Security

OpenClaw's open-source nature and growing popularity make it a target. Kaspersky researchers documented the threat landscape: 512 total vulnerabilities across related systems, with CVE-2026-25253 standing out as particularly severe (CVSS 8.8 severity rating).

More alarming than individual CVEs is the exposure problem: 30,000+ publicly exposed OpenClaw instances were discovered, nearly all bound to 0.0.0.0. These exposed instances are accessible to anyone with an internet connection.

Some became compromised and were repurposed for cryptocurrency mining or data exfiltration. The threat isn't theoretical—it's real, widespread, and well-documented.

The good news: exposure is preventable through simple configuration (binding to 127.0.0.1 and using authentication). The bad news: thousands of teams made this mistake. Understanding the threat landscape isn't about paranoia; it's about operating eyes-wide-open to real risks that you can actually control.

The most significant security incident in OpenClaw's history was ClawHavoc, discovered in 2026. Researchers found 1,184 malicious skills published to ClawHub, affecting approximately 300,000 users who had installed them.

The attack was sophisticated: the most-downloaded skill on ClawHub was confirmed malware. The malicious skills used multiple attack vectors: some requested unnecessary permissions to seem legitimate, some had names similar to popular legitimate skills (typosquatting), some operated silently without visible effects, and the most dangerous ones established reverse shells—giving attackers shell access to the host machine.

The attack was discovered when security researchers audited popular skills and found suspicious behavior. The incident highlighted a critical risk: the ClawHub ecosystem is open (anyone can publish), and users can't easily verify skill legitimacy.

After ClawHavoc, OpenClaw implemented the TRUST framework to help users evaluate skills, but the risk remains. Lessons: be cautious with skills, especially new or unpopular ones; prefer bundled skills when available; monitor skill permissions carefully.

After ClawHavoc, OpenClaw created TRUST: a five-dimension evaluation framework for skills. Transparency asks: is the source code publicly available and reviewable? Does the developer disclose what the skill does?

Reputation examines the developer's history—are they known and trusted in the community? Do they maintain other well-regarded skills?

Updates checks if the skill is actively maintained—how recent was the last update? Is the developer responsive to security reports?

Scope evaluates what permissions the skill requests—does it need network access to achieve its function? Does it request shell access, file system access, or database credentials?

Testing verifies whether independent security audits exist—have others reviewed this skill for vulnerabilities? TRUST distills to a simple idea: evaluate skills rigorously before installation.

You wouldn't run an unknown executable on your computer without examining it; apply the same principle to skills. High-TRUST skills are safe; low-TRUST skills might be dangerous.

OpenClaw organizes skills into three safety tiers. Bundled skills ship with OpenClaw core—they're developed by the OpenClaw team, thoroughly tested, and audited regularly. These are the safest option and cover 80% of common use cases.

Well-Vetted Community skills are published by developers with strong TRUST scores—transparent code, good reputation, recent updates, appropriate scope, and security audits. These skills are generally safe but require individual consideration.

Use at Own Risk skills are published by less-established developers or haven't undergone full TRUST evaluation. They might be legitimate and useful, but you're assuming risk when using them. Install with caution and monitor carefully.

The tier system helps you make informed decisions: if a bundled skill exists, prefer it. If not, look for well-vetted alternatives.

Only use 'Use at Own Risk' skills when no alternatives exist and you've personally reviewed the code. This tiered approach puts you in control of your risk tolerance.

Starting with v2026.1.29, OpenClaw requires authentication for all Gateway access. This means every connection to port 18789 must provide a valid token.

This requirement exists because of exposed instances—authentication is the primary defense against unauthorized access. Tokens are configured in your .env file during setup; they're long random strings that are difficult to guess or brute-force.

External access to the Gateway should never be direct; instead, route through a reverse proxy (nginx, Caddy, or cloud providers' load balancers) that enforces HTTPS and validates tokens. The authentication requirement is automatic in recent versions, but if you're running older installations, upgrade immediately.

The v2026.1.29 release emphasized security; staying on recent versions is non-negotiable.

The safest way to extend OpenClaw is building your own skills instead of relying on community-published ones. Custom skills eliminate supply chain risk—you control the code and understand exactly what it does.

Building a skill is straightforward: 20-30 minutes of work yields a fully functional skill tailored to your exact needs. Skills are JavaScript (Node.js) functions that take inputs and return outputs. The OpenClaw documentation includes detailed examples.

Once built, you can publish your skill to ClawHub to share with others, or keep it private (on your own machine). Starting with custom skills also builds understanding—you learn how OpenClaw's tool system works, which improves your overall mastery. The learning curve is gentle; the simplest skills are just 10-15 lines of code.

If you find yourself wanting a skill that doesn't exist, building it is faster and safer than searching the internet for one. Start with custom skills before exploring community options. You'll develop better security intuitions and avoid the ClawHavoc trap.