OpenClaw Security Hardening: What ClawJacked Taught Us About Running AI Agents at Home
Updated March 2026
Key Takeaways:
1. The ClawJacked vulnerability proved that simply running an AI agent on localhost does not make it safe. A malicious website could silently brute-force OpenClaw's gateway password through a WebSocket connection, requiring zero plugins or user interaction. Update to version 2026.2.26 or later immediately if you have not already.
2. The ClawHub skills marketplace has become a major supply chain attack surface. Security audits have identified over 1,000 malicious skills disguised as legitimate tools, many delivering credential-stealing malware. Treat every third-party skill as untrusted code and audit it before installation.
3. SlowMist's open-source OpenClaw Security Practice Guide on GitHub provides the most thorough hardening framework available today. It introduces a three-layer defense model built around zero-trust principles that every home user running OpenClaw should review and implement.
What Is OpenClaw and Why Should You Care About Its Security?
OpenClaw is a free, open-source AI agent that runs locally on your hardware and takes autonomous actions on your behalf. Originally published in November 2025 by Austrian developer Peter Steinberger under the name Clawdbot (later renamed Moltbot, then OpenClaw following trademark disputes), it has become one of the fastest-growing repositories in GitHub history, surpassing 180,000 stars within weeks of going viral in early 2026.
Unlike a standard chatbot that simply answers questions, OpenClaw can execute shell commands, read and write files, browse the web, send emails, manage your calendar, and interact with messaging platforms like WhatsApp, Slack, Telegram, and iMessage. It stores persistent memory across sessions, meaning it learns your preferences and retains context over time. People are buying dedicated hardware like Mac Minis just to run it around the clock.
The appeal is obvious. The security implications, however, have been severe. Within weeks of going mainstream, OpenClaw became the center of the first major AI agent security crisis of 2026, involving critical vulnerabilities in its core system, a massive supply chain poisoning campaign in its skills marketplace, and thousands of misconfigured instances exposed to the public internet.
This article breaks down what happened, what you need to know, and how to harden your OpenClaw installation using the best available guidance, including the SlowMist Security Practice Guide that most home users have never seen.
ClawJacked: The Vulnerability That Changed the Conversation
In late February 2026, researchers at Oasis Security disclosed a vulnerability chain they named ClawJacked. It allowed any website to silently take full control of a locally running OpenClaw agent with no plugins, no extensions, and no user interaction beyond visiting a webpage.
Here is how it worked. OpenClaw runs a local WebSocket server (the gateway) that acts as its control plane. Browsers do not block WebSocket connections to localhost the way they restrict standard HTTP cross-origin requests. This meant that malicious JavaScript on any website could quietly open a connection to the OpenClaw gateway running on a developer's machine.
Making matters worse, OpenClaw exempted localhost connections from rate limiting. The gateway also auto-approved new device registrations from local connections without requiring user confirmation. An attacker could therefore brute-force the gateway password at hundreds of attempts per second, register as a trusted device, and gain full administrative access to the agent, all while the user saw nothing unusual on their screen.
Once inside, an attacker could instruct the agent to search Slack history for API keys, read private messages, exfiltrate files, or execute arbitrary shell commands on any paired device. For someone with typical OpenClaw integrations, this amounted to full workstation compromise initiated from a browser tab.
The OpenClaw team classified ClawJacked as high severity and shipped a fix within 24 hours, which was an impressive turnaround for a volunteer-driven open-source project. The patch was included in version 2026.2.25 and later. If you are running anything older, stop reading and update now.
But ClawJacked was not an isolated incident. It was the most dramatic example of a broader architectural problem: OpenClaw was designed for maximum capability with minimal friction, and security was treated as an option rather than a default. The project's own documentation acknowledges this directly, stating that there is no perfectly secure setup.
The ClawHub Supply Chain Crisis
While ClawJacked targeted the core gateway, a parallel threat was unfolding in ClawHub, OpenClaw's public marketplace for third-party skills. Skills are folders containing instructions, scripts, and resources that extend what the agent can do. They are powerful, and they are also third-party code running in an environment with real system access.
