Deploying OpenClaw Securely: Why 42,000 Instances Are Exposed Online – and How to Do It Right
Looking to run OpenClaw professionally and securely? WZ-IT deploys OpenClaw on isolated infrastructure in Germany – with VPN, SSO and 24/7 monitoring. Learn more about our OpenClaw expertise or schedule a consultation directly.
OpenClaw has accumulated over 170,000 GitHub stars in just a few weeks, making it one of the fastest-growing open-source projects in history. The autonomous AI agent can process emails, manage calendars, deploy code and execute tasks independently – all via WhatsApp, Telegram, Slack or a dozen other channels.
The problem: The security landscape is catastrophic.
Security researchers have found over 42,000 unprotected OpenClaw instances on the public internet. A critical vulnerability (CVE-2026-25253) enables one-click remote code execution. And on the official skill marketplace ClawHub, 341 skills were identified that actively distribute malware (The Hacker News).
This article analyzes the concrete risks – and provides a practical hardening checklist for secure operations.
Table of Contents
- What Makes OpenClaw Different – and Why That's Dangerous
- Prompt Injection: When an Email Takes Over the Agent
- 42,000 Exposed Instances: The Gateway Problem
- ClawHub: 341 Skills Distributing Malware
- CLOUD Act & GDPR: When the Agent Uses Cloud LLMs
- Hardening Checklist: Deploying OpenClaw Securely
- Our Approach at WZ-IT
- Further Reading
What Makes OpenClaw Different – and Why That's Dangerous
OpenClaw is not a chatbot. It is an autonomous agent with full system access. This fundamentally distinguishes it from tools like ChatGPT or Claude, which are limited to conversations.
The "Lethal Trifecta"
Security researchers from ToxSec and Dark Reading have described the core risks as the "Lethal Trifecta" (Dark Reading):
| Risk Factor | What It Means |
|---|---|
| Private data access | File system, SSH keys, .env files, emails, chat histories, browser profiles |
| Processing external content | Emails, web pages, documents, Slack messages – all potentially manipulated |
| External communication | The agent can send emails, make HTTP requests, post Slack messages |
Added to this is a fourth dimension: Persistent memory. OpenClaw retains context across sessions in a SQLite database. This enables attacks that are fragmented over days or weeks and only assemble at execution time – known as memory poisoning (Trend Micro).
Heartbeat: Autonomous Execution Without Confirmation
The heartbeat system checks every 30 minutes for pending tasks and executes them without explicit confirmation. This makes the agent proactive – but also vulnerable to time-based attacks. A payload injected into persistent memory can manipulate the HEARTBEAT.md file and establish a persistent backdoor that fires every 30 minutes (OpenClaw Docs).
Prompt Injection: When an Email Takes Over the Agent
Prompt injection is the most severe risk for OpenClaw deployments. Since the agent reads and processes external content from emails, documents, web pages and chat messages, attackers can inject manipulated instructions.
How Attacks Work
Security researchers at Zenity demonstrated a proof of concept: A crafted Google Document contained hidden instructions that caused OpenClaw to create a new Telegram bot integration under the attacker's control. From that point, the attacker could send commands through the new channel – without the user receiving any notifications (eSecurity Planet).
A journalist from Android Authority reported hacking his own computer via prompt injection in OpenClaw, describing it as "terrifyingly easy" (Android Authority).
The Multi-Channel Amplification Problem
OpenClaw processes content from 10+ channels simultaneously. A single manipulated support email could theoretically:
- Query customer records from the database
- Trigger fraudulent refunds
- Post Slack messages to mask the activity
The combination of broad system access and missing sandboxing turns every communication channel into a potential attack vector (Cisco Blogs).
42,000 Exposed Instances: The Gateway Problem
Within a week of OpenClaw's viral growth, security researchers found over 42,000 unprotected gateway instances on the public internet (CyberSecurity News).
Why So Many Instances Are Exposed
The OpenClaw gateway is designed as a local service – port 18789 on localhost. Many users accidentally expose it through:
- Missing firewall rules (UFW not configured)
- Open ports in cloud security groups (AWS, Hetzner)
- Reverse proxies without authentication
- Docker containers binding ports directly to the network
The results are alarming: 93.4% of publicly reachable instances had critical authentication bypass vulnerabilities (JFrog).
