[{"data":1,"prerenderedAt":2507},["ShallowReactive",2],{"blog-post-openclaw-gateway-guide":3,"related-posts-openclaw-gateway-guide":432},{"id":4,"title":5,"author":6,"body":10,"category":410,"date":411,"description":412,"extension":413,"featured":414,"image":415,"meta":416,"navigation":417,"path":418,"readingTime":419,"seo":420,"seoTitle":421,"stem":422,"tags":423,"updatedDate":411,"__hash__":431},"blog/blog/openclaw-gateway-guide.md","OpenClaw Gateway Explained: Setup, Security, and Common Mistakes",{"name":7,"role":8,"avatar":9},"Shabnam Katoch","Growth Head","/img/avatars/shabnam-profile.jpeg",{"type":11,"value":12,"toc":392},"minimark",[13,29,35,38,41,44,49,52,55,58,61,70,74,77,85,93,99,102,111,118,122,141,144,149,152,155,163,167,170,173,176,182,189,193,198,201,204,208,211,214,218,221,224,236,242,246,249,252,255,261,264,272,276,279,282,285,295,299,304,307,312,326,331,334,339,342,347,353,357],[14,15,16],"p",{},[17,18,19,20,24,25,28],"strong",{},"The OpenClaw gateway is the HTTP server that handles every connection to your agent. The single most important setting is the bind address: on a server, set it to ",[21,22,23],"code",{},"127.0.0.1"," (loopback) so only the local machine can reach it, and use SSH tunneling for remote access. The default ",[21,26,27],{},"0.0.0.0"," binding is what exposed 30,000+ OpenClaw instances to the public internet.",[14,30,31],{},[32,33,34],"em",{},"The gateway is how your agent talks to the world. If it's misconfigured, anyone on the internet can talk to your agent too. Here's what you need to know.",[14,36,37],{},"Thirty thousand OpenClaw instances were found exposed on the internet without authentication. Thirty thousand. Censys, Bitsight, and Hunt.io all independently confirmed the number. Every one of those instances had a misconfigured gateway.",[14,39,40],{},"The OpenClaw gateway is the single most important security setting in your entire setup, and it's the one most people never think about. 
If you get this wrong, anyone on the internet can send messages to your agent, read your conversations, and potentially access whatever your agent has access to (your files, your API keys, your connected platforms).",[14,42,43],{},"Here's what the gateway actually is, why the default configuration is dangerous on a server, and the one change that fixes it.",[45,46,48],"h2",{"id":47},"what-the-openclaw-gateway-actually-is","What the OpenClaw gateway actually is",[14,50,51],{},"Think of the OpenClaw gateway as the front door to your agent. It's the HTTP server that accepts incoming connections and routes them to the agent. When you open the OpenClaw web interface in your browser, you're connecting through the gateway. When Telegram delivers a message to your agent, it arrives through the gateway. When a cron job fires, the gateway processes it.",[14,53,54],{},"Every interaction with your agent flows through the gateway. It handles authentication (or doesn't, depending on your configuration), manages WebSocket connections for real-time chat, processes incoming messages from connected platforms, and serves the web-based TUI interface.",[14,56,57],{},"On your local machine, this is straightforward. The gateway runs on your computer. Only you can access it. The front door is inside your house.",[14,59,60],{},"On a VPS or remote server, the situation changes entirely. The gateway runs on a server connected to the public internet. If the front door is open and facing the street, anyone can walk in.",[14,62,63,64,69],{},"For the ",[65,66,68],"a",{"href":67},"/blog/openclaw-security-risks","complete OpenClaw security checklist",", our security guide covers the gateway alongside nine other security measures.",[45,71,73],{"id":72},"the-127001-vs-0000-problem-this-is-the-dangerous-part","The 127.0.0.1 vs 0.0.0.0 problem (this is the dangerous part)",[14,75,76],{},"This is where most people get it wrong. 
Stay with me here because this single setting is responsible for the majority of exposed OpenClaw instances.",[14,78,79,84],{},[17,80,81,83],{},[21,82,23],{}," (loopback)"," means the gateway only accepts connections from the same machine it's running on. If someone on the internet tries to connect, they can't. The door only opens from inside the house. This is what you want on a server.",[14,86,87,92],{},[17,88,89,91],{},[21,90,27],{}," (all interfaces)"," means the gateway accepts connections from anywhere. Your machine, your local network, and the entire internet. The door is open to the street. This is the default for some OpenClaw configurations, and it's the default that GitHub Issue #5263 flagged (closed by a maintainer as \"not planned\" to change).",[14,94,95,96,98],{},"Here's the problem: if your gateway binds to ",[21,97,27],{}," on a VPS without a firewall blocking the gateway port, your agent is publicly accessible. No password. No authentication. Anyone who finds your IP address and port can interact with your agent, read your conversation history, and potentially trigger actions through your connected platforms.",[14,100,101],{},"The CVE-2026-25253 vulnerability (CVSS 8.8, one-click remote code execution) was especially dangerous for instances with exposed gateways. An attacker could exploit the WebSocket vulnerability to execute arbitrary code on the host machine. The vulnerability was patched, but instances with publicly exposed gateways were the easiest targets.",[14,103,104,105,107,108,110],{},"If your OpenClaw gateway binds to ",[21,106,27],{}," on a server, your agent is public. Change it to ",[21,109,23],{},". 
This is the single most important security setting in your configuration.",[14,112,113],{},[114,115],"img",{"alt":116,"src":117},"OpenClaw gateway loopback vs all-interfaces binding diagram showing 127.0.0.1 keeping the agent private and 0.0.0.0 exposing it to the internet","/img/blog/openclaw-gateway-guide-bind-address.jpg",[45,119,121],{"id":120},"the-one-change-you-must-make-before-exposing-your-gateway","The one change you must make before exposing your gateway",[14,123,124,125,128,129,132,133,136,137,140],{},"Set the gateway bind address to loopback in your OpenClaw config. In your ",[21,126,127],{},"openclaw.json"," (or equivalent config file), the gateway section should have its ",[21,130,131],{},"bind"," setting set to ",[21,134,135],{},"\"loopback\""," or the bind address set to ",[21,138,139],{},"\"127.0.0.1\"",".",[14,142,143],{},"This single change means the gateway only listens for connections from the local machine. External traffic can't reach it directly. Your agent is invisible to the internet.",[14,145,146],{},[17,147,148],{},"But wait, how do I access my agent remotely if it only listens locally?",[14,150,151],{},"SSH tunneling. You create an encrypted tunnel from your personal machine to the server. The tunnel forwards the gateway port from the remote server to your local machine. You open your browser, connect to localhost on the forwarded port, and the traffic travels through the encrypted SSH connection to the server.",[14,153,154],{},"This gives you remote access to the gateway without exposing it to the internet. Only someone with SSH credentials can create the tunnel. Everyone else sees nothing.",[14,156,157,158,162],{},"On ",[65,159,161],{"href":160},"/","BetterClaw, gateway binding is handled and locked down by default",". This isn't something you configure or can accidentally misconfigure. The gateway is never publicly exposed. $29/month per agent, BYOK. 
The security configuration is part of the platform.",[45,164,166],{"id":165},"how-to-set-up-secure-remote-access","How to set up secure remote access",[14,168,169],{},"The SSH tunnel approach is the standard way to access a loopback-bound gateway remotely.",[14,171,172],{},"From your personal machine, open a terminal and create an SSH connection to your server with port forwarding. You specify which local port on your machine should map to which port on the remote server. The gateway's default port (varies by configuration, commonly 3000 or 4000) gets forwarded to a local port on your machine.",[14,174,175],{},"Once the tunnel is open, you access the OpenClaw web interface by opening your browser and going to localhost on the forwarded port. The traffic travels through the encrypted SSH tunnel to the server, reaches the loopback-bound gateway, and works exactly as if you were sitting at the server.",[14,177,178,181],{},[17,179,180],{},"Why not just open the port publicly and add a password?"," Because OpenClaw's built-in authentication is minimal. The gateway wasn't designed as a public-facing web service. It was designed as a local interface. Adding a reverse proxy with authentication (nginx with HTTP basic auth, for example) is possible but adds complexity. SSH tunneling gives you encrypted, authenticated access with zero additional software.",[14,183,63,184,188],{},[65,185,187],{"href":186},"/blog/openclaw-vps-setup","complete VPS setup walkthrough"," including firewall configuration and SSH hardening, our self-hosting guide covers the full server security stack.",[45,190,192],{"id":191},"common-gateway-errors-and-what-they-mean","Common gateway errors and what they mean",[194,195,197],"h3",{"id":196},"connection-refused","Connection refused",[14,199,200],{},"You're trying to connect to the gateway and getting \"connection refused.\"",[14,202,203],{},"This means nothing is listening on the port you're trying to reach. 
Either the gateway isn't running (start it), you're using the wrong port (check your config), or the gateway is bound to loopback and you're trying to connect from outside the machine without an SSH tunnel (set up the tunnel).",[194,205,207],{"id":206},"gateway-already-in-use-eaddrinuse","Gateway already in use (EADDRINUSE)",[14,209,210],{},"The port the gateway wants to use is already occupied by another process.",[14,212,213],{},"Something else is running on that port. Check what's using it and either stop that process or change the gateway port in your OpenClaw config. Common culprits: a previous OpenClaw instance that didn't shut down cleanly, another Node.js application, or a system service.",[194,215,217],{"id":216},"timeout-on-remote-connection","Timeout on remote connection",[14,219,220],{},"You can reach the server but the gateway connection times out.",[14,222,223],{},"This usually means a firewall is blocking the port. If you're using SSH tunneling (as you should be), the firewall should block the gateway port from external access. The tunnel bypasses the firewall through the SSH connection. 
If you're getting timeouts through an SSH tunnel, the gateway isn't running or is bound to a different port than the one you're forwarding.",[14,225,226,227,231,232,235],{},"For the broader ",[65,228,230],{"href":229},"/blog/openclaw-not-working","OpenClaw troubleshooting guide covering all first-hour errors",", our ",[65,233,234],{"href":229},"error guide"," covers the six most common problems new users hit.",[14,237,238],{},[114,239],{"alt":240,"src":241},"OpenClaw gateway error decision flow showing connection refused, EADDRINUSE, and timeout fixes","/img/blog/openclaw-gateway-guide-errors.jpg",[45,243,245],{"id":244},"how-to-know-if-your-gateway-is-exposed-right-now","How to know if your gateway is exposed right now",[14,247,248],{},"If you're running OpenClaw on a server and you're not sure whether your gateway is exposed, check immediately.",[14,250,251],{},"From a different machine (not the server), try to access your server's IP address on the gateway port through a web browser. If you see the OpenClaw web interface or get any response other than a timeout or connection refused, your gateway is publicly exposed.",[14,253,254],{},"If you get a connection timeout or connection refused, the gateway is either not exposed or a firewall is blocking external access. Both are acceptable states.",[14,256,257,260],{},[17,258,259],{},"If your gateway is exposed:"," change the bind setting to loopback immediately. Restart the gateway. Verify the external access no longer works. Then rotate all API keys stored in your configuration, because if the gateway was exposed, someone may have already accessed your setup.",[14,262,263],{},"Check your OpenClaw logs for unfamiliar conversations or requests. 
If you see messages you didn't send, someone else was using your agent.",[14,265,266,267,271],{},"The ",[65,268,270],{"href":269},"/compare/openclaw","managed vs self-hosted comparison"," covers how different deployment approaches handle gateway security, including which platforms prevent exposure by default.",[45,273,275],{"id":274},"the-honest-takeaway","The honest takeaway",[14,277,278],{},"The OpenClaw gateway is simple in concept (it's the HTTP server your agent uses to communicate) and dangerous in default configuration (it can expose your agent to the entire internet with one wrong setting).",[14,280,281],{},"Bind to loopback. Use SSH tunnels. Block the port in your firewall. These three actions take 10 minutes and prevent the exact exposure that affected 30,000+ instances.",[14,283,284],{},"The OpenClaw maintainer Shadow warned that \"if you can't understand how to run a command line, this is far too dangerous of a project for you to use safely.\" The gateway is the specific thing he's talking about. It's the difference between a private assistant and a public service that anyone can abuse.",[14,286,287,288,294],{},"If gateway security, firewall configuration, and SSH tunnel management aren't things you want to handle, ",[65,289,293],{"href":290,"rel":291},"https://app.betterclaw.io/sign-in",[292],"nofollow","give BetterClaw a try",". $29/month per agent, BYOK with 28+ providers. Gateway security is locked down by default. AES-256 encrypted credentials. Docker-sandboxed execution. The infrastructure security is handled so you focus on what your agent does, not on whether someone else is using it.",[45,296,298],{"id":297},"frequently-asked-questions","Frequently Asked Questions",[14,300,301],{},[17,302,303],{},"What is the OpenClaw gateway?",[14,305,306],{},"The OpenClaw gateway is the HTTP server component that handles all communication between your agent and the outside world. 
