OpenClaw Security: What Enterprise Teams Must Do Before Deploying AI Agents

Your team just evaluated OpenClaw. Someone ran a demo, the autonomous agent connected to Slack, executed a shell command on request, and everyone in the room was impressed. Now the question lands on your desk: can we deploy this in production? The honest answer is: not yet — not without deliberate hardening. Here is what you need to know before that conversation goes any further.

What OpenClaw Actually Does — and Why That Shapes the Risk

OpenClaw is an open-source AI agent that runs locally and connects to messaging platforms — Slack, Teams, WhatsApp, Telegram, Signal — to take autonomous actions. It executes shell commands, controls browsers, manages email and calendar, and operates on a heartbeat scheduler that allows it to act without being prompted.

That combination — persistent execution, messaging channel access, and shell privileges — is powerful. It is also exactly the profile that makes security teams uncomfortable. Every capability the agent has is a capability an attacker wants to reach.

The project grew from zero to 201,000 GitHub stars and over two million visitors in a single week in early 2026. That kind of adoption velocity meant the security community had almost no time to audit the codebase before enterprises started piloting it.

Critical Vulnerabilities Already Being Exploited

Several critical vulnerabilities were discovered within weeks of the tool reaching mainstream awareness. These are not theoretical edge cases — exploitation is active and documented at scale.

  • CVE-2026-25253 (CVSS 8.8 — Critical): The Control UI reads a gateway URL directly from the query string and auto-connects, sending the stored authentication token in the process. A single crafted link — sent over email or embedded in a webpage — is enough to hand an attacker full access to the local gateway. From there they can modify configuration and invoke privileged actions. This is one-click remote code execution, with no user interaction beyond clicking a link. Patched in v2026.1.29.
  • CVE-2026-24763, CVE-2026-25157, CVE-2026-25475: Command injection and authentication token theft vulnerabilities across multiple components.
  • Exposure at scale: SecurityScorecard found over 135,000 OpenClaw instances exposed to the public internet across 82 countries. More than 15,000 were directly vulnerable to remote code execution at the time of the research.

These numbers are not projections. They are observed in the wild.

The Supply Chain Problem: Malicious Skills

OpenClaw's functionality is extended through skills — plugins available on marketplaces like ClawHub and SkillsMP. This is where the risk compounds significantly.

Researchers analyzed 10,700 skills on ClawHub and found over 820 were malicious. The ClawHavoc campaign in January 2026 distributed skills carrying Atomic Stealer payloads that harvested API keys and installed keyloggers silently on target machines.

For enterprise teams, this means the skills marketplace cannot be treated like a curated app store. Every skill is a potential supply chain entry point. There is no baseline vetting that protects you from installing a skill that looks legitimate.

Default Configuration Is a Security Failure

Out of the box, OpenClaw ships with settings that would fail any standard enterprise security review:

  • Authentication is disabled by default
  • The gateway is accessible from the internet by default
  • WebSocket connections are accepted without origin verification

These are not obscure settings buried in documentation. They are the defaults that every developer and pilot deployment starts with. If your team spun up a test instance without explicitly changing these, it was exposed from the moment it started running.

Prompt Injection: The Risk You Cannot Patch Away

Because OpenClaw processes instructions from messaging platforms, adversarially crafted messages can inject commands. An attacker who can get a message into a channel the agent monitors — or who can manipulate content the agent reads — can instruct it to exfiltrate data, delete files, or move laterally across internal networks.

This class of threat does not have a CVE number or a patch release. It is architectural. The agent trusts its input channels by design, and that trust must be managed through policy and configuration, not just software updates.

For organizations in regulated industries — healthcare, finance, legal — this has direct compliance implications. An AI agent processing messages that contain personally identifiable information, and that can be manipulated by external input, creates exposure under GDPR, HIPAA, and SOC 2 requirements.

The Enterprise Hardening Checklist

If your team is moving forward with OpenClaw — whether in a pilot or production context — these ten steps form the minimum viable security baseline. None of them are optional in an enterprise environment.

  1. Update to v2026.1.29 or later immediately. CVE-2026-25253 is remotely exploitable with no user interaction beyond clicking a link. This is the first action, not the last item on a list.
  2. Bind the gateway to loopback only. Set gateway.bind to 127.0.0.1. Route all external access through an authenticated reverse proxy with TLS. Block all inbound traffic except SSH via firewall.
  3. Enable token authentication. It is off by default. Enable it, then rotate all tokens immediately after updating.
  4. Run in Docker containers. Container isolation is the single most impactful security improvement available. If a malicious skill executes code, the blast radius stays inside the container rather than reaching the host or the internal network.
  5. Enable tool sandboxing. Set sandbox.mode: all to restrict what tools can access on the host filesystem and network.
  6. Vet every skill before installing. Review source code, check author history on ClawHub, run VirusTotal scans on downloaded archives. Prefer skills with signed commits and active maintainers. Treat any unvetted skill as an untrusted binary.
  7. Implement DM pairing policies and allowlists. Enable pairing on all channels. Use mention-gating in group chats. Treat all links, attachments, and pasted content in any channel as potentially hostile by default.
  8. Monitor gateway logs continuously. Alert on WebSocket connections from non-loopback addresses. Log all tool invocations. Treat anomalous connection patterns as incident indicators, not background noise.
  9. Apply least privilege at the OS level. Run the agent process with minimal permissions. Never run as root. Restrict shell access to only what the agent legitimately needs to function.
  10. Enable full-disk encryption. LUKS2 on Linux, FileVault on macOS. Stored tokens and configuration files are high-value targets at rest.
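An added example for step 8, not OpenClaw's own code: a small Python monitor that parses constructed gateway log lines, flags WebSocket connections whose peer is not a loopback address (including the IPv4-mapped ::ffff:127.0.0.1 form that a naive string compare against "127.0.0.1" would miss) and records every tool invocation as an audit event. The log line format and field names are assumptions, not OpenClaw's real format.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample gateway log lines; the format is assumed for this example.
SAMPLE_LOG = """\
2026-02-03T10:00:01Z ws connect peer=127.0.0.1:51234 origin=http://localhost:18789
2026-02-03T10:00:07Z ws connect peer=[::ffff:127.0.0.1]:51240 origin=http://localhost:18789
2026-02-03T10:01:12Z ws connect peer=203.0.113.45:40022 origin=http://unknown.example
2026-02-03T10:01:13Z tool invoke name=shell.exec args="uname -a"
2026-02-03T10:02:00Z ws connect peer=[::1]:51300 origin=http://localhost:18789
2026-02-03T10:03:30Z ws connect peer=10.0.0.9:33001 origin=http://localhost:18789
"""

WS_RE = re.compile(r"^(?P<ts>\S+) ws connect peer=(?P<peer>\S+) origin=(?P<origin>\S+)$")
TOOL_RE = re.compile(r'^(?P<ts>\S+) tool invoke name=(?P<name>\S+) args="(?P<args>.*)"$')


def peer_ip(peer: str) -> str:
    """Strip the port from 'host:port' or '[v6addr]:port'."""
    if peer.startswith("["):
        return peer[1:peer.index("]")]
    return peer.rsplit(":", 1)[0]


def is_loopback(ip_text: str) -> bool:
    """True for 127.0.0.0/8, ::1 and IPv4-mapped ::ffff:127.x.x.x."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # normalise mapped addresses before the loopback test
    return ip.is_loopback


@dataclass
class Event:
    ts: str
    kind: str    # "non-loopback-ws" is an alert, "tool-invoke" is an audit record
    detail: str


def scan_gateway_log(text: str) -> list[Event]:
    """Return alerts for non-loopback WebSocket peers and a record per tool call."""
    events: list[Event] = []
    for line in text.splitlines():
        if m := WS_RE.match(line):
            ip = peer_ip(m["peer"])
            if not is_loopback(ip):
                events.append(Event(m["ts"], "non-loopback-ws", f"{ip} origin={m['origin']}"))
        elif m := TOOL_RE.match(line):
            events.append(Event(m["ts"], "tool-invoke", f"{m['name']} {m['args']}"))
    return events
```

With gateway.bind set to 127.0.0.1 any non-loopback peer in these logs is either a reverse-proxy misconfiguration or an incident indicator, which is why the loopback test must tolerate every spelling of the loopback address.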

The Decision Your Security Team Needs to Make

OpenClaw is genuinely capable software. The adoption numbers reflect real utility — teams are solving real problems with it. The question for enterprise security and IT leaders is not whether the tool works, but whether it can be operated safely inside your environment and compliance boundary.

The answer is conditional. An instance hardened against the checklist above, running containerized, with skills reviewed and channels allowlisted, presents a manageable risk profile that can be argued for in a security review. The default installation cannot.

Treat OpenClaw the same way you treat any privileged service that touches production systems: isolate it, authenticate it, audit it, and monitor it continuously. The vulnerabilities are real, the exploitation is active, and the hardening steps are not complex — but they must be deliberate. The defaults are a liability. The hardened version is a tool. Only one of those belongs in your environment.
