TL;DR: OpenClaw (formerly Clawdbot/Moltbot) is an open-source agentic AI framework with 247,000+ GitHub stars and documented security failures. CVE-2026-25253 (CVSS 8.8) exposed a one-click remote code execution chain. Snyk found 36% of ClawHub skills contain prompt injection. SecurityScorecard identified 135,000+ instances exposed to the public internet. Microsoft, Cisco, CrowdStrike, Kaspersky, Sophos, and Trend Micro have all published security advisories. China banned it from state agencies. If your organization is evaluating agentic AI, you need to understand these risks first.

What Is OpenClaw?

OpenClaw is a free, open-source AI agent framework created by Austrian developer Peter Steinberger. It runs locally on a user's machine and connects to LLMs like Claude, GPT, or DeepSeek through messaging platforms: WhatsApp, Telegram, Slack, Discord, and others.

The appeal is obvious. You tell OpenClaw to organize your inbox, book flights, manage calendars, or execute terminal commands, and it does it. Steinberger describes it as an AI that "actually does things." The agent breaks tasks into steps, picks the right tools, and executes with minimal oversight.

That's also why it's dangerous in an enterprise context. OpenClaw stores configuration data and interaction history locally, maintains persistent memory across sessions, and can access email accounts, calendars, messaging platforms, and local filesystems. When misconfigured (which was the default until January 2026), it creates a privileged execution environment that security teams can't see or control.

The Security Problems: A Timeline

OpenClaw's security issues aren't theoretical. They've been documented by nearly every major cybersecurity vendor in about 6 weeks.

CVE-2026-25253: One-Click Remote Code Execution (CVSS 8.8)

Discovered by researcher Mav Levin and patched on January 30, 2026, this vulnerability exploited a design flaw in the Control UI's handling of the gatewayUrl query parameter. As Kaspersky's analysis details, the UI accepted this parameter without validation and automatically initiated a WebSocket connection, transmitting the user's authentication token in the handshake.

The attack chain completed in milliseconds: token exfiltration, then full gateway compromise. An attacker could run arbitrary commands on the victim's machine. Even localhost-bound instances were exploitable.

ClawHub Skill Supply Chain Poisoning

Conscia's security analysis found 341 malicious skills in ClawHub within weeks of OpenClaw's viral surge (12% of the registry at the time), primarily delivering the Atomic macOS Stealer malware. Updated scans found the number had grown to over 800 malicious skills, roughly 20% of all submissions.

Skills in OpenClaw aren't sandboxed scripts. They're executable code packages that run with the same privileges as the agent itself. One malicious skill even appeared on ClawHub's front page before removal.

Snyk ToxicSkills Audit

Snyk's audit of ClawHub found that 36% of all skills contain detectable prompt injection. Of the confirmed malicious samples, 91% combine prompt injection with traditional malware techniques, bypassing both AI safety mechanisms and conventional endpoint security.

2.9% of skills dynamically fetch and execute content from external endpoints at runtime. The published skill appears benign during review, but attackers can modify its behavior at any time by updating the hosted content.

135,000+ Exposed Instances

SecurityScorecard's STRIKE team identified over 135,000 OpenClaw instances exposed to the public internet across 82 countries. Many ran without authentication, which was the default configuration before version 2026.1.29.

China's Government Ban

In March 2026, Chinese authorities restricted state-run enterprises and government agencies from running OpenClaw on office computers. CNCERT issued a formal warning about the platform's weak default security configurations and prompt injection risks.

The Lethal Trifecta: Why AI Agents Are Structurally Risky

Security researcher Simon Willison coined the term "lethal trifecta" to describe the combination that makes agentic AI dangerous. OpenClaw checks all 3 boxes:

  • Access to private data: OpenClaw reads files, emails, calendars, and credentials on the host machine.
  • Exposure to untrusted content: The agent receives messages via chat apps, browses web pages, and processes external data autonomously.
  • Authority to act: OpenClaw can send emails, make API calls, execute shell commands, and modify files.

Sophos's CISO put it bluntly: a prompt injection attack could be as simple as sending a message to an agent-controlled email account asking it to reply with the contents of your password manager. Anyone who can message the agent effectively gets the same permissions the agent holds.

Microsoft's security blog was even more direct: OpenClaw should be treated as "untrusted code execution with persistent credentials."

The Shadow AI Problem

The real enterprise risk isn't someone officially deploying OpenClaw. It's employees installing it on their own machines without IT's knowledge.

Bitdefender's telemetry confirms this is already happening: employees are deploying OpenClaw on corporate devices using single-line install commands with no security review and no SOC visibility. Trend Micro notes that many organizations have OpenClaw running without IT approval, and the first challenge for security teams is simply knowing what's there.

