Is OpenClaw Safe? Honest Security Assessment (2026)
Is OpenClaw Safe? An Honest Look at the Risks (2026)
Last updated: February 2026 · Reading time: 11 minutes
OpenClaw has 190,000+ GitHub stars, over a million downloads, and a vocal community that loves it. It's also been called a "security nightmare" by Semgrep, had a CVE disclosed in January 2026, and lost nearly half its skill marketplace to a malware purge in February.
So is it safe? The honest answer: it depends on what you do with it and how you configure it. OpenClaw isn't inherently dangerous, but it's a powerful tool that can absolutely cause problems if you set it up carelessly. The same is true of Docker, SSH, or any tool that runs code on your machine.
This article breaks down the actual risks (not the theoretical ones, but the ones that have actually bitten real users) and shows you exactly how to protect yourself.
What Happened: A Quick Timeline
If you're just catching up on the security drama, here's what went down.
Late 2024 to mid 2025: OpenClaw launches and grows rapidly. Security is minimal. The project moves fast, breaking things along the way. Early adopters accept the trade-off.
Late 2025: Security researchers start poking at OpenClaw seriously as its popularity explodes. Several blog posts highlight the risks of running an AI agent with full system access. The project responds with security improvements: DM pairing, allowlists, sandbox modes.
January 2026 (CVE-2026-25253): A vulnerability was discovered that allowed attackers to obtain user authentication tokens. The issue was patched in version 2026.1.29. If you're running an older version, update immediately.
February 2026 (ClawHavoc incident): Security researchers found 341 malicious skills on ClawHub, the official skill marketplace, that were actively stealing user data and distributing malware. An additional 283 skills had critical security flaws. ClawHub responded by removing roughly 2,400 suspicious skills (going from 5,700 to 3,286), adding VirusTotal scanning for all skills, and improving moderation.
February 2026 (Semgrep report): Semgrep published a detailed security analysis titled "OpenClaw Security Engineer's Cheat Sheet," calling it a "security nightmare dressed up as a daydream." The report was balanced, acknowledging the risks while providing practical mitigation strategies.
None of this is great. But context matters. Every popular open-source project with a plugin ecosystem goes through this phase. npm, PyPI, VS Code extensions, Chrome extensions: all have had similar malware incidents. The question isn't whether problems exist. It's whether they're being addressed. And by most accounts, they are.
The Five Real Risks
Let's talk about what can actually go wrong, ranked by how likely you are to encounter it.
Risk 1: Malicious Skills (High Likelihood if Careless)
This is the biggest practical risk. ClawHub's skill ecosystem is young and was, until recently, poorly moderated. The ClawHavoc incident proved that bad actors were actively targeting OpenClaw users through fake or compromised skills.
Skills are essentially code that runs on your machine with your permissions. A malicious skill can read your files, steal your API keys, exfiltrate your WhatsApp session, or install malware. This isn't hypothetical; it happened to real users.
How to protect yourself:
- Only install skills from trusted publishers or the curated awesome-openclaw-skills list on GitHub
- Always check the VirusTotal report on a skill's ClawHub page before installing
- Read the SKILL.md and source code, especially for skills that access sensitive data
- Keep your total skill count low; every skill increases your attack surface
- Prefer bundled skills (shipped with OpenClaw) over community skills for critical functions
Risk 2: Credential Exposure (Medium Likelihood)
Your OpenClaw configuration file contains API keys, bot tokens, and session credentials. These are stored unencrypted in ~/.openclaw/ by default. The Semgrep report highlighted this as a significant concern: if an attacker (or a compromised skill) gains access to this directory, they get everything.
Your WhatsApp session credentials are particularly sensitive. Anyone with those files can read your WhatsApp messages.
How to protect yourself:
- Set proper file permissions: chmod 600 ~/.openclaw/openclaw.json and chmod -R 700 ~/.openclaw/credentials
- Never run OpenClaw on a shared computer without understanding the implications
- If you're running on a VPS, secure your server with SSH keys (disable password authentication)
- Consider using environment variables for API keys instead of hardcoding them in the config file
- Back up your credentials directory securely; don't leave copies on unencrypted cloud storage
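A small audit script for the permission advice above, added here as an example and not taken from OpenClaw's own tooling. It assumes the default ~/.openclaw layout this section names (openclaw.json plus a credentials/ directory) and uses only POSIX sh, ls and find, so it also runs on a bare VPS.

```shell
#!/bin/sh
# Added audit helper, not part of OpenClaw: checks the two chmod rules from
# this section (600 on openclaw.json, 700 recursively on credentials/).
# audit_openclaw_perms prints one line per finding; no output means clean.

# Succeed only when the group and other permission bits of a path are all unset.
owner_only() {
    # `ls -ld` prints a mode such as "-rw-------"; columns 5-10 are group/other.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

audit_openclaw_perms() {
    dir="${1:-$HOME/.openclaw}"      # OpenClaw's default config directory
    cfg="$dir/openclaw.json"
    creds="$dir/credentials"

    if [ -e "$cfg" ]; then
        owner_only "$cfg" || echo "too permissive: $cfg ($(ls -ld "$cfg" | cut -c1-10))"
    else
        echo "missing: $cfg"
    fi

    # chmod -R 700 means the directory and everything beneath it are owner-only;
    # the WhatsApp session files live here, so one readable file is one too many.
    if [ -d "$creds" ]; then
        find "$creds" -print | while IFS= read -r f; do
            owner_only "$f" || echo "too permissive: $f ($(ls -ld "$f" | cut -c1-10))"
        done
    else
        echo "missing: $creds"
    fi
}

# Exit-status form for scripts and cron jobs: 0 only when the audit has no findings.
openclaw_perms_ok() {
    [ -z "$(audit_openclaw_perms "$1")" ]
}

# Apply the fix exactly as this section states it.
fix_openclaw_perms() {
    dir="${1:-$HOME/.openclaw}"
    chmod 600 "$dir/openclaw.json" && chmod -R 700 "$dir/credentials"
}
```

Run `audit_openclaw_perms` after every restore from backup as well, since archive tools often widen modes on extraction.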
Risk 3: Prompt Injection Through Messages (Medium Likelihood)
OpenClaw processes messages from real messaging platforms. If someone sends your bot a carefully crafted message, they might be able to manipulate the AI into performing unintended actions: reading files, running commands, or leaking information.
This risk exists with any AI agent that processes untrusted input, not just OpenClaw. It's the fundamental challenge of agentic AI: the AI consumes data that can influence its behavior.
How to protect yourself:
- Always use DM pairing (the default); unknown senders get a pairing code instead of a response
- Set strict allowlists on every channel so only trusted contacts can interact with your assistant
- For group chats, require @mentions before the assistant responds
- Run non-main sessions (groups, shared channels) in Docker sandboxes using agents.defaults.sandbox.mode: "non-main"
Risk 4: Unintended Agent Actions (Low-Medium Likelihood)
OpenClaw has real tools: browser control, file system access, command execution. In theory, the AI could take an action you didn't intend. Early users reported incidents ranging from amusing (the assistant buying things online) to concerning (sending messages to wrong contacts).
In practice, this is less of a problem than it sounds. Modern AI models (especially Claude) are conservative by default and ask for confirmation on risky actions. But it can happen, especially with complex multi-step automations.
How to protect yourself:
- Start with limited tools and add more as you get comfortable
- Use /verbose on initially to see exactly what the assistant is doing
- Don't give the assistant access to financial tools or sensitive accounts until you trust the setup
- Set up non-main session sandboxing for any context where the assistant might process untrusted input
- Review cron jobs and automation triggers carefully before enabling them
Risk 5: Platform Account Risks (Low Likelihood)
OpenClaw connects to WhatsApp using the Baileys library, an unofficial implementation of the WhatsApp Web protocol. This means you're technically violating WhatsApp's terms of service. In practice, personal use hasn't resulted in bans (the community hasn't reported widespread issues), but the risk exists.
How to protect yourself:
- Use a separate phone number for WhatsApp if you're concerned
- Don't use the assistant to send mass messages or spam
- Telegram is the safest channel since it officially supports bots
- For business use, consider channels with official bot support (Telegram, Slack, Discord)
What OpenClaw Does Right
It's not all doom and gloom. The project has implemented meaningful security features, and they're improving rapidly.
DM pairing is on by default. Unknown senders receive a pairing code and the bot ignores their messages until approved. This prevents random people from interacting with your assistant.
Allowlists on every channel. You control exactly who can talk to your bot. Without explicit permission, nobody gets through.
Docker sandboxing for non-main sessions. Group chats and shared channels can be isolated in per-session Docker containers, so even if someone injects a malicious prompt, the damage is contained.
The openclaw doctor command. A built-in security scanner that checks your entire configuration for risky settings: open DM policies, exposed services, missing authentication. Run it regularly.
34+ security-related commits since the project started taking security seriously. The team is responsive to reported issues.
VirusTotal integration on ClawHub. Every skill now gets automatic malware scanning. This doesn't catch everything (prompt injection attacks are harder to detect than traditional malware), but it's a significant improvement.
Active security community. Tools like Clawdex help detect known malicious skills. The Discord community actively reports suspicious activity.
The Security Checklist
If you want to run OpenClaw as safely as reasonably possible, here's the complete checklist. Do all of these before walking away from your setup.
During setup:
- ✓ Update to the latest version (npm install -g openclaw@latest); this patches CVE-2026-25253 and other known issues
- ✓ Set strict allowlists on every messaging channel
- ✓ Keep DM pairing enabled (the default)
- ✓ Set file permissions on your config and credentials directories
- ✓ Use environment variables for API keys where possible
For skills:
- ✓ Only install skills you actually need (fewer = safer)
- ✓ Check VirusTotal reports on ClawHub before installing
- ✓ Prefer bundled skills and the curated awesome-openclaw-skills list
- ✓ Read the SKILL.md before installing any skill that accesses sensitive data
- ✓ Review skill source code for anything that handles credentials
For server deployments:
- ✓ Use SSH keys, not passwords, for server access
- ✓ Don't expose the gateway port (18789) to the public internet
- ✓ Use Tailscale for remote dashboard access instead of direct port exposure
- ✓ Enable Docker sandboxing for non-main sessions
- ✓ Keep your server OS and Docker updated
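To verify the "don't expose the gateway port" item rather than assume it, here is an added helper (not OpenClaw's own) that reads `ss -ltn` output and flags any listener on port 18789 bound to something other than loopback. The default port and the ss column layout are assumptions about your deployment; adjust the port argument if you changed it.

```shell
#!/bin/sh
# Added example, not part of OpenClaw: reports an OpenClaw gateway (default port
# 18789, per the checklist) that listens on anything other than loopback.
# Feed it listener lines on stdin, e.g.:  ss -ltn | exposed_listeners 18789
# Output is empty when the gateway is reachable only from the host itself.
exposed_listeners() {
    port="${1:-18789}"
    awk -v port="$port" '
        $1 == "State" { next }                      # skip the ss header row
        {
            la = $4                                  # "Local Address:Port" column
            n = split(la, parts, ":")
            if (parts[n] != port) next               # not the gateway port
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next     # loopback: fine
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
                print "EXPOSED on all interfaces: " la
            else
                print "REVIEW: bound to " la " (make sure this is a private interface)"
        }'
}

# Exit 0 only when no exposed or review-worthy gateway listener was found.
gateway_is_private() {
    [ -z "$(exposed_listeners "${1:-18789}")" ]
}
```

A REVIEW line for a Tailscale address is expected if you deliberately bound the dashboard to the tailnet; an EXPOSED line on a VPS means the port is reachable from the internet and needs a firewall rule or a rebind to 127.0.0.1.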
Ongoing:
- ✓ Run openclaw doctor periodically to check for configuration issues
- ✓ Update OpenClaw when new versions are released (security patches are frequent)
- ✓ Monitor your API spending for unexpected usage (could indicate unauthorized access)
- ✓ Review your allowlists periodically and remove contacts that no longer need access
Who Should and Shouldn't Use OpenClaw
OpenClaw is probably fine for you if:
- You're using it as a personal assistant on a dedicated machine or VPS
- You're comfortable with basic command-line security (file permissions, SSH keys)
- You stick to trusted skills and keep your allowlists tight
- You treat it like any other tool that runs code on your system
Think twice if:
- You handle highly sensitive data (medical records, financial data, classified information)
- You're running it on a machine with access to production systems or customer data
- You plan to install dozens of third-party skills without reviewing them
- You want to expose it in public group chats with strangers
- You're in a regulated industry where an AI acting on your behalf creates compliance issues
Don't use it if:
- You're not willing to configure allowlists and basic security settings
- You want a "set it and forget it" assistant with zero maintenance
- You need enterprise-grade security guarantees and audit trails
The Bottom Line
OpenClaw is as safe as you make it. The defaults are reasonable: DM pairing, allowlists, local execution. The project has had real security incidents, but has responded to them with real fixes. The community is large enough that issues get found and reported quickly.
The biggest risks are self-inflicted: installing unvetted skills, leaving credentials exposed, skipping basic server hardening. If you follow the checklist above, you'll be in better shape than most.
Is it perfect? No. Is it safe enough for personal use with proper configuration? Yes. Should you run it on a machine with access to your company's production database? Probably not.
Use common sense. Run the doctor. Update regularly. And don't install skills from strangers.
Frequently Asked Questions
Has anyone actually been hacked through OpenClaw?
The ClawHavoc incident confirmed that malicious skills were actively stealing user data. Whether individual users suffered significant losses hasn't been publicly documented in detail, but the malware was functional, not theoretical.
Should I update immediately?
Yes. If you're running any version older than 2026.1.29, you're vulnerable to CVE-2026-25253. Update with npm install -g openclaw@latest.
Is my WhatsApp account at risk?
Your WhatsApp session credentials are stored locally and could be exposed if your server is compromised or a malicious skill accesses them. Use file permissions, avoid untrusted skills, and consider a separate phone number for added safety.
Can I use OpenClaw at work?
For personal productivity, probably; check with your IT team. For anything touching company data, customer information, or regulated systems, involve your security team first. The Semgrep report is a good resource to share with them.
Is the Telegram setup safer than WhatsApp?
Somewhat. Telegram's official Bot API is a supported, documented way to run bots. WhatsApp's Baileys library is unofficial. Telegram is the lower-risk channel from a platform perspective.