OpenClaw Security: What CTOs Need to Know

OpenClaw launched in November 2025 and hit 250,000 GitHub stars within 60 days. It’s one of the most popular open-source AI tools ever created — a personal AI agent that can browse the web, write code, manage files, and interact with dozens of services on your behalf. The appeal is obvious. For a small business looking at what AI agents can actually do, OpenClaw looks like the answer to everything.

But there’s a problem. In the four months since launch, OpenClaw has accumulated 104 security advisories and 28 CVEs on its GitHub security tracker — 5 critical, 53 high severity. Its plugin marketplace was found to be 20% malicious. Over 220,000 instances are exposed directly to the internet. And Microsoft’s security team has publicly stated that it should not be run on any standard business computer.

I’m writing this because if you’re a business owner or CTO evaluating AI tools, you need the full picture. Not to scare you away from AI — AI genuinely helps businesses — but to help you understand what “move fast and break things” looks like when the thing being broken is your security.

One Click Is All It Takes

On January 26, 2026, security researcher Mav Levin at DepthFirst publicly disclosed CVE-2026-25253 — a vulnerability that lets an attacker take complete control of your computer with a single click.

Here’s how it works in plain English. Someone sends you a link — in an email, a Slack message, a text. You click it. In the background, that link tells your OpenClaw instance to connect to the attacker’s server instead of yours. Your authentication token — the digital key that proves you’re you — transmits to the attacker automatically. They now have full access to your OpenClaw agent, which has access to your files, your browser, your command line. They disable the safety prompts. They execute whatever commands they want. The whole process takes milliseconds.

That’s not a theoretical attack. 66 public exploit repositories appeared on GitHub within weeks. Belgium’s national cybersecurity center (CNCERT) issued a formal advisory. Microsoft added detection signatures to Windows Defender on February 12.

This is not a drill. A single click on a malicious link gives an attacker full control of any unpatched OpenClaw instance — and 66 ready-made exploit tools are publicly available on GitHub.

And this wasn’t the only remote takeover. On February 26, Oasis Security disclosed CVE-2026-32025 (“ClawJacked”) — a vulnerability where simply visiting a malicious website while OpenClaw is running lets an attacker brute-force your password at hundreds of attempts per second, register as a trusted device, and take full control. No clicking required. Oasis Security stated bluntly: “A human-chosen password doesn’t stand a chance.”

The Marketplace You Can’t Trust

OpenClaw gets its capabilities from “skills” — plugins that extend what it can do. The official marketplace, ClawHub, launched alongside the product. Within months, it became a security catastrophe.

On February 1, 2026, Koi Security researcher Oren Yomtov published the first audit. Among 2,857 skills on ClawHub, he found 341 that were malicious — 335 from a single coordinated campaign. By February 16, as ClawHub grew to 10,700+ skills, the malicious count rose to 824. Antiy CERT ultimately identified 1,184 malicious skills traced to 12 publisher accounts, with one account alone responsible for 677 packages.

The campaign, dubbed “ClawHavoc,” used three attack methods. First: fake installation instructions that tricked users into downloading keyloggers. Second: functional-looking tools with hidden reverse shells — backdoors that gave attackers remote access. Third: direct theft of credentials from OpenClaw’s configuration files, including API keys and passwords.

When Snyk conducted its own audit of 3,984 skills, the results were worse: 36.82% had security flaws. 534 were critical. 76 contained confirmed malicious code. Cisco Talos tested the #1-ranked skill on the entire marketplace (“What Would Elon Do?”) and found it silently exfiltrating user data.

As of March 2026, roughly 900 malicious skills exist among approximately 4,500 total. That’s one in five. Imagine walking into an app store where every fifth download is designed to steal from you.

220,000 Open Front Doors

When you install OpenClaw using Docker — the most common method — it binds to all network interfaces by default. That means it’s accessible to the entire internet unless you specifically configure it otherwise. Early versions also shipped with authentication disabled.

The result: the number of exposed OpenClaw instances has grown from roughly 1,000 in late January to over 220,000 by March 2026, according to SecurityScorecard’s STRIKE team. Researcher Maor Dayan scanned 42,665 exposed instances and found that 93.4% had authentication bypassed entirely. SecurityScorecard correlated 549 exposed instances with active breach indicators and 1,493 with known, unpatched vulnerabilities.

