The Dark Side of OpenClaw: Security Risks Nobody Talks About
Let me tell you a story.
Last month, a security researcher found hundreds of OpenClaw dashboards just... sitting there. On the public internet. No password. No login. Nothing.
Anyone could walk in, read the owner's emails, steal their API keys, and run commands on their computer.
Hundreds of them.
And that's just the start.
What is OpenClaw?
Quick primer if you're new here.
OpenClaw is an AI agent that actually does stuff. It's not just a chatbot. It connects to your WhatsApp, Telegram, Discord, Slack, email—whatever. It runs 24/7 on your server. And it can execute code, read files, browse the web, and automate basically anything.
Tens of thousands of GitHub stars. Viral tweets. Hardware sales spiking because people are buying servers just to run it.
It's incredible.
It's also a security nightmare.
Here's why.
Problem #1: Exposed Dashboards
This is the big one.
OpenClaw has a web dashboard for controlling everything. It's meant for local use only. But people deploy it on cloud servers. They put it behind reverse proxies. They forward ports from their home routers.
And they forget one thing: authentication.
See, OpenClaw trusts "localhost" connections by default. Makes sense for local use. But when you put it behind a proxy that doesn't pass headers correctly? Every request looks like it's coming from localhost.
No password needed. Full access.
What attackers found in exposed dashboards:
- API keys for OpenAI, Anthropic, AWS
- OAuth tokens for connected services
- Complete chat histories
- Signal pairing QR codes (yes, attackers could hijack your Signal)
- The ability to run any command on the host machine
Bitdefender Labs called it "a common misconfiguration with great impact."
That's a nice way of saying: a lot of people got owned.
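Why the localhost shortcut fails behind a same-host reverse proxy, as an added example (not OpenClaw's code): three hypothetical authorization policies evaluated against constructed requests. The request shape, the `x-auth-token` header and all function names are assumptions.

```javascript
// Added illustration; not OpenClaw source. Request shape, the "x-auth-token"
// header and all function names are hypothetical.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
const FORWARD_HEADERS = ["forwarded", "x-forwarded-for", "x-real-ip"];
const isLoopback = (req) => LOOPBACK.has(req.remoteAddress);

// Compare without stopping at the first mismatching character.
function tokenMatches(presented, expected) {
  if (typeof presented !== "string" || !expected) return false;
  let diff = presented.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= (presented.charCodeAt(i) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}
const hasToken = (req, token) => tokenMatches(req.headers["x-auth-token"], token);

const POLICIES = {
  // A, the weak default described above: a loopback peer skips auth.
  trustLoopback: (req, token) => isLoopback(req) || hasToken(req, token),
  // B: no bypass when forwarding headers are present; still fails open
  // when the proxy sends none.
  headerAware: (req, token) =>
    (isLoopback(req) && !FORWARD_HEADERS.some((h) => h in req.headers)) ||
    hasToken(req, token),
  // C: locality never grants access; every request needs the token.
  tokenOnly: (req, token) => hasToken(req, token),
};

// Constructed requests, as seen by a dashboard behind a same-host proxy.
const SAMPLES = {
  ownerOnLaptop: { remoteAddress: "127.0.0.1", headers: {} },
  strangerProxyAddsHeader: { remoteAddress: "127.0.0.1",
    headers: { "x-forwarded-for": "203.0.113.7" } },
  strangerProxyNoHeader: { remoteAddress: "127.0.0.1", headers: {} },
  ownerWithToken: { remoteAddress: "127.0.0.1",
    headers: { "x-forwarded-for": "198.51.100.4", "x-auth-token": "constructed-token" } },
};

// Returns the names of the samples each policy lets in.
function admitted(policyName, token) {
  return Object.keys(SAMPLES).filter((n) => POLICIES[policyName](SAMPLES[n], token));
}

console.log(Object.keys(POLICIES).map((p) => [p, admitted(p, "constructed-token")]));
```

Only the token-only policy keeps the stranger out in both proxy cases; the header-aware variant still admits the request when the proxy forwards no client-address header.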
Problem #2: One-Click Hacks
This one's scarier.
In January 2026, researchers found a vulnerability where just visiting a webpage could give an attacker full control of your OpenClaw.
Here's how it worked:
- Attacker makes a malicious webpage
- You visit it (maybe they send you a link)
- The page hijacks your browser's WebSocket connection to your local OpenClaw
- It steals your auth token
- Attacker now has full remote code execution on your machine
No stolen passwords. No exposed ports. Just one click.
And the kicker? This worked even if your OpenClaw wasn't exposed to the internet. It piggybacked through your own browser.
The developers patched it in two days. But think about how many people were vulnerable before that.
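A standard server-side defence against this class of cross-site WebSocket attack is to validate the handshake's Origin header before any token is accepted. The sketch below is an added example, not OpenClaw's code or its actual patch; port 3000, the allowlist and the function names are assumptions.

```javascript
// Added illustration; not OpenClaw source or its actual fix. Port 3000, the
// allowlist and the function names are constructed for the example.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:3000", "http://localhost:3000"]);

// Decide whether a WebSocket upgrade may proceed to token authentication.
// Browsers do not apply the same-origin policy to WebSocket handshakes, so
// the server has to make this decision itself.
function checkUpgrade(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  if ((h.upgrade || "").toLowerCase() !== "websocket") return "reject:not-websocket";
  // Browsers always send Origin on WebSocket handshakes; its absence means a
  // non-browser client, which must still authenticate afterwards.
  if (!("origin" in h)) return "continue:non-browser";
  let origin;
  try {
    origin = new URL(h.origin).origin; // normalises case and default ports
  } catch {
    return "reject:origin"; // unparsable, including the literal "null"
  }
  return ALLOWED_ORIGINS.has(origin) ? "continue:same-origin" : "reject:origin";
}

// Constructed handshakes.
const HANDSHAKES = {
  dashboardTab: { Upgrade: "websocket", Origin: "http://LOCALHOST:3000" },
  otherSite: { Upgrade: "websocket", Origin: "https://other-site.example" },
  sandboxedFrame: { Upgrade: "websocket", Origin: "null" },
  cliClient: { Upgrade: "websocket" },
  plainRequest: { Origin: "http://localhost:3000" },
};

// Returns { handshakeName: decision } for every constructed handshake.
function decisions() {
  return Object.fromEntries(
    Object.entries(HANDSHAKES).map(([name, hdrs]) => [name, checkUpgrade(hdrs)]));
}

console.log(decisions());
```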
Problem #3: Poisoned Plugins
OpenClaw has a skills repository. Community-made plugins that extend what it can do.
Cool idea. Terrible for security.
A researcher proved this by uploading a backdoored skill to the repository. He artificially boosted its download count to make it look popular. Within hours, dozens of developers had installed it.
His payload was harmless (just a proof of concept). But he made the point clear:
"Had I been malicious, those users would have had their SSH keys, AWS credentials, and entire codebases exfiltrated before they knew anything was wrong."
No vetting. No code signing. No protection.
Just a popularity contest where the winner gets to run code on your machine.
Problem #4: It Has Root Access
This isn't a bug. It's a feature.
For OpenClaw to "actually do things," it needs access. Shell access. File access. Network access. The works.
That's the whole point.
But it means when something goes wrong—a prompt injection, a compromised skill, an exposed dashboard—the attacker gets everything.
The official docs literally warn: "Never add OpenClaw to group chats. Every person in that chat can issue commands to your server."
Let that sink in.
Problem #5: Prompt Injection
Here's a real example from the community:
Someone sent an email to an account that OpenClaw was monitoring. The email had hidden instructions. OpenClaw read them, followed them, and deleted every email in the inbox including trash.
The bot was just doing what it was told. The problem? It couldn't tell the difference between a legitimate instruction and a malicious one hidden in an email.
And OpenClaw is always listening. Always processing. Always looking for things to do.
That's the feature that makes it useful. It's also the feature that makes it dangerous.
The Data Problem
Let's talk about what OpenClaw stores:
- Your conversations
- Your emails
- Your calendar
- Your files
- API keys for connected services
Where does it store this? In plaintext. On disk. In a folder anyone with access can read.
If malware lands on your machine, it now has a goldmine of credentials and personal data in one convenient location.
Hudson Rock (a cyber intel firm) warned that info-stealing malware is adapting to target OpenClaw's local storage specifically.
You're not just running an AI agent. You're creating a new attack surface.
So... What Do You Do?
You have three options.
Option 1: Don't run OpenClaw.
Safe. Boring. You miss out on genuinely useful automation.
Option 2: Self-host carefully.
This means:
- Never expose the dashboard to the internet
- Use Tailscale or a VPN for remote access
- Enable container/sandbox mode
- Configure egress allowlists
- Run `openclaw security audit` regularly
- Monitor your logs
- Stay updated
It's doable. It's also a lot of work. And if you mess up one thing, you're back to being vulnerable.
Option 3: Use Clawctl.
We built Clawctl specifically because we were tired of watching people get this wrong.
| What goes wrong | Self-hosted | Clawctl |
|---|---|---|
| Exposed dashboards | Your problem | Never exposed |
| Auth bypass bugs | You patch it | We patch it |
| Credential storage | Plaintext | Encrypted |
| Prompt injection | Full access | Sandboxed |
| Poisoned skills | You vet them | We vet them |
| Audit logs | DIY | Built-in |
| Kill switch | SSH in | One click |
$49/month. That's less than most people spend on coffee.
The Bottom Line
OpenClaw is powerful. Maybe too powerful for most people to deploy safely.
The risks aren't theoretical:
- Hundreds of exposed instances. Documented.
- One-click remote code execution. Patched, but it happened.
- Poisoned skill repositories. Proven.
- Prompt injection attacks. Confirmed.
Google's security expert Heather Adkins said it best: "My threat model is not your threat model, but it should be."
You can run OpenClaw safely. But you have to actually do the work.
Or you can let someone who's already done it handle the hard parts.