This post comes directly from a recent client engagement where we worked with a team evaluating OpenClaw for production deployment. The questions they asked, the risks we identified, and the controls we recommended are all grounded in that real-world advisory work. OpenClaw is a genuinely impressive platform — and with the right security posture, it can be deployed confidently. Here's what we learned.
Why OpenClaw Deserves Your Attention
OpenClaw has earned its place as one of the most popular open-source AI agent platforms on GitHub, and for good reason. Local hosting, multi-model routing, plugin extensibility, and the ability to function as a fully autonomous research and analysis assistant — it delivers capabilities that would otherwise require stitching together half a dozen tools. The platform's architecture is genuinely well thought out, and the community around it is active and growing.
That said, the security landscape around OpenClaw has evolved rapidly in early 2026, and organizations moving it into production need a clear picture of the current threat environment. The goal of this guide is not to discourage adoption — it's to make sure deployment teams have the information they need to do it right from the start.
This guide is based on findings from a real client engagement conducted by our team. Every recommendation here was pressure-tested against an actual deployment scenario.
The Current Security Landscape
Three developments define OpenClaw's security posture as of March 2026. Each is manageable — but all three need to be addressed before any production deployment.
Active CVEs
Nine CVEs are on record, ranging from medium to critical severity. All have patches available. The vulnerabilities include remote code execution, prompt injection, path traversal, and command injection. The good news: every one of these has a fix. The challenge: as of early March 2026, 93% of publicly reachable instances remain unpatched.
ClawHavoc Supply Chain Attack
Between January and February 2026, the official OpenClaw plugin marketplace (ClawHub) was compromised. 1,184 malicious skills were uploaded by 12 attacker-controlled accounts, disguised as crypto bots, productivity tools, and summarizers. Antiy CERT classified the family as "TrojanOpenClaw PolySkill," and Koi Security researcher Oren Yomtov named it "ClawHavoc."
Cisco's Published Scanner
Cisco released a dedicated tool to scan OpenClaw skills, describing them explicitly as "a security nightmare." When a major infrastructure security vendor publishes tooling for your platform, it's a signal worth paying attention to — both as validation that the platform matters and as confirmation that the risk surface is real.
ClawHavoc — Impact at Scale
The ClawHavoc supply chain attack is worth understanding in detail, not because it should deter adoption, but because it illustrates exactly why plugin governance and patch management are non-negotiable in any OpenClaw production deployment.
- 135,000+ exposed OpenClaw instances identified across 82 countries
- 93.4% of publicly reachable instances had critical authentication bypasses
- 1.5 million API tokens exposed via a Moltbook database misconfiguration
- 12,812 instances exploitable via remote code execution
- 36.8% of all scanned ClawHub skills contained at least one security flaw
- 39 identified skills distributed Atomic macOS Stealer (AMOS) to macOS users
The numbers are sobering, but the takeaway is constructive: organizations that patch promptly, vet plugins before installation, and restrict their attack surface are well-positioned to avoid these issues entirely. The problem isn't OpenClaw itself — it's unmanaged deployments.
CVE Breakdown — All Patches Available
Every known CVE has a patch. The table below provides a full reference so deployment teams can verify their instances are current.
| CVE ID | CVSS | Severity | Description | Patched In |
|---|---|---|---|---|
| CVE-2026-25253 | 8.8 | Critical | "ClawJacked" — Zero-click WebSocket hijacking allowing silent full control of a user's agent with no interaction required. | v2026.2.25 |
| CVE-2026-29610 | 7.7 | Critical/RCE | Command hijacking via PATH variable manipulation, enabling arbitrary code execution by overriding allowlisted commands. | v2026.2.14 |
| CVE-2026-25158 & CVE-2026-25157 | — | High | Path traversal and command injection. Part of a batch of three high-severity advisories. | — |
| CVE-2026-27001 | 8.6 | High | Unsanitized CWD path injection into LLM prompts, enabling prompt injection via maliciously named directories. | v2026.2.15 |
| CVE-2026-27487 | 7.8 | High | macOS Keychain command injection via malicious skill names, extracting credentials without user interaction. | v3.0.8 |
| CVE-2026-28463 | 8.4 | High | Shell expansion bypass in exec-approvals allowlist — safe binaries can read arbitrary files via glob patterns. | v2026.2.14 |
| CVE-2026-28478 | 7.5 | High | Webhook DoS via unbounded request body buffering causing memory pressure and availability degradation. | v2026.2.13 |
| CVE-2026-26972 | 6.7 | Medium | Browser download path traversal allowing writes outside the intended temp directory. | v2026.2.13 |
| CVE-2026-27486 | 5.3 | Medium | Unsafe process cleanup on shared hosts — CLI runner terminated processes by pattern matching without ownership verification. | v2026.2.14 |
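Two rows in the table describe the same weakness class: an exec-approvals allowlist that matches bare command names (defeated by PATH manipulation, CVE-2026-29610) or lets shell expansion through (glob reads of arbitrary files, CVE-2026-28463). The validator below is an added illustration of the defensive pattern, not OpenClaw's own code; the allowlist entries, working directory and rejection messages are assumptions for the example.

```python
import os
import re
import shlex
from typing import Optional, Tuple

# Hypothetical allowlist for this example: absolute paths only, so a lookalike
# binary placed earlier on PATH can never be substituted for the approved one.
ALLOWED_BINARIES = {"/bin/cat", "/usr/bin/wc"}

# Characters a shell would expand (globs, variables, command substitution).
# Refusing them is what stops "cat /etc/*" from turning a "safe" binary into
# an arbitrary file reader.
SHELL_EXPANSION = re.compile(r"[*?\[\]{}$`~]")


def resolve_binary(name: str) -> Optional[str]:
    """Resolve the binary without consulting PATH; bare names are refused."""
    if not name.startswith("/"):
        return None
    return os.path.realpath(name)


def check_command(cmdline: str, workdir: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a command line the agent wants to run."""
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:
        return False, f"unparsable command: {exc}"
    if not argv:
        return False, "empty command"
    binary = resolve_binary(argv[0])
    if binary is None:
        return False, "binary must be an absolute path (no PATH lookup)"
    # Compare resolved paths so symlinked locations (/bin -> /usr/bin) match.
    if binary not in {os.path.realpath(p) for p in ALLOWED_BINARIES}:
        return False, f"{binary} is not allowlisted"
    root = os.path.realpath(workdir)
    for arg in argv[1:]:
        if SHELL_EXPANSION.search(arg):
            return False, f"shell expansion not permitted: {arg!r}"
        # Any path-looking argument must stay inside the working directory.
        if arg.startswith(("/", ".")) or os.sep in arg:
            target = os.path.realpath(os.path.join(root, arg))
            if os.path.commonpath([root, target]) != root:
                return False, f"path escapes working directory: {arg!r}"
    return True, "ok"
```

The executor should then spawn the resolved binary directly (no shell), so the argument check is the only place expansion could ever have happened.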
Ten Questions Every Deployment Team Should Answer
During our engagement, we developed a checklist of ten questions that every team should be able to answer before an OpenClaw instance goes live. These aren't hypothetical — they came directly from the conversations we had with a real deployment team.
Observability & Model Routing
Every LLM call, tool execution, and data source interaction needs to be traceable. Where are logs stored, who has access, and is there alerting on anomalous behavior?
Multi-model routing (e.g., Claude, ChatGPT, Grok) is a strength of the platform, but introduces complexity around data residency. Each provider has its own data retention and training policies — routing logic must account for that. Is there a data classification layer governing routing decisions?
Plugin Governance & Data Persistence
Given the documented ClawHavoc supply chain attack, every skill or plugin needs a formal review process before installation. Who approves new plugins? Are plugins version-locked to prevent silent updates?
Uncontrolled caching or indexing between sessions is a common and underappreciated risk vector. What is the retention and deletion policy for agent memory?
Compliance, Access Controls & Human Sign-Off
This includes any shared folders used as the agent's document input zone — not just the obvious database and API layers.
Access to modify configuration, install new skills, or interact with the agent directly should be scoped and controlled from day one. Open access is not a starting position.
A record of agent actions, prompt submissions, and tool calls is essential for any compliance review — and invaluable for incident response.
A soft prompt is not sufficient. The mechanism needs to be technically enforced in code, not just expected behaviorally. This was one of the most important findings from our engagement.
Priorities, Timelines & Data Platforms
Starting narrow (e.g., industry news monitoring, company research) and expanding deliberately is the right approach. Define success criteria before expanding access.
Platforms like Pitchbook, S&P Global CapIQ, CB Insights, and SG2 have their own API access models and licensing terms. Some may explicitly restrict AI agent use of their data.
Drawing the Line on Data Boundaries
"Sensitive data" needs a formal definition before deployment — not after. Patient data is obvious. But what about internal financials, personnel records, strategic plans, deal pipeline details, or investor communications? The line must be drawn explicitly, and every team member should know where it sits.
Additionally, any chat integration (Telegram, WhatsApp, Slack, Teams, Discord) must be evaluated against data residency and policy requirements. Each platform has a meaningfully different security profile, and OpenClaw's flexibility in connecting to them is a strength — provided the governance layer keeps pace.
The Open Source Tradeoff
OpenClaw's open-source model is a genuine advantage when understood correctly. Here's how we framed it for our client.
Local + Open Source Advantages
The agentic orchestration layer stays on-premises, not in a vendor cloud. There's no implicit data sharing with the platform provider. Multi-model routing limits any single provider's data exposure. Full auditability of what's installed and running. And OpenAI's acquisition of OpenClaw is likely to increase security investment over time.
Risks to Manage
Active CVEs remain unpatched on the majority of public instances. The supply chain attack via ClawHub is confirmed. Open source means faster exploit disclosure and sometimes slower enterprise patching cycles. Local LLMs require more powerful hardware. Security responsibility shifts entirely to the deployment team.
The conclusion is not to avoid OpenClaw — it's to deploy it with the right controls in place from the start and to build in a formal review gate before expanding access. This was the central recommendation from our engagement.
Recommended Deployment Approach
Based on our engagement, a well-reasoned OpenClaw deployment follows three principles.
Begin with low-risk use cases like industry news monitoring and company research. Add data platform integrations as each is individually validated. This is how our client is approaching it, and it's the approach we recommend universally.
Running OpenClaw locally means the agentic orchestration layer doesn't live in a vendor's cloud. Combined with selective LLM routing, this limits how much any single provider sees — a meaningful advantage for data-sensitive organizations.
Requiring approval before major agent actions is meaningful, but only if it's enforced in code rather than expected behaviorally. A soft prompt asking "are you sure?" is not a control — it's a suggestion.
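To make the distinction concrete for the human sign-off finding above (and the same point in the checklist section), here is an added example of an approval gate enforced in the tool executor rather than in the prompt. It is illustrative code, not OpenClaw's; the key, the set of gated tools and the token format are assumptions for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed key for this example. In a real deployment it lives only in the
# approval service, so the agent runtime cannot mint approvals for itself.
APPROVER_KEY = b"constructed-demo-key-do-not-reuse"

# Tool calls the deployment classes as "major" and gates behind a human.
REQUIRES_APPROVAL = {"send_email", "delete_records", "execute_trade"}

# Approvals already spent; one sign-off authorises exactly one execution.
CONSUMED = set()


def action_digest(action: Dict) -> str:
    """Canonical hash of the exact action, so an approval granted for one
    recipient, amount or record set cannot be reused for another."""
    canonical = json.dumps(action, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_approval(action: Dict, approver: str) -> str:
    """Approval service side: called only after a human reviewed the action."""
    msg = f"{approver}:{action_digest(action)}".encode()
    return hmac.new(APPROVER_KEY, msg, hashlib.sha256).hexdigest()


def run_tool(action: Dict, approval: Optional[Tuple[str, str]] = None) -> str:
    """Enforcement point in the tool executor. Nothing the model writes into
    the action (e.g. a "user confirmed" note) can satisfy this check."""
    name = action["tool"]
    if name not in REQUIRES_APPROVAL:
        return f"executed {name}"
    if approval is None:
        return "blocked: approval required"
    approver, token = approval
    if not hmac.compare_digest(issue_approval(action, approver), token):
        return "blocked: approval does not match this action"
    if token in CONSUMED:
        return "blocked: approval already used"
    CONSUMED.add(token)
    return f"executed {name}"
```

A production version would also bind an expiry time into the signed message and record the approver identity in the audit log.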
Purpose-Built AI Agent Security Controls
Beyond standard network and infrastructure controls, OpenClaw deployments need purpose-built security measures that sit between the agent and the outside world. These are not optional for production.
Prompt Injection Defense
Multi-layer defense against instruction smuggling through data sources, tool responses, file contents, and user inputs.
Tool Execution Sandboxing
OS and container-level constraints on what the agent process can actually do on the host machine.
Data Boundary Enforcement
Formal controls preventing sensitive data from crossing defined boundaries through agent channels.
Plugin Allowlisting
Integrity verification and version-locking for all installed skills, with a formal review gate for new additions.
Session Isolation
Preventing cross-session data leakage and managing agent memory retention policies.
Audit Logging
Tamper-evident records of all agent actions, prompt submissions, tool calls, and configuration changes.
For a detailed breakdown of every tool available across these categories — including open-source, built-in, and commercial options — see our companion post: OpenClaw Security Tooling Landscape.
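The plugin allowlisting control above, and the version-locking question in the checklist, both come down to one mechanism: a lockfile that pins each reviewed skill to a version and a content hash, checked before load. The code below is an added example of that check, not OpenClaw's or ClawHub's own format; the lockfile layout, the manifest.json field names and the sample skill contents are constructed for the example.

```python
import hashlib
import json
from pathlib import Path
from typing import Dict, Tuple

# Constructed lockfile format for this example: each approved skill is pinned
# to a version and to a SHA-256 over its files. A skill that is not listed
# cannot be loaded, whatever the marketplace currently serves.


def skill_digest(files: Dict[str, bytes]) -> str:
    """Deterministic hash over relative path + content of every file."""
    h = hashlib.sha256()
    for rel in sorted(files):
        h.update(rel.encode() + b"\0" + files[rel] + b"\0")
    return h.hexdigest()


def load_skill_files(skill_dir: Path) -> Dict[str, bytes]:
    """Read a skill directory from disk into the {relative path: bytes} form."""
    return {p.relative_to(skill_dir).as_posix(): p.read_bytes()
            for p in sorted(skill_dir.rglob("*")) if p.is_file()}


def pin_skill(files: Dict[str, bytes]) -> Dict[str, str]:
    """Create a lock entry; run once at the review gate, not at install time."""
    manifest = json.loads(files["manifest.json"])
    return {"version": manifest["version"], "sha256": skill_digest(files)}


def check_skill(name: str, files: Dict[str, bytes],
                lock: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """Refuse to load anything unpinned, version-drifted or altered."""
    entry = lock.get(name)
    if entry is None:
        return False, "not in lockfile: needs review before install"
    if "manifest.json" not in files:
        return False, "manifest.json missing"
    version = json.loads(files["manifest.json"]).get("version")
    if version != entry["version"]:
        return False, f"version drift: {version} != {entry['version']}"
    if skill_digest(files) != entry["sha256"]:
        return False, "content hash mismatch: silent update or tampering"
    return True, "ok"
```

Because the hash covers file paths as well as contents, a skill that quietly gains an extra file (a common pattern in the ClawHavoc uploads described above) fails the check just as a modified file does.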
Source References
Key sources referenced in this guide, all verified as of March 11, 2026.
- oasis.security/blog/openclaw-vulnerability — CVE-2026-25253 (ClawJacked)
- osv.dev/vulnerability/GHSA-2qj5-gwg2-xwc4 — CVE-2026-27001
- tenable.com/cve/CVE-2026-26972 — Path Traversal CVE
- tenable.com/cve/CVE-2026-27486 — Process Cleanup CVE
- tenable.com/cve/CVE-2026-28478 — Webhook DoS CVE
- redpacketsecurity.com/cve-alert-cve-2026-28463 — Shell Expansion Bypass CVE
- sentinelone.com/vulnerability-database/cve-2026-29610 — PATH Hijacking CVE