138 security flaws in 63 days: OpenClaw's vulnerability problem is worse than you think

By Linas Valiukas

Tags: OpenClaw, security, AI agents, SMBs, data privacy, prompt injection

OpenClaw crossed 250,000 GitHub stars faster than React. It’s the most popular open-source AI agent ever built. And it’s had 138 security vulnerabilities in the 63 days since February 2, 2026.

That’s 2.2 new vulnerabilities per day. Seven of them rated critical. Forty-nine rated high. And if you’re running an instance right now — for your business, for a client, even just to experiment — there’s a decent chance your API keys, your Slack tokens, and your customer data are already exposed.

I’m not being dramatic. Kaspersky found 512 total vulnerabilities in a single audit, eight of them critical. Cisco’s security researchers analyzed 31,000 agent skills and found 26% contained at least one vulnerability. Microsoft published a dedicated security blog about how to run OpenClaw without getting hacked.

When Microsoft, Cisco, and Kaspersky all publish warnings about the same tool in the same month, you pay attention.

The vulnerabilities that matter most

Let me skip the CVE soup and explain what these flaws actually mean in practice.

Your agent can be hijacked from a website you visit. The “ClawJacked” vulnerability, discovered by Oasis Security, let any website open a connection to your local OpenClaw instance and brute-force its password at hundreds of attempts per second. The gateway’s rate limiter exempted localhost connections entirely — it assumed local access was safe. The attacker gets full admin control: they can read your messages, dump your API keys, and run commands on your machine. Fixed in version 2026.2.25, but only after public disclosure.
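To make the ClawJacked failure concrete, here is an added toy model (my own illustration, not OpenClaw's code): the same authentication gate with the localhost exemption, with plain rate limiting, and with rate limiting plus an Origin allowlist, each replayed against a burst of guesses arriving from a browser page on the user's own machine. The port, origin, failure limit and token are assumed values.

```python
# Toy model of the ClawJacked bug class, not OpenClaw code: the same auth gate with and
# without the localhost exemption, plus an Origin allowlist for browser-originated sockets.
import hmac
from collections import defaultdict

MAX_FAILURES = 5                                # failures allowed per window (assumed policy)
WINDOW_SECONDS = 60.0
ALLOWED_ORIGINS = {"http://127.0.0.1:18789"}    # assumed: only the gateway's own UI page
TOKEN = "c" * 64                                # placeholder; use a random 64-character token

class AuthGate:
    """Decides whether a gateway auth attempt is served ('ok'), 'denied' or 'blocked'."""

    def __init__(self, exempt_localhost, check_origin):
        self.exempt_localhost = exempt_localhost
        self.check_origin = check_origin
        self.failures = defaultdict(list)       # client address -> recent failure timestamps

    def _rate_limited(self, addr, now):
        if self.exempt_localhost and addr in ("127.0.0.1", "::1"):
            return False                        # the flawed assumption: local means trusted
        recent = [t for t in self.failures[addr] if now - t < WINDOW_SECONDS]
        self.failures[addr] = recent
        return len(recent) >= MAX_FAILURES

    def attempt(self, addr, origin, presented, now):
        # A browser tab on the user's own machine connects from 127.0.0.1 but carries the
        # web page's Origin header; the source address alone cannot tell it from a trusted client.
        if self.check_origin and origin not in ALLOWED_ORIGINS:
            return "blocked"
        if self._rate_limited(addr, now):
            return "blocked"
        if hmac.compare_digest(presented, TOKEN):   # constant-time comparison
            return "ok"
        self.failures[addr].append(now)
        return "denied"

def brute_force(gate, origin, attempts=500):
    """Replay a burst of wrong guesses (100/s) from a local browser page; tally outcomes."""
    tally = {"ok": 0, "denied": 0, "blocked": 0}
    for i in range(attempts):
        tally[gate.attempt("127.0.0.1", origin, f"guess-{i}", now=i * 0.01)] += 1
    return tally

if __name__ == "__main__":
    page = "https://third-party-site.example"
    print("localhost exempt :", brute_force(AuthGate(True, False), page))
    print("rate limited     :", brute_force(AuthGate(False, False), page))
    print("plus origin check:", brute_force(AuthGate(False, True), page))
```

With the exemption, all 500 guesses are evaluated; plain rate limiting stops the burst after five failures, and the Origin check refuses the foreign page outright while the gateway's own UI with the right token still gets through.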

Your data leaks through Telegram previews. Researchers at PromptArmor found that messaging apps generate link previews automatically — and OpenClaw’s agent responses can be manipulated to include URLs with sensitive data baked into the query parameters. The data transmits the moment the preview renders. No clicking required.

Emails can trick your agent into sending your files to an attacker. Matvey Kukuy, CEO of Archestra.AI, demonstrated this live: he sent a crafted email that extracted private keys through prompt injection. No confirmation prompts. No user interaction. The agent just… did it.

The skill marketplace is a minefield. This one’s bad. 824+ malicious skills have been documented in ClawHub — OpenClaw’s community marketplace — including credential harvesters, cryptominers, persistent backdoors, and prompt injection loaders. Cisco found a skill called “What Would Elon Do?” that bypassed safety guidelines and sent user data to external servers. Between January 27 and February 1, over 230 malicious scripts were published on ClawHub and GitHub, downloaded thousands of times.

The barrier to publishing? A GitHub account older than one week.

42,000 instances exposed on the public internet

Here’s where it gets really uncomfortable for business owners.

Shodan scans found 42,000+ OpenClaw instances directly accessible from the internet. 63% had authentication disabled. 28% were running versions with known, unpatched vulnerabilities.

BitSight tracked the explosion in real time: from roughly 1,000 instances on January 27 to over 30,000 by February 8. A 177% increase in a single day. They found instances in healthcare, finance, government, and insurance. One test instance accepted the password “a” — a single character.

Censys identified 21,639 exposed instances on January 31 alone. The United States had the largest share. China hosted about 30% — mostly on Alibaba Cloud. Misconfigured instances were leaking API keys, OAuth tokens, and plaintext credentials.

Then the Moltbook breach happened. Moltbook — a social network for OpenClaw agents — had its database exposed: 35,000 email addresses and 1.5 million agent API tokens. The platform had grown to 770,000+ active agents before anyone noticed the database was public.

China’s CNCERT issued a formal warning. State-run enterprises and government agencies were banned from running OpenClaw on office computers. The ban extends to military personnel families.

Why traditional security tools don’t catch this

I think this is the part that trips up business owners who assume their IT setup is “good enough.”

Your antivirus sees processes running. Your firewall sees network traffic. Your identity provider sees OAuth grants. None of them understand what an AI agent is doing or why. As Reco’s analysis puts it: “Endpoint security sees processes running but doesn’t understand agent behavior. Identity systems see OAuth grants but don’t flag AI agent connections as unusual.”

The agent operates in a weird middle ground. It’s not malware — it’s software you installed on purpose. It’s not an employee — but it has access to your Slack, your email, your calendar, and your files. It processes instructions from external sources (emails, web pages, Telegram messages) and executes them with whatever permissions you gave it.

Giskard’s researchers found that OpenClaw’s default session configuration shares context across all direct messages. API keys loaded in what you think is a “private” session? Available to anyone who can message the bot. Files generated in one user’s session? Retrievable by another user. The isolation that feels obvious to a human isn’t the default.

What this means if you’re running a business

I set up AI agents for small businesses. I recommend OpenClaw as one of the tools in the stack. I’m still recommending it — but with caveats I didn’t need six months ago.

OpenClaw isn’t insecure because it’s badly made. It’s insecure because it’s a powerful tool being deployed by people who don’t know what they’re deploying. A chef’s knife isn’t dangerous because it’s a bad knife. It’s dangerous because someone left it on the counter where the kids can reach it.

The typical small business owner who sets up OpenClaw follows a YouTube tutorial, connects it to Telegram, hooks up their Gmail, and walks away. They don’t change the default session scope. They don’t restrict the gateway to localhost. They don’t audit the skills they install. They don’t check if their instance is accessible from the public internet.

And then they hand that agent access to their customer emails, their invoicing system, and their calendar. With a single-character password. On a VPS that’s open to the world.

What you should actually do

If you’re already running OpenClaw, here’s the checklist. None of this is optional.

Update immediately. If you’re running anything before version 2026.2.25, you’re vulnerable to the ClawJacked WebSocket hijack. Check your version and update. Today.

Lock down the gateway. Bind it to 127.0.0.1 — never 0.0.0.0. Set a 64-character random token. Block port 18789 at your firewall. If you need remote access, use Tailscale or a VPN — never expose the port directly. Blink’s hardening guide has the exact commands.

Audit every skill you’ve installed. Remove anything you didn’t personally verify. Don’t install skills from ClawHub without reading the source code. Yes, that’s annoying. The alternative is running code from strangers with access to your business accounts.

Fix your session isolation. Change the default scope from main to per-peer or per-account-channel-peer. The main scope shares everything across users. Giskard’s guide explains the configuration in detail.

Don’t run it on your primary machine. Kaspersky’s recommendation is blunt: use a dedicated spare computer or VPS. Never your main workstation. Never a machine that stores sensitive business files. If the agent gets compromised, the blast radius should be limited to that one box.

Use the best model for safety. Kaspersky specifically recommends Claude Opus for the strongest prompt injection detection. Cheaper models are more susceptible to being tricked by malicious inputs.

Set up monitoring. If your agent is connected to Gmail, Slack, or any business tool — you need to know what it’s doing. Check your OAuth grants. Review what permissions you’ve given the agent. Remove anything it doesn’t strictly need.

If you haven’t started yet, you’re in a better position than you think

Honestly? The business owners reading this who haven’t set up OpenClaw yet are in the best spot. You get to start with the right architecture from day one instead of retrofitting security onto a running system.

The three-tier privacy model I recommend to clients hasn’t changed:

  1. Mac Mini with a local model for maximum privacy — your data never leaves your office
  2. Cloud AI provider (Claude, GPT) for cost savings — your data goes to the API provider but nowhere else
  3. Dedicated GPU server as a middle ground — your own hardware in a data center

What’s changed is that I now add a security layer to every setup. Network isolation. Skill auditing. Session scoping. Monitoring. It adds a few hours to the initial setup, and it’s not the fun part. But it’s the difference between an AI assistant and an AI liability.

The EU AI Act deadline hits August 2. If you’re deploying AI agents that touch customer data, you need an inventory of what’s running, what data it accesses, and what controls are in place. Starting with a secure setup now means you’re not scrambling for compliance in four months.

The real question

OpenClaw is the most capable open-source AI agent I’ve worked with. The multi-channel support (Telegram, Slack, WhatsApp, iMessage), the persistent memory, the skill system — when it’s set up right, it’s genuinely useful for businesses. I wrote about how it compares to Claude Code Channels and I still stand by that analysis.

But “set up right” now means something different than it did in January. The tool grew faster than the security practices around it. 250,000 GitHub stars in weeks. Hundreds of thousands of instances deployed. And a marketplace that went from 2,857 skills to 10,700+ in two weeks — with no meaningful code review process.

138 vulnerabilities in 63 days isn’t a reason to avoid OpenClaw. It’s a reason to respect what you’re deploying. If you wouldn’t give a new hire unsupervised access to your email, your bank account, and your customer database on their first day — don’t give it to an AI agent without the same due diligence.

If you want help setting this up without the security headaches — or if you’re already running OpenClaw and want someone to audit it — check my pricing or get in touch. I’ll tell you exactly where your risk sits and what it takes to fix it.

Book a free call. I'll tell you exactly what I'd automate first, what hardware you need, and what the whole thing costs. No surprises.
