If you’ve been on X in the last month, you’ve seen the photos. Mac Minis stacked on desks. Raspberry Pis tucked behind monitors. VPS dashboards glowing with the OpenClaw control panel. The pitch is irresistible: a personal AI agent that lives on your hardware, connects to your messaging apps, manages your calendar, writes code, and executes real-world tasks on your behalf. Always on. Always learning. Always ready.

What most of the setup guides floating around don’t mention is that you’re also deploying one of the most aggressively targeted attack surfaces in recent memory.

OpenClaw (formerly Clawdbot, formerly Moltbot) went from zero to 180,000 GitHub stars in weeks. It triggered a Mac Mini shortage in U.S. stores. And within three weeks of going viral, it became the center of a multi-vector security crisis that is still unfolding.

This isn’t a hit piece on the project. The tool is genuinely useful, and Peter Steinberger (who recently joined OpenAI to lead personal agent development) built something that clearly resonated. But the gap between how fast people are deploying OpenClaw and how well they understand what they’re exposing is alarming. Let’s walk through what’s actually happening, then talk about how to fix it.

The attack surface nobody reads about

The core problem is architectural. OpenClaw is an autonomous agent with shell access, persistent memory, and deep integrations into your messaging apps, email, calendar, files, and API keys. When it works, it feels like magic. When it’s misconfigured, it’s a single point of compromise for your entire digital life.

Here’s what’s gone wrong so far.

CVE-2026-25253: One-click RCE

In late January, researcher Mav Levin at Depthfirst discovered that OpenClaw’s Control UI accepted a gatewayUrl query parameter from the URL without validation. It would then automatically initiate a WebSocket connection to whatever address was specified, transmitting the user’s authentication token as part of the handshake. The attack chain completed in milliseconds: a victim clicks a crafted link, the attacker exfiltrates the token, connects to the local gateway, disables sandboxing, and executes arbitrary commands. CVSS 8.8. Patched in v2026.1.29, but the initial fix was incomplete. Depthfirst and Snyk found the Docker sandbox could still be bypassed (CVE-2026-24763), and two more CVEs dropped the same day. As of writing, Endor Labs has disclosed six additional vulnerabilities including SSRF, missing authentication, and path traversal bugs.

30,000+ exposed instances

Multiple scanning teams (Censys, Bitsight, SecurityScorecard, Hunt.io) have independently found tens of thousands of OpenClaw instances sitting on the open internet with little or no authentication. One early Shodan scan found nearly a thousand instances running with zero auth. Researcher Jamieson O’Reilly demonstrated he could access Anthropic API keys, Telegram bot tokens, Slack accounts, and complete chat histories from exposed deployments. SecurityScorecard correlated 549 exposed instances with prior breach activity and found 63% of observed deployments were vulnerable to RCE.

ClawHavoc: The skills supply chain attack

This is the one that should keep you up at night. OpenClaw uses “skills,” which are folders of instructions and scripts that extend the agent’s capabilities. ClawHub, the official skills marketplace, required nothing more than a one-week-old GitHub account to publish. A single user (”hightower6eu”) uploaded 354 malicious packages in what appears to have been an automated blitz. Security researcher Paul McCarty identified 386 malicious skills between February 1-3 alone. Updated scans now report over 1,184 malicious skills across ClawHub and GitHub.

The skills masqueraded as cryptocurrency trading automation tools, using brand names like ByBit, Polymarket, and Axiom. They all shared the same C2 infrastructure (91.92.242[.]30) and used social engineering to convince users to execute commands that stole crypto exchange API keys, wallet private keys, SSH credentials, and browser passwords. No technical exploit required. The skills were just Markdown files with “run this command” instructions, and the agent faithfully executed them.

One skill posing as a “DeFi Portfolio Tracker” simply ran a grep for JSON files containing “mnemonic” or “seed,” then posted the results to a Telegram bot. Recovery from exposed seed phrases is impossible. McCarty contacted the OpenClaw team multiple times. Steinberger reportedly said he had too much to do to address the issue. Many of the malicious skills remained live for days after disclosure.

The crypto connection

The targeting of cryptocurrency users was deliberate and financially motivated. The intersection of OpenClaw’s early adopter demographic (tech-forward, crypto-adjacent, running autonomous agents with API access) and the irreversibility of crypto transactions made this a perfect hunting ground. The damage extended beyond wallet theft. Attackers also harvested SSH keys enabling lateral movement, cloud tokens for infrastructure compromise, and browser session data. The creator recently banned all crypto-related discussion from the OpenClaw Discord after scammers hijacked his accounts and launched a fake CLAWD token that briefly hit a $16 million market cap.

Why the standard installation guides are the problem

Scroll through X and you’ll find dozens of “how I set up my OpenClaw in 10 minutes” threads. YouTube tutorials with hundreds of thousands of views. VPS hosting companies selling one-click deploys. People are literally paying $500 for “managed setup” services.

Almost none of them start with security.

The typical guide goes: install OpenClaw, connect your LLM API key, pair your messaging apps, install some cool skills, done. That’s how you end up as one of the 30,000+ exposed instances. The DigitalOcean one-click deploy shipped with OpenClaw v2026.1.24-1, which is vulnerable to the one-click RCE. Their auto-update script didn’t even work properly due to git permissions issues.

Sophos described the fundamental issue well: the “lethal trifecta” is when an AI agent has access to private data, the ability to communicate externally, and the ability to process untrusted content. OpenClaw, by design, does all three. Anyone who can message your agent is effectively granted the same permissions the agent has. A malicious email, a crafted webpage, a poisoned skill. Any of these become a direct pipeline to everything OpenClaw can touch.

