The Dangers of OpenClaw: The Most Powerful AI Agent Is Also the Riskiest
Cisco calls it a "security nightmare". Kaspersky raises the alarm. 40,000 instances exposed on the Internet. OpenClaw is arguably the most exciting AI tool of 2026 — but also the most dangerous if misused.
If you've read our article on what OpenClaw is, you know it's a revolutionary autonomous AI agent. Here, we discuss the dark side: real risks documented by security researchers, and what you can do to protect yourself.
Why OpenClaw Is Inherently Risky
Simon Willison's "Lethal Trifecta"
Simon Willison, creator of Datasette and renowned AI expert, identified what he calls the "lethal trifecta" of AI agents — three characteristics that, when combined, create an explosive cocktail:
- Access to private data — emails, files, passwords, API keys
- Exposure to untrusted content — web pages, incoming emails, shared documents
- Ability to communicate externally — sending emails, messages, HTTP requests
“When these three capabilities combine in the same tool, attackers can trick the agent into exfiltrating confidential data through its communication channels.”
And guess what? OpenClaw checks all three boxes simultaneously.
An Agent ≠ A Chatbot: When AI Has the Keys to the House
The fundamental difference between ChatGPT and OpenClaw is that ChatGPT gives you text, while OpenClaw executes actions. ChatGPT cannot delete your files, send emails to your contacts, or run arbitrary code on your machine. OpenClaw can.
The agent has access to the shell, files, emails, APIs — and the project itself admits: "there is no perfectly secure configuration."
The 5 Major Dangers of OpenClaw
1. Exposed Instances on the Internet (40,000+)
According to a SecurityScorecard report published in early February 2026, 40,214 OpenClaw instances are exposed on the Internet, spread across 28,663 unique IP addresses. This means 63% of scanned deployments are vulnerable.
Worse still: 12,812 instances are directly exploitable via remote code execution (RCE). An attacker can take full control of these machines — read emails, access files, execute any code.
2. The One-Click Vulnerability (CVE-2026-25253)
In January 2026, a critical vulnerability was discovered in OpenClaw, classified CVE-2026-25253 with a CVSS score of 8.8 out of 10 (severe).
The concept is devastatingly simple: a single click on a malicious link gives the attacker full control of your OpenClaw instance. And the most concerning part? This attack works even on localhost instances — meaning those the user thought were protected.
The flaw was patched in version 2026.1.29, but how many users have actually updated?
3. Malicious Skills on ClawHub
ClawHub, OpenClaw's skill marketplace, has become a major attack vector. In just 5 days (January 27 to February 1), 230 malicious scripts were published and downloaded by thousands of users.
Cisco's research team tested a popular skill called "What Would Elon Do?" — which turned out to be malware. A security researcher went further: he intentionally created the most downloaded skill on ClawHub... and it was entirely malicious. 7 countries affected, developers running arbitrary code unknowingly.
4. Prompt Injection: The Invisible Attack
Prompt injection is the Achilles' heel of all agentic AI — and OpenClaw is no exception. The concept: hidden instructions in emails, web pages, or documents are interpreted by the agent as legitimate commands.
Concrete example: a seemingly innocent "tech support" email contains invisible instructions that order the agent to exfiltrate your confidential files. The agent cannot distinguish a legitimate instruction from a malicious one — this is an unsolved problem across the entire industry.
5. Massive Data Leaks
Data leaks related to OpenClaw are already significant:
- Moltbook (the social network for AI agents): 1.5 million API keys exposed, discovered by Wiz's security team
- Exposed instances: complete chat histories, authentication tokens, plaintext API keys — accessible to anyone scanning ports
- The Chris Boyd incident: OpenClaw sent hundreds of unsolicited iMessage messages to all of the user's contacts
The Incident That Sends Chills Down Your Spine
The story of Chris Boyd perfectly illustrates the risks of a misconfigured OpenClaw. Boyd, an experienced developer, gave his OpenClaw agent access to iMessage to automate certain communications.
The result: the agent sent hundreds of unsolicited messages to his family, friends, and colleagues — sometimes with incoherent or embarrassing content. His reaction? "This is half-baked and dangerous technology."
This case perfectly illustrates Willison's "lethal trifecta": the agent had access to private data (contacts), was exposed to untrusted content (his own poorly formulated instructions), and could communicate externally (iMessage).
What to Do If You Still Want to Use OpenClaw?
OpenClaw remains a fascinating and potentially very useful tool. Here are our 8 recommendations for using it responsibly:
- Host on a dedicated VPS (not your personal machine!) — A $5–20/month VPS isolates OpenClaw from your personal data. If compromised, only the VPS is affected. Configure a strict firewall and IP whitelisting.
- Use a Docker container — Add an extra sandboxing layer to limit access to the host system.
- Principle of least privilege — No root access, limit permissions to the bare minimum. The agent doesn't need to read everything.
- NEVER give access to your real email/accounts initially — Test first with dedicated accounts containing no sensitive data.
- Verify EACH skill before installation — Read the source code. If you don't understand the code, don't install it.
- Update regularly — Version 2026.2.12 patches critical vulnerabilities. Older versions are dangerous.
- Monitor the agent's network activity — Use monitoring tools to detect abnormal behavior (requests to unknown domains, data exfiltration).
- Don't store secrets in plaintext in config files — Use environment variables or a secret manager.
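A minimal egress monitor for the "monitor the agent's network activity" recommendation, added here as an example and not code from the OpenClaw project: it parses constructed log lines in a hypothetical `time src_ip dst_host bytes_out` format, reports destinations outside an allowlist, and flags any host receiving more outbound bytes than a threshold. The domain names, allowlist and threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample egress log in a hypothetical "time src_ip dst_host bytes_out" format.
SAMPLE_LOG = """\
2026-02-10T09:00:01Z 10.0.0.5 api.llm-provider.example.com 2048
2026-02-10T09:00:03Z 10.0.0.5 api.llm-provider.example.com 1900
2026-02-10T09:00:08Z 10.0.0.5 registry.example.org 512
2026-02-10T09:01:12Z 10.0.0.5 drop.unknown-host.example.net 4194304
2026-02-10T09:01:15Z 10.0.0.5 drop.unknown-host.example.net 4194304
2026-02-10T09:02:00Z 10.0.0.5 api.llm-provider.example.com 1800
"""

# Assumed allowlist: the only destinations this agent legitimately needs to reach.
ALLOWED_DOMAINS = {"api.llm-provider.example.com", "registry.example.org"}
EXFIL_BYTES_THRESHOLD = 1_000_000  # assumed: outbound bytes per host that warrant review

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    # Returns (timestamp, src_ip, host, bytes_out) tuples; malformed lines are skipped
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, host, nbytes = m.groups()
            events.append((ts, src, host.lower(), int(nbytes)))
    return events

def is_allowed(host, allowlist=ALLOWED_DOMAINS):
    # Exact match or a subdomain of an allowlisted name ("evilexample.org" does not match)
    return any(host == d or host.endswith("." + d) for d in allowlist)

def analyze(text, allowlist=ALLOWED_DOMAINS, threshold=EXFIL_BYTES_THRESHOLD):
    # Each finding is (kind, host, detail); kind is "unknown_domain" or "possible_exfiltration"
    findings, bytes_by_host, reported = [], defaultdict(int), set()
    for ts, src, host, nbytes in parse_log(text):
        bytes_by_host[host] += nbytes
        if not is_allowed(host, allowlist) and host not in reported:
            reported.add(host)  # report each unknown destination once, at first sight
            findings.append(("unknown_domain", host, f"first seen {ts} from {src}"))
    for host, total in bytes_by_host.items():
        if total >= threshold:  # large outbound volume to one host is an exfiltration signal
            findings.append(("possible_exfiltration", host, f"{total} bytes out"))
    return findings

if __name__ == "__main__":
    for kind, host, detail in analyze(SAMPLE_LOG):
        print(f"[{kind}] {host}: {detail}")
```

In a real deployment the log text would come from the VPS firewall, DNS resolver or egress proxy rather than an inline string, and the allowlist should be kept as short as the agent's actual job permits.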
OpenClaw vs Safer Alternatives
If OpenClaw's risks seem too high, safer alternatives exist — even if they are less "agentic":
| Criteria | OpenClaw | ChatGPT | Claude | Mistral |
|---|---|---|---|---|
| Local execution | Yes | No | No | Yes (self-hosted) |
| System access | Full | No | No | No |
| Native sandbox | No | Yes | Yes | Yes |
| Security audit | Ongoing | Regular | Regular | Regular |
| Risk to your data | High | Medium | Low | Low |
Conclusion
OpenClaw is a major technological breakthrough that foreshadows the future of AI. But like any powerful technology, it requires a security maturity that the ecosystem has not yet achieved.
The important signal isn't so much OpenClaw's problems in particular — it's that what happens to OpenClaw will happen to all AI agents. Prompt injection, malicious skills, exposed instances: these are structural problems of agentic AI, not bugs specific to one project.
Agentic AI is the future, but security must keep pace. In the meantime, use OpenClaw with caution — and don't hesitate to discover what OpenClaw is if you haven't already.