try.directtry.direct

OpenClaw Security: Safe Deployment Guide

OpenClaw went from a side project to hundreds of thousands of GitHub stars in months. It also went from zero to hundreds of malicious skills on its own marketplace in weeks. Both facts describe the same tool, and if you are planning to run it, you need to understand why.


OpenClaw connects to messaging apps like WhatsApp, Telegram, Discord, and Slack, reads local files, executes shell commands, and acts on your behalf across whatever services you connect it to.


OpenClaw is not unsafe by design, but its permission model makes a compromised instance far more damaging than typical software. The risks are well documented at this point: a supply-chain campaign called ClawHavoc placed 341 malicious skills on ClawHub, a critical remote-code-execution flaw (CVE-2026-25253) let attackers hijack instances through a single malicious link, and Cisco found that 26% of 31,000 scanned agent skills contained at least one exploitable vulnerability. None of that means the tool is unusable. It means safe deployment comes down to isolation, a locked-down firewall, skill vetting, and logging, not avoidance.


This guide covers what independent security researchers actually documented, why the risk is structural rather than a handful of bad skills, and a practical checklist for running OpenClaw without becoming the next case study.


Why OpenClaw Is a Different Kind of Security Risk


Most software vulnerabilities give an attacker a foothold. A compromised OpenClaw instance often gives an attacker the same permissions the agent already has, which for most users includes:

  • Full shell access on the host machine
  • Read access to local files, and often to connected cloud storage
  • Live API keys and OAuth tokens for every connected service, from email and calendars to crypto wallets in some setups
  • The ability to install new skills on its own, if configured for autonomous operation

Skills, OpenClaw's extension mechanism, run with the same permissions as the agent itself. There is no sandbox boundary between "this skill checks the weather" and "this skill reads your browser's saved passwords." Security researchers have repeatedly shown that the two can look identical from the outside, and by design, ClawHub requires nothing more than a week-old GitHub account to publish a new one.


What the Security Research Actually Found


These incidents are documented by named security vendors and researchers, not rumor. Where sources disagreed on details, we've gone with the figures corroborated by multiple independent outlets.


The ClawHavoc supply chain attack. In February 2026, Koi Security audited all 2,857 skills then live on ClawHub and identified 341 malicious entries, roughly 12% of the registry. Of those, 335 were traced to a single coordinated campaign, now tracked as ClawHavoc, that used fake "prerequisite" install steps to deliver Atomic Stealer (AMOS) on macOS, a tool built to harvest browser passwords, crypto wallet keys, and session cookies. By later scans the count of flagged malicious skills had grown well past 800 as the registry itself expanded.


A critical remote code execution flaw. Tracked as CVE-2026-25253 and rated CVSS 8.8, this vulnerability let an attacker hijack a running OpenClaw instance and steal its authentication token simply by getting the victim to click a crafted link or visit a malicious page. It was patched within days of disclosure, but only for users who updated.


Widespread vulnerability rates across the wider skill ecosystem. Cisco's AI Defense team scanned roughly 31,000 agent skills across multiple frameworks, OpenClaw included, and found that about 26% contained at least one exploitable vulnerability: command injection, data exfiltration, or prompt injection.


Credential exposure at scale. Snyk's separate ToxicSkills audit scanned close to 4,000 ClawHub skills and found that 7.1% (283 skills) exposed sensitive credentials in plaintext, with 13.4% classified as containing critical-severity issues.


Scanners can be bypassed. Trail of Bits demonstrated that ClawHub's own malware-scanning pipeline could be defeated by padding a malicious skill file with roughly 100,000 blank lines, pushing the harmful code outside the window the scanner actually inspects. Comparable gaps were found in third-party scanning tools built specifically to catch this kind of threat.


Exposed instances at scale. Cisco has reported more than 135,000 OpenClaw instances reachable from the public internet, many running outdated, vulnerable versions.


The institutional response has been telling. China's government restricted state agencies, state-owned enterprises, and banks from running OpenClaw, citing risks around unauthorized data deletion, data leaks, and excessive resource usage. Multiple security vendors, including Cisco, report seeing similar internal restrictions inside enterprises as adoption grows.


The checklist below is what deploying it "deliberately, isolated, and monitored" actually looks like in practice.


How to Deploy OpenClaw Safely: A 7-Step Checklist


1. Never run it on a machine with unrelated sensitive access

Do not install OpenClaw on your daily laptop, especially one logged into personal email, banking, or production infrastructure. A dedicated VM, cloud instance, or container gives you a hard boundary between "if this agent is compromised" and "everything I own".