12 things you should do before your OpenClaw instance ruins your life

Whether you’re running on a Mac Mini, a VPS, or a Raspberry Pi, these aren’t optional. They’re the minimum.

1. Update to the latest version immediately

Anything older than v2026.1.30 is vulnerable to known, actively exploited CVEs with public exploit code. Check your version, update, and verify. If you’ve been running an older version exposed to the internet, assume compromise. Rotate every credential the agent had access to.

2. Bind to localhost only

Your gateway should listen on 127.0.0.1, not 0.0.0.0. Verify this is actually happening: run lsof -iTCP:18789 -sTCP:LISTEN and confirm you see 127.0.0.1:18789. If you see *:18789 or 0.0.0.0:18789, your gateway is exposed to the network and you need to fix it now.

3. Change the default gateway port

OpenClaw ships with port 18789. Every scanner, every attacker, every honeypot hunter knows this. Shodan queries for port 18789 are how researchers found 30,000+ exposed instances in the first place. Pick a non-standard port and configure your gateway to use it. This isn’t security through obscurity as a strategy. It’s reducing your visibility to automated scanning. You still need everything else on this list, but there’s no reason to make yourself easy to find.

4. Run on a dedicated device or VM, never your primary machine

This is the single most important architectural decision. OpenClaw gets the same level of access to your computer that you have. If it gets compromised, the blast radius is everything on that machine. Use a spare Mac Mini, a dedicated VPS, a Raspberry Pi, a VM. Not your daily driver with your password manager, crypto wallets, and work credentials.

5. Create a dedicated non-admin user account

On macOS: System Settings > Users & Groups > create a standard account. OpenClaw runs here. It can’t install system software, modify system files, or escalate privileges. If the agent gets tricked, the damage is contained. On Linux: create a dedicated user, don’t run as root, and use the principle of least privilege for file permissions.

6. Lock down file permissions and configure your firewall

Your OpenClaw config directory contains your API keys, tokens, and chat history. Lock it down:

chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/openclaw.json

Then set up your firewall properly. On Linux, use UFW with a default-deny inbound policy:

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw enable

On macOS, enable the built-in firewall in System Settings > Network > Firewall. On a VPS, also restrict SSH access to your IP or a private network. Use Tailscale for remote access instead of exposing ports. The goal is allowlist-only for inbound traffic. If a port doesn’t need to be open, it shouldn’t be.

7. Do not install skills from ClawHub without reviewing the code

The skills marketplace is still fundamentally a trust problem. Yes, OpenClaw has partnered with VirusTotal to scan uploads. No, that doesn’t make it safe. Skills are Markdown files that can contain hidden “run this command” instructions. Treat every third-party skill like an untrusted executable. Read the code. Understand what it does. Start with zero skills and add deliberately. Use Cisco’s open-source Skill Scanner to audit before installing.

8. Enable execution approval for dangerous operations

Set the exec_approval flag in your configuration for tools like terminal, filesystem_delete, and git_push. This forces the agent to ask before executing destructive commands. It adds friction, but friction is the point.

9. Set API spending limits on every provider

Go to billing settings on Anthropic, OpenAI, and any other service you’ve connected. Set a monthly cap. A misconfigured agent or a runaway loop can burn through credits fast, and a compromised agent can rack up charges intentionally. Start conservative ($20-50/month) and adjust up.

10. Never expose your agent to untrusted input

No group chats with strangers. No auto-replying to tweets. No letting unknown users interact with your bot. Every message your agent reads is a potential prompt injection. Indirect prompt injection through email, web pages, or documents is a real and demonstrated attack vector against OpenClaw. Use DM pairing and restrict who can communicate with your agent.

11. Use burner accounts for email, GitHub, and messaging

Do not connect OpenClaw to your primary email, your main GitHub account, or your personal messaging apps. Create standalone, dedicated accounts for anything the agent touches. A burner email for OpenClaw. A separate GitHub account if you need repo access. A dedicated Telegram or Signal account for bot communication. If OpenClaw gets compromised, and at this point you should plan for that possibility, the attacker gets access to a throwaway account instead of your real inbox, your repos, and your contact list. This is basic blast radius containment and it costs you nothing but ten minutes of setup.

12. Run the security audit regularly

OpenClaw has a built-in security audit. Use it:

openclaw security audit --deep

Run this after every update, after installing any new skill, and on a regular schedule. The --fix flag will auto-tighten common misconfigurations. Also enable the macOS firewall, enable FileVault for full-disk encryption, and monitor your gateway logs for unauthorized configuration changes or command execution.

The bigger picture

OpenClaw is a preview of where we’re all headed. Autonomous AI agents that act on our behalf, with persistent memory and deep system access, are not going away. They’re going to become standard infrastructure. The question is whether we’ll deploy them with the same thoughtfulness we apply to other privileged access, or whether we’ll keep treating them like chatbots with extra features.

The 512 vulnerabilities found in the January security audit, the 1,184 malicious skills on ClawHub, the 30,000+ exposed instances, the drained crypto wallets. None of this happened because OpenClaw is a bad project. It happened because adoption outran security by months, and the installation guides people followed optimized for speed instead of safety.

If you’re going to run an autonomous agent, treat it like what it is: a privileged user on your network with access to your most sensitive data. Harden accordingly.

Subscribe to Dark Dossier for weekly threat research and adversary tradecraft analysis.