OpenClaw Security in 2026: Risks, Fixes, and How to Stay Safe

Bloomberg called it “a cybersecurity nightmare,” echoing Andrej Karpathy’s warning about OpenClaw, where roughly 400,000 lines of vibe-coded software run with root access on users’ machines. In one case, an agent was even tricked into sending $25,000 to a scammer.

OpenClaw is powerful. It's also dangerous if you don't set it up right. Here's what you need to know — and how to protect yourself.

The Real Risks

Let's not sugarcoat it. OpenClaw runs on your machine with deep access to your files, your tools, and potentially your financial accounts. The risks are real:

⚡ Prompt Injection — Malicious text in emails, websites, or group chats can hijack your agent into executing unintended commands. Someone recently posted a crafted message in a Telegram group that attempted to make every AI agent in the group send money

🔓 Excessive Permissions — By default, OpenClaw can read and modify any file on your system. It can browse the web, execute code, and interact with APIs. If a skill is malicious, it has the same access

📦 Unaudited Skills — The skills ecosystem on ClawHub is community-driven. Most skills haven't been security-audited. A skill labeled "weather checker" could theoretically exfiltrate your files

🌐 Network Exposure — Some users accidentally expose their OpenClaw instance to the public internet. A recent scan found thousands of publicly accessible instances

🤖 Agent Autonomy — The more autonomous your agent, the more damage a single bad decision can cause. An agent with access to your email, bank, and social media is one prompt injection away from disaster

The Security Checklist

Here's how to lock things down without crippling your agent's usefulness:

1. Principle of Least Privilege

🔐 Don't give root access — Run OpenClaw as a non-root user with limited permissions

📁 Sandbox the workspace — Restrict file access to specific directories. Your agent doesn't need access to /etc/ or your SSH keys

🔑 API key isolation — Use separate API keys for different services. If one gets compromised, the blast radius is limited

2. Audit Every Skill Before Installing

📋 Read the code — Before installing any skill from ClawHub, read the scripts. Look for curl | bash, rm -rf, or any network calls to unknown domains

🚫 Watch for privilege escalation — A skill that asks for admin/root access should be treated with extreme suspicion

✅ Prefer popular, maintained skills — Higher install counts and active maintenance usually (but not always) mean better security

3. Network Security

🔒 Never expose OpenClaw to the public internet — Always run behind a firewall. If you need remote access, use SSH tunneling or a VPN

🛡️ Use a reverse proxy with authentication — If you must expose any interface, put it behind nginx with basic auth at minimum

📡 Monitor outbound connections — Know what your agent is connecting to. Unexpected outbound traffic is a red flag

4. Financial Protection

💳 Never give your agent direct access to payment methods — If your agent manages finances, use read-only API keys or dedicated accounts with spending limits

🏦 Separate accounts — Create a dedicated bank account or payment method for agent-managed transactions with a hard cap

✋ Require human approval for transactions — Set up confirmation workflows for any action involving money

5. Prompt Injection Defense

🛑 Be careful with group chats — Any message in a group your agent monitors could contain injection attempts

📧 Email is a vector — Incoming emails can contain hidden instructions. Configure your agent to treat email content as untrusted

🔍 Review agent actions — Regularly check your agent's action logs for anything unexpected

The 400,000-Line Elephant in the Room

Karpathy raised a valid point: OpenClaw's codebase is massive and was largely vibe-coded. It hasn't undergone the kind of security audit that enterprise software typically requires.

This doesn't mean OpenClaw is insecure by design. It means:

The security of your setup depends primarily on how you configure it, not on the codebase itself.

A properly sandboxed, permission-restricted OpenClaw instance with audited skills is reasonably safe. An out-of-the-box installation running as root with random skills from the internet is a time bomb.

Where Managed Hosting Helps

Here's an uncomfortable truth about self-hosting: most people don't have the expertise to properly secure a system like OpenClaw.

Setting up proper sandboxing, firewall rules, permission boundaries, monitoring, and regular security updates is a full-time job. It's the kind of work that security engineers get paid $200K+ per year to do.

MyClaw.ai handles this security layer for you. Managed infrastructure with proper isolation, automatic updates, monitoring for anomalous behavior, and security patches applied without downtime. Your agent gets the same power with significantly reduced attack surface.

You shouldn't have to choose between capability and security. With the right setup — whether self-managed or hosted — you can have both.

The Bottom Line

OpenClaw's security risks are real but manageable. The people getting burned are overwhelmingly those who:

1. Run as root with no sandboxing
2. Install unaudited skills without reading the code
3. Expose their instance to the public internet
4. Give their agent unrestricted financial access

Follow the checklist above, and you'll avoid 95% of the horror stories. OpenClaw is a power tool — and like any power tool, the danger isn't in the tool itself. It's in how you use it.