In early February 2026, security researchers from Koi Security conducted an audit of all skills available on ClawHub at the time and found 341 malicious entries. Of those, 335 were traced to a single coordinated campaign tracked as ClawHavoc, which primarily delivered a macOS information stealer called Atomic Stealer (AMOS). By mid-February, the number of confirmed malicious skills had grown to over 800 across an expanded registry of more than 10,000 skills. A separate audit by Snyk found that 36 percent of all ClawHub skills contained detectable prompt injection, and confirmed nearly 1,500 malicious payloads total.
The attack method was straightforward. Malicious skills were disguised as popular tools for cryptocurrency trading, social media analytics, and productivity. Their documentation looked professional, but buried in a prerequisites section were instructions to download and execute external code. In some cases, the skill's SKILL.md file directly instructed the AI agent to run a curl command that sent data to an attacker-controlled server, all without user awareness.
Cisco's AI security research team tested a particularly notorious skill called "What Would Elon Do?" and found nine security issues, including two critical and five high-severity findings. The skill was, in Cisco's words, functionally malware.
ClawHub has since introduced VirusTotal scanning for all published skills, a reporting system for flagging suspicious entries, and a requirement that publishers maintain a GitHub account for at least one week. These are positive steps, but they are still catching up with the scale of the problem.
Beyond ClawJacked: The Broader Risk Surface
ClawJacked and ClawHavoc are the incidents that made headlines, but the underlying risk profile of running OpenClaw at home goes deeper. Here are the core areas of concern that every home user should understand.
Exposed Instances
OpenClaw's gateway binds to 0.0.0.0:18789 by default, which means it listens on all network interfaces. Multiple scanning teams have identified over 30,000 OpenClaw instances directly accessible from the public internet, many running without authentication. Security researcher Jamieson O'Reilly demonstrated that some exposed instances gave up months of private conversation history the moment a WebSocket connection was established.
Prompt Injection
Because OpenClaw processes content from emails, web pages, Slack messages, and other sources, it is susceptible to indirect prompt injection. An attacker can embed malicious instructions in an email or webpage that the agent processes as part of a normal task. If the agent fails to distinguish between trusted user instructions and untrusted retrieved data, it can execute commands on behalf of the attacker. This is not theoretical. Eye Security disclosed a log poisoning vulnerability where attackers could embed prompt injections through WebSocket requests to publicly accessible instances, which was patched in version 2026.2.13.
Persistent Memory as an Attack Amplifier
OpenClaw's persistent memory, one of its most appealing features, also amplifies attack potential. As Palo Alto Networks researchers noted, persistent memory turns attacks from point-in-time exploits into stateful, delayed-execution attacks. A successfully injected instruction can persist across sessions and activate later under specific conditions.
How to Harden OpenClaw: The SlowMist Security Practice Guide
If you are running OpenClaw at home and want to do it responsibly, the single most useful resource available right now is the OpenClaw Security Practice Guide published by the SlowMist security team on GitHub. Originally written in Chinese with an English translation, it is a comprehensive hardening framework built specifically for high-privilege autonomous AI agents. It has not received widespread attention in the English-speaking consumer space, which is unfortunate because it directly addresses the security gaps that ClawJacked and ClawHavoc exposed.
What makes SlowMist's guide unusual is that it is designed to be agent-facing. You can send the guide directly to your OpenClaw agent in chat, let it evaluate the recommendations, and have it deploy the defense measures with minimal manual setup. The guide is built around four core principles: zero-friction daily operations, mandatory confirmation for high-risk actions, explicit nightly auditing, and zero-trust architecture by default.
The framework organizes security into three layers.
Pre-Action Defenses
Before the agent does anything risky, SlowMist's guide establishes a behavior blacklist with clearly defined red and yellow lines. Red-line actions, such as executing unvetted installation commands from external sources, are blocked outright. The guide also includes a skill installation security audit protocol that requires the agent to list files, clone the skill offline, read its contents, perform a full-text scan of all files including Markdown and JSON, check for red flags, and then report to a human for approval before proceeding. This directly addresses the ClawHub supply chain problem by turning skill installation from a casual chat-driven action into a formal audit step.