It processes incoming messages from connected platforms (Telegram, WhatsApp, Slack), serves the web-based chat interface, manages WebSocket connections, and routes requests to the agent. Every interaction with your OpenClaw agent flows through the gateway.",[14,308,309],{},[17,310,311],{},"What's the difference between 127.0.0.1 and 0.0.0.0 in OpenClaw gateway settings?",[14,313,314,316,317,319,320,322,323,325],{},[21,315,23],{}," (loopback) means the gateway only accepts connections from the local machine. ",[21,318,27],{}," (all interfaces) means it accepts connections from anywhere, including the public internet. On a server, binding to ",[21,321,27],{}," without a firewall makes your agent publicly accessible to anyone who finds your IP. Always bind to ",[21,324,23],{}," on servers and use SSH tunnels for remote access.",[14,327,328],{},[17,329,330],{},"How do I securely access my OpenClaw gateway remotely?",[14,332,333],{},"Use SSH tunneling. Create an SSH connection from your personal machine to the server with port forwarding. This forwards the gateway's local port through the encrypted SSH connection to your machine. You access the gateway through localhost on your personal machine, and the traffic travels securely through the tunnel. This gives you remote access without exposing the gateway to the internet.",[14,335,336],{},[17,337,338],{},"How do I check if my OpenClaw gateway is exposed?",[14,340,341],{},"From a different machine (not the server), try to access your server's IP address and gateway port in a web browser. If you see the OpenClaw interface or get any response other than a timeout, your gateway is publicly accessible. Fix immediately: change the bind setting to loopback, restart the gateway, and rotate all API keys. 
30,000+ OpenClaw instances were found exposed this way.",[14,343,344],{},[17,345,346],{},"Is the default OpenClaw gateway configuration secure?",[14,348,349,350,352],{},"On a local machine (your laptop or desktop), the default is generally safe because the machine isn't directly exposed to the internet. On a server or VPS, the default bind to ",[21,351,27],{}," is dangerous. GitHub Issue #5263 requested changing this default, but it was closed as \"not planned.\" You must manually change the bind to loopback on any server deployment. Managed platforms like BetterClaw handle this automatically.",[45,354,356],{"id":355},"related-reading","Related Reading",[358,359,360,368,374,380,386],"ul",{},[361,362,363,367],"li",{},[65,364,366],{"href":365},"/blog/openclaw-security-checklist","OpenClaw Security Checklist"," — Nine more security measures alongside gateway binding",[361,369,370,373],{},[65,371,372],{"href":67},"OpenClaw Security Risks Explained"," — Why 30,000+ instances were exposed and what attackers do with them",[361,375,376,379],{},[65,377,378],{"href":186},"OpenClaw VPS Setup: The Real Cost of $8/Month Hosting"," — Full server security stack including firewall and SSH hardening",[361,381,382,385],{},[65,383,384],{"href":229},"OpenClaw Not Working: Every Fix in One Guide"," — Connection errors and other first-hour issues",[361,387,388,391],{},[65,389,390],{"href":269},"BetterClaw vs Self-Hosted OpenClaw"," — How managed deployment handles gateway security 
automatically",{"title":393,"searchDepth":394,"depth":394,"links":395},"",2,[396,397,398,399,400,406,407,408,409],{"id":47,"depth":394,"text":48},{"id":72,"depth":394,"text":73},{"id":120,"depth":394,"text":121},{"id":165,"depth":394,"text":166},{"id":191,"depth":394,"text":192,"children":401},[402,404,405],{"id":196,"depth":403,"text":197},3,{"id":206,"depth":403,"text":207},{"id":216,"depth":403,"text":217},{"id":244,"depth":394,"text":245},{"id":274,"depth":394,"text":275},{"id":297,"depth":394,"text":298},{"id":355,"depth":394,"text":356},"Security","2026-04-08","30,000+ OpenClaw instances were found exposed because of one gateway setting. Here's what the gateway does and how to secure it properly.","md",false,"/img/blog/openclaw-gateway-guide.jpg",{},true,"/blog/openclaw-gateway-guide","11 min read",{"title":5,"description":412},"OpenClaw Gateway: Setup, Security, Common Mistakes","blog/openclaw-gateway-guide",[424,425,426,427,428,429,430],"OpenClaw gateway","OpenClaw gateway security","OpenClaw gateway setup","OpenClaw 127.0.0.1","OpenClaw 0.0.0.0","OpenClaw gateway exposed","OpenClaw remote access","K_bOzwW0f0YQkEJO4Q4Z2_H4syBNwerAut8LQ_OEi8E",[433,972,1873],{"id":434,"title":435,"author":436,"body":437,"category":410,"date":953,"description":954,"extension":413,"featured":414,"image":955,"meta":956,"navigation":417,"path":957,"readingTime":958,"seo":959,"seoTitle":960,"stem":961,"tags":962,"updatedDate":953,"__hash__":971},"blog/blog/clawhub-skills-directory.md","ClawHub Skills Directory - The Complete 2026 Guide to Finding, Vetting, and Using OpenClaw 
Skills",{"name":7,"role":8,"avatar":9},{"type":11,"value":438,"toc":926},[439,444,447,450,457,460,464,467,470,473,479,485,492,496,499,503,506,512,516,519,525,529,532,538,542,545,551,557,561,564,568,571,574,580,584,587,593,597,600,606,612,624,628,631,637,643,649,655,661,667,670,674,677,681,687,693,699,703,709,715,721,727,734,738,741,745,748,752,755,758,766,772,776,779,785,791,797,808,814,820,824,827,833,839,845,851,857,863,867,870,873,876,884,886,891,894,899,902,907,910,915,918,923],[14,440,441],{},[17,442,443],{},"13,700+ skills. 824 were malicious. Here's how to navigate the marketplace without becoming a statistic.",[14,445,446],{},"I found the perfect Notion integration skill on ClawHub last month. Clean description. Recent updates. 3,200+ downloads. I installed it, connected my workspace, and watched my OpenClaw agent sync tasks from Telegram directly into Notion boards.",[14,448,449],{},"Two days later, I noticed API requests on my Anthropic dashboard that I hadn't made. Someone was using my key. The skill had been reading my config file and sending credentials to an external server while functioning exactly as advertised.",[14,451,452,453,456],{},"That skill was part of the ClawHavoc campaign. ",[17,454,455],{},"824 malicious skills discovered on ClawHub, roughly 20% of the entire registry."," One compromised package had 14,285 downloads before it was pulled. ClawHub responded by purging 2,419 suspicious packages and partnering with VirusTotal for automated scanning.",[14,458,459],{},"This guide covers everything you need to know about the ClawHub skills directory in 2026: what's available, what's dangerous, how to find good skills, and how to protect yourself from bad ones.",[45,461,463],{"id":462},"what-clawhub-actually-is-and-isnt","What ClawHub actually is (and isn't)",[14,465,466],{},"ClawHub is the official skill registry for OpenClaw. 
Think of it like npm for Node.js packages or PyPI for Python libraries, except the packages add capabilities to your AI agent instead of your codebase.",[14,468,469],{},"Skills are what turn OpenClaw from a chatbot into an agent. Without skills, your agent can only have conversations. With skills, it can search the web, manage your calendar, read and write files, automate browser tasks, send emails, interact with APIs, and execute shell commands.",[14,471,472],{},"As of March 2026, ClawHub hosts over 13,700 skills. A separate community-curated registry (awesome-openclaw-skills on GitHub) tracks another 5,400+ skills that have been independently reviewed. The ecosystem is massive and growing fast, driven by OpenClaw's 1.27 million weekly npm downloads.",[14,474,475,478],{},[17,476,477],{},"What ClawHub is:"," An open registry where anyone can publish a skill package. Think app store with minimal review.",[14,480,481,484],{},[17,482,483],{},"What ClawHub isn't:"," A curated, security-reviewed marketplace. Until the VirusTotal partnership, there was effectively no automated security scanning. Publishers could upload anything. And 20% of them uploaded something malicious.",[14,486,487,488,491],{},"For the full timeline of ",[65,489,490],{"href":67},"documented OpenClaw security incidents"," including the ClawHavoc campaign, CrowdStrike advisory, and Cisco's data exfiltration discovery, our security guide covers each event.",[45,493,495],{"id":494},"the-clawhub-skills-categories-worth-knowing","The ClawHub skills categories worth knowing",[14,497,498],{},"The directory organizes skills into categories, though the boundaries are loose and many skills span multiple categories. Here's what's available and what's genuinely useful.",[194,500,502],{"id":501},"communication-skills","Communication skills",[14,504,505],{},"These connect your agent to external messaging and communication tools. 
Email reading and drafting (Gmail, Outlook), calendar management (Google Calendar, CalDAV), messaging integrations beyond the platforms OpenClaw already supports natively, and notification routing.",[14,507,508,511],{},[17,509,510],{},"The risk level is high."," Communication skills need access to your email, calendar, or messaging accounts. A compromised email skill can read every message in your inbox and forward copies to an external server. The Meta researcher Summer Yue incident is the cautionary tale here: her agent mass-deleted emails while ignoring stop commands. Even legitimate email skills need strict permission boundaries.",[194,513,515],{"id":514},"search-and-research-skills","Search and research skills",[14,517,518],{},"Web search (Brave API, Google Custom Search, Tavily), academic paper search, news aggregation, and data retrieval from specific sources. These are among the most commonly installed skills because they give your agent access to real-time information.",[14,520,521,524],{},[17,522,523],{},"The risk level is moderate."," Search skills make outbound API calls to retrieve information. The main concern is whether they're sending your query data (which might contain sensitive context from your conversations) to unexpected destinations alongside the legitimate search requests.",[194,526,528],{"id":527},"productivity-skills","Productivity skills",[14,530,531],{},"File management, note-taking integrations (Notion, Obsidian), project management connections (Linear, Asana, Jira), and document processing. These skills let your agent interact with your work tools.",[14,533,534,537],{},[17,535,536],{},"The risk level is moderate to high."," Productivity skills typically need OAuth tokens or API keys for external services. 
A compromised productivity skill has access to whatever tools it connects to.",[194,539,541],{"id":540},"developer-tools","Developer tools",[14,543,544],{},"Code execution, Git operations, CI/CD integrations, database queries, and API testing. These are popular among developers who use OpenClaw as a coding assistant.",[14,546,547,550],{},[17,548,549],{},"The risk level is very high."," Developer tool skills often have shell access or can execute arbitrary code. A malicious developer skill with shell access can do anything on your machine. Cisco's discovery of a skill performing data exfiltration was in this category.",[14,552,553],{},[114,554],{"alt":555,"src":556},"ClawHub skills categories organized by risk level","/img/blog/clawhub-skills-directory-categories.jpg",[45,558,560],{"id":559},"how-to-find-good-skills-on-clawhub","How to find good skills on ClawHub",[14,562,563],{},"The ClawHub interface shows skill name, description, publisher, download count, last update date, and version history. Here's how to use that information to filter for quality.",[194,565,567],{"id":566},"publisher-reputation-matters-most","Publisher reputation matters most",[14,569,570],{},"The OpenClaw core team maintains a set of official skills. These are the safest options because they're maintained by the same developers who build the framework. Look for the official organization badge.",[14,572,573],{},"After official skills, established community developers with multiple published packages, active GitHub profiles, and real identities are the next safest tier. A publisher who has maintained three skills for six months with regular updates is very different from an account created last week with one package.",[14,575,576,579],{},[17,577,578],{},"Red flags on publishers:"," Account created recently with only one skill. Username that mimics official accounts (like \"opencIaw\" with a capital I instead of lowercase L). No GitHub profile linked. 