What Attackers See
Anyone gaining access to an exposed gateway can:
- Read API keys and OAuth tokens
- Access private chat histories and emails
- Execute arbitrary shell commands on the host
- Read, modify and exfiltrate files
- Use the agent as a proxy for further attacks
CVE-2026-25253: One-Click Remote Code Execution
In January 2026, CVE-2026-25253 was published – a critical vulnerability (CVSS 8.8) in the Control UI. The UI accepted the gatewayUrl parameter from the query string without validation and connected automatically, sending the stored token in the process.
Result: A single crafted link was enough to send the gateway token to an attacker-controlled server and take over the entire system. Patched in version 2026.1.29 (SOCRadar).
ClawHub: 341 Skills Distributing Malware
ClawHub is OpenClaw's official extension marketplace – comparable to a plugin store. Security researchers from Koi Security audited all 2,857 available skills and found 341 actively malicious entries (The Hacker News).
The "ClawHavoc" Campaign
335 of the malicious skills distributed the Atomic macOS Stealer (AMOS) – an infostealer sold on criminal marketplaces for $500-1,000/month. AMOS extracts:
- Browser credentials and cookies
- Keychain passwords
- Crypto wallet data
- SSH keys
- Files from the home directory
The skills had professional documentation and plausible names: solana-wallet-tracker, youtube-summarize-pro, polymarket-trader.
7.1% of All Skills Leak Credentials
Independent of the ClawHavoc campaign, Snyk found that 283 additional skills (7.1% of the registry) contained vulnerabilities that expose sensitive credentials (The Register).
The lesson: No skill should be installed without manual code review.
CLOUD Act & GDPR: When the Agent Uses Cloud LLMs
OpenClaw itself is just the "hand" – the language model is the "brain." When configured with GPT-4, Claude or another US-hosted service as the backend, all prompts and context data are transmitted to US providers.
This directly conflicts with European data protection law:
- The CLOUD Act allows US authorities to access data from US companies – regardless of server location
- The GDPR requires a legal basis for transfers to third countries
- The EU AI Act (effective August 2, 2026) tightens obligations for autonomous AI systems
Organizations processing sensitive business or customer data through OpenClaw while using a US API as the LLM backend face a fundamental compliance problem.
The alternative: Local models via Ollama (Llama 3.3 70B, Mistral Large, Qwen 2.5) on dedicated GPU infrastructure – no data transfer, full GDPR compliance. Read more in our article on AI sovereignty.
Hardening Checklist: Deploying OpenClaw Securely
The following measures significantly reduce the attack surface. They are based on official documentation, independent security audits and our own deployment experience (OpenClaw Docs, Adversa AI).
Network
| Measure | Priority | Details |
|---|---|---|
| Bind gateway to localhost | Critical | Never use 0.0.0.0. Port 18789 only on 127.0.0.1 |
| VPN for remote access | Critical | Tailscale, WireGuard or SSH tunneling instead of open ports |
| Firewall rules | Critical | UFW: Block gateway port at the firewall level |
| Network segmentation | High | OpenClaw in its own VLAN/subnet – isolated from production systems |
| No shared hosting | High | Never run OpenClaw on the same host as databases or backend services |
Authentication & Secrets
| Measure | Priority | Details |
|---|---|---|
| Enable token auth | Critical | Mandatory when the gateway is active |
| Tokens via environment variables | Critical | Never store in files on disk |
| No secrets in HEARTBEAT.md | Critical | Becomes part of the prompt context – sent to LLM provider |
| Credential rotation | High | Regularly rotate all API keys, tokens and OAuth grants |
| Use a secrets manager | Recommended | HashiCorp Vault, Bitwarden CLI or similar |
Host Hardening
| Measure | Priority | Details |
|---|---|---|
| Dedicated non-root user | Critical | Minimal system privileges |
| Full-disk encryption | High | LUKS or dm-crypt on the gateway host |
| SSH hardening | High | Key-only auth, root login disabled, fail2ban active |
| File permissions | High | 700 on directories, 600 on files |
| Automatic updates | Recommended | Unattended-upgrades for security patches |
Skill Vetting
| Measure | Priority | Details |
|---|---|---|
| Code review before installation | Critical | Manually review every SKILL.md for shell commands |
| Verified publishers only | High | No skills from unknown ClawHub accounts |
| Pin skill versions | High | No automatic updates of unreviewed skills |
Monitoring & Governance
| Measure | Priority | Details |
|---|---|---|
| Log all agent actions | Critical | Review regularly – especially after heartbeat cycles |
| API budget limits | High | Cap LLM costs to detect runaway heartbeats |
| Maintain AI inventory | High | Centrally track all OpenClaw deployments (prevent shadow AI) |
| Define bounded autonomy | Recommended | Clearly specify where the agent can act independently and where it cannot |
Our Approach at WZ-IT
When deploying OpenClaw for enterprises, we implement a multi-layered security architecture:
- Isolated infrastructure: Dedicated VMs in German data centers – no shared hosting environments, no multi-tenant risks.