In-Action Controls
While the agent operates, the guide enforces permission narrowing, hash baselines for core configuration files, audit logging, and cross-skill pre-flight checks. The hash baseline system monitors critical files like openclaw.json for unauthorized changes, though SlowMist acknowledges this is audited nightly rather than in real time, creating a maximum discovery latency of about 24 hours. For more advanced setups, they suggest adding inotify or auditd for real-time monitoring.
Post-Action Auditing
After each day, the guide calls for an automated nightly audit that checks 13 core metrics including platform security status, process and network activity, sensitive directory changes, SSH login attempts, cron job integrity, configuration file hash verification, disk usage, environment variable exposure, and credential scanning. Results are pushed as a daily security briefing to your messaging platform and saved locally. The guide also includes a brain backup strategy that pushes the OpenClaw state directory to a private Git repository for disaster recovery.
SlowMist is transparent about the guide's limitations. It cannot defend against unknown vulnerabilities in the OpenClaw engine itself, the underlying operating system, or third-party dependencies. It also notes that the LLM cognitive layer is susceptible to being bypassed by carefully crafted documents, and that human confirmation remains the ultimate defense against sophisticated supply chain poisoning.
The guide also includes a Security Validation and Red Teaming Guide with specific test cases you can run to verify that your defenses are working, ranging from basic prompt injection resistance to long-context poisoning attempts and privilege escalation scenarios.
Practical Steps for Home Users
If you are running OpenClaw on personal hardware, here is what you should do at minimum, drawing from SlowMist's guide, OpenClaw's own security documentation, and the lessons of ClawJacked.
First, update to version 2026.2.26 or later. This addresses ClawJacked and several other high-severity vulnerabilities including CVE-2026-25253 and multiple command injection flaws.
Second, run the built-in security audit by executing openclaw security audit --deep in your terminal. This flags common misconfigurations including gateway authentication exposure, browser control exposure, elevated allowlists, and filesystem permission issues. Run it regularly, especially after changing your configuration or exposing any network surfaces.
Third, restrict who can talk to your agent. Use DM pairing, allowlists, or explicit open mode deliberately. Most security failures with OpenClaw are not sophisticated exploits. They are cases where someone messaged the bot and the bot did what they asked.
Fourth, run OpenClaw in an isolated environment. Security researchers across multiple organizations, including Microsoft, have recommended deploying OpenClaw only in a fully isolated environment such as a dedicated virtual machine or separate physical system with non-privileged credentials. Do not run it on your primary workstation where it has access to your SSH keys, browser sessions, and credential stores.
Fifth, treat every ClawHub skill as untrusted code. Audit skills before installing them. Review the SKILL.md file manually, check for external download instructions, and look for obfuscated commands. Better yet, adopt SlowMist's formal skill audit protocol and have your agent perform the review with human approval required before installation.
Sixth, implement nightly auditing. Whether you use SlowMist's nightly audit script or build your own, automated monitoring is essential. Check for unexpected outbound connections, file changes in sensitive directories, and modifications to your OpenClaw configuration files.
Seventh, start with the smallest access that still works. OpenClaw supports per-agent access profiles that can restrict agents to read-only tools, read-only workspaces, or no filesystem and shell access at all. Begin restrictive and widen permissions only as you gain confidence.
The Bigger Picture
OpenClaw is not going away. On February 14, 2026, Peter Steinberger announced he would be joining OpenAI and that the project would be moved to an open-source foundation. The community is large, the use cases are real, and the technology is genuinely capable.
But the security track record of the first few months should give every home user pause. The combination of full system access, persistent memory, broad third-party integrations, and an open skills marketplace creates an attack surface that traditional consumer security tools are not equipped to handle. Endpoint security sees processes running but does not understand agent behavior. Network tools see API calls but cannot distinguish legitimate automation from compromise.
The responsible approach is not to avoid OpenClaw entirely, but to run it with the same seriousness you would apply to any system that has root access to your machine, because that is exactly what it is. The resources exist to do this well. The SlowMist guide, OpenClaw's own security documentation, and the built-in audit tools provide a solid foundation. The gap has been in translating these resources into practical, consumer-friendly guidance, which is what we aim to address here at modemguides.com.
If you are going to give an AI agent the keys to your digital life, take the time to change the locks first.
Frequently Asked Questions
What is OpenClaw and how is it different from ChatGPT or other AI assistants?