Generic or AI-generated skill descriptions.",[194,581,583],{"id":582},"download-count-needs-context","Download count needs context",[14,585,586],{},"High download count alone doesn't mean safe. The most-downloaded malicious skill in the ClawHavoc campaign had 14,285 downloads before removal. Download count tells you popularity, not quality.",[14,588,589,592],{},[17,590,591],{},"What matters more:"," the ratio of downloads to the skill's age. A skill published last week with 5,000 downloads either went viral organically (rare) or had its count artificially boosted (more common). A skill published six months ago with 5,000 downloads grew naturally through genuine adoption.",[194,594,596],{"id":595},"last-update-date-signals-maintenance","Last update date signals maintenance",[14,598,599],{},"Skills that haven't been updated in more than three months are concerning. OpenClaw releases multiple updates per week. Skills that don't keep up with the framework eventually break or develop compatibility issues.",[14,601,602,605],{},[17,603,604],{},"The sweet spot:"," skills updated within the last 30-60 days with a consistent version history showing incremental improvements rather than a single large dump of code.",[14,607,608],{},[114,609],{"alt":610,"src":611},"How to evaluate ClawHub skill listings","/img/blog/clawhub-skills-directory-evaluation.jpg",[14,613,614,615,619,620,623],{},"For our curated list of ",[65,616,618],{"href":617},"/blog/best-openclaw-skills","the best community-vetted OpenClaw skills"," that have passed security review, our ",[65,621,622],{"href":617},"skills guide"," ranks options by reliability, safety, and usefulness.",[45,625,627],{"id":626},"the-5-step-vetting-process-before-you-install-anything","The 5-step vetting process before you install anything",[14,629,630],{},"Finding a skill on ClawHub is step one. 
Vetting it before installation is what separates safe users from compromised ones.",[14,632,633,636],{},[17,634,635],{},"Step 1: Check the publisher."," Verify their identity, account age, and other published packages. Official skills from the core team are safest.",[14,638,639,642],{},[17,640,641],{},"Step 2: Read the source code."," Every ClawHub skill is JavaScript or TypeScript. You're looking for network calls to unexpected domains, file reads outside the skill's workspace (especially reads of your config file where API keys live), obfuscated or minified code (legitimate skills are readable), and environment variable access beyond what's needed.",[14,644,645,648],{},[17,646,647],{},"Step 3: Search community reports."," Check GitHub issues and the OpenClaw Discord for the skill name. If others have reported problems, you'll find them.",[14,650,651,654],{},[17,652,653],{},"Step 4: Test in a sandboxed workspace."," Never install a new skill directly into your production agent. Create a test workspace, install the skill there, run it for 24-48 hours, and monitor your API usage dashboards for unexpected activity.",[14,656,657,660],{},[17,658,659],{},"Step 5: Set limits."," After installation, configure iteration limits and context token caps to contain the blast radius if a skill misbehaves.",[14,662,663],{},[114,664],{"alt":665,"src":666},"5-step skill vetting process","/img/blog/clawhub-skills-directory-vetting.jpg",[14,668,669],{},"The vetting process takes 5-10 minutes per skill plus a 24-hour monitoring window. That's 5-10 minutes compared to hours of damage control if something goes wrong. The math is obvious.",[45,671,673],{"id":672},"what-changed-after-clawhavoc","What changed after ClawHavoc",[14,675,676],{},"The ClawHavoc campaign was a wake-up call for the entire ecosystem. 
Here's what ClawHub has done since, and what's still missing.",[194,678,680],{"id":679},"what-improved","What improved",[14,682,683,686],{},[17,684,685],{},"VirusTotal partnership."," ClawHub now runs automated security scans on all new skill submissions. Known malware signatures and suspicious patterns trigger review before publication. This catches known attack patterns but not novel ones.",[14,688,689,692],{},[17,690,691],{},"Mass purge."," 2,419 suspicious packages were removed from the registry. This cleaned up the worst offenders but happened after the damage was done. The most-downloaded malicious package had already been installed by thousands of users.",[14,694,695,698],{},[17,696,697],{},"Publisher verification."," ClawHub introduced optional publisher verification. Verified publishers have confirmed identities. The problem: verification is optional, and most publishers haven't bothered.",[194,700,702],{"id":701},"whats-still-missing","What's still missing",[14,704,705,708],{},[17,706,707],{},"Mandatory code review."," There's no human review of skill code before publication. VirusTotal catches known malware patterns, but sophisticated exfiltration techniques (like the Cisco-discovered skill that looked perfectly legitimate) can slip through automated detection.",[14,710,711,714],{},[17,712,713],{},"Permission scoping."," Skills currently have access to whatever OpenClaw has access to. There's no granular permission system where a calendar skill can only access calendar APIs, not your file system. This means every skill is either trusted with everything or not installed at all.",[14,716,717,720],{},[17,718,719],{},"Dependency auditing."," Skills can include npm dependencies. Those dependencies can include their own dependencies. 
The supply chain attack surface extends well beyond the skill code itself.",[14,722,723],{},[114,724],{"alt":725,"src":726},"ClawHub security improvements timeline","/img/blog/clawhub-skills-directory-security.jpg",[14,728,729,730,733],{},"If managing skill security, vetting, and permission boundaries sounds like more work than you want, ",[65,731,732],{"href":160},"BetterClaw's curated skill marketplace"," audits every skill before publication. Docker-sandboxed execution means even a compromised skill can't access your host system or credentials. $29/month per agent, BYOK. Zero unvetted code running on your infrastructure.",[45,735,737],{"id":736},"the-alternative-registries-worth-knowing","The alternative registries worth knowing",[14,739,740],{},"ClawHub isn't the only place to find OpenClaw skills. Two alternatives are worth mentioning.",[194,742,744],{"id":743},"awesome-openclaw-skills-github","awesome-openclaw-skills (GitHub)",[14,746,747],{},"A community-curated list tracking 5,400+ skills with basic quality annotations. It's not a registry (you still install skills from ClawHub or GitHub). It's a curation layer that filters the noise. The maintainers remove skills that are reported as malicious or abandoned. It's not a security guarantee, but it's a better starting point than browsing ClawHub's unfiltered listing.",[194,749,751],{"id":750},"direct-github-installation","Direct GitHub installation",[14,753,754],{},"You can install skills directly from GitHub repositories without going through ClawHub at all. Clone the repo, review the code, and copy it into your OpenClaw skills directory. This bypasses ClawHub entirely and gives you complete visibility into what you're installing.",[14,756,757],{},"The trade-off: no auto-updates. When the skill author pushes a new version, you need to manually pull the changes. 
ClawHub-installed skills update automatically, which is both convenient and risky (an update could introduce new malicious code that wasn't in the version you vetted).",[14,759,760,761,765],{},"For guidance on ",[65,762,764],{"href":763},"/blog/openclaw-setup-guide-complete","the full OpenClaw installation and skill configuration process",", our setup guide covers where skills fit into the deployment sequence.",[14,767,768],{},[114,769],{"alt":770,"src":771},"Alternative OpenClaw skill registries comparison","/img/blog/clawhub-skills-directory-alternatives.jpg",[45,773,775],{"id":774},"the-skills-most-people-should-start-with","The skills most people should start with",[14,777,778],{},"After reviewing the ecosystem extensively, here are the skill categories that provide the most value with the least risk for new OpenClaw users.",[14,780,781,784],{},[17,782,783],{},"Web search."," The official web search skill or Brave Search API integration. Essential for any agent that needs to look up information. Maintained by the core team. Low risk because it only makes outbound search queries.",[14,786,787,790],{},[17,788,789],{},"File operations."," OpenClaw's built-in file read/write capabilities handle most basic file tasks without requiring an external skill. Start with the native tools before adding third-party file management skills.",[14,792,793,796],{},[17,794,795],{},"Calendar."," Google Calendar or CalDAV integrations from verified publishers with established track records. These need OAuth access to your calendar, so choose carefully. Only install from publishers with real identities.",[14,798,799,802,803,807],{},[17,800,801],{},"Custom internal skills."," If you need your agent to interact with a proprietary API (your Shopify store, your CRM, your internal tools), building a custom skill is safer than finding a generic one on ClawHub. You control every line of code. 
For ecommerce-specific agent configurations, our ",[65,804,806],{"href":805},"/blog/openclaw-agents-for-ecommerce","ecommerce guide"," covers the most common integrations.",[14,809,810,813],{},[17,811,812],{},"Email (with extreme caution)."," Email skills are the highest-risk category. Start with read-only access. Only enable send with explicit confirmation requirements. Never give an agent unsupervised email send permissions. The Summer Yue incident is the permanent reminder of why.",[14,815,816],{},[114,817],{"alt":818,"src":819},"Recommended starter skills for OpenClaw","/img/blog/clawhub-skills-directory-starter.jpg",[45,821,823],{"id":822},"what-to-do-if-youve-already-installed-unvetted-skills","What to do if you've already installed unvetted skills",[14,825,826],{},"If you've been installing ClawHub skills without vetting them (most people have in the beginning), here's the damage control sequence.",[14,828,829,832],{},[17,830,831],{},"First: rotate all API keys immediately."," Every key in your OpenClaw config. Anthropic, OpenAI, Telegram bot tokens, OAuth credentials. All of them. If any skill has exfiltrated your keys, rotating them invalidates the stolen copies.",[14,834,835,838],{},[17,836,837],{},"Second: review your API usage dashboards."," Check the last 30 days for requests you didn't make. Unusual patterns (requests at odd hours, high-volume calls you don't recognize) indicate compromise.",[14,840,841,844],{},[17,842,843],{},"Third: audit every installed skill."," List everything your agent currently has installed. For each skill, run through the 5-step vetting process. Remove anything that doesn't pass.",[14,846,847,850],{},[17,848,849],{},"Fourth: set up monitoring going forward."," Check API usage weekly. Review logs after installing any new skill. 
Set spending caps on all provider accounts.",[14,852,853],{},[114,854],{"alt":855,"src":856},"Damage control steps for unvetted skills","/img/blog/clawhub-skills-directory-damage-control.jpg",[14,858,266,859,862],{},[65,860,861],{"href":67},"managed vs self-hosted security comparison"," covers how platforms like BetterClaw handle skill security versus what you're responsible for when self-hosting.",[45,864,866],{"id":865},"the-bigger-picture-where-the-clawhub-ecosystem-is-heading","The bigger picture: where the ClawHub ecosystem is heading",[14,868,869],{},"The skills ecosystem is at an inflection point. The ClawHavoc campaign forced the community to take supply chain security seriously. VirusTotal scanning and the publisher verification system are steps in the right direction. But the fundamental challenge remains: an open registry with minimal review will always have a security tail risk.",[14,871,872],{},"The likely evolution is a tiered system. A \"verified\" tier with mandatory code review and publisher identity verification. An \"unverified\" tier with automated scanning only. And eventually, permission scoping that limits what each skill can access regardless of trust level.",[14,874,875],{},"Until that happens, the responsibility is on you. Every skill you install is executable code running with your agent's permissions and access to your API keys. Treat ClawHub like you'd treat any package registry: with appreciation for the ecosystem and suspicion toward anything you haven't personally reviewed.",[14,877,878,879,883],{},"If you want a deployment where skills are security-audited before they reach your agent, where Docker sandboxing prevents compromised code from accessing your host system, and where you don't carry the vetting burden yourself, ",[65,880,882],{"href":290,"rel":881},[292],"give BetterClaw a try",". $29/month per agent, BYOK. Every skill in our marketplace is reviewed. 