- Network isolation: VPN-only access via Tailscale or WireGuard. No gateway port is publicly reachable.
- SSO integration: Authentication via Authentik or Keycloak – no local passwords.
- Local LLMs: When desired, we deploy Ollama with Open WebUI on dedicated GPU servers – no data transfer to US providers.
- 24/7 monitoring: Automated monitoring of all agent actions, heartbeat cycles and API costs. Alerting on anomalies.
- Security updates: Regular patches and skill audits included.
We see ourselves as an extension of your IT team – not a black box.
Further Reading
- OpenClaw Managed Hosting & Installation
- AI Sovereignty: Why German Companies Shouldn't Send Data to US AI Services
- GDPR-Compliant AI Inference with GPU Servers
- Open WebUI vs. AnythingLLM: The Comparison
- NetBird vs. Tailscale: VPN Alternatives Compared
Sources
- eSecurity Planet: OpenClaw or Open Door? Prompt Injection Creates AI Backdoors
- Cisco Blogs: Personal AI Agents like OpenClaw Are a Security Nightmare
- CyberSecurity News: 21,000+ OpenClaw AI Instances Exposed Online
- SOCRadar: CVE-2026-25253 – 1-Click RCE in OpenClaw
- The Hacker News: Researchers Find 341 Malicious ClawHub Skills
- The Register: It's easy to backdoor OpenClaw, and its skills leak API keys
- Dark Reading: OpenClaw's Gregarious Insecurities Make Safe Usage Difficult
- Trend Micro: What OpenClaw Reveals About Agentic Assistants
- CrowdStrike: What Security Teams Need to Know About OpenClaw
- JFrog: Giving OpenClaw The Keys to Your Kingdom
- Adversa AI: OpenClaw Security 101 – Vulnerabilities & Hardening 2026
- OpenClaw Official Security Docs
- Android Authority: I hacked my own computer using OpenClaw
Frequently Asked Questions
Answers to important questions about this topic
OpenClaw can be operated securely – but requires consistent hardening. Without measures like VPN, token auth and network isolation, the attack surface is significant: CVE-2026-25253, prompt injection via emails and 42,000+ exposed instances demonstrate the risks.
Prompt injection is an attack where attackers place manipulated content (e.g., in emails, documents, chat messages) that OpenClaw interprets and executes as instructions – including file access, credential theft or backdoor installation.
Many users accidentally expose the gateway through open ports, missing firewall rules or insecure reverse proxy configurations. 93.4% of publicly reachable instances had critical auth bypass vulnerabilities according to security researchers.
Bind the gateway to localhost, use VPN for remote access (Tailscale, WireGuard), enable token auth, use a dedicated non-root user, enable full-disk encryption, set firewall rules and manually review all ClawHub skills before installation.
A critical vulnerability (CVSS 8.8) in OpenClaw's Control UI that enables one-click remote code execution. A single crafted link is enough to steal the gateway token and fully compromise the system. Patched in version 2026.1.29.
Yes. We deploy OpenClaw on isolated infrastructure in German data centers – with VPN, SSO, network segmentation, monitoring and regular security updates. Including 24/7 monitoring and SLA.
Written by
Timo Wevelsiep
Co-Founder & CEO
Co-Founder of WZ-IT. Specialized in cloud infrastructure, open-source platforms and managed services for SMEs and enterprise clients worldwide.
LinkedInLet's Talk About Your Idea
Whether a specific IT challenge or just an idea – we look forward to the exchange. In a brief conversation, we'll evaluate together if and how your project fits with WZ-IT.
Trusted by leading companies
Timo Wevelsiep & Robin Zins
CEOs of WZ-IT