2. Default to deny on outbound network access

An agent that can only reach the specific APIs it needs is far less useful to an attacker than one with open egress to the entire internet. Configure your firewall for allowlisted outbound connections rather than blocklisting known-bad destinations after the fact.


3. Treat every third-party skill as untrusted code

Skills execute with full agent permissions the moment they are installed. Before adding anything from ClawHub:

  • Scan it with a dedicated tool built for this, such as Cisco's open-source skill-scanner, rather than relying on the marketplace's built-in check alone
  • Read the SKILL.md file and any bundled scripts yourself if the skill touches credentials, files, or network calls
  • Keep the total number of installed skills small; every skill is additional attack surface
  • Avoid one-click installs from public marketplaces in any environment connected to sensitive accounts

4. Keep credentials out of the agent's filesystem

Use a secrets manager or vault rather than letting OpenClaw store API keys and tokens in plaintext config files. Rotate tokens regularly, and scope each connected service to the minimum permissions the agent actually needs. If a skill only needs to read a calendar, it should not also hold write access to email.


5. Patch on a schedule, not when you remember

CVE-2026-25253 and similar flaws were fixed quickly once disclosed. The instances that got compromised were, overwhelmingly, ones running outdated versions. Update OpenClaw and its dependencies on a defined cadence, and subscribe to the project's security advisories.


6. Log everything the agent does

If OpenClaw can act autonomously, you need an audit trail of what it acted on: which skills ran, which tool calls fired, which external destinations received data. Runtime monitoring is what turns "we think something went wrong three weeks ago" into "we caught this in under a minute".


7. Separate the agent from production infrastructure

If OpenClaw is managing DevOps tasks, deploying code, or touching infrastructure, give it a scoped service account rather than admin credentials, and route its actions through the same review gates you would require of a junior engineer.


Where to Actually Run It


Once the isolation and monitoring model above is in place, the remaining decision is infrastructure: a self-managed server, a cloud VM you harden by hand, or a preconfigured deployment.


TryDirect's marketplace includes an OpenClaw preconfigured stack, built by the StackDog Team, that deploys to Amazon EC2, DigitalOcean, or Hetzner Cloud with a firewall already configured. It is worth being direct about what that stack currently is and is not: the listing is explicitly labeled an experimental setup, and at the time of writing it has passed 3 of the marketplace's 8 verification checks. That is not unusual for a preconfigured stack built around a tool this new, but it does mean the firewall and isolation it ships with are a starting point, not a substitute for the credential hygiene, skill vetting, and monitoring practices above.


The advantage of deploying through a marketplace stack rather than a manual install is mainly speed and a consistent baseline: a fresh, isolated instance with networking pre-configured, rather than OpenClaw sharing a machine with other workloads by default. Whichever route you choose, self-hosted VM, containerized deployment, or a marketplace image, the checklist does not change. Isolation, a locked-down firewall, vetted skills, and real logging are what determine whether an OpenClaw deployment is a productivity tool or a liability.


FAQ


Is OpenClaw safe to use? OpenClaw is not inherently unsafe, but its permission model, an agent with shell access, file access, and live credentials, means the consequences of a compromise are more severe than with typical software. Safety depends heavily on how it is deployed and which skills are installed, not just which version you run.


What is ClawHub and why does it matter for security? ClawHub is OpenClaw's community marketplace for skills, the packages that extend what the agent can do. Because anyone with a week-old GitHub account can publish and vetting has historically been limited, ClawHub was the primary vector for the ClawHavoc campaign and other malicious-skill incidents documented by Koi Security, Snyk, and Cisco.


Should I run OpenClaw on my personal computer? It is not recommended if that machine also holds sensitive personal accounts, saved passwords, or production credentials. A dedicated, isolated environment, whether a cloud VM, container, or preconfigured stack, limits the blast radius if something goes wrong.


Do skill scanners fully solve the malicious skill problem? No. Trail of Bits demonstrated bypasses against ClawHub's own scanning pipeline and several third-party scanners. Scanning is a useful first filter, not a guarantee, which is why limiting the number of installed skills and reviewing anything with credential or network access still matters.


Deploy OpenClaw on an isolated, firewall-configured instance in minutes with the OpenClaw preconfigured stack on TryDirect.

Try It Yourself

Deploy this stack or browse pre-built templates in the marketplace. Your first deployment is always free.