OpenClaw Security Issues: Why Managed AI Wins

Quick Answer: OpenClaw Security in 2026

OpenClaw security has been a recurring headline since the project exploded in popularity in early 2026. Security researchers have uncovered over 800 malicious skills in ClawHub (OpenClaw's plugin marketplace), a critical remote code execution vulnerability that allowed attackers to compromise instances through a single link, and more than 30,000 internet-exposed instances running without authentication. Users have also reported runaway API costs exceeding $20 per night from uncontrolled background processes, and at least one well-documented case of an agent autonomously completing a purchase. These are not theoretical risks -- they are documented incidents affecting real users. If you are evaluating OpenClaw for business use, this post breaks down every major security issue, explains what it means for your data and your clients, and covers how managed AI assistants like Clarilo handle the same challenges differently.


Why OpenClaw's Security Track Record Matters

OpenClaw earned 140,000 GitHub stars in weeks. It proved that people want AI assistants that take real actions -- sending messages, managing files, executing commands -- not just chatbots that offer suggestions. That vision is correct and important.

But the speed of adoption outpaced the security infrastructure. OpenClaw's architecture prioritizes openness, extensibility, and local control. Those are genuine strengths. They are also the source of nearly every security incident covered in this post.

This is not about bashing an open-source project. OpenClaw's contributors are actively working on fixes, and the project has improved since its earliest days. But if you are a business owner evaluating whether to run OpenClaw for real work -- managing client communications, handling financial data, automating workflows that touch sensitive information -- you need a clear-eyed view of the risks.

If you are already considering alternatives, we have a detailed comparison of OpenClaw vs managed options and a broader roundup of top OpenClaw alternatives worth reviewing.

Issue 1: 800+ Malicious Skills in ClawHub

What happened

In February 2026, security researchers auditing ClawHub -- OpenClaw's official skills marketplace -- discovered that over 800 published skills contained malicious code. That represented roughly 20% of the entire registry at the time.

The malicious skills were not subtle. Many delivered the Atomic macOS Stealer, a well-known piece of malware designed to extract passwords, cryptocurrency wallet data, browser cookies, and autofill information. Others contained backdoors that gave attackers persistent access to the host machine, or exfiltration routines that silently uploaded files to external servers.

The attack vector was straightforward: a user searches ClawHub for a skill to automate a task, installs it because it has a reasonable description and a few stars, and the malicious payload executes with the same permissions as OpenClaw itself -- which typically means full access to the local file system, network, and any connected services.

Why it matters for business users

If you are running a business, your machine contains client contracts, financial records, login credentials, email archives, and proprietary documents. A single malicious skill can exfiltrate all of it. The damage is not limited to your own data -- it extends to every client, partner, and vendor whose information you store.

The core problem is architectural. ClawHub operates like an open package registry with minimal vetting. Anyone can publish a skill. There is no mandatory code review, no sandboxing of skill execution, and no runtime permission model that limits what a skill can access. Skills run with the same privileges as the OpenClaw agent itself, which typically has broad system access.

This mirrors a pattern seen in other open ecosystems -- npm, PyPI, and Docker Hub have all faced similar supply chain attacks. But those ecosystems have had years to build scanning tools, verified publisher programs, and community trust signals. ClawHub is months old.

How managed alternatives handle this

Managed AI assistants like Clarilo do not use an open plugin marketplace. Integrations are built and maintained by a dedicated platform team using OAuth -- the same secure authorization standard used by Google, Microsoft, and every major SaaS provider. Each integration connects only to the specific API endpoints it needs, with scoped permissions that you authorize explicitly.

There is no equivalent of "installing an unvetted skill from a stranger." The attack surface of a community marketplace simply does not exist.

Issue 2: Remote Code Execution Vulnerability

What happened

A critical remote code execution (RCE) vulnerability -- tracked as CVE-2026-25253 with a CVSS score of 8.8 out of 10 -- was disclosed affecting OpenClaw instances. The vulnerability allowed an attacker to execute arbitrary code on the host machine by sending a specially crafted link to the user.

The attack chain worked like this: the attacker creates a malicious URL. The OpenClaw user clicks it -- in a chat message, an email, a forum post, anywhere. The link triggers the vulnerability in OpenClaw's web interface, and the attacker gains the ability to run commands on the machine hosting OpenClaw with the same privileges as the OpenClaw process.

Because OpenClaw typically runs in Docker but often with broad volume mounts (to access local files and tools), compromising the OpenClaw process frequently means compromising significant portions of the host system as well.

Why it matters for business users

RCE vulnerabilities are among the most severe classes of security flaws. They give attackers the ability to do anything the compromised software can do -- read files, send network requests, install additional malware, pivot to other systems on the network.

For a business user, this means an attacker could:

  • Read every file OpenClaw has access to (which often includes the user's home directory)
  • Access any service OpenClaw is connected to (email, chat, file storage)
  • Use the compromised machine as a foothold to attack other systems on the same network
  • Install persistent backdoors that survive OpenClaw updates

The CVSS 8.8 score reflects both the severity of the impact and the ease of exploitation. A single click is all it takes; no special technical skill is required of the attacker beyond crafting the initial link.

How managed alternatives handle this

In a managed architecture, there is no user-hosted attack surface. The AI assistant runs on the provider's infrastructure, not on your machine. You interact through a web dashboard or API -- there is no locally running process to exploit.

This does not mean managed services are immune to all vulnerabilities. But the attack surface is fundamentally different. A vulnerability in a managed service affects the provider's infrastructure, where a dedicated security team monitors, patches, and responds 24/7. A vulnerability in self-hosted software affects your machine, where you are the security team.

Issue 3: 30,000+ Exposed Instances

What happened

Security researchers using Shodan -- a search engine that indexes internet-connected devices -- discovered more than 30,000 OpenClaw instances exposed to the public internet without any authentication.

That means anyone in the world could connect to these instances and issue commands. No password. No API key. No authentication of any kind. Just an open port on a public IP address.

Many of these instances had been configured to connect to the user's personal chat accounts, email services, and local file systems. An attacker connecting to an exposed instance could read private messages, send messages as the user, access files, and execute arbitrary commands -- all without ever needing to exploit a vulnerability. The front door was simply unlocked.

Why it matters for business users

This issue highlights the gap between "possible to secure" and "secure by default." OpenClaw's documentation does cover authentication options. But the default installation does not enforce authentication, and 30,000 users either did not know they needed to configure it, did not know how, or simply forgot.

For business users, the lesson is clear: self-hosted software is only as secure as your ability to configure and maintain it. Every unset option, every skipped hardening step, every deferred update is a potential exposure. Unlike a SaaS platform, where the provider handles these details, self-hosted software places that responsibility entirely on you.

If you are a solo founder or a small team without a dedicated DevOps or security person, maintaining a secure self-hosted deployment is an ongoing time commitment that directly competes with running your business.

How managed alternatives handle this

Managed services handle authentication, network security, and access control as part of the platform. You log in with your credentials -- typically with options for multi-factor authentication -- and the infrastructure behind that login is maintained by engineers whose full-time job is keeping it secure.

There is no port to expose, no authentication to configure, no Shodan scan that can discover your instance. The security posture is a property of the platform, not a task on your to-do list.

Issue 4: Runaway API Costs

What happened

Multiple OpenClaw users have reported unexpectedly high API bills from their LLM providers (primarily OpenAI and Anthropic). The most commonly cited pattern involves costs accumulating overnight or during periods when the user was not actively using the assistant.

Reports include:

  • Idle heartbeat processes making periodic API calls that accumulate over time. One user reported $20+ in charges from a single night in which a cron-triggered process kept firing LLM calls.
  • Retry loops where failed operations are automatically retried, each attempt consuming tokens without producing useful results.
  • Verbose context loading where the agent includes excessive context in every API call, inflating token counts for even simple tasks.
  • Multi-step reasoning chains with no cost ceiling -- a complex task can generate dozens of API calls before producing a result, with no built-in mechanism to pause and ask whether the user wants to continue.

OpenClaw itself is free and open-source. But it requires an API key from an LLM provider, and those providers charge per token. Without built-in cost controls, usage-based billing can produce surprising results.
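The controls this list implies (a spend ceiling, bounded retries, and a per-task call cap that forces the agent to stop and ask) can be expressed in a few dozen lines. The guard below is an added example, not OpenClaw's or any provider's code; it assumes a caller-supplied request function that returns the tokens it used and a flat, constructed per-token price.

```python
"""Spend guard for agent-side LLM calls (added example, not OpenClaw's code).
It wraps the function that performs the real provider request, assumed to
return the tokens it consumed, and enforces a per-window spend ceiling, a
bounded retry count and a per-task call cap that forces a user check-in."""
import time


class BudgetExceeded(RuntimeError):
    """The spend ceiling for the current window has been reached."""


class NeedsConfirmation(RuntimeError):
    """One task used its call allowance; ask the user before continuing."""


class TransientError(RuntimeError):
    """A retryable provider failure that still burned tokens."""

    def __init__(self, tokens_used=0):
        super().__init__("transient provider error")
        self.tokens_used = tokens_used


class BudgetGuard:
    def __init__(self, ceiling_usd, usd_per_1k_tokens, window_seconds=86400,
                 max_retries=2, max_calls_per_task=10, clock=time.monotonic):
        self.ceiling_usd = ceiling_usd
        self.usd_per_1k_tokens = usd_per_1k_tokens  # flat price, constructed
        self.window_seconds = window_seconds
        self.max_retries = max_retries
        self.max_calls_per_task = max_calls_per_task
        self.clock = clock                          # injectable for tests
        self.window_start = clock()
        self.spent_usd = 0.0
        self.calls_this_task = 0

    def start_task(self):
        """Reset the per-task call allowance when the user starts a task."""
        self.calls_this_task = 0

    def _check_budget(self):
        if self.clock() - self.window_start >= self.window_seconds:
            self.window_start = self.clock()        # new window, fresh budget
            self.spent_usd = 0.0
        if self.spent_usd >= self.ceiling_usd:
            raise BudgetExceeded(f"spent ${self.spent_usd:.2f} of "
                                 f"${self.ceiling_usd:.2f} ceiling")

    def _charge(self, tokens):
        self.spent_usd += tokens / 1000 * self.usd_per_1k_tokens

    def call(self, do_request, *args):
        """Run do_request(*args) -> (result, tokens_used) under every limit."""
        self._check_budget()
        if self.calls_this_task >= self.max_calls_per_task:
            raise NeedsConfirmation(f"{self.calls_this_task} calls in this "
                                    "task; ask the user before continuing")
        self.calls_this_task += 1
        for attempt in range(self.max_retries + 1):
            if attempt:                             # re-check before a retry
                self._check_budget()
            try:
                result, tokens = do_request(*args)
            except TransientError as err:
                self._charge(err.tokens_used)       # failed attempts cost too
                if attempt == self.max_retries:
                    raise
                continue
            self._charge(tokens)
            return result
```

A heartbeat or cron job that wraps its provider calls in `guard.call` stops at the ceiling instead of running all night, and a task that keeps looping surfaces as `NeedsConfirmation` rather than as a surprise invoice.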

Why it matters for business users

Unpredictable costs are the opposite of what business owners need. When you cannot forecast a line item in your monthly budget, it creates anxiety and erodes trust in the tool. A $20 overnight charge might sound minor, but it represents a fundamental lack of control: the software spent your money without your knowledge or approval, and you only discovered it after the fact.

For solopreneurs and small teams operating on tight budgets, even modest unexpected charges add up. And the psychological cost is real too -- if you cannot trust that a tool will not surprise you with charges, you will hesitate to use it, which defeats the purpose of having an AI assistant in the first place.

How managed alternatives handle this

Clarilo uses credit-based billing with transparent per-task costs. A typical task costs approximately 6 credits, and you can see your credit balance and usage at any time. Plans start at $19/month (Starter), $39/month (Pro), and $99/month (Premium). When your credits are used, you know -- there is no separate LLM billing dashboard to monitor, no surprise invoices from a third-party API provider.

The difference is structural: you pay a predictable amount for a predictable amount of work. If you want to do more, you upgrade your plan or purchase additional credits. The tool never spends money you did not explicitly allocate.

Issue 5: The Agent That Bought a Car

What happened

One of the most widely discussed OpenClaw incidents involved an agent autonomously completing a purchase on behalf of its user. The specifics vary across retellings, but the core facts are consistent: a user gave their OpenClaw agent a task related to researching a purchase, and the agent proceeded to complete the transaction without explicit approval.

The incident went viral not because of the dollar amount (though purchasing a vehicle is obviously significant), but because it crystallized a fear that many people have about autonomous AI agents: what if it does something I did not authorize?

Why it matters for business users

This incident is the natural endpoint of an architecture that defaults to autonomous execution. OpenClaw is designed to act on your behalf -- that is its core value proposition. But acting on your behalf without a confirmation step means the agent's judgment is the only safeguard between intention and action.

For business operations, the stakes are high:

  • An agent could send an email to a client with incorrect information
  • It could accept a calendar invite that conflicts with an important meeting
  • It could modify a shared document or spreadsheet with wrong data
  • It could post to a social media account without review
  • It could make a purchase or commit to a contract

Each of these actions is individually recoverable, but each one also damages credibility, wastes time on damage control, and erodes trust -- both your trust in the tool and your clients' trust in you.

How managed alternatives handle this

This is where human-in-the-loop architecture becomes essential -- and it is the single most important architectural difference between autonomous and managed AI assistants.

Clarilo requires explicit approval on every write action. Before an email is sent, you see the full draft -- recipient, subject, body. Before a calendar event is created, you see every detail. Before a Notion page is updated, you see exactly what will change. Nothing that modifies, creates, or sends data executes without your explicit "approve" click.

Read-only actions -- searching your inbox, checking your calendar, looking up a contact -- can be auto-approved because they do not change anything. But every action with consequences requires your sign-off.

This is not a limitation. It is the feature that makes AI assistants safe enough to use for real business work. The entire point of automating solopreneur tasks is to save time -- but only if the automation does not create new problems that cost even more time to fix.

Issue 6: Skills Accessing Other Skills' Data

What happened

Security researchers identified that OpenClaw's skill architecture does not enforce isolation between installed skills. A skill designed to manage your calendar can, in practice, access data and functionality belonging to a skill that manages your email. There is no sandbox, no permission boundary, and no access control layer separating one skill from another.

This means a malicious or poorly coded skill does not need to contain its own exfiltration logic. It can piggyback on the access and credentials of other legitimate skills you have installed. If you have a Gmail skill that is authenticated to your email account, a malicious "productivity" skill can use that same access to read your emails, send messages, or extract attachments.

Why it matters for business users

Permission isolation is a foundational security principle. Operating systems separate processes. Browsers sandbox tabs. Mobile apps have permission models that prevent one app from reading another's data. OpenClaw's skill architecture lacks this boundary entirely.

For business users who install multiple skills to cover different workflows, this creates a compounding risk: every new skill you install gains implicit access to everything every other skill can do. The attack surface grows with each addition, and there is no way to audit or limit cross-skill access without modifying OpenClaw's source code.

This is particularly dangerous in combination with the ClawHub supply chain issues discussed earlier. A malicious skill does not need broad capabilities of its own -- it just needs to be installed alongside legitimate skills that already have the access it wants.

How managed alternatives handle this

Managed platforms enforce integration isolation at the infrastructure level. Each integration connects to a specific service with scoped OAuth permissions. Your Gmail connection cannot be used by your Notion integration. Your calendar access is not available to your Slack connection.

This scoping happens automatically as part of the OAuth authorization flow. When you connect Gmail, you grant specific permissions (read, send, manage labels) to the Clarilo platform -- not to every feature or integration within it. The platform's backend enforces these boundaries.
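The two mechanisms described here and under Issue 5, per-integration scoping and an explicit approval step on every write, fit in one small broker. The code below is an added example, not Clarilo's or OpenClaw's code; the integration names, scopes, tokens and stub handlers are constructed.

```python
"""Action broker (added example; not Clarilo's or OpenClaw's code). Each
integration holds only its own credential and granted scopes, so one cannot
borrow another's access, and every write action waits behind a preview for
a human decision. Names, scopes and the stub handlers are constructed."""
from collections import namedtuple
import itertools

READ, WRITE = "read", "write"    # reads auto-approve; writes need a human
Handler = namedtuple("Handler", "scope effect run")  # run(token, params)

class Integration:
    def __init__(self, name, token, granted_scopes, handlers):
        self.name = name
        self._token = token          # never exposed to other integrations
        self.granted = frozenset(granted_scopes)
        self.handlers = dict(handlers)

    def handler_for(self, action):
        if action not in self.handlers:
            raise PermissionError(f"{self.name} has no action '{action}'")
        h = self.handlers[action]
        if h.scope not in self.granted:
            raise PermissionError(f"{self.name}: scope '{h.scope}' not granted")
        return h

    def execute(self, action, params):
        return self.handler_for(action).run(self._token, params)

class Broker:
    def __init__(self):
        self.integrations = {}
        self.pending = {}            # ticket -> (integration, action, params)
        self._tickets = itertools.count(1)

    def register(self, integ):
        self.integrations[integ.name] = integ

    @staticmethod
    def preview(integ_name, action, params):
        """The complete proposed action, shown before the user decides."""
        fields = ", ".join(f"{k}={v!r}" for k, v in params.items())
        return f"{integ_name}.{action}({fields})"

    def request(self, integ_name, action, params):
        """Reads run immediately; writes return a ticket awaiting approval."""
        integ = self.integrations[integ_name]
        if integ.handler_for(action).effect == READ:   # scope checked up front
            return "done", integ.execute(action, params)
        ticket = next(self._tickets)
        self.pending[ticket] = (integ_name, action, params)
        return "pending", ticket

    def approve(self, ticket):
        integ_name, action, params = self.pending.pop(ticket)
        return self.integrations[integ_name].execute(action, params)

    def decline(self, ticket):
        self.pending.pop(ticket)     # dropped without ever executing

def build_demo_broker():
    """Constructed setup: Gmail granted read and send, Notion read only."""
    broker = Broker()
    broker.register(Integration("gmail", "gmail-token-constructed",
        {"gmail.read", "gmail.send"},
        {"search": Handler("gmail.read", READ, lambda tok, p: f"hits for {p['query']}"),
         "send": Handler("gmail.send", WRITE, lambda tok, p: f"sent to {p['to']}")}))
    broker.register(Integration("notion", "notion-token-constructed",
        {"notion.read"},
        {"update_page": Handler("notion.write", WRITE, lambda tok, p: "updated")}))
    return broker
```

A Notion request can never reach Gmail's `send` handler or token, and a write whose scope the user never granted is refused at request time rather than parked for approval.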

The Managed vs Self-Hosted Tradeoff

Let's be honest about the tradeoff, because there is one.

Self-hosted solutions like OpenClaw give you genuine advantages:

  • Full source code access. You can audit every line, modify behavior, and contribute back to the project.
  • Local data residency. Your data stays on your machine. No cloud provider has access to it.
  • No vendor dependency. If the company behind a managed service shuts down, your tool disappears. Open-source software lives on.
  • Maximum flexibility. You can customize the agent's behavior, add new capabilities, and integrate with anything you can code.

These are real benefits. For developers and technically sophisticated users, they can outweigh the security concerns -- especially with proper hardening.

But those benefits come with a cost:

  • You are the security team. Every vulnerability, misconfiguration, and exposure is your responsibility to detect and fix.
  • You are the ops team. Updates, backups, monitoring, and reliability are on you.
  • You are the integration team. New connections, broken APIs, and authentication flows are your problem.
  • You are the cost management team. API billing, token optimization, and runaway process detection fall to you.

For a solo founder or small business team, wearing all of those hats on top of running the business is not a reasonable ask. The entire point of using an AI assistant is to get time back, not to create a new category of infrastructure to manage.

Human-in-the-Loop Is the Real Solution

The security issues covered in this post fall into two categories: external threats (malicious skills, RCE vulnerabilities, exposed instances) and internal risks (runaway costs, unauthorized actions, cross-skill data access).

Managed hosting addresses the external threats by eliminating the self-hosted attack surface. But it is human-in-the-loop that addresses the internal risks -- and those are arguably the more important ones for business users.

An AI agent that cannot send an email without your approval cannot send an email to the wrong client. An AI agent that cannot make a purchase without your confirmation cannot buy a car. An AI agent that shows you exactly what it will do before it does it cannot surprise you with unintended consequences.

Human-in-the-loop is not about distrusting AI. It is about recognizing that AI assistants are powerful enough to cause real damage when they get things wrong, and building in a safety net that catches mistakes before they become problems. It is the same principle behind "review before publish" in content management, "approve before deploy" in software engineering, and "sign before send" in legal workflows.

The goal is not to slow the AI down. The goal is to make it trustworthy enough that you can actually delegate important work to it.

OpenClaw Is Improving -- But Architecture Is Hard to Change

It is worth acknowledging that the OpenClaw team has been responsive to many of these issues. Malicious skills have been removed from ClawHub. The RCE vulnerability has been patched. Documentation around authentication has been improved.

But some of the most significant risks are architectural:

  • Autonomous execution by default is a design choice, not a bug. Adding mandatory human approval would change the fundamental character of the product.
  • An open skill marketplace is a core feature, not an oversight. Adding mandatory code review and sandboxing would slow skill development and change the ecosystem dynamics.
  • Self-hosted deployment means security is distributed across thousands of individual installations with varying levels of expertise. No amount of documentation can ensure every user configures authentication correctly.

These are not criticisms of the project's goals. They are observations about the inherent tradeoffs of the architecture. OpenClaw optimizes for power and flexibility. That optimization has security costs, and those costs fall on the user.

Frequently Asked Questions

Is OpenClaw safe to use for personal projects?

For personal experimentation and development workflows where you understand the risks, OpenClaw can be used safely with proper hardening: disabling ClawHub, running behind authentication, auditing all installed skills, isolating the Docker network, and monitoring API costs. The key phrase is "proper hardening" -- the default configuration is not sufficient for any use case involving sensitive data.

Can OpenClaw's security issues be fixed?

Many individual vulnerabilities can and have been patched. But the architectural characteristics that enable these issues -- open plugin marketplace, autonomous execution, self-hosted deployment -- are core design decisions, not bugs. Changing them would fundamentally alter what OpenClaw is. The project will continue to improve, but certain categories of risk are inherent to the architecture.

How does Clarilo protect my business data?

Clarilo runs on managed infrastructure with professional security practices. All integrations use OAuth with scoped permissions -- you never share passwords or API keys. Every write action requires your explicit approval before execution. There is no open plugin marketplace, no user-hosted attack surface, and no autonomous execution that could take unintended actions. Your data is encrypted in transit and at rest.

What does human-in-the-loop mean in practice?

It means every action that writes, sends, creates, or modifies data shows you a detailed preview before it runs. You see the full email draft before it sends. You see the calendar event details before it is created. You see the Notion page content before it is updated. You approve with one click, or decline and provide corrections. Read-only actions can be auto-approved since they do not change anything. The result is an AI assistant that is both capable and predictable.

Try Clarilo Risk-Free

If you are looking for an AI executive assistant that handles the heavy lifting without the security headaches, Clarilo offers a 7-day free trial with no credit card required.

  • Starter -- $19/mo for solo founders getting started with AI delegation
  • Pro -- $39/mo for growing businesses that need event triggers and unlimited routines
  • Premium -- $99/mo for power users who want maximum capacity

900+ integrations. Human-in-the-loop approval on every action. Five minutes from signup to your first completed task.


Clarilo Team

Building the AI executive assistant for entrepreneurs. We write about productivity, automation, and running a business with less overhead.