple independent security research teams have disclosed critical vulnerabilities in OpenClaw. Each incident is distinct, but together they reveal systemic gaps in the project's security architecture.

CVE-2026-25253 -- Remote Code Execution CVSS 8.8

A 1-click RCE vulnerability via the Control UI WebSocket interface. An attacker can steal the authentication token through a crafted link, gaining full control of the agent instance. Internet-wide scanning identified 42,665 exposed instances, of which 5,194 were actively vulnerable at time of disclosure.

Exposed: 42,665 · Vulnerable: 5,194

Authentication Bypass -- Default Configuration Critical

Approximately 1,000 publicly accessible instances were found running without any authentication. OpenClaw's default configuration trusts localhost connections, but many deployments expose the control interface to the internet via reverse proxies or cloud configurations without adding authentication layers.

No-auth instances: ~1,000

ToxicSkills -- ClawHub Supply Chain (Snyk) Critical

Snyk analyzed 3,984 skills from ClawHub, the community skill registry. 36.82% contained security flaws, including command injection, path traversal, and credential exfiltration. 76 confirmed malicious payloads were identified, with 8 still publicly available at time of report.

Malicious payloads: 76 · Still public: 8

Prompt Injection via Discord (CrowdStrike) High

CrowdStrike demonstrated that a crafted Discord message could inject instructions into an OpenClaw agent, causing it to leak private moderator discussions from other channels. The agent had no mechanism to distinguish between user input and injected commands.

Data Leakage Across Sessions (Giskard) High

Giskard identified multiple data leakage vectors: shared scopes between sessions allowed one user's data to bleed into another's context, and the Control UI token could be extracted by a compromised skill, granting full administrative access to the agent.

ClawHub Skill Vulnerabilities (Cisco) High

Cisco's security team analyzed 31,000 skills from the ClawHub ecosystem. 26% contained vulnerabilities ranging from insecure API key handling to arbitrary file read/write capabilities. No formal review process exists for skill submissions.

Skills analyzed: 31,000 · Vulnerable: 26%

Pattern: These are not isolated findings from a single researcher. Six independent teams -- spanning startups, security vendors, and enterprise labs -- arrived at the same conclusion: OpenClaw's security model does not meet the requirements of production deployment.

Enterprise Risk Assessment

For organizations evaluating or already running OpenClaw, the incidents above translate into four primary risk categories.

🔒

Data Exposure

Agents routinely process source code, internal documents, API keys, and database credentials. A compromised instance exposes everything the agent can access -- which, by design, is everything connected to it.

📦

Supply Chain

ClawHub skills are user-contributed with no formal review, signing, or verification process. Installing a skill is functionally equivalent to running arbitrary code from an untrusted source.

📑

Compliance

No audit trail for agent actions. No identity verification between agents or sub-agents. No mechanism to prove what an agent did, when, or why -- a gap that creates liability under SOC 2, ISO 27001, and emerging AI governance frameworks.

🔗

Lateral Movement

A single compromised agent has access to every connected platform and tool. There is no privilege separation between skills, no network segmentation, and no blast radius containment by default.

The compounding nature of these risks is what makes OpenClaw deployments particularly challenging to secure. A supply chain attack via a malicious skill can lead to data exposure, which creates compliance violations, which enable lateral movement into connected systems. The attack surface is not additive -- it is multiplicative.

Mitigation Strategies

Organizations that need to continue running OpenClaw -- or that are evaluating it for future deployment -- should implement the following controls. These are not theoretical recommendations; they reflect the minimum security posture required to operate autonomous agents in a production environment.

Static Analysis

Scan every skill before installation. Automated analysis should flag command injection patterns, credential access, network exfiltration, and path traversal. No skill should reach production without passing a security gate. Tools like Aguara provide structured skill scanning with deterministic rule sets.

Runtime Isolation

Execute agents and skills inside sandboxed environments. Docker sandboxes alone are not sufficient -- they must be paired with network proxies that intercept and inspect all outbound traffic, and credentials should be injected at the proxy level rather than stored in the agent's environment.

Agent Identity

Every inter-agent message should be cryptographically signed. Without identity verification, there is no way to distinguish a legitimate sub-agent request from a prompt injection or a spoofed message. This is table stakes for any multi-agent deployment.

Policy Enforcement

Define allowed communication patterns between agents, tools, and external services. Block any message or action that violates the policy. This includes rate limiting, destination allowlisting, and payload inspection. Configuration itself becomes a security liability when left to defaults.

Audit Trail

Log every message, tool invocation, and agent decision for forensic and compliance purposes. Logs must be immutable, timestamped, and stored outside the agent's own environment. Without this, incident response is guesswork.

How Oktsec Addresses These Risks

Oktsec was built specifically for this problem space: securing autonomous AI agent communication and deployment. For organizations running OpenClaw, we provide dedicated tooling that addresses every risk category identified above.

Dedicated OpenClaw Security Coverage

Oktsec ships with 15 OCLAW rules specifically designed for OpenClaw deployments, plus 6 NanoClaw audit checks for lightweight agent configurations. Our deployment audit runs 41 checks across OpenClaw, NanoClaw, and Oktsec configurations, generating SARIF-formatted output that integrates directly with GitHub Advanced Security, VS Code, and CI/CD pipelines.

153+ Detection rules

15 OCLAW rules

41 Deployment checks

31K+ Skills monitored

The entire detection engine is built on Aguara, our open-source static analysis engine with 153+ rules spanning 15 security categories. Aguara scans every skill before deployment -- no LLM in the loop, fully deterministic, self-hosted. For runtime protection, Oktsec provides a forward proxy mode for Docker Sandboxes that intercepts, inspects, and logs all agent traffic.

Aguara Watch continuously monitors 31,000+ skills across 5 registries, providing early warning when new malicious or vulnerable skills appear. This is the same dataset that informed the Snyk and Cisco findings referenced above -- but running continuously, not as a one-time audit.

The Bottom Line

OpenClaw is a powerful framework with legitimate use cases. But its security model was designed for local development, not enterprise production. The incidents documented here are not edge cases -- they are the predictable result of deploying an agent with broad system access and minimal security controls.

For teams that need to run OpenClaw in production, the path forward is not to abandon the framework but to layer security around it: static analysis before deployment, runtime isolation during execution, cryptographic identity for every message, and a complete audit trail for every action.

That is exactly what Oktsec provides.

Secure your OpenClaw deployment

Oktsec provides static analysis, runtime isolation, agent identity, and audit trail for AI agent communication. Open source, self-hosted, no LLM.

Learn more at oktsec.com View on GitHub