If you’ve read my piece on what cybersecurity actually means for a business your size, you know that the basics matter: strong passwords, access controls, keeping software updated. OpenClaw’s default configuration violates all three. It ships open, unauthenticated, and listening to the world.

What the Security Community Is Saying

This isn’t a fringe concern. The biggest names in security have weighed in.

Microsoft published official guidance on February 19, 2026, stating that OpenClaw “should be treated as untrusted code execution with persistent credentials” and “is not appropriate to run on a standard personal or enterprise workstation.” They released Defender detection signatures and published hunting queries for their enterprise security platform.

Kaspersky called OpenClaw “the biggest insider threat of 2026” and reported that major info-stealing malware families — RedLine, Lumma, and Vidar — have added OpenClaw file paths to their target lists. If your machine gets infected with any of these common threats, they now automatically look for and steal your OpenClaw credentials.

Palo Alto Networks described OpenClaw as exhibiting what security researcher Simon Willison calls the “lethal trifecta”: it accesses your private data, processes untrusted external content, and can communicate with the outside world. That combination means a compromised agent can steal your data and send it anywhere.

China’s CNCERT issued two security warnings in two days, and the Ministry of Industry (MIIT) and central banking authority followed with restrictions on government use. In the same week, VentureBeat published: “OpenClaw can bypass your EDR, DLP and IAM without triggering a single alert.”

Your Employees Might Already Be Running It

Here’s the part that should concern every business leader: according to Token Security, 22% of enterprise customers had employees running OpenClaw without IT approval. No security review. No configuration hardening. No awareness of the vulnerabilities described above.

OpenClaw is free, exciting, and easy to install. It promises to make people dramatically more productive. Of course employees are installing it. They’re doing it on company laptops, connecting it to company accounts, and giving it access to company data. They’re not being malicious — they’re being enthusiastic. But enthusiasm without oversight is how breaches happen.

This is the shadow IT problem on steroids. When employees ran unauthorized Dropbox accounts, the worst case was a data leak. When employees run unauthorized AI agents with full system access and a 20% malicious plugin rate, the worst case is complete workstation compromise, credential theft, and lateral movement into your business systems.

What Safe Deployment Actually Looks Like

I don’t want to leave you with the impression that OpenClaw is unusable. It’s a powerful tool, and the development team has been responsive to security disclosures — patches typically land within 24–48 hours. They’ve hired dedicated security leadership, integrated automated skill scanning, and added built-in security audit tools.

But “patches are available” and “patches are applied” are two very different things. As I wrote in The Real Cost of Doing It Yourself, nearly 30% of vulnerabilities in 2025 were exploited within 24 hours of disclosure, and 60% of breaches involve known, unpatched vulnerabilities. The fix exists. The problem is that nobody applied it.

If you’re evaluating OpenClaw — or any AI agent platform — for your business, here are the questions you should be asking whoever is managing it:

• Is it running on a dedicated, isolated machine? Microsoft says it should never run on a standard workstation. If it’s on someone’s laptop next to their email and browser, that’s a problem.
• Is it accessible from the internet? If the answer is “I’m not sure,” assume yes. The default configuration exposes it.
• Who controls which plugins are installed? With 20% of the marketplace confirmed malicious, “whoever wants to” is not an acceptable answer.
• How quickly are security patches applied? OpenClaw averages roughly one high-severity advisory per day. If updates aren’t happening at least weekly, you’re accumulating risk fast.
• Is there an audit trail? Can you see what the agent did, what data it accessed, and what it sent externally?
• Are credentials properly isolated? API keys, passwords, and tokens should never be directly accessible to the agent process.

If the person managing your OpenClaw deployment can’t answer these questions confidently, you have a problem that needs immediate attention.

The Bottom Line

OpenClaw represents something genuinely new: an AI agent that can act autonomously on your behalf across your entire digital life. That capability is real, and the productivity gains are real. But the security risks are also real — 104 advisories in four months, a poisoned marketplace, hundreds of thousands of exposed instances, and national governments issuing warnings.

This is exactly the kind of problem a fractional CTO exists to solve. Not because the technology is bad, but because deploying it safely requires the kind of security expertise, infrastructure design, and ongoing vigilance that most small businesses don’t have in-house. It’s not a one-time setup — it’s continuous management of a rapidly evolving threat surface.