Sandboxed execution means even a problematic skill can't reach beyond its container. You build workflows. We handle the security.",[45,885,298],{"id":297},[14,887,888],{},[17,889,890],{},"What is ClawHub?",[14,892,893],{},"ClawHub is the official skill registry for OpenClaw, hosting over 13,700 installable skill packages as of March 2026. Skills add capabilities to your OpenClaw agent: web search, calendar management, email, file operations, browser automation, and API integrations. ClawHub functions like npm or PyPI but for AI agent capabilities. Anyone can publish skills, and since the ClawHavoc cleanup, all submissions go through VirusTotal automated scanning.",[14,895,896],{},[17,897,898],{},"How does ClawHub compare to awesome-openclaw-skills?",[14,900,901],{},"ClawHub is the official registry with the largest collection (13,700+ skills) and auto-update support, but it's an open marketplace with minimal human review. awesome-openclaw-skills is a community-curated GitHub list tracking 5,400+ skills with basic quality filtering and maintainer oversight. Neither is a security guarantee. ClawHub has more skills and convenience. awesome-openclaw-skills has better curation. Use both as discovery tools, but always vet skills yourself before installation.",[14,903,904],{},[17,905,906],{},"How do I install skills from ClawHub safely?",[14,908,909],{},"Follow a 5-step process: check the publisher's identity and account history, read the source code for suspicious network calls and file access patterns, search community reports on GitHub and Discord, test in a sandboxed workspace for 24-48 hours while monitoring API usage, and set iteration limits and context caps after installation. The active vetting takes 5-10 minutes per skill plus a 24-hour monitoring window.",[14,911,912],{},[17,913,914],{},"How much do ClawHub skills cost to use?",[14,916,917],{},"Skills themselves are free to install from ClawHub. 
The cost comes from the API tokens they consume when your agent uses them. A web search skill adds roughly 1,000-3,000 tokens per search call. Browser automation can use 500-2,000 tokens per step. On Claude Sonnet ($3/$15 per million tokens), typical skill usage adds $5-20/month to your API bill depending on frequency. Set iteration limits to prevent runaway costs from skills that loop.",[14,919,920],{},[17,921,922],{},"Are ClawHub skills secure enough for business use?",[14,924,925],{},"Not without vetting. The ClawHavoc campaign found 824 malicious skills (roughly 20% of the registry). ClawHub has since purged 2,419 suspicious packages and added VirusTotal scanning, but automated detection doesn't catch everything. Cisco independently found a legitimate-looking skill performing data exfiltration. For business use, either vet every skill manually using the 5-step process, use a managed platform with a curated skill marketplace (like BetterClaw), or build custom skills for sensitive integrations.",{"title":393,"searchDepth":394,"depth":394,"links":927},[928,929,935,940,941,945,949,950,951,952],{"id":462,"depth":394,"text":463},{"id":494,"depth":394,"text":495,"children":930},[931,932,933,934],{"id":501,"depth":403,"text":502},{"id":514,"depth":403,"text":515},{"id":527,"depth":403,"text":528},{"id":540,"depth":403,"text":541},{"id":559,"depth":394,"text":560,"children":936},[937,938,939],{"id":566,"depth":403,"text":567},{"id":582,"depth":403,"text":583},{"id":595,"depth":403,"text":596},{"id":626,"depth":394,"text":627},{"id":672,"depth":394,"text":673,"children":942},[943,944],{"id":679,"depth":403,"text":680},{"id":701,"depth":403,"text":702},{"id":736,"depth":394,"text":737,"children":946},[947,948],{"id":743,"depth":403,"text":744},{"id":750,"depth":403,"text":751},{"id":774,"depth":394,"text":775},{"id":822,"depth":394,"text":823},{"id":865,"depth":394,"text":866},{"id":297,"depth":394,"text":298},"2026-03-25","13,700+ OpenClaw skills on ClawHub. 
824 were malicious. Here's how to find, vet, and safely install skills without exposing your API keys.","/img/blog/clawhub-skills-directory.jpg",{},"/blog/clawhub-skills-directory","16 min read",{"title":435,"description":954},"ClawHub Skills Directory: Complete 2026 Guide","blog/clawhub-skills-directory",[963,964,965,966,967,968,969,970],"ClawHub skills","OpenClaw skills directory","ClawHub guide","OpenClaw skills marketplace","safe OpenClaw skills","ClawHub security","ClawHavoc","OpenClaw skill vetting","eYe9rNhfWKDi2Ce0JP9DFpMNFvf08qyPreEcDpUe8YM",{"id":973,"title":974,"author":975,"body":976,"category":410,"date":1852,"description":1853,"extension":413,"featured":414,"image":1854,"meta":1855,"navigation":417,"path":365,"readingTime":1856,"seo":1857,"seoTitle":1858,"stem":1859,"tags":1860,"updatedDate":1852,"__hash__":1872},"blog/blog/openclaw-security-checklist.md","OpenClaw Security Checklist: 10 Things Most Users Skip (And Attackers Don't)",{"name":7,"role":8,"avatar":9},{"type":11,"value":977,"toc":1832},[978,983,986,993,1002,1005,1011,1014,1018,1021,1028,1031,1058,1064,1109,1112,1140,1143,1149,1153,1156,1159,1184,1203,1206,1212,1216,1222,1248,1251,1254,1260,1270,1274,1277,1343,1346,1356,1362,1365,1369,1372,1375,1378,1409,1418,1424,1428,1431,1449,1452,1455,1461,1474,1478,1481,1484,1495,1498,1504,1514,1518,1521,1524,1572,1575,1581,1584,1588,1595,1640,1660,1663,1669,1678,1682,1685,1688,1691,1694,1723,1726,1732,1736,1742,1745,1748,1751,1758,1765,1767,1771,1774,1778,1800,1804,1814,1818,1821,1825,1828],[14,979,980],{},[32,981,982],{},"30,000 exposed instances. 824 malicious skills. One critical RCE. Here's the hardening guide nobody follows.",[14,984,985],{},"The Shodan alert hit my inbox at 6:14 AM. Someone had indexed my OpenClaw gateway. Port 18789, wide open, broadcasting to the entire internet.",[14,987,988,989,992],{},"My API keys were sitting in ",[21,990,991],{},"~/.openclaw/openclaw.json"," in plaintext. My Anthropic key. My OpenAI key. 
My Telegram bot token. Everything.",[14,994,995,996,998,999,1001],{},"I'd left the gateway bound to ",[21,997,27],{}," instead of ",[21,1000,23],{},". One character difference. The difference between \"only I can access this\" and \"anyone on the internet can access this.\"",[14,1003,1004],{},"I got lucky. I caught it in hours. Others weren't so lucky.",[14,1006,1007,1008,1010],{},"Censys, Bitsight, and Hunt.io found over 30,000 internet-exposed OpenClaw instances running without authentication. An infostealer campaign in February 2026 specifically targeted the ",[21,1009,991],{}," config file on cloud VPS installations, exfiltrating every API key it found. Compromised keys were used to rack up thousands of dollars in fraudulent charges.",[14,1012,1013],{},"This is the OpenClaw security checklist I wish someone had given me before I exposed my entire agent stack to the public internet. Ten items. Most users skip all of them.",[45,1015,1017],{"id":1016},"_1-bind-your-gateway-to-localhost-not-0000","1. Bind your gateway to localhost (not 0.0.0.0)",[14,1019,1020],{},"This is the single most important OpenClaw security fix and the one most people get wrong.",[14,1022,1023,1024,1027],{},"By default, some setup guides configure the gateway to listen on ",[21,1025,1026],{},"0.0.0.0:18789",", which means it accepts connections from any network interface. 
If your server has a public IP, that means the entire internet can reach your gateway.",[14,1029,1030],{},"The fix takes 30 seconds:",[1032,1033,1037],"pre",{"className":1034,"code":1035,"language":1036,"meta":393,"style":393},"language-bash shiki shiki-themes github-light","openclaw configure\n# Select \"Local (this machine)\"\n","bash",[21,1038,1039,1052],{"__ignoreMap":393},[1040,1041,1044,1048],"span",{"class":1042,"line":1043},"line",1,[1040,1045,1047],{"class":1046},"s7eDp","openclaw",[1040,1049,1051],{"class":1050},"sYBdl"," configure\n",[1040,1053,1054],{"class":1042,"line":394},[1040,1055,1057],{"class":1056},"sAwPA","# Select \"Local (this machine)\"\n",[14,1059,1060,1061,1063],{},"Or manually in ",[21,1062,991],{},":",[1032,1065,1069],{"className":1066,"code":1067,"language":1068,"meta":393,"style":393},"language-json shiki shiki-themes github-light","{\n  \"gateway\": {\n    \"bind\": \"loopback\"\n  }\n}\n","json",[21,1070,1071,1077,1086,1097,1103],{"__ignoreMap":393},[1040,1072,1073],{"class":1042,"line":1043},[1040,1074,1076],{"class":1075},"sgsFI","{\n",[1040,1078,1079,1083],{"class":1042,"line":394},[1040,1080,1082],{"class":1081},"sYu0t","  \"gateway\"",[1040,1084,1085],{"class":1075},": {\n",[1040,1087,1088,1091,1094],{"class":1042,"line":403},[1040,1089,1090],{"class":1081},"    \"bind\"",[1040,1092,1093],{"class":1075},": ",[1040,1095,1096],{"class":1050},"\"loopback\"\n",[1040,1098,1100],{"class":1042,"line":1099},4,[1040,1101,1102],{"class":1075},"  }\n",[1040,1104,1106],{"class":1042,"line":1105},5,[1040,1107,1108],{"class":1075},"}\n",[14,1110,1111],{},"Verify it worked:",[1032,1113,1115],{"className":1034,"code":1114,"language":1036,"meta":393,"style":393},"ss -tlnp | grep 18789\n# Should show 127.0.0.1:18789, NOT 0.0.0.0:18789\n",[21,1116,1117,1135],{"__ignoreMap":393},[1040,1118,1119,1122,1125,1129,1132],{"class":1042,"line":1043},[1040,1120,1121],{"class":1046},"ss",[1040,1123,1124],{"class":1081}," 
-tlnp",[1040,1126,1128],{"class":1127},"sD7c4"," |",[1040,1130,1131],{"class":1046}," grep",[1040,1133,1134],{"class":1081}," 18789\n",[1040,1136,1137],{"class":1042,"line":394},[1040,1138,1139],{"class":1056},"# Should show 127.0.0.1:18789, NOT 0.0.0.0:18789\n",[14,1141,1142],{},"If you need remote access, use Tailscale Serve or an SSH tunnel. Never expose the gateway port directly.",[14,1144,1145],{},[114,1146],{"alt":1147,"src":1148},"Bind OpenClaw gateway to localhost","/img/blog/openclaw-security-checklist-localhost.jpg",[45,1150,1152],{"id":1151},"_2-disable-ssh-password-authentication","2. Disable SSH password authentication",[14,1154,1155],{},"If you're running OpenClaw on a VPS (and you should be, instead of your personal machine), SSH is how you access it. Password-based SSH authentication is the first thing attackers brute-force.",[14,1157,1158],{},"The February 2026 infostealer campaign exploited exactly this: weak SSH passwords on VPS instances running OpenClaw. Once inside, reading the config file was trivial.",[1032,1160,1162],{"className":1034,"code":1161,"language":1036,"meta":393,"style":393},"# In /etc/ssh/sshd_config:\nPasswordAuthentication no\nChallengeResponseAuthentication no\n",[21,1163,1164,1169,1177],{"__ignoreMap":393},[1040,1165,1166],{"class":1042,"line":1043},[1040,1167,1168],{"class":1056},"# In /etc/ssh/sshd_config:\n",[1040,1170,1171,1174],{"class":1042,"line":394},[1040,1172,1173],{"class":1046},"PasswordAuthentication",[1040,1175,1176],{"class":1050}," no\n",[1040,1178,1179,1182],{"class":1042,"line":403},[1040,1180,1181],{"class":1046},"ChallengeResponseAuthentication",[1040,1183,1176],{"class":1050},[1032,1185,1187],{"className":1034,"code":1186,"language":1036,"meta":393,"style":393},"sudo systemctl restart sshd\n",[21,1188,1189],{"__ignoreMap":393},[1040,1190,1191,1194,1197,1200],{"class":1042,"line":1043},[1040,1192,1193],{"class":1046},"sudo",[1040,1195,1196],{"class":1050}," systemctl",[1040,1198,1199],{"class":1050}," 
restart",[1040,1201,1202],{"class":1050}," sshd\n",[14,1204,1205],{},"Use SSH key authentication exclusively. If you lose your key, you can recover through your VPS provider's console. If an attacker guesses your password, you lose everything.",[14,1207,1208],{},[114,1209],{"alt":1210,"src":1211},"Disable SSH password authentication","/img/blog/openclaw-security-checklist-ssh.jpg",[45,1213,1215],{"id":1214},"_3-set-file-permissions-on-the-openclaw-config-directory","3. Set file permissions on the OpenClaw config directory",[14,1217,1218,1219,1221],{},"Your ",[21,1220,991],{}," file contains API keys in plaintext. Every key your agent uses: Anthropic, OpenAI, Telegram bot tokens, OAuth credentials. All of it, readable by anyone with access to the file.",[1032,1223,1225],{"className":1034,"code":1224,"language":1036,"meta":393,"style":393},"chmod 700 ~/.openclaw\nchmod 600 ~/.openclaw/openclaw.json\n",[21,1226,1227,1238],{"__ignoreMap":393},[1040,1228,1229,1232,1235],{"class":1042,"line":1043},[1040,1230,1231],{"class":1046},"chmod",[1040,1233,1234],{"class":1081}," 700",[1040,1236,1237],{"class":1050}," ~/.openclaw\n",[1040,1239,1240,1242,1245],{"class":1042,"line":394},[1040,1241,1231],{"class":1046},[1040,1243,1244],{"class":1081}," 600",[1040,1246,1247],{"class":1050}," ~/.openclaw/openclaw.json\n",[14,1249,1250],{},"This restricts access to your user account only. No other system users can read your config. It's not encryption (we'll get to that), but it's the minimum baseline.",[14,1252,1253],{},"Microsoft's security blog explicitly recommends treating OpenClaw installations as containing sensitive credentials that require dedicated access controls. 
