OpenClaw Enhances Security Measures Amidst Vulnerabilities in ClawHub Skills


By Tina Reynolds


OpenClaw, a developer of AI agent technology, has published a security analysis of its ClawHub marketplace. The review covered 3,984 skills listed on ClawHub and found 283 with serious security flaws. These flaws pose a real threat to user safety and data integrity: a malicious skill could expose sensitive personal information or execute commands on an end user's device without the user's permission.

The August analysis also raised alarming points about how OpenClaw agents handle what they are given access to. Sensitive credentials regularly end up in plaintext, often by accident, in the context window and output logs of the large language models (LLMs) that power the agents. These leaks also give adversaries a way to abuse the agents' access to tools and data, exposing the platform's users to significant risk.
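The leak path described above is easiest to close at the boundary where tool output is written to a log or appended to the model's context. The following is an added example, not OpenClaw's code: a small redaction filter that masks bearer tokens, key=value secret assignments and common prefixed provider keys before the text is persisted or fed back to the LLM. The sample lines are constructed and contain no real credentials.

```python
import re

# Constructed sample of agent output lines that might be written to a log or
# fed back into an LLM context window (not real credentials, not real OpenClaw output).
SAMPLE_LINES = [
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abc123DEF456",
    "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "api_key=sk-live-0123456789abcdef0123456789abcdef",
    "GET /health 200 OK",
]

# Each pattern keeps the prefix (scheme or variable name) so the redacted log stays
# readable, and masks only the secret value itself.
SECRET_PATTERNS = [
    # Bearer / JWT-style tokens following an Authorization scheme
    (re.compile(r"(?i)(bearer\s+)([A-Za-z0-9._\-]{20,})"), r"\1[REDACTED]"),
    # key=value or key: value assignments whose name contains a secret-ish word
    (re.compile(r"(?i)(\b[A-Z0-9_]*(?:api[_-]?key|secret[_-]?key|access[_-]?key|password|token)"
                r"[A-Z0-9_]*\s*[=:]\s*['\"]?)([^\s'\"]{8,})"), r"\1[REDACTED]"),
    # Provider keys recognisable by prefix even without a variable name (sk-, ghp_, xox)
    (re.compile(r"\b(sk-[A-Za-z0-9\-]{16,}|ghp_[A-Za-z0-9]{20,}|xox[abp]-[A-Za-z0-9\-]{10,})"),
     "[REDACTED]"),
]


def redact(line: str) -> str:
    """Return the line with any recognised secret value replaced by [REDACTED]."""
    for pattern, replacement in SECRET_PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def redact_lines(lines):
    """Redact a batch of lines, preserving order (use before logging or building context)."""
    return [redact(line) for line in lines]


def leaked(lines):
    """Indices of lines that contained at least one recognised secret."""
    return [i for i, line in enumerate(lines) if redact(line) != line]


if __name__ == "__main__":
    for original, clean in zip(SAMPLE_LINES, redact_lines(SAMPLE_LINES)):
        print(f"{original!r}\n  -> {clean!r}")
```

Pattern-based redaction is a backstop, not a substitute for keeping credentials out of the agent's reach in the first place; a secret with an unfamiliar shape will pass through, so treat anything that reached the context window as potentially exposed.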

In response to the rising threats, OpenClaw has partnered with Google-owned VirusTotal to scan skills uploaded to ClawHub and harden the marketplace. OpenClaw says it will rescan every active skill daily and detect when a skill's status changes, so that a skill that was benign when first published cannot quietly turn malicious later without being noticed.

Security Flaws Uncovered

The analysis also identified several critical weaknesses in the OpenClaw ecosystem itself. A notable one is that OpenClaw's gateway binds by default to 0.0.0.0:18789, which exposes the full API on every network interface rather than only on the loopback interface. According to the data dashboards cited in the report, more than 30,000 deployed OpenClaw instances are publicly reachable over the internet worldwide. That exposure greatly increases the chances of unauthorized access and attack.
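A quick way to confirm whether a host is affected by the default bind described above is to inspect its listening sockets. This is an added example, not part of the report or of OpenClaw's tooling: it parses `ss -ltn` style output and flags any listener on the gateway port (18789, the default named above) that is not bound to loopback, distinguishing wildcard binds (0.0.0.0, ::, *) from binds to a specific interface address. The sample output is constructed for the example.

```python
import ipaddress
import sys

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*
LISTEN 0      128    0.0.0.0:18789       0.0.0.0:*
LISTEN 0      128    [::]:18789          [::]:*
LISTEN 0      128    192.168.1.20:18789  0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
"""

GATEWAY_PORT = 18789  # default OpenClaw gateway port cited in the report


def split_addr_port(local: str):
    """'[::]:18789' -> ('::', 18789); '0.0.0.0:18789' -> ('0.0.0.0', 18789); '*:18789' -> ('*', 18789)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def classify(host: str) -> str:
    """Classify a bind address as 'loopback', 'wildcard' or a specific 'interface' address."""
    if host in ("*", ""):
        return "wildcard"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "wildcard"
    if addr.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback"
    return "interface"


def exposed_listeners(ss_output: str, port: int = GATEWAY_PORT):
    """Return (host, kind) for every LISTEN socket on `port` that is reachable beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # skip header and non-listening rows
        host, listen_port = split_addr_port(fields[3])
        if listen_port != port:
            continue
        kind = classify(host)
        if kind != "loopback":
            findings.append((host, kind))
    return findings


if __name__ == "__main__":
    # Usage: ss -ltn | python3 check_bind.py   (falls back to the constructed sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for host, kind in exposed_listeners(data):
        print(f"EXPOSED: gateway port {GATEWAY_PORT} bound to {host} ({kind})")
```

A wildcard finding means the API answers on every interface the host has, including any public one; the fix is to bind the gateway to 127.0.0.1 (or a management interface behind a firewall) and put authentication in front of anything that must be remotely reachable.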

Separately, a publicly exposed, misconfigured Supabase database owned by Moltbook was identified. The misconfiguration let anyone read the secret API keys of every agent registered on the site, with no authentication or other restriction. It is a reminder of how cloud-hosted storage exposes data when access controls are not configured correctly.

Another serious weakness is OpenClaw's susceptibility to indirect prompt injection. An attacker can plant malicious instructions in a web page that the agent reads; OpenClaw may then write those instructions into important files such as ~/.openclaw/workspace/HEARTBEAT.md. From there the attacker can feed the agent further commands from a remote server, remotely and without the user's knowledge.

“OpenClaw stores credentials in cleartext, uses insecure coding patterns including direct eval with user input, and has no privacy policy or clear accountability.” – Moshe Siman Tov Bustan and Nir Zadok

Global Response and Regulatory Concerns

The global reach of these weaknesses has drawn concern from international regulators. China's Ministry of Industry and Information Technology, for example, recently warned about misconfigured OpenClaw instances whose operators had not put stronger protections in place to shield users from cyber attacks and data breaches. The warning shows that the dangers of insecure AI tooling are now acknowledged on the world stage.

Cybersecurity experts have written extensively about what happens when vulnerabilities like these spread at scale. Tomer Yahalom noted how pervasive OpenClaw and similar tools have become, stating, “OpenClaw and tools like it will show up in your organization whether you approve them or not.” The remark reflects the broader challenge organizations face with unsanctioned AI tools that can undermine their security posture.

Similarly, Ian Ahl emphasized the gravity of granting AI agents access to sensitive information: “AI agents get credentials to your entire digital life.” Given that access and the agents' extensive capabilities, the question is how easily adversaries could hijack them for malicious ends.

Challenges in Mitigation

Despite ongoing work to address these problems, OpenClaw continues to have security issues. A recently patched flaw would have let attackers run code remotely; at worst, a user lured to a malicious domain could have had authentication tokens exfiltrated over WebSocket channels. Vulnerabilities of this kind exploit user behavior and can have significant impact if left unremediated.
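The token-exfiltration path described above, where a page on an attacker's domain opens a WebSocket to a local service the victim is logged into, is the classic cross-site WebSocket hijacking shape, and the standard server-side defence is to validate the `Origin` header on the upgrade request against an explicit allowlist. The following is an added example written for this page, not OpenClaw's patch; the allowlist, port and the three constructed upgrade requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Origins permitted to open a WebSocket to the local gateway UI.
# Hypothetical values for this example; use your own deployment's origin(s).
ALLOWED_ORIGINS = {
    ("http", "127.0.0.1", 18789),
    ("http", "localhost", 18789),
}


def parse_origin(origin: str):
    """Normalise an Origin header to (scheme, host, port); None if it is not a web origin."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:          # non-numeric port
        return None
    if port is None:            # apply the scheme default so "https://a" == "https://a:443"
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def origin_allowed(headers: dict) -> bool:
    """Decide whether a WebSocket upgrade request may proceed, based on its Origin header."""
    # HTTP header names are case-insensitive; look the header up accordingly.
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        # Browsers always send Origin on WebSocket upgrades, so a missing header means a
        # non-browser client. Fail closed; let such clients authenticate some other way.
        return False
    return parse_origin(origin) in ALLOWED_ORIGINS


# Constructed upgrade requests (headers only) for the example.
LEGIT = {"Host": "127.0.0.1:18789", "Upgrade": "websocket",
         "Origin": "http://127.0.0.1:18789"}
CROSS_SITE = {"Host": "127.0.0.1:18789", "Upgrade": "websocket",
              "Origin": "https://attacker.example"}
LOOKALIKE = {"Host": "127.0.0.1:18789", "Upgrade": "websocket",
             "Origin": "http://127.0.0.1.attacker.example:18789"}
NO_ORIGIN = {"Host": "127.0.0.1:18789", "Upgrade": "websocket"}

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("cross-site", CROSS_SITE),
                      ("lookalike", LOOKALIKE), ("no origin", NO_ORIGIN)]:
        print(f"{name:10s} -> {'ALLOW' if origin_allowed(req) else 'DENY'}")
```

Exact-tuple comparison matters: a prefix or substring match would accept the lookalike origin, and ignoring the port would let any page served from the same hostname on another port connect. An origin check is also only half of the fix; the socket should never hand out an authentication token to a client that has not already proven it holds one.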

Experts stress that users should take the initiative and enable OpenClaw's Docker-based tool sandboxing feature. Until they do, full system-wide access remains the default. Such protections are integral to keeping users safe; without them, users are exposed to hazards in their configurations that they may not even be aware of.

“When agent platforms go viral faster than security practices mature, misconfiguration becomes the primary attack surface.” – Ensar Seker

Security analysts have also flagged popular uninstall approaches for failing to completely remove sensitive data. Moshe Siman Tov Bustan and Nir Zadok stated, “Common uninstall methods leave sensitive data behind – and fully revoking access is far harder than most users realize.” This highlights the urgent need for better user education on controlling permissions and revoking access to sensitive data.