OpenClaw Security Risks: A Warning to Users and Self-Hosters

OpenClaw 🦞 is powerful, but it currently carries serious security risk when self-hosted with default settings. Community reports and security discussions consistently point to exposed services, untrusted community skills, and weak operational guardrails.

This guide explains:

• what is risky
• how attackers typically abuse it
• the minimum hardening steps you should apply today

Key takeaways

• Many instances expose default ports (18789, 8000) publicly
• Community skills can function as a supply-chain attack vector
• Safe deployment requires isolation, strict allowlisting, and continuous monitoring

Why OpenClaw Is High Risk

OpenClaw agents can execute powerful actions on the host. That design is useful for automation, but dangerous when combined with unvetted third-party skills and internet-exposed control surfaces.

The two biggest risk multipliers are:

1. Publicly exposed services
   If gateway/API ports are reachable from the internet, attackers can scan, probe, and in some cases execute workflows or abuse control channels.

2. Untrusted skills
   Skills sourced from public hubs may include obfuscated or malicious behavior (credential theft, command downloaders, exfiltration logic). Even when removed, variants can reappear.

Treat OpenClaw as you would any high-privilege remote execution system: assume compromise is possible unless strict controls are in place.

Common Attack Patterns

Recent community incident reports show recurring patterns:

• Exfiltration of API keys, tokens, host metadata, or config files
• Skills using hidden outbound calls (webhooks, HTTP POST, encoded payloads)
• Port exposure on default binds (0.0.0.0) with weak access controls
• Re-uploaded malicious skill variants with minor changes

In practice, compromise often starts with either a malicious skill install or an exposed management endpoint.

Real Incidents and Attack Chains

• ClawHub Malicious Activity (January-February 2026)
  Dozens to hundreds of skills were reported with malicious payload patterns, including encoded obfuscation, fake dependencies, and unencrypted HTTP exfiltration.

  # Clone skills repo for audit
  git clone https://github.com/openclaw/skills ~/openclaw-skills
  cd ~/openclaw-skills
  
  # Grep for common malicious patterns (exfil, downloads, encoding)
  grep -r -i "curl.*http\|wget.*http\|base64\|powershell\|cmd.exe\|keylog" . --include="*.json" --include="*.yaml"
  
  # Check for non-HTTPS endpoints
  grep -r -i "http://" . | grep -v "https"
  
  # Remove suspicious skills. Be careful of this rm command
  find . -name "*research*" -o -name "*hsk*" | xargs rm -rf
  
  # Reinstall clean: backup first
  cp -r ~/openclaw-skills ~/openclaw-skills.bak

• Moltbook Leak Case (February 2026)
  A widely shared report described config/API key exfiltration behavior via webhook-like outbound channels.

  # Scan local OpenClaw logs for exfil (Discord, external APIs)
  sudo journalctl -u openclaw | grep -i "discord\|webhook\|http.*post" | tail -20
  
  # Check running processes for anomalies
  ps aux | grep openclaw | grep -E "curl|wget|nc"
  kill -9 <PID>  # Kill suspect process
  
  # Inspect config for leaks
  grep -r "api_key\|token\|webhook" ~/.openclaw/config.yaml

• Port Exposure and Remote Execution (Persistent Issue)
  Publicly exposed defaults continue to be one of the most common root causes.

  # On Ubuntu/Debian (Linux)
  sudo netstat -tuln | grep 8000  # Confirm exposure
  sudo ufw deny 8000  # Block port
  sudo systemctl restart openclaw
  
  # macOS (use pfctl or firewall)
  sudo pfctl -f /etc/pf.conf  # Edit to block 8000/tcp
  sudo pfctl -E

Practical Hardening Plan

Use this in order. Do not skip Tier 1.

Tier 1 (Required): Lock Down the Host

• Disable password-based SSH and root SSH login
• Set host firewall to default deny inbound
• Allow SSH only from trusted IPs
• Bind all OpenClaw services to loopback
• Remove or disable unused tools/integrations

# Disable root SSH, enforce keys (Linux)
sudo sed -i 's/#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

# Install fail2ban/UFW
sudo apt update && sudo apt install ufw fail2ban -y
sudo ufw enable; sudo ufw default deny incoming
sudo ufw allow ssh  # From your IP only: sudo ufw allow from <YOUR_IP> to any port 22

Tier 2 (Strongly Recommended): Isolate Runtime

• Run OpenClaw in a dedicated container or VM
• Keep network access minimal (prefer private-only connectivity)
• Mount only required volumes; use read-only mounts where possible
• Never run with host root privileges unless absolutely required

# Pull official image (verify tag)
docker pull openclaw/openclaw:latest

# Run isolated (no ports, minimal volumes)
docker run -d --name secure-claw \
  --network none \  # No network access
  -v /path/to/safe/config:/config:ro \
  -v /tmp/claw-data:/data \
  openclaw/openclaw:latest

# Inspect container
docker logs secure-claw | grep -i "skill\|load"
docker exec secure-claw ps aux  # Check processes

Tier 3 (Advanced): Zero-Trust Operations

• Require VPN/Tailscale/SSH tunnel for remote access
• Keep OpenClaw off the public internet entirely
• Enforce a strict skill allowlist
• Monitor outbound network traffic and process execution
• Rotate credentials regularly and after any suspicious event

# Tailscale VPN (no public ports)
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --authkey=<your-key>

# Whitelist skills
nano ~/.openclaw/allowlist.yaml  # Only vetted: - safe-skill-1
openclaw --config ~/.openclaw/config.yaml --skills allowlist.yaml

# Audit runtime
sudo strace -p $(pgrep openclaw) -e trace=execve  # Trace execs

Ports 18789/8000: What To Do

Do not expose OpenClaw gateway/API ports directly to the internet.

Set components to loopback-only:

openclaw config set gateway.bind "loopback"
openclaw config set vector.bind "loopback"
openclaw config set frontend.bind "loopback"

Then verify:

openclaw config get gateway.bind
openclaw gateway status
sudo netstat -tuln | grep -E "18789|8000|3000"

If remote access is needed, use SSH port forwarding or a private mesh VPN (for example, Tailscale), not direct port exposure.

Incident Response (If You Suspect Compromise)

1. Isolate the host from external networks
2. Disable OpenClaw services and revoke exposed credentials
3. Remove untrusted skills and redeploy from a known-good baseline
4. Review logs for suspicious outbound traffic and process execution
5. Rotate all API keys, tokens, and secrets

If you cannot verify integrity, rebuild the environment from scratch.

Safer Alternatives

If you need stronger auditability and lower operational risk:

• Prefer managed platforms with enterprise controls
• Use local frameworks only with sandboxing and strict policy controls
• Avoid community extensions unless they are audited and pinned

OpenClaw can still be useful, but only when operated with a security-first setup. The default convenience path is not a safe path.

References

• OpenClaw security worse than expected
• Selfhosting security minefield
• Every vulnerability documented
• 18k instances scanned
• Malicious skill issue

tag: #opensource #linux #openclaw #ai #clawhub #skill #security