Their guidance: run OpenClaw only in fully isolated environments with dedicated, non-privileged credentials.",[14,1255,1256],{},[114,1257],{"alt":1258,"src":1259},"Set file permissions on OpenClaw config","/img/blog/openclaw-security-checklist-permissions.jpg",[1261,1262,1263],"blockquote",{},[14,1264,1265,1266,1269],{},"For a deeper look at every documented security incident in the OpenClaw ecosystem, our comprehensive guide to ",[65,1267,1268],{"href":67},"OpenClaw security risks"," covers the CrowdStrike advisory, Cisco findings, and the full ClawHavoc analysis.",[45,1271,1273],{"id":1272},"_4-configure-ufw-and-actually-enable-it","4. Configure UFW (and actually enable it)",[14,1275,1276],{},"A firewall that's installed but not enabled is decoration. Surprisingly common on VPS setups where people install UFW during initial provisioning and never turn it on.",[1032,1278,1280],{"className":1034,"code":1279,"language":1036,"meta":393,"style":393},"sudo ufw default deny incoming\nsudo ufw default allow outgoing\nsudo ufw allow 22/tcp\nsudo ufw limit 22/tcp\nsudo ufw enable\n",[21,1281,1282,1298,1312,1323,1334],{"__ignoreMap":393},[1040,1283,1284,1286,1289,1292,1295],{"class":1042,"line":1043},[1040,1285,1193],{"class":1046},[1040,1287,1288],{"class":1050}," ufw",[1040,1290,1291],{"class":1050}," default",[1040,1293,1294],{"class":1050}," deny",[1040,1296,1297],{"class":1050}," incoming\n",[1040,1299,1300,1302,1304,1306,1309],{"class":1042,"line":394},[1040,1301,1193],{"class":1046},[1040,1303,1288],{"class":1050},[1040,1305,1291],{"class":1050},[1040,1307,1308],{"class":1050}," allow",[1040,1310,1311],{"class":1050}," outgoing\n",[1040,1313,1314,1316,1318,1320],{"class":1042,"line":403},[1040,1315,1193],{"class":1046},[1040,1317,1288],{"class":1050},[1040,1319,1308],{"class":1050},[1040,1321,1322],{"class":1050}," 
22/tcp\n",[1040,1324,1325,1327,1329,1332],{"class":1042,"line":1099},[1040,1326,1193],{"class":1046},[1040,1328,1288],{"class":1050},[1040,1330,1331],{"class":1050}," limit",[1040,1333,1322],{"class":1050},[1040,1335,1336,1338,1340],{"class":1042,"line":1105},[1040,1337,1193],{"class":1046},[1040,1339,1288],{"class":1050},[1040,1341,1342],{"class":1050}," enable\n",[14,1344,1345],{},"That's it. Deny all incoming except SSH (with rate limiting to slow brute-force attempts). OpenClaw's gateway should be on localhost, so it doesn't need an open port.",[14,1347,1348,1349,1352,1353,140],{},"If you're running other services (web server, etc.), open only the ports you need: ",[21,1350,1351],{},"sudo ufw allow 80/tcp"," and ",[21,1354,1355],{},"sudo ufw allow 443/tcp",[14,1357,1358],{},[114,1359],{"alt":1360,"src":1361},"Configure UFW firewall","/img/blog/openclaw-security-checklist-ufw.jpg",[14,1363,1364],{},"A VPS with no firewall, password SSH, and OpenClaw bound to 0.0.0.0 is not a server. It's a donation box for your API keys.",[45,1366,1368],{"id":1367},"_5-vet-every-clawhub-skill-before-installing","5. Vet every ClawHub skill before installing",[14,1370,1371],{},"The ClawHavoc campaign found 824+ malicious skills on ClawHub. That's roughly 20% of the entire skills registry. One in five skills was compromised.",[14,1373,1374],{},"Cisco independently found a third-party skill performing data exfiltration without user awareness. The skill looked legitimate, functioned as advertised, and quietly sent data to an external server in the background.",[14,1376,1377],{},"Before installing any skill:",[358,1379,1380,1386,1392,1398,1403],{},[361,1381,1382,1385],{},[17,1383,1384],{},"Read the source code."," Every skill is JavaScript or TypeScript. 
If you can't read it, don't install it.",[361,1387,1388,1391],{},[17,1389,1390],{},"Check the publisher's profile"," and other contributions.",[361,1393,1394,1397],{},[17,1395,1396],{},"Search for the skill name"," in OpenClaw's GitHub issues for reports.",[361,1399,1400],{},[17,1401,1402],{},"Start with skills maintained by the OpenClaw core team.",[361,1404,1405,1408],{},[17,1406,1407],{},"Avoid skills with low download counts"," and no community verification.",[1261,1410,1411],{},[14,1412,1413,1414,1417],{},"For guidance on which skills are actually worth installing (and have been community-vetted), our guide to the ",[65,1415,1416],{"href":617},"best OpenClaw skills"," ranks options by reliability and safety.",[14,1419,1420],{},[114,1421],{"alt":1422,"src":1423},"Vet ClawHub skills before installing","/img/blog/openclaw-security-checklist-skills.jpg",[45,1425,1427],{"id":1426},"_6-run-the-built-in-security-audit","6. Run the built-in security audit",[14,1429,1430],{},"OpenClaw includes a security scanning tool that most users never run.",[1032,1432,1434],{"className":1034,"code":1433,"language":1036,"meta":393,"style":393},"openclaw security audit --deep\n",[21,1435,1436],{"__ignoreMap":393},[1040,1437,1438,1440,1443,1446],{"class":1042,"line":1043},[1040,1439,1047],{"class":1046},[1040,1441,1442],{"class":1050}," security",[1040,1444,1445],{"class":1050}," audit",[1040,1447,1448],{"class":1081}," --deep\n",[14,1450,1451],{},"This checks your configuration for common vulnerabilities: exposed ports, weak authentication, overly permissive file access, and known CVE exposure. It won't catch everything, but it catches the obvious stuff.",[14,1453,1454],{},"Run it after initial setup. Run it again after any config change. Run it after every OpenClaw update. The project had three CVEs disclosed in a single week in early 2026, including CVE-2026-25253 (one-click RCE, CVSS 8.8). 
Patches exist, but only if you apply them.",[14,1456,1457],{},[114,1458],{"alt":1459,"src":1460},"Run OpenClaw security audit","/img/blog/openclaw-security-checklist-audit.jpg",[1261,1462,1463],{},[14,1464,1465,1468,1469],{},[17,1466,1467],{},"Watch: OpenClaw Security Hardening and Safe Setup Guide","\nIf you want to see the security audit and hardening process in action, this community walkthrough covers gateway binding, firewall configuration, credential management, and the specific config changes that prevent the most common attack vectors. ",[65,1470,1473],{"href":1471,"rel":1472},"https://www.youtube.com/results?search_query=openclaw+security+hardening+safe+setup+2026",[292],"Watch on YouTube",[45,1475,1477],{"id":1476},"_7-use-tailscale-instead-of-exposing-ports","7. Use Tailscale instead of exposing ports",[14,1479,1480],{},"Here's the OpenClaw security approach that eliminates an entire category of risk: don't expose any ports to the public internet at all.",[14,1482,1483],{},"Tailscale creates a private mesh network between your devices. Your VPS, your laptop, your phone: they all connect through encrypted tunnels without opening any public ports.",[358,1485,1486,1489,1492],{},[361,1487,1488],{},"Install Tailscale on your VPS and your access devices.",[361,1490,1491],{},"Access the OpenClaw dashboard through the Tailscale IP.",[361,1493,1494],{},"No port forwarding. No firewall holes. No public exposure.",[14,1496,1497],{},"The Hetzner + Tailscale setup documented on Medium (the \"$2.50 secure VPS\" guide) is the gold standard for self-hosted OpenClaw security. Zero exposed ports. 
Zero public attack surface.",[14,1499,1500],{},[114,1501],{"alt":1502,"src":1503},"Use Tailscale for OpenClaw access","/img/blog/openclaw-security-checklist-tailscale.jpg",[1261,1505,1506],{},[14,1507,1508,1509,1513],{},"If you don't want to manage Tailscale, VPS security, or any of this infrastructure yourself, ",[65,1510,1512],{"href":290,"rel":1511},[292],"BetterClaw"," handles security natively with Docker-sandboxed execution, AES-256 credential encryption, and zero exposed ports. $29/month per agent, BYOK. No security checklist needed because the checklist is built into the platform.",[45,1515,1517],{"id":1516},"_8-set-maxiterations-and-maxcontexttokens-on-every-skill","8. Set maxIterations and maxContextTokens on every skill",[14,1519,1520],{},"This isn't just a cost control measure. It's a security control.",[14,1522,1523],{},"A prompt injection attack can cause your agent to enter an infinite loop, executing commands repeatedly. Without iteration limits, a single malicious prompt can trigger hundreds of tool calls, each one potentially executing shell commands on your system.",[1032,1525,1527],{"className":1066,"code":1526,"language":1068,"meta":393,"style":393},"{\n  \"maxIterations\": 15,\n  \"maxContextTokens\": 4000,\n  \"maxSteps\": 50\n}\n",[21,1528,1529,1533,1546,1558,1568],{"__ignoreMap":393},[1040,1530,1531],{"class":1042,"line":1043},[1040,1532,1076],{"class":1075},[1040,1534,1535,1538,1540,1543],{"class":1042,"line":394},[1040,1536,1537],{"class":1081},"  \"maxIterations\"",[1040,1539,1093],{"class":1075},[1040,1541,1542],{"class":1081},"15",[1040,1544,1545],{"class":1075},",\n",[1040,1547,1548,1551,1553,1556],{"class":1042,"line":403},[1040,1549,1550],{"class":1081},"  \"maxContextTokens\"",[1040,1552,1093],{"class":1075},[1040,1554,1555],{"class":1081},"4000",[1040,1557,1545],{"class":1075},[1040,1559,1560,1563,1565],{"class":1042,"line":1099},[1040,1561,1562],{"class":1081},"  
\"maxSteps\"",[1040,1564,1093],{"class":1075},[1040,1566,1567],{"class":1081},"50\n",[1040,1569,1570],{"class":1042,"line":1105},[1040,1571,1108],{"class":1075},[14,1573,1574],{},"Set these on every skill. They cap how many actions your agent can take per request. A failed task costs you nothing. A runaway injection loop costs you control of your server.",[14,1576,1577],{},[114,1578],{"alt":1579,"src":1580},"Set maxIterations on OpenClaw skills","/img/blog/openclaw-security-checklist-limits.jpg",[14,1582,1583],{},"CrowdStrike's advisory specifically flagged unbounded agent execution as one of the top enterprise risks. Prompt injection is an inherent architectural risk when your agent processes untrusted content like emails and web pages. Limits don't eliminate the risk. They contain the blast radius.",[45,1585,1587],{"id":1586},"_9-run-openclaw-in-docker-with-security-flags","9. Run OpenClaw in Docker with security flags",[14,1589,1590,1591,1594],{},"If you're self-hosting, Docker isolation is non-negotiable. But standard ",[21,1592,1593],{},"docker run"," isn't enough. 