OpenClaw is a self-hosted AI agent that runs locally on your own hardware rather than in the cloud. Unlike standard chatbots that only answer questions, OpenClaw can take autonomous actions on your behalf including executing shell commands, managing files, sending emails, browsing the web, and controlling connected devices. It connects to large language models like Claude or GPT for its reasoning capabilities, but the critical difference is its ability to act on your system with whatever permissions you grant it. This makes it far more powerful and far more dangerous if misconfigured or compromised.
Has the ClawJacked vulnerability been fixed, and am I still at risk?
Yes, the specific ClawJacked vulnerability was patched in OpenClaw version 2026.2.25, released within 24 hours of disclosure. The fix tightens WebSocket security checks and re-enables rate limiting for localhost connections. However, if you are running an older version, you remain fully exposed. Update immediately. It is also important to understand that ClawJacked was one vulnerability among many. Multiple additional CVEs have been disclosed in early 2026, covering remote code execution, command injection, server-side request forgery, authentication bypass, and path traversal. Keeping OpenClaw updated is not a one-time task but an ongoing requirement.
What is the SlowMist OpenClaw Security Practice Guide and do I need technical skills to use it?
The SlowMist OpenClaw Security Practice Guide is a free, open-source hardening framework published on GitHub by the SlowMist security team, a well-known blockchain security firm. It provides a structured approach to securing OpenClaw installations using a three-layer defense model covering pre-action, in-action, and post-action security measures. The guide assumes basic familiarity with Linux system administration concepts like file permissions, cron jobs, and command-line operations. One of its most practical features is that it is designed to be agent-facing, meaning you can send the guide directly to your OpenClaw agent and have it help deploy the recommended defenses. That said, you should understand what the agent is doing on your behalf rather than blindly trusting it to secure itself.
Are ClawHub skills safe to install now that VirusTotal scanning has been added?
Safer than before, but not safe by default. OpenClaw now scans all published skills using VirusTotal's threat intelligence, including its Code Insight capability for analyzing intent. Skills flagged as malicious are blocked, and suspicious ones receive a warning label. All active skills are re-scanned daily. However, this is a reactive measure that cannot catch every threat, particularly novel or well-obfuscated attacks. The fundamental architecture of ClawHub still allows anyone with a week-old GitHub account to publish skills. You should treat every skill as untrusted code, review SKILL.md files manually before installing, and avoid running any skill that asks you to download or execute external binaries as a prerequisite.
Should I run OpenClaw on my main computer?
No. Multiple security organizations, including Microsoft, have explicitly recommended against running OpenClaw on a standard personal or enterprise workstation. The recommended approach is to run it in a dedicated virtual machine or on a separate physical device with its own user account and non-privileged credentials. This limits the blast radius if the agent is compromised. If an attacker gains control of your OpenClaw instance and it is running on your primary machine, they potentially have access to everything you do, including SSH keys, browser sessions, saved passwords, documents, and any connected services. Isolating OpenClaw onto its own device or VM is one of the simplest and most effective hardening steps you can take.
How do I know if my OpenClaw instance is exposed to the internet?
Run openclaw security audit --deep from your terminal. This built-in tool checks for common misconfigurations, including whether your gateway is accessible from external networks. You can also manually check which interfaces the gateway is listening on by running ss -tlnp | grep 18789 on Linux. If you see 0.0.0.0:18789, your instance is listening on all network interfaces and is potentially accessible from the internet if your router or firewall is not blocking the port. The gateway should ideally be bound to 127.0.0.1 (localhost only) unless you have a specific reason and proper authentication in place for remote access.
What is a prompt injection attack and why is OpenClaw particularly vulnerable to it?
A prompt injection attack occurs when malicious instructions are hidden inside content that the AI agent processes, such as an email, a web page, or a document. The agent cannot always distinguish between legitimate user instructions and hostile instructions embedded in data it is reading. Because OpenClaw actively processes content from emails, Slack messages, web pages, and other external sources as part of its normal operation, it has a large surface area for indirect prompt injection. Combined with its ability to execute commands, access files, and send messages, a successful prompt injection can give an attacker the ability to take actions through the agent as if they were the authorized user.
