惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

TaoSecurity Blog
TaoSecurity Blog
L
LINUX DO - 最新话题
Help Net Security
Help Net Security
N
News | PayPal Newsroom
www.infosecurity-magazine.com
www.infosecurity-magazine.com
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Last Watchdog
The Last Watchdog
S
Security @ Cisco Blogs
W
WeLiveSecurity
C
CXSECURITY Database RSS Feed - CXSecurity.com
Webroot Blog
Webroot Blog
T
Troy Hunt's Blog
V
Vulnerabilities – Threatpost
Google Online Security Blog
Google Online Security Blog
N
News and Events Feed by Topic
T
Threat Research - Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Tor Project blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
PCI Perspectives
PCI Perspectives
Google DeepMind News
Google DeepMind News
T
Tailwind CSS Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Apple Machine Learning Research
Apple Machine Learning Research
IT之家
IT之家
S
SegmentFault 最新的问题
J
Java Code Geeks
P
Privacy & Cybersecurity Law Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 【当耐特】
博客园_首页
H
Hacker News: Front Page
T
Threatpost
Jina AI
Jina AI
博客园 - Franky
月光博客
月光博客
L
LINUX DO - 热门话题
The Cloudflare Blog
H
Heimdal Security Blog
博客园 - 司徒正美
酷 壳 – CoolShell
酷 壳 – CoolShell
Cloudbric
Cloudbric
雷峰网
雷峰网
Hugging Face - Blog
Hugging Face - Blog
S
Secure Thoughts
T
Tenable Blog
I
Intezer
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻

DigitalOcean Resources

AI Security: 10 Top Risks and Best Practices in 2026 | DigitalOcean 10 Leading AI Cloud Providers for Developers in 2026 | DigitalOcean 10 Top AI Infrastructure Companies Scaling ML in 2026 | DigitalOcean Inference-as-a-Service Explained for Developers | DigitalOcean DigitalOcean vs Heroku: Comparing Cloud Application Platforms | DigitalOcean 10 Alibaba Cloud Alternatives for Businesses in 2026 | DigitalOcean What Is LlamaIndex? A Guide to Building Context-Aware AI | DigitalOcean 10 Platform-as-a-Service Providers for App Dev in 2026 | DigitalOcean 10 Top Cloud Service Providers for Business Infrastructure in 2026 | DigitalOcean What Is AI Inference? The Process Behind Every AI Output | DigitalOcean 15 AI Animation Video Generators for Content Creation in 2026 | DigitalOcean AI Inference vs Training: Key Differences Explained | DigitalOcean 10 Fly.io Alternatives for Global App Deployment in 2026 | DigitalOcean What are OpenClaw Skills? A 2026 Developer’s Guide | DigitalOcean 9 IBM Cloud Alternatives for Enterprise Computing in 2026 | DigitalOcean What Is NotebookLM? Features and How to Use It in 2026 | DigitalOcean 10 Claude Code Alternatives for AI-Powered Coding in 2026 | DigitalOcean What is Moltbook? The Social Network for AI Agents in 2026 | DigitalOcean 8 AWS RDS Alternatives for Managed Databases in 2026 | DigitalOcean What is OpenClaw? Your Open-Source AI Assistant for 2026 | DigitalOcean 8 Amazon EC2 Alternatives for Cloud Compute in 2026 | DigitalOcean DigitalOcean vs AWS Lightsail: Which Cloud is Right? | DigitalOcean 10 Vercel Alternatives for Deploying Apps in 2026 | DigitalOcean 10 Best Object Storage Solutions for Cloud Data in 2025 | DigitalOcean Edge Computing vs Cloud Computing: Key Differences Explained | DigitalOcean 8 AI Paraphrasers for Content Rewriting in 2026 | DigitalOcean Top 6 Collaborative Replit Alternatives for Teams in 2026 | DigitalOcean 8 Top Research-Focused Perplexity Alternatives for 2026 | DigitalOcean 10 Smart GitHub Copilot Alternatives for Coding in 2026 | DigitalOcean ChatGPT vs Gemini: How AI Assistants Stack Up in 2026 | DigitalOcean 10 Powerful Claude Alternative Assistants in 2026 | DigitalOcean GitHub Copilot vs Cursor : AI Code Editor Review for 2026 | DigitalOcean 10 Creative DALL-E Alternatives for AI Art in 2026 | DigitalOcean 5 Network File Storage Options for Your AI/ML Workloads in 2026 | DigitalOcean 10 Modal Alternatives for ML Deployment in 2025 | DigitalOcean Pros and Cons of Crowdfunding Your Startup 14 Educational AI YouTubers Teaching ML in 2025 | DigitalOcean 7 Smart AI Language Learning Apps for Fluency in 2025 | DigitalOcean Grok vs ChatGPT Review: Features, Use Cases, Pricing | DigitalOcean 10 Best AI Voice Generator Tools for Content in 2025 | DigitalOcean 6 Best AI Search Engines in 2025 | DigitalOcean 10 Cost-Effective Lambda Labs Alternatives in 2025 | DigitalOcean 8 Best AI Notetaking Apps for Meetings in 2025 | DigitalOcean 7 On-Demand Runpod Alternatives for GPU Compute in 2025 | DigitalOcean Claude vs ChatGPT: Which AI Assistant Wins in 2025? | DigitalOcean 10 Best AI Website Builders for No-Code Design in 2025 | DigitalOcean Hugging Face vs Replicate: From Model Discovery to Deployment | DigitalOcean 10 Vast.ai Alternatives for GPU Cloud Computing in 2025 | DigitalOcean 7 CoreWeave Alternatives for Cloud GPU Computing in 2025 | DigitalOcean 7 Platforms for Renting GPUs for Your AI/ML Projects | DigitalOcean 7 Serverless GPU Platforms for Scalable Inference Workloads | DigitalOcean What is Nano Banana (Gemini 2.5 Flash Image)? | DigitalOcean 10 Top LinkedIn Learning AI Courses to Build Skills in 2025 | DigitalOcean 10 AI and Machine Learning Bootcamps to Explore in 2025 | DigitalOcean 10 Major AI Hackathon Events in 2025 Worth Joining | DigitalOcean On-Premise GPU vs Cloud GPU: Which is Better for AI Training? | DigitalOcean 8 Best Managed AI Services for Running AI Models in 2025 | DigitalOcean GPU Options for Finetuning Large Models: Choose the Right Setup | DigitalOcean What Is GPU as a Service? A Guide to Cloud GPUs | DigitalOcean 7 Best Cloud GPU Platforms for AI, ML, and HPC in 2025 | DigitalOcean 5 Best Affordable Cloud GPU Services for Startups in 2025 | DigitalOcean GPU Autoscaling for AI: From Setup to Cost Optimization | DigitalOcean 8 Best AI App Builders to Ship Your Project in 2025 | DigitalOcean Cloud Migration Checklist: Your Pre- and Post-Migration Guide | DigitalOcean What is Data Labeling? Methods, Tools, and Examples | DigitalOcean 11 IT Cost Optimization Strategies for Scalable Savings in 2025 | DigitalOcean What is Lift-and-Shift Migration? Your Fastest Route to the Cloud | DigitalOcean Cloud Migration Assessment: Evaluate Your Readiness | DigitalOcean Complete Cloud Migration Strategy Guide: Planning and Implementation | DigitalOcean Multi-Cloud vs Single-Cloud: Choosing the Right Strategy | DigitalOcean GPT-5 Overview: OpenAI's Most Advanced AI Model Yet | DigitalOcean What is Agentic Commerce? Exploring AI Shopping Agents | DigitalOcean What are Agentic Browsers? Exploring AI-native Web Navigation | DigitalOcean Your Guide to the TradingAgents Multi-Agent LLM Framework | DigitalOcean What are Large Action Models? The Next Frontier in AI Decision-Making | DigitalOcean What is CrewAI? A Platform to Build Collaborative AI Agents | DigitalOcean 10 AI Code Review Tools That Find Bugs & Flaws in 2025 | DigitalOcean 10 Best Vibe Coding Tools: LLM-Powered Code Generators to Try | DigitalOcean 10 AI Transcription Tools to Convert Speech to Text in 2025 | DigitalOcean GitHub Copilot vs Microsoft Copilot: Key Differences | DigitalOcean 7 AI Video Editors for Creative Teams and Businesses in 2025 | DigitalOcean What is Serverless Inference? Leverage AI Models Without Managing Servers | DigitalOcean What is Vertex AI? Unpacking Google's ML Platform | DigitalOcean 10 MLOps Platforms to Streamline Your AI Deployment in 2025 | DigitalOcean 10 Generative AI Use Cases Transforming Industries in 2025 | DigitalOcean What Is an AI Task Manager and How Can It Automate Your Workflow? | DigitalOcean 10 Computer Vision Applications for 2025 | DigitalOcean What are AI-Powered Voice Assistants? Beyond Basic Commands | DigitalOcean 10 Midjourney Alternatives to Create AI Art in 2025 | DigitalOcean 8 Stable Diffusion Alternatives for Image Generation in 2025 | DigitalOcean NLP vs NLU: Key Differences and How They Work Together | DigitalOcean 8 Best AI Presentation Maker Tools for Professional Slides in 2025 | DigitalOcean Best AI Chrome Extensions to Supercharge Your Browsing in 2025 | DigitalOcean 10 AI Meeting Tools to Improve Team Collaboration in 2025 | DigitalOcean TPU vs GPU: Choosing the Right Hardware for Your AI Projects | DigitalOcean Machine Learning vs. Natural Language Processing Explained | DigitalOcean VPC vs VPN: Which One Fits Your Secure Networking Needs? | DigitalOcean 7 AI Content Detectors for Identifying Artificially Generated Text | DigitalOcean What is Conversational AI? How Computers Learn to Converse | DigitalOcean 10 Best AI Discord Servers to Join in 2025 | DigitalOcean
7 OpenClaw Security Challenges to Watch for in 2026 | DigitalOcean
By Fadeke AdegbuyiSenior Manager, Content MarketingPublished: Fe · 2026-02-28 · via DigitalOcean Resources

