OpenClaw Scored 2 Out of 100 on Security. Here's What That Means for Your Data.

!OpenClaw security risks visualization

An AI agent that connects to your email, calendar, Slack, and file system. One that reads your messages, executes shell commands, and makes decisions on your behalf. Now imagine that agent scores 2 out of 100 on a security assessment.

That's OpenClaw.

The open-source personal AI agent crossed 180,000 GitHub stars in weeks. Two million people visited the repository in a single week. The excitement makes sense — OpenClaw turns a local AI model into something that actually does things. It manages emails. Updates calendars. Runs terminal commands. Connects to over 100 services through the Model Context Protocol.

The security picture tells a different story. In testing with Gemini 3 Pro, 84% of data extraction attempts succeeded. 91% of prompt injection attacks went through. System prompts, internal configurations, memory files — nearly everything was exposed.

These aren't theoretical risks. They're measured ones.

Three Doors Left Open

OpenClaw's security problems fall into three categories. Each one is bad on its own. Together, they compound into something worse.

The Skills Problem.

OpenClaw uses "skills" — markdown files that tell the agent how to perform specialized tasks. They look harmless. A few lines of instructions. Maybe a shell command or two. But a skill can include links, executable commands, and tool-call recipes. And the marketplace where users find these skills, ClawHub, has no signing, no auditing, and minimal review.

Snyk researchers scanned 3,984 skills from ClawHub. They found 341 malicious ones — 12% of the entire registry. A separate scan revealed 283 skills exposing API keys, passwords, and credit card numbers in plaintext. That's 7.1% of all published skills leaking credentials by design, not by accident.

The worst campaign, tracked as "ClawHavoc," ran for just three days in late January 2026. Attackers disguised malicious skills as cryptocurrency trackers, YouTube tools, and Google Workspace integrations. One skill called "clawhub" pretended to be an official CLI tool. It dropped reverse shells.

The Protocol Problem.

OpenClaw connects to external services through MCP — the Model Context Protocol. Early MCP specifications didn't require authentication. Developers followed boilerplate code that prioritized speed over safety. The result: a bridge between your AI agent and the outside world, built without guardrails.

mcp-remote, a popular package for bridging local clients to remote MCP servers, had a command injection flaw that let attackers execute arbitrary commands on host systems. gemini-mcp-tool had a similar vulnerability — actively exploited in the wild as of early February 2026. Another package, postmark-mcp, impersonated the legitimate Postmark email server and silently stole emails.

MCP tools can also mutate their own definitions after installation. What looks safe on day one can quietly reroute your API keys to an attacker by day seven.

The Exposure Problem.

Security researchers scanning the internet found over 30,000 exposed OpenClaw instances. Many leaked Anthropic API keys, Slack OAuth tokens, conversation histories, and signing secrets — all in plaintext. The default configuration doesn't enforce authentication on the admin interface.

Token Security reported that 22% of employees at its client companies were already running OpenClaw. Most IT teams had no idea. The agent became shadow IT overnight.

One Click, Full Compromise

In January 2026, researchers disclosed CVE-2026-25253, a vulnerability with a CVSS score of 8.

• The attack chain takes milliseconds.

OpenClaw's server doesn't validate the WebSocket origin header. It accepts requests from any website. The control interface trusts the gateway URL from query strings without validation and auto-connects on page load, sending the stored authentication token to whoever's listening.

An attacker crafts a malicious web page. A user clicks a link. The attacker captures the gateway token, connects to the victim's local OpenClaw instance, disables confirmation prompts, escapes the Docker sandbox, and executes commands directly on the host machine.

One click. Full remote code execution. The vulnerability was patched in version 2026.

1.29, but the architectural pattern — trust by default, verify never — runs throughout the codebase.

When Agents Socialize, Secrets Spill

Moltbook is a social network for AI agents. Not for people who use AI agents. For the agents themselves.

To join, an agent runs external shell scripts that rewrite its own configuration files. Agents post about their work, their users' habits, their errors. Context leakage isn't a bug in Moltbook. It's the admission fee.

Any prompt injection embedded in a Moltbook post cascades through MCP connections into whatever systems the agent touches — email, code repositories, cloud infrastructure, all of it. A single malicious post in an agent's feed can hijack its behavior across every connected service.

What Actually Helps

The security community has moved fast on mitigations. None of them are silver bullets. All of them reduce surface area.

Scope every token.

If your agent needs to read email, don't give it write access to your code repository. Least privilege isn't just a best practice — it's the only thing standing between a prompt injection and a full data breach.

Audit your skills.

Cisco's AI Threat team built scanning tools for OpenClaw skills. Use them. Better yet, write your own skills instead of downloading from ClawHub. A markdown file you wrote is safer than one a stranger published three days ago.

Lock down MCP servers.

Enforce authentication. Validate origins. Pin tool definitions so they can't mutate after installation. Microsoft published specific guidance on protecting against indirect prompt injection in MCP environments.

Scan your network.

Run Shodan queries for OpenClaw, Moltbot, and Clawdbot signatures against your IP ranges. If employees are experimenting — and statistically, they are — find those instances before attackers do.

Treat agents as infrastructure.

Itamar Golan of Prompt Security summed it up: least privilege, scoped tokens, allowlisted actions, strong authentication on every integration, and end-to-end auditability. This is how you'd run a production service. Your AI agent deserves the same standard.

The Real Problem

OpenClaw works. That's not debatable. The agent saves hours of tedious work every week. People adopt it because the value is real.

The security model, though, was designed for a world where software does what programmers tell it. AI agents don't work that way. They process untrusted input — emails, web pages, Moltbook posts — and make decisions. Every piece of data flowing through the agent is a potential instruction.

Traditional security tools miss the threat entirely. Web application firewalls classify agent traffic as normal HTTPS. EDR monitors process behavior, not semantic content. The gap between what agents can do and what security teams can observe is the real vulnerability.

OpenClaw didn't create this problem. It just made it impossible to ignore.