You need restrictive security flags:",[1032,1596,1598],{"className":1034,"code":1597,"language":1036,"meta":393,"style":393},"docker run -d \\\n  --read-only \\\n  --cap-drop=ALL \\\n  --security-opt=no-new-privileges \\\n  openclaw\n",[21,1599,1600,1614,1621,1628,1635],{"__ignoreMap":393},[1040,1601,1602,1605,1608,1611],{"class":1042,"line":1043},[1040,1603,1604],{"class":1046},"docker",[1040,1606,1607],{"class":1050}," run",[1040,1609,1610],{"class":1081}," -d",[1040,1612,1613],{"class":1081}," \\\n",[1040,1615,1616,1619],{"class":1042,"line":394},[1040,1617,1618],{"class":1081},"  --read-only",[1040,1620,1613],{"class":1081},[1040,1622,1623,1626],{"class":1042,"line":403},[1040,1624,1625],{"class":1081},"  --cap-drop=ALL",[1040,1627,1613],{"class":1081},[1040,1629,1630,1633],{"class":1042,"line":1099},[1040,1631,1632],{"class":1081},"  --security-opt=no-new-privileges",[1040,1634,1613],{"class":1081},[1040,1636,1637],{"class":1042,"line":1105},[1040,1638,1639],{"class":1050},"  openclaw\n",[358,1641,1642,1648,1654],{},[361,1643,1644,1647],{},[21,1645,1646],{},"--read-only"," prevents the container from writing to the filesystem (except mounted volumes).",[361,1649,1650,1653],{},[21,1651,1652],{},"--cap-drop=ALL"," removes all Linux capabilities.",[361,1655,1656,1659],{},[21,1657,1658],{},"--security-opt=no-new-privileges"," prevents privilege escalation inside the container.",[14,1661,1662],{},"Contabo's OpenClaw security guide walks through the full Docker hardening process. The key principle: your agent should have the minimum permissions needed to function. 
Nothing more.",[14,1664,1665],{},[114,1666],{"alt":1667,"src":1668},"Run OpenClaw in Docker with security flags","/img/blog/openclaw-security-checklist-docker.jpg",[1261,1670,1671],{},[14,1672,1673,1674,140],{},"For understanding how OpenClaw works at the architecture level and why Docker isolation matters for the gateway model, our ",[65,1675,1677],{"href":1676},"/blog/how-does-openclaw-work","explainer covers the execution flow",[45,1679,1681],{"id":1680},"_10-keep-openclaw-updated-seriously","10. Keep OpenClaw updated (seriously)",[14,1683,1684],{},"This sounds obvious. It isn't happening.",[14,1686,1687],{},"CVE-2026-25253 allowed one-click remote code execution with a CVSS score of 8.8. It was patched in v2026.1.29. Researchers found that self-hosted instances without monitoring stayed vulnerable for weeks because operators didn't know about the patch.",[14,1689,1690],{},"The project had three CVEs disclosed in a single week. Each patch requires downloading, testing, and deploying. If you skip one, you're running a known-vulnerable agent with access to your email, calendar, and API keys.",[14,1692,1693],{},"The Oasis Security team found a separate vulnerability (ClawJacked) where any website could hijack an OpenClaw instance via localhost WebSocket. The fix required updating to v2026.2.25 or later.",[1032,1695,1697],{"className":1034,"code":1696,"language":1036,"meta":393,"style":393},"npm update -g @openclaw/cli\nopenclaw gateway restart\n",[21,1698,1699,1713],{"__ignoreMap":393},[1040,1700,1701,1704,1707,1710],{"class":1042,"line":1043},[1040,1702,1703],{"class":1046},"npm",[1040,1705,1706],{"class":1050}," update",[1040,1708,1709],{"class":1081}," -g",[1040,1711,1712],{"class":1050}," @openclaw/cli\n",[1040,1714,1715,1717,1720],{"class":1042,"line":394},[1040,1716,1047],{"class":1046},[1040,1718,1719],{"class":1050}," gateway",[1040,1721,1722],{"class":1050}," restart\n",[14,1724,1725],{},"Run this weekly. Or set up a cron job. 
Or use a managed platform that handles updates automatically.",[14,1727,1728],{},[114,1729],{"alt":1730,"src":1731},"Keep OpenClaw updated","/img/blog/openclaw-security-checklist-updates.jpg",[45,1733,1735],{"id":1734},"the-uncomfortable-truth-about-self-hosted-openclaw-security","The uncomfortable truth about self-hosted OpenClaw security",[14,1737,1738,1739],{},"OpenClaw's own maintainer, Shadow, put it bluntly: ",[32,1740,1741],{},"\"If you can't understand how to run a command line, this is far too dangerous of a project for you to use safely.\"",[14,1743,1744],{},"That's not gatekeeping. It's an honest assessment from someone who understands what this software does. It has admin-level access to your messaging apps, email, calendar, files, and shell. A single misconfiguration exposes all of it.",[14,1746,1747],{},"Microsoft's security blog recommends against running OpenClaw on standard workstations. Meta banned it internally after a researcher's agent mass-deleted her emails. Elon Musk's tweet about \"people giving root access to their entire life\" hit 48K+ engagements.",[14,1749,1750],{},"The security responsibility for a self-hosted OpenClaw instance is real. 10 checklist items, each requiring technical knowledge and ongoing attention. Miss one and you're part of the 30,000+ exposed instances that researchers keep finding.",[14,1752,1753,1754,1757],{},"Some people have the skills and discipline to maintain this. They should self-host. For everyone else, the ",[65,1755,1756],{"href":269},"managed vs. self-hosted comparison"," is worth reviewing honestly.",[14,1759,1760,1761,1764],{},"If this checklist felt like more than you want to manage, if you'd rather spend your time building agent workflows than hardening servers, ",[65,1762,293],{"href":1763},"/pricing",". 
It's $29/month per agent, BYOK, every item on this checklist is handled automatically (Docker sandboxing, AES-256 encryption, gateway security, auto-updates, anomaly detection), and your first agent deploys in 60 seconds. We built it because we got tired of maintaining this checklist ourselves.",[45,1766,298],{"id":297},[194,1768,1770],{"id":1769},"what-are-the-biggest-openclaw-security-risks","What are the biggest OpenClaw security risks?",[14,1772,1773],{},"The three biggest risks are: exposed gateway ports (30,000+ instances found without authentication), malicious ClawHub skills (824+ compromised skills, ~20% of the registry), and plaintext API key storage in the config file (targeted by an infostealer campaign in February 2026). CVE-2026-25253 also allowed one-click remote code execution until patched. CrowdStrike, Cisco, and Microsoft have all published advisories on OpenClaw security.",[194,1775,1777],{"id":1776},"how-do-i-fix-the-openclaw-gateway-exposed-on-0000","How do I fix the OpenClaw gateway exposed on 0.0.0.0?",[14,1779,1780,1781,1784,1785,1788,1789,1791,1792,1795,1796,1799],{},"Run ",[21,1782,1783],{},"openclaw configure"," and select \"Local (this machine)\" to bind the gateway to localhost only. Or manually set ",[21,1786,1787],{},"\"bind\": \"loopback\""," in the gateway section of your ",[21,1790,991],{},". Verify with ",[21,1793,1794],{},"ss -tlnp | grep 18789",", which should show ",[21,1797,1798],{},"127.0.0.1:18789",". For remote access, use Tailscale or SSH tunnels instead of exposing the port publicly.",[194,1801,1803],{"id":1802},"how-do-i-secure-my-openclaw-api-keys-from-theft","How do I secure my OpenClaw API keys from theft?",[14,1805,1806,1807,1352,1810,1813],{},"Set file permissions on your config directory: ",[21,1808,1809],{},"chmod 700 ~/.openclaw",[21,1811,1812],{},"chmod 600 ~/.openclaw/openclaw.json",". Disable SSH password authentication and use key-based auth only. Configure a firewall (UFW) to deny all incoming except SSH. 
For production deployments, use environment variables instead of hardcoding keys in the config file. Better Claw encrypts all credentials with AES-256 automatically.",[194,1815,1817],{"id":1816},"is-self-hosted-openclaw-safe-enough-for-business-use","Is self-hosted OpenClaw safe enough for business use?",[14,1819,1820],{},"It can be, but it requires significant security effort. You need Docker isolation with restrictive flags, firewall configuration, SSH hardening, regular patching (three CVEs in one week in early 2026), skill vetting, and ongoing monitoring. Microsoft recommends running OpenClaw only in fully isolated environments. For business use without a dedicated security team, managed platforms handle these requirements automatically.",[194,1822,1824],{"id":1823},"how-does-better-claw-handle-openclaw-security","How does Better Claw handle OpenClaw security?",[14,1826,1827],{},"Better Claw addresses every item on this checklist automatically: Docker-sandboxed execution (isolated containers per agent), AES-256 encryption for all credentials, zero exposed ports, automatic security updates, vetted skill marketplace, real-time anomaly detection with auto-pause, and workspace scoping with granular permission controls. 
$29/month per agent, BYOK.",[1829,1830,1831],"style",{},"html pre.shiki code .s7eDp, html code.shiki .s7eDp{--shiki-default:#6F42C1}html pre.shiki code .sYBdl, html code.shiki .sYBdl{--shiki-default:#032F62}html pre.shiki code .sAwPA, html code.shiki .sAwPA{--shiki-default:#6A737D}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html pre.shiki code .sgsFI, html code.shiki .sgsFI{--shiki-default:#24292E}html pre.shiki code .sYu0t, html code.shiki .sYu0t{--shiki-default:#005CC5}html pre.shiki code .sD7c4, html code.shiki .sD7c4{--shiki-default:#D73A49}",{"title":393,"searchDepth":394,"depth":394,"links":1833},[1834,1835,1836,1837,1838,1839,1840,1841,1842,1843,1844,1845],{"id":1016,"depth":394,"text":1017},{"id":1151,"depth":394,"text":1152},{"id":1214,"depth":394,"text":1215},{"id":1272,"depth":394,"text":1273},{"id":1367,"depth":394,"text":1368},{"id":1426,"depth":394,"text":1427},{"id":1476,"depth":394,"text":1477},{"id":1516,"depth":394,"text":1517},{"id":1586,"depth":394,"text":1587},{"id":1680,"depth":394,"text":1681},{"id":1734,"depth":394,"text":1735},{"id":297,"depth":394,"text":298,"children":1846},[1847,1848,1849,1850,1851],{"id":1769,"depth":403,"text":1770},{"id":1776,"depth":403,"text":1777},{"id":1802,"depth":403,"text":1803},{"id":1816,"depth":403,"text":1817},{"id":1823,"depth":403,"text":1824},"2026-03-12","Your OpenClaw gateway is probably exposed. 30,000+ instances found on Shodan. 
10 exact commands to lock down ports, encrypt keys, and block the attacks that hit in Feb 2026.","/img/blog/openclaw-security-checklist.jpg",{},"14 min read",{"title":974,"description":1853},"OpenClaw Security Checklist 2026: Harden Your Setup in 10 Steps","blog/openclaw-security-checklist",[1861,1862,429,1863,1864,1865,1866,1867,1868,1869,1870,1871],"OpenClaw security","OpenClaw security checklist","OpenClaw 0.0.0.0 fix","OpenClaw API key plaintext","OpenClaw Docker security","OpenClaw ClawHub malware","OpenClaw safe setup","OpenClaw VPS security","how to secure OpenClaw","OpenClaw hardening guide","OpenClaw Tailscale setup","WRtz5m6qvxLCBg4e9hlIlPRxDKrff168cVLmYVxMWFI",{"id":1874,"title":1875,"author":1876,"body":1877,"category":410,"date":2482,"description":2483,"extension":413,"featured":414,"image":2484,"meta":2485,"navigation":417,"path":67,"readingTime":2486,"seo":2487,"seoTitle":2488,"stem":2489,"tags":2490,"updatedDate":2482,"__hash__":2506},"blog/blog/openclaw-security-risks.md","OpenClaw Security Risks: CrowdStrike Advisory Breakdown + Fixes",{"name":7,"role":8,"avatar":9},{"type":11,"value":1878,"toc":2446},[1879,1882,1885,1888,1891,1894,1906,1910,1914,1917,1920,1923,1929,1935,1941,1944,1947,1951,1955,1958,1964,1973,1979,1985,1988,1991,1995,1999,2002,2008,2015,2018,2039,2042,2046,2050,2053,2056,2059,2062,2068,2074,2077,2081,2085,2088,2094,2100,2106,2110,2114,2117,2120,2123,2127,2131,2134,2144,2147,2154,2158,2162,2165,2171,2177,2183,2186,2190,2194,2197,2217,2220,2226,2229,2233,2237,2242,2301,2305,2309,2312,2318,2324,2330,2336,2342,2348,2354,2363,2376,2380,2383,2386,2424,2427,2430,2435,2441],[14,1880,1881],{},"OpenClaw is one of the most exciting AI projects of the past year. An autonomous agent that manages your inbox, books your flights, handles your calendar, and automates hundreds of tasks through the chat apps you already use. 145,000+ GitHub stars. 5,700+ community skills. 
A creator who got personally recruited by Sam Altman.",[14,1883,1884],{},"It's also, right now, a security nightmare.",[14,1886,1887],{},"That's not opinion. That's what Cisco, Snyk, Koi Security, Giskard, Kaspersky, CrowdStrike, Trend Micro, and Google's VirusTotal team all independently concluded after auditing the OpenClaw ecosystem over the past 30 days.",[14,1889,1890],{},"This post covers every documented security incident and vulnerability - what happened, who found it, and what it means for you. We're not writing this to scare anyone away from AI agents. We're writing it because the security problems are fixable, and understanding them is the first step.",[14,1892,1893],{},"If you're currently running OpenClaw, this is required reading.",[1261,1895,1896],{},[14,1897,1898,1901,1902,1905],{},[17,1899,1900],{},"New to OpenClaw?"," Read our overview of ",[65,1903,1904],{"href":1676},"how OpenClaw works"," before diving into the security analysis.",[45,1907,1909],{"id":1908},"the-cisco-findings","The Cisco Findings",[194,1911,1913],{"id":1912},"a-skill-called-what-would-elon-do-was-functionally-malware-it-was-ranked-1","A skill called \"What Would Elon Do?\" was functionally malware. It was ranked #1.",[14,1915,1916],{},"In late January 2026, Cisco's AI Defense team ran their Skill Scanner tool against OpenClaw's most popular community skill on ClawHub. The skill had been gamed to the #1 ranking on the repository. It had been downloaded thousands of times.",[14,1918,1919],{},"Cisco's scanner surfaced nine security findings. Two were critical. Five were high severity.",[14,1921,1922],{},"Here's what the skill actually did:",[14,1924,1925,1928],{},[17,1926,1927],{},"Silent data exfiltration."," The skill contained instructions that made the agent execute a curl command sending user data to an external server controlled by the skill's author. 
The network call was silent - it happened without any notification to the user.",[14,1930,1931,1934],{},[17,1932,1933],{},"Direct prompt injection."," The skill also contained instructions that forced the agent to bypass its own safety guidelines and execute commands without asking for permission.",[14,1936,1937,1938],{},"In Cisco's words: ",[32,1939,1940],{},"\"The skill we invoked is functionally malware.\"",[14,1942,1943],{},"This wasn't a theoretical attack demonstrated in a lab. This was a published, highly-ranked skill on ClawHub's public registry that real users installed and ran on their personal machines.",[14,1945,1946],{},"Cisco's broader conclusion: OpenClaw's skill ecosystem has no meaningful vetting process. Any user with a one-week-old GitHub account can publish a skill. No code signing. No security review. No sandbox by default.",[45,1948,1950],{"id":1949},"the-supply-chain-problem","The Supply Chain Problem",[194,1952,1954],{"id":1953},"at-least-341-malicious-skills-were-uploaded-to-clawhub-76-contained-confirmed-malware-payloads","At least 341 malicious skills were uploaded to ClawHub. 76 contained confirmed malware payloads.",[14,1956,1957],{},"Cisco's report was the first alarm. Multiple security firms then audited the broader ClawHub ecosystem, and the findings escalated rapidly.",[14,1959,1960,1963],{},[17,1961,1962],{},"Koi Security"," audited ClawHub and identified 341 malicious skills across multiple campaigns. The largest was the ClawHavoc campaign - 335 infostealer packages that deployed Atomic macOS Stealer, keyloggers, and backdoors. All 335 skills shared a single command-and-control IP address.",[14,1965,1966,1969,1970,140],{},[17,1967,1968],{},"Snyk"," completed what they described as the first comprehensive security audit of the AI agent skills ecosystem, scanning 3,984 skills from ClawHub. They found 76 confirmed malicious payloads designed for credential theft, backdoor installation, and data exfiltration. 
Their headline finding: if you installed a skill in the past month, there's a ",[17,1971,1972],{},"13% chance it contains a critical security flaw",[14,1974,1975,1978],{},[17,1976,1977],{},"Cisco's broader analysis"," of 31,000 agent skills found that 26% contained at least one vulnerability - including command injection, data exfiltration, and prompt injection attacks.",[14,1980,1981,1984],{},[17,1982,1983],{},"Kaspersky"," identified 512 vulnerabilities in a single security audit, eight classified as critical.",[14,1986,1987],{},"The problem isn't a few bad actors. It's structural. OpenClaw skills inherit the full permissions of the agent they extend. When you install a skill, it gets access to everything your agent can access - your email, your files, your API keys, your chat history, your calendar. The barrier to publishing a new skill on ClawHub is a SKILL.md markdown file and a GitHub account. No code signing. No security review. No sandbox.",[14,1989,1990],{},"Snyk's researchers put it plainly: the ecosystem resembles early package managers before security became a first-class concern.",[45,1992,1994],{"id":1993},"cve-2026-25253","CVE-2026-25253",[194,1996,1998],{"id":1997},"a-critical-vulnerability-let-attackers-hijack-openclaw-instances-via-a-single-malicious-link","A critical vulnerability let attackers hijack OpenClaw instances via a single malicious link.",[14,2000,2001],{},"On January 30, 2026, OpenClaw issued three high-impact security advisories, including a patch for CVE-2026-25253.",[14,2003,2004,2007],{},[17,2005,2006],{},"CVSS score: 8.8 (high)."," Classified under CWE-669 (Incorrect Resource Transfer Between Spheres). Discovered by Mav Levin of the depthfirst research team.",[14,2009,2010,2011,2014],{},"How it worked: OpenClaw's Control UI accepted a ",[21,2012,2013],{},"gatewayUrl"," query parameter from the URL without validation. 
The UI automatically initiated a WebSocket connection to whatever address was specified, transmitting the user's authentication token as part of the handshake.",[14,2016,2017],{},"The attack completed in three stages, in milliseconds:",[2019,2020,2021,2027,2033],"ol",{},[361,2022,2023,2026],{},[17,2024,2025],{},"Stage 1"," - An attacker sends the victim a crafted link containing a malicious gateway URL.",[361,2028,2029,2032],{},[17,2030,2031],{},"Stage 2"," - When the victim clicks the link, the Control UI connects to the attacker's server and sends the authentication token.",[361,2034,2035,2038],{},[17,2036,2037],{},"Stage 3"," - The attacker uses the stolen token to take full control of the OpenClaw instance - reading data, executing commands, modifying agent behavior.",[14,2040,2041],{},"One click. Full takeover. This vulnerability existed in every OpenClaw installation before version 2026.1.29.",[45,2043,2045],{"id":2044},"agents-gone-rogue","Agents Gone Rogue",[194,2047,2049],{"id":2048},"a-meta-security-researchers-openclaw-agent-deleted-200-emails-and-ignored-stop-commands","A Meta security researcher's OpenClaw agent deleted 200+ emails and ignored stop commands.",[14,2051,2052],{},"On February 23, 2026, Naomi Yue - an AI security researcher at Meta - publicly documented what happened when her OpenClaw agent went rogue.",[14,2054,2055],{},"The agent started deleting emails from her inbox. When she tried to stop it through the chat interface, it ignored her commands. She had to physically run to her Mac Mini to kill the process.",[14,2057,2058],{},"She posted screenshots of the ignored stop prompts as proof.",[14,2060,2061],{},"This incident went viral because it demonstrated two critical failures simultaneously:",[14,2063,2064,2067],{},[17,2065,2066],{},"No guardrails on destructive actions."," OpenClaw has no built-in mechanism to require user approval before an agent deletes data, sends emails, or takes other irreversible actions. 
The agent acts fully autonomously by default.",[14,2069,2070,2073],{},[17,2071,2072],{},"No reliable kill switch."," When the agent ignored stop commands through the chat interface, Yue had no remote way to halt it. She had to physically access the hardware. If she'd been away from home, the agent would have continued deleting emails until it ran out of things to delete.",[14,2075,2076],{},"TechCrunch covered the incident. PCWorld wrote a follow-up on what guardrails would prevent it. The story crystallized a growing concern: OpenClaw gives agents enormous power with no safety net.",[45,2078,2080],{"id":2079},"open-to-the-internet","Open to the Internet",[194,2082,2084],{"id":2083},"_30000-openclaw-instances-are-exposed-on-the-public-internet","30,000+ OpenClaw instances are exposed on the public internet.",[14,2086,2087],{},"Censys scan data from February 8, 2026 found over 30,000 OpenClaw instances accessible on the internet.",[14,2089,2090,2091,2093],{},"By default, OpenClaw's gateway binds to ",[21,2092,1026],{}," - meaning it exposes the full API to any network interface. Most of these instances require a token to interact, but as the CVE-2026-25253 vulnerability demonstrated, those tokens can be stolen.",[14,2095,2096,2099],{},[17,2097,2098],{},"Giskard's security research"," added more detail: OpenClaw's Control UI often exposed access tokens in query parameters, making them visible in browser history, server logs, and non-HTTPS traffic. Shared global context meant secrets loaded for one user could become visible to others. Group chats ran powerful tools without proper isolation.",[14,2101,2102,2105],{},[17,2103,2104],{},"The Hacker News"," reported that the Moltbook platform - closely associated with OpenClaw - had a misconfigured Supabase database that was left exposed in client-side JavaScript. 
According to Wiz, the exposure included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents.",[45,2107,2109],{"id":2108},"financial-risk","Financial Risk",[194,2111,2113],{"id":2112},"a-published-openclaw-skill-instructs-agents-to-collect-credit-card-details","A published OpenClaw skill instructs agents to collect credit card details.",[14,2115,2116],{},"The Register found that a skill called \"buy-anything\" (version 2.0.0) instructs OpenClaw agents to collect credit card details for purchases.",[14,2118,2119],{},"Here's why that's dangerous beyond the obvious: when the LLM tokenizes credit card numbers, they're sent to model providers like OpenAI or Anthropic as part of the API request. Those card numbers now exist in API logs. Subsequent prompts can extract the details from conversation context.",[14,2121,2122],{},"Your credit card number, sitting in an API provider's logs, extractable through follow-up prompts. That's not a hypothetical - it's what the published skill was designed to do.",[45,2124,2126],{"id":2125},"persistent-threats","Persistent Threats",[194,2128,2130],{"id":2129},"malicious-skills-can-permanently-alter-your-agents-behavior-by-modifying-its-memory-files","Malicious skills can permanently alter your agent's behavior by modifying its memory files.",[14,2132,2133],{},"Snyk's research uncovered one of the most sophisticated attack vectors: targeting OpenClaw's persistent memory.",[14,2135,2136,2137,1352,2140,2143],{},"OpenClaw retains long-term context and behavioral instructions in files like ",[21,2138,2139],{},"SOUL.md",[21,2141,2142],{},"MEMORY.md",". These files define who the agent is and what it remembers.",[14,2145,2146],{},"Malicious skills can modify these files. When they do, the change isn't temporary - it permanently alters the agent's behavior. A payload doesn't need to trigger immediately on installation. 