OpenClaw isn’t just another chatbot wrapper. It executes shell commands, controls your browser, manages your calendar, reads and writes files, and remembers everything across sessions. The project runs locally on your machine and connects to WhatsApp, Telegram, iMessage, Discord, Slack, and over a dozen other platforms via pre-built integrations. It functions as a truly connected personal assistant. As a result, the use cases people have dreamed up for OpenClaw are wild.

One user showed an OpenClaw agent making money on Polymarket by monitoring news feeds and executing trades automatically. Another gave their bot access to home surveillance cameras. Someone else unleashed subagents to apply for UpWork freelancing jobs on their behalf.

But this kind of access to your digital life comes with real consequences when things go wrong. And things have gone wrong. Security researchers found that the agent shipped with serious flaws that made it possible for attackers to hijack machines with a single malicious link. Meanwhile, Moltbook, a Reddit-style platform with over 2.8 million AI agents, had its database completely exposed, so anyone could take control of any AI agent on the platform.

None of this means you should avoid OpenClaw entirely. It means you should understand OpenClaw security challenges and take precautions before spinning up an agent with root access to your laptop. Running OpenClaw in an isolated cloud environment can help neutralize some of these risks—DigitalOcean’s 1-Click Deploy for OpenClaw, for example, handles authentication, firewall rules, and container isolation out of the box so your personal machine stays out of the equation.

Key takeaways:

  • OpenClaw is an open-source AI agent that runs locally with deep system access across your messaging apps, files, browser, and terminal—exactly what makes it both powerful and risky.

  • Security researchers have documented exposed instances leaking API keys, malicious skills stealing credentials on ClawHub, one-click remote code execution exploits, and a massive Moltbook database breach affecting millions of agents.

  • Mitigations include running OpenClaw in isolated environments, enforcing authentication, auditing ClawHub skills before installing them, and keeping the software patched.

  • DigitalOcean offers security-hardened deployment options—including a 1-Click Droplet and App Platform—that isolate OpenClaw from your personal machine and apply security hardened defaults out of the box.

What are OpenClaw security challenges?

OpenClaw security challenges boil down to a design tension: the tool needs broad system permissions to be useful, but those permissions create a massive attack surface when something goes wrong. The agent runs with whatever privileges your user account has—full disk, terminal, and network access—by design.

It’s also agentic and self-improving, meaning it can modify its own behavior, update its memory, and install new skills autonomously. This is impressive from a capability standpoint, but another vector that can cause things to spiral when guardrails are missing. Pair that with defaults that skip authentication, an unvetted skill marketplace, and persistent memory storing weeks of context, and trouble follows. The takeaway: approach with caution, isolate from production systems, and carefully scrutinize the defaults.

To his credit, OpenClaw creator Peter Steinberger has been openly vocal about these risks and actively encourages running OpenClaw in a sandboxed environment, which isolates tool execution inside Docker containers to limit filesystem and process access when the model misbehaves. DigitalOcean’s one-click deployment does exactly this out of the box, giving you that isolation without the manual setup.

Run your AI assistant in the cloud with DigitalOcean 1-Click Deploy Droplet OpenClaw—a sandboxed environment that keeps your personal laptop and files out of the equation while handling authentication, firewall rules, and container isolation for you. Follow along as we walk you through how to set up OpenClaw—from spinning up the Droplet to chatting with your bot on Telegram and adding skills like article summarization.

7 OpenClaw security challenges to watch out for

We’ve already seen a security audit uncover 512 vulnerabilities (eight critical) and malicious ClawHub skills stealing cryptocurrency wallets. None of these challenges are theoretical. They’re all based on incidents that have already played out within weeks of OpenClaw’s launch.

These are the challenges you need to have on your radar if you’re experimenting with OpenClaw:

If you’re looking to get OpenClaw running the right way from the start, check out how to run OpenClaw with DigitalOcean. The tutorial walks through setup, configuration, and security best practices step by step.

1. One-click remote code execution through WebSocket hijