
The honest starting point
If you read only one article on this site, make it this one. OpenClaw is legitimate, useful software, and this site exists because we think it matters. But it has also been one of the most attacked and most misconfigured pieces of software of 2026, and anyone considering it deserves the full picture.
The project's own documentation is refreshingly direct: OpenClaw is designed as a single-user personal assistant, not as a hardened boundary against hostile users. It gives the operator enormous power and trusts the operator to secure it. Most of the incidents below trace back to that trust being misplaced: exposed ports, default settings, unvetted third-party skills.
Exposed instances and unsafe defaults
Older versions of OpenClaw bound their gateway, the control plane that connects your chat apps to the model, to all network interfaces by default. In plain terms, installs that were meant to be private were listening to the entire internet.
Security researchers, including Bitsight, reported figures around 135,000 exposed instances across dozens of countries, with a majority running no authentication at all. University IT teams issued advisories telling staff and students to pull instances off public networks.
The good news: current official guidance at docs.openclaw.ai defaults to loopback-only binding, token authentication, and private overlays such as Tailscale for remote access. The bad news: old configs, copied tutorials, and users who override defaults keep the exposed population alive.
A fast-moving CVE stream
Vulnerability disclosures have come thick and fast. Community trackers counted well over 130 disclosed CVEs by April 2026, and the number has kept climbing. A few highlights, as reported by the researchers who found them:
- CVE-2026-32922, rated CVSS 9.9: a pairing token could reportedly be converted into full admin control with remote code execution.
- CVE-2026-22172, also rated 9.9: admin control without credentials.
- CVE-2026-25253, nicknamed ClawBleed, rated 8.8: reported as a one-click remote code execution flaw, and as actively exploited in the wild.
- The "Claw Chain": a reported cluster of four flaws enabling data theft, privilege escalation, and persistence.
Individual IDs and scores shift as advisories are updated, so treat the specifics as a snapshot. The pattern is what matters: this is a large, actively probed attack surface that requires prompt, ongoing patching.
Prompt injection: the lethal trifecta
Even a fully patched OpenClaw faces a structural problem. Security writers call it the lethal trifecta: the agent combines untrusted input (emails, messages, web pages), access to sensitive data (files, credentials, browser sessions), and outbound connectivity. Anything that can talk to your agent can try to instruct it.
Researchers demonstrated that a single crafted email or web page could trick exposed instances into exfiltrating SSH keys and API tokens. Others showed log poisoning, where attacker content written into logs gets read back later as instructions. One trajectory-based audit reported prompt-injection robustness of roughly 57 percent, with older and smaller models doing notably worse. That figure is single-source and should be read as indicative, but no serious researcher disputes the direction: current models cannot reliably tell instructions apart from content.
ClawHavoc, malicious skills, and your keys
OpenClaw's capabilities come from skills, shared through a marketplace called ClawHub. In early 2026 that marketplace was hit by a coordinated supply-chain campaign dubbed ClawHavoc. Reported figures include 1,184 malicious packages tied to compromised publisher accounts and around 247,000 installations; a separate audit found 341 malicious skills, 335 of them traced to the same operation.
Observed payloads included credential and keychain theft, SSH key and crypto-wallet stealers, and hidden reverse shells. The attackers used typosquatting and gamed marketplace rankings. And the prize was often sitting in plaintext: historically, API keys lived unencrypted in config files in the user's home directory, which is exactly where malicious skills went looking.
So where does that leave a Mauritian business that likes what OpenClaw can do? Not at "never," but at "not casually." Most documented incidents came from misconfiguration, exposure, and unvetted skills, all of which are preventable with disciplined setup and maintenance. Our deployment guide covers the checklist, and for teams who want it handled professionally, that is the work Nexus (nexus.mu) does. The one option we recommend against is pretending these risks are hype. They are documented, sourced, and ongoing.
Powerful agents deserve professional setup, not blind cloning. Explore the wider Nexus health ecosystem.