CyberArk frames this as a new identity security attack surface. A developer accessing their OpenClaw environment from an enterprise machine, or deploying it within the corporate network to integrate with Slack or Salesforce, creates a gateway where autonomous agents operate outside traditional identity and access management controls.

Kaspersky went as far as calling OpenClaw "the biggest insider threat of 2026."

Can OpenClaw Be Hardened for Enterprise Use?

OpenClaw has shipped significant security updates since the initial disclosures. Version 2026.2.12 fixed over 40 vulnerabilities. Version 2026.2.23 added HTTP security headers, hardened session management, and shifted the browser SSRF policy to "trusted-network" mode by default.

But the fundamental architecture challenge remains. OpenClaw is designed as a personal tool with a single trusted operator boundary. Its own maintainer warned on Discord: "if you can't understand how to run a command line, this is far too dangerous of a project for you to use safely."

Sophos's analysis concluded: OpenClaw should be considered an interesting research project that can only be run "safely" in a disposable sandbox with no access to sensitive data. Even organizations with deep AI and security experience will find it challenging to configure OpenClaw in a way that mitigates compromise risk while retaining productivity value.

What Enterprises Should Do Instead

The demand behind OpenClaw is real. Enterprises want AI agents that execute tasks, access company data, and operate across communication channels. The mistake is trying to get those capabilities from a tool built for individual developers.

Enterprise-grade agentic AI platforms solve the same problem with guardrails bolted on from the start. Here's what to look for:

  • Centralized governance: Role-based access controls, audit trails, and admin dashboards that let IT see exactly what agents are doing.
  • Data isolation: Company data on infrastructure you control (ideally EU-hosted, GDPR-compliant servers), never used for model training.
  • Security certifications: SOC 2, ISO 27001, and EU AI Act compliance as a baseline.
  • Multi-model access without API key management: Access to GPT, Claude, Gemini, and other models through a managed gateway so your team never handles raw API keys.
  • No-code agent building: Non-technical teams should be able to create and deploy agents without command-line access.
  • Connector controls: Granular permissions on what agents can read, write, or update across CRMs, CMSs, Slack, Teams, and other third-party systems.

TextCortex: Secure Enterprise AI Infrastructure

TextCortex was built for exactly this scenario. It's an EU-based enterprise AI infrastructure platform where organizations deploy and govern AI agents on their own company data. The platform connects to third-party systems like CRMs and CMSs, and deploys to workspace apps like Slack and Microsoft Teams. Every agent's permissions are fully controlled by admins: what it can access, write, or update is always within the user's hands.

Security certifications: ISO 27001, SOC 2 Type II, GDPR compliant, EU AI Act compliant. All data stays on EU-hosted infrastructure. No data is ever used for model training. Full security documentation at trust.textcortex.com.

TextCortex Security and Compliance Program
TextCortex Continuously Monitored Controls

MAHLE (DAX 40 automotive supplier) deployed TextCortex and hit 65% adoption in under 1 month, saving 5+ hours per week per user, with agents running on SharePoint data. b2venture (VC firm, 800M+ EUR AUM) saw 7x growth in AI usage across their investment team with 10+ specialized agents.

Frequently Asked Questions

Is OpenClaw safe for enterprise use?

Based on security assessments from Microsoft, Cisco, CrowdStrike, Kaspersky, Sophos, and Trend Micro: no, not in its current form. OpenClaw is designed as a personal tool with a single trusted operator boundary. Microsoft recommends treating it as untrusted code execution, and Sophos says it should only run in disposable sandboxes with no access to sensitive data.

What is CVE-2026-25253?

A critical vulnerability (CVSS 8.8) in OpenClaw's Control UI that allowed one-click remote code execution. The flaw let attackers exfiltrate authentication tokens by crafting a malicious URL, then take full control of the gateway. It was patched in version 2026.1.29 on January 30, 2026.

What is the "lethal trifecta" in AI agent security?

A term coined by security researcher Simon Willison describing the three traits that make AI agents dangerous when combined: access to private data, exposure to untrusted content, and the authority to act on behalf of the user. OpenClaw exhibits all three.

Can I harden OpenClaw for corporate use?

You can improve its security posture by enabling authentication, restricting filesystem scope, disabling broad terminal permissions, running it in isolated VMs, and auditing all connected services. But the fundamental challenge (prompt injection against agents that process untrusted content) can't be patched away. It requires governance at the platform level.

What's a safer alternative to OpenClaw for enterprises?

Enterprise AI agent platforms like TextCortex provide the same agentic capabilities (task execution, knowledge base integration, multi-channel deployment) with centralized governance, SOC 2 and ISO 27001 certification, GDPR-compliant EU hosting, and admin controls over agent permissions.

Why did China ban OpenClaw?

In March 2026, Chinese authorities restricted state agencies and state-owned enterprises from running OpenClaw on office computers. CNCERT cited the platform's weak default security configurations and risks from prompt injection that could lead to data exfiltration.