engineering | January 15, 2026 | 5 min read

Is OpenClaw Safe? Lessons from the Moltbot Security Incidents

OpenClaw security risks exposed: 40,000+ instances vulnerable, three CVEs published. Learn from verified security reports and protect your AI agent.

OpenClaw promises to be your "personal AI assistant that actually does things." It can clear your inbox, send emails, manage your calendar, and execute code on your machine. But in February 2026, security researchers discovered something alarming: over 40,000 OpenClaw instances were exposed to the public internet, many vulnerable to remote code execution.

If you are considering OpenClaw for your business or personal workflow, you need to understand what went wrong and how to avoid becoming a security headline.

The Timeline: From Viral Sensation to Security Crisis

November 2025: Clawdbot Launches

Peter Steinberger—founder of PSPDFKit, the PDF framework used by Apple on over a billion devices—released Clawdbot as an open-source side project. It gained 60,000 GitHub stars in 72 hours. The premise was simple: a local AI agent that connects to messaging apps to automate real tasks.

January 26, 2026: The Moltbot Rebrand

Anthropic sent a trademark notice. "Clawdbot" was too similar to "Claude." The project rebranded to Moltbot (referencing lobsters molting). Three days later, on January 29, it became OpenClaw after completing trademark searches.

February 9, 2026: The SecurityScorecard Bombshell

SecurityScorecard's STRIKE threat intelligence team published research revealing 40,214 exposed OpenClaw instances across 28,663 unique IP addresses. The situation was worse than exposed dashboards:

  • 63% of deployments were vulnerable
  • 12,812 instances exploitable via remote code execution
  • 549 instances correlated with prior breach activity
  • 1,493 associated with known vulnerabilities

By February 11, The Register reported the number had grown to over 135,000 exposed instances.

Verified Vulnerabilities (CVEs)

Three high-severity CVEs have been published against OpenClaw:

CVE-2026-25253 (CVSS 8.8)

A one-click remote code execution vulnerability. Attackers can create malicious links that steal authentication tokens and grant full control over the AI agent—even when running on localhost.

CVE-2026-25157 (CVSS 7.8)

SSH command injection in the macOS app. A malicious project or skill can inject commands through SSH operations.

CVE-2026-25254 (CVSS 7.5)

API key exposure through log files. Conversation histories and configuration data were being written to accessible locations.

Why These Vulnerabilities Happened

Default Configuration: Gateway on 0.0.0.0

By default, OpenClaw's gateway service binds to 0.0.0.0 (all network interfaces) instead of 127.0.0.1 (localhost only). Users who did not manually change this setting exposed their control panels to the entire internet.

The Skills Supply Chain Problem

ClawHub hosts 5,705 community-built skills. Security audits have flagged 396 as potentially malicious. Unlike app stores, there is no rigorous review process. Skills are code that runs on your machine with your permissions.

Deep System Access

OpenClaw requires elevated permissions to be useful. It can read files, execute commands, access browsers, and control applications. This is the feature that makes it powerful—and dangerous when compromised.

6 Essential Security Steps (Verified)

Step 1: Bind Gateway to Localhost Only

Verify your gateway configuration:

```
openclaw gateway status
```

Must show: 127.0.0.1:18789
Must NOT show: 0.0.0.0

If exposed, edit `~/.openclaw/config/clawdbot.json`:

```
{
  "gateway": {
    "host": "127.0.0.1",
    "port": 18789
  }
}
```

Step 2: Update to Patched Versions

Ensure you are running OpenClaw v2026.1.2 or later, which patches CVE-2026-25253 and CVE-2026-25157. Check your version:

```
openclaw --version
```

Step 3: Enable Approval Workflows

Configure execution approval for sensitive actions:

```
{
  "gateway": {
    "approvalRequired": true,
    "approvalActions": [
      "file.delete",
      "file.write",
      "shell.execute",
      "email.send"
    ]
  }
}
```
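An added example (not OpenClaw's own code) that audits the `gateway` section of the config for the settings from Steps 1 and 3. It assumes only the keys shown on this page (`host`, `approvalRequired`, `approvalActions`); the function names and the two sample configs are constructed for illustration.

```python
import ipaddress
import json

# Keys and action names are the ones shown in Steps 1 and 3 of this page.
SENSITIVE_ACTIONS = {"file.delete", "file.write", "shell.execute", "email.send"}


def is_loopback(host):
    """True only for a loopback address or the name 'localhost'."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty or unparseable value: do not assume it is safe


def audit_gateway(config_text):
    """Return a list of findings for the 'gateway' section of the config."""
    findings = []
    gateway = json.loads(config_text).get("gateway") or {}

    # The page states the default bind is 0.0.0.0, so a missing "host"
    # key is reported as exposed rather than assumed safe.
    host = gateway.get("host")
    if host is None:
        findings.append("gateway.host not set: default 0.0.0.0 applies")
    elif not is_loopback(host):
        findings.append(f"gateway.host is {host!r}, not loopback")

    if gateway.get("approvalRequired") is not True:
        findings.append("gateway.approvalRequired is not true")

    missing = SENSITIVE_ACTIONS - set(gateway.get("approvalActions") or [])
    if missing:
        findings.append("approvalActions missing: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample configs (not taken from a real deployment).
HARDENED = """{"gateway": {"host": "127.0.0.1", "port": 18789,
  "approvalRequired": true,
  "approvalActions": ["file.delete", "file.write", "shell.execute", "email.send"]}}"""
DEFAULTS = '{"gateway": {"port": 18789, "approvalActions": ["file.delete"]}}'

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("defaults", DEFAULTS)):
        print(name, audit_gateway(text) or "no findings")
```

To check a real install, pass the contents of `~/.openclaw/config/clawdbot.json` to `audit_gateway`.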

Step 4: Vet Every Skill Before Installing

Before installing from ClawHub:

  1. Check the VirusTotal security scan (OpenClaw partners with VirusTotal)
  2. Review source code on GitHub
  3. Test in a Docker sandbox first
  4. Avoid cryptocurrency/financial automation skills (672 flagged as high-risk)

Step 5: Use Network Isolation

Run OpenClaw on an isolated network segment or VLAN. Never expose it directly to the internet. If you need remote access, use Tailscale or a VPN—never port forwarding.

Step 6: Monitor for Exfiltration

Check conversation logs and memory files regularly. Look for:

  • Unexpected API calls
  • Large data transfers
  • Unusual file access patterns
  • Commands you did not approve

The Verdict: Is OpenClaw Safe?

OpenClaw is as safe as your configuration. The February 2026 incidents were not sophisticated attacks; they were configuration errors at scale. The 135,000 exposed instances represent a systemic failure of default settings and user education.

OpenClaw can be safe IF you:

  • Bind to localhost only (not 0.0.0.0)
  • Keep updated with security patches
  • Enable approval workflows
  • Vet skills before installing
  • Run on isolated networks

OpenClaw is dangerous IF you:

  • Use default gateway settings
  • Install skills without review
  • Expose ports to the internet
  • Skip updates
  • Run on production systems without hardening

The power of AI agents comes with responsibility. The February 2026 security crisis proves that convenience without security is a recipe for disaster.

Sources:

  • SecurityScorecard STRIKE Report (February 9, 2026)
  • The Register (February 9, 2026)
  • MITRE CVE Database (CVE-2026-25253, CVE-2026-25157, CVE-2026-25254)