It can modify the agent's instructions and wait - activating days or weeks later.",[14,2148,2149,2150,2153],{},"Snyk described this as transforming ",[32,2151,2152],{},"\"point-in-time exploits into stateful, delayed-execution attacks.\""," Your agent could be compromised today and not show any signs until weeks later.",[45,2155,2157],{"id":2156},"combined-threats","Combined Threats",[194,2159,2161],{"id":2160},"security-firm-zenity-demonstrated-a-complete-attack-chain-from-inbox-to-ransomware","Security firm Zenity demonstrated a complete attack chain from inbox to ransomware.",[14,2163,2164],{},"Zenity's research showed how multiple vulnerabilities chain together:",[14,2166,2167,2170],{},[17,2168,2169],{},"Step 1"," - A malicious payload arrives through a trusted integration - a Google Workspace document, a Slack message, or an email. Nothing unusual. Your agent processes content from these sources all the time.",[14,2172,2173,2176],{},[17,2174,2175],{},"Step 2"," - The payload contains a prompt injection that directs OpenClaw to create a new integration with an attacker-controlled Telegram bot.",[14,2178,2179,2182],{},[17,2180,2181],{},"Step 3"," - The attacker now has a direct communication channel to your agent. They issue commands through the bot to exfiltrate files, steal content, or deploy ransomware.",[14,2184,2185],{},"From a normal-looking email to full system compromise. Every step uses features that OpenClaw is designed to have - processing external content, creating integrations, executing commands. The attack doesn't exploit a bug. It exploits the architecture.",[45,2187,2189],{"id":2188},"openclaws-response","OpenClaw's Response",[194,2191,2193],{"id":2192},"openclaw-is-responding-its-not-enough-yet","OpenClaw is responding. 
It's not enough yet.",[14,2195,2196],{},"Credit where it's due - OpenClaw isn't ignoring these problems.",[358,2198,2199,2202,2205,2208,2211],{},[361,2200,2201],{},"CVE-2026-25253 was patched in version 2026.1.29 on January 30, 2026.",[361,2203,2204],{},"OpenClaw partnered with VirusTotal to implement automated security scanning for skills published to ClawHub.",[361,2206,2207],{},"A reporting feature was added so users can flag suspicious skills.",[361,2209,2210],{},"The community opened a GitHub issue proposing a native skill scanning pipeline.",[361,2212,2213,2214],{},"OpenClaw's own documentation now explicitly states: ",[32,2215,2216],{},"\"There is no 'perfectly secure' setup.\"",[14,2218,2219],{},"These are real steps. But they're also reactive - patching vulnerabilities after exploitation, scanning skills after hundreds of malicious ones were already downloaded. The fundamental architecture hasn't changed: agents still have broad system access by default, destructive actions still don't require approval, there's still no built-in kill switch, and skill vetting is still automated scanning rather than manual security review.",[14,2221,2222,2223],{},"The OpenClaw docs themselves acknowledge the dilemma: ",[32,2224,2225],{},"\"AI agents interpret natural language and make decisions about actions. They blur the boundary between user intent and machine execution.\"",[14,2227,2228],{},"That blurring is the feature. It's also the risk.",[45,2230,2232],{"id":2231},"protecting-yourself","Protecting Yourself",[194,2234,2236],{"id":2235},"if-youre-staying-on-openclaw-do-these-seven-things-today","If you're staying on OpenClaw, do these seven things today.",[14,2238,2239,2240,140],{},"We're not here to tell you to abandon OpenClaw. If you're a developer who understands the risks and wants to keep using it, here's how to minimize your exposure. 
For the full step-by-step with exact commands, see our ",[65,2241,1862],{"href":365},[2019,2243,2244,2250,2256,2262,2274,2284,2290],{},[361,2245,2246,2249],{},[17,2247,2248],{},"Update immediately."," Make sure you're running version 2026.1.29 or later. The CVE-2026-25253 remote code execution vulnerability affects all earlier versions.",[361,2251,2252,2255],{},[17,2253,2254],{},"Scan every skill before installing."," Use Cisco's open-source Skill Scanner. Run it against any community skill before you install it. Don't install skills based on popularity or rankings - the #1 ranked skill was literal malware.",[361,2257,2258,2261],{},[17,2259,2260],{},"Run in a sandbox."," Use Docker or a virtual machine to isolate your OpenClaw instance from your host system. Don't run it directly on a machine that has access to sensitive data, financial accounts, or credentials.",[361,2263,2264,2267,2268,2270,2271,2273],{},[17,2265,2266],{},"Lock down network exposure."," Don't expose your gateway to the internet. Use Tailscale or a VPN for remote access. Change the default binding from ",[21,2269,27],{}," to ",[21,2272,23],{}," if you only access locally.",[361,2275,2276,2279,2280,2283],{},[17,2277,2278],{},"Use allowlist mode for skills."," Configure ",[21,2281,2282],{},"skills.allowBundled"," in whitelist mode so only explicitly approved skills load. Don't let skills auto-activate just because the corresponding CLI tool is installed.",[361,2285,2286,2289],{},[17,2287,2288],{},"Rotate your credentials."," If you've been running OpenClaw with API keys in plain-text config files, rotate them now. Generate new keys, revoke the old ones.",[361,2291,2292,2295,2296,1352,2298,2300],{},[17,2293,2294],{},"Audit your memory files."," Check your ",[21,2297,2139],{},[21,2299,2142],{}," for anything you didn't write. 
Malicious skills can modify these files to permanently alter your agent's behavior.",[45,2302,2304],{"id":2303},"a-different-approach","A Different Approach",[194,2306,2308],{"id":2307},"what-if-security-wasnt-optional","What if security wasn't optional?",[14,2310,2311],{},"The OpenClaw security problems aren't unique to OpenClaw. They're the inevitable result of an architecture where powerful agents are given broad access to personal data and third-party code runs without vetting.",[14,2313,2314,2315],{},"BetterClaw was built from the ground up with a different philosophy: ",[17,2316,2317],{},"security isn't a feature you configure. It's the default.",[14,2319,2320,2323],{},[17,2321,2322],{},"Every skill is security-audited before publishing."," Not automated scanning alone - human review for malicious code, data exfiltration, prompt injection, and credential access. No skill touches your data until it passes review.",[14,2325,2326,2329],{},[17,2327,2328],{},"Action approval workflows."," You define which actions your agent takes autonomously and which require your approval. Destructive actions - delete, send, purchase - always ask first. The Meta researcher's 200-email deletion couldn't happen on BetterClaw.",[14,2331,2332,2335],{},[17,2333,2334],{},"Instant kill switch."," Pause or stop any agent immediately from your dashboard or phone. No SSH. No running to your Mac Mini. No ignored stop commands.",[14,2337,2338,2341],{},[17,2339,2340],{},"Sandboxed execution."," Every agent runs in its own isolated container. No access to the host system. No cross-contamination between agents. No environment variable leaks.",[14,2343,2344,2347],{},[17,2345,2346],{},"Encrypted credential storage."," AES-256 encryption for all API keys and OAuth tokens. No plain-text config files. No tokens in URL parameters.",[14,2349,2350,2353],{},[17,2351,2352],{},"Full audit trail."," Every action your agent takes is logged - what it did, when, why, and what data it accessed. 
If something goes wrong, you know exactly what happened.",[14,2355,2356,2359,2360,2362],{},[17,2357,2358],{},"No exposed ports."," BetterClaw is cloud-hosted. There's no gateway binding to ",[21,2361,27],{},". There's nothing for Censys to find. Your agent isn't on the internet - it's behind our infrastructure.",[14,2364,2365,2366,2370,2371,2375],{},"These aren't features we added after a security incident. They're the architecture. ",[65,2367,2369],{"href":2368},"/openclaw-hosting","See our managed OpenClaw hosting →"," Or compare ",[65,2372,2374],{"href":2373},"/compare/xcloud","BetterClaw vs xCloud"," for managed hosting with security.",[45,2377,2379],{"id":2378},"the-bottom-line","The Bottom Line",[14,2381,2382],{},"OpenClaw proved that autonomous AI agents are useful. The security community proved that the current implementation is dangerous for non-expert users.",[14,2384,2385],{},"The numbers tell the story:",[358,2387,2388,2394,2400,2406,2412,2418],{},[361,2389,2390,2393],{},[17,2391,2392],{},"341"," confirmed malicious skills on ClawHub",[361,2395,2396,2399],{},[17,2397,2398],{},"76"," confirmed malware payloads",[361,2401,2402,2405],{},[17,2403,2404],{},"A critical CVE"," that allowed one-click takeover",[361,2407,2408,2411],{},[17,2409,2410],{},"26%"," of all analyzed skills containing at least one vulnerability",[361,2413,2414,2417],{},[17,2415,2416],{},"30,000+"," instances exposed on the public internet",[361,2419,2420,2423],{},[17,2421,2422],{},"One very public incident"," of an agent deleting 200+ emails and ignoring commands to stop",[14,2425,2426],{},"None of this means AI agents are bad. It means they need guardrails. The power to manage your email, calendar, and files autonomously is transformative - but only if you can trust that the agent won't go rogue, the skills won't steal your data, and you can stop everything instantly when something goes wrong.",[14,2428,2429],{},"OpenClaw is working on it. 
Whether the community-driven foundation model gets there fast enough is an open question. In the meantime, if you want autonomous AI agents with security that's built in rather than bolted on, that's exactly what we built BetterClaw to be.",[14,2431,2432],{},[65,2433,2434],{"href":269},"See how BetterClaw compares to OpenClaw →",[14,2436,2437],{},[65,2438,2440],{"href":2439},"/openclaw-alternative","The managed OpenClaw alternative →",[14,2442,2443],{},[65,2444,2445],{"href":1763},"See pricing - $29/mo per agent →",{"title":393,"searchDepth":394,"depth":394,"links":2447},[2448,2451,2454,2457,2460,2463,2466,2469,2472,2475,2478,2481],{"id":1908,"depth":394,"text":1909,"children":2449},[2450],{"id":1912,"depth":403,"text":1913},{"id":1949,"depth":394,"text":1950,"children":2452},[2453],{"id":1953,"depth":403,"text":1954},{"id":1993,"depth":394,"text":1994,"children":2455},[2456],{"id":1997,"depth":403,"text":1998},{"id":2044,"depth":394,"text":2045,"children":2458},[2459],{"id":2048,"depth":403,"text":2049},{"id":2079,"depth":394,"text":2080,"children":2461},[2462],{"id":2083,"depth":403,"text":2084},{"id":2108,"depth":394,"text":2109,"children":2464},[2465],{"id":2112,"depth":403,"text":2113},{"id":2125,"depth":394,"text":2126,"children":2467},[2468],{"id":2129,"depth":403,"text":2130},{"id":2156,"depth":394,"text":2157,"children":2470},[2471],{"id":2160,"depth":403,"text":2161},{"id":2188,"depth":394,"text":2189,"children":2473},[2474],{"id":2192,"depth":403,"text":2193},{"id":2231,"depth":394,"text":2232,"children":2476},[2477],{"id":2235,"depth":403,"text":2236},{"id":2303,"depth":394,"text":2304,"children":2479},[2480],{"id":2307,"depth":403,"text":2308},{"id":2378,"depth":394,"text":2379},"2026-02-25","CrowdStrike, Cisco, and Microsoft all flagged OpenClaw. 42,000 exposed instances, 824 malicious skills, 3 CVEs in one week. 
Full incident timeline with fixes you can apply today.","/img/blog/openclaw-security-risks.jpg",{},"12 min read",{"title":1875,"description":2483},"Is OpenClaw Safe? 42K Exposed Instances + Every Known CVE (2026)","blog/openclaw-security-risks",[2491,2492,2493,2494,2495,2496,2497,2498,2499,2500,2501,2502,2503,2504,2505],"openclaw security","openclaw security risks","is openclaw safe","openclaw safe to use","openclaw malicious skills","openclaw vulnerability","openclaw CVE","openclaw CVE-2026-25253","openclaw data exfiltration","openclaw prompt injection","openclaw email deletion","openclaw skill security audit","openclaw CrowdStrike advisory","openclaw security issues 2026","openclaw exposed instances","PKJ2srbF26K_CTkRClZGP52z0qA6mL9JyI5i6swcUA0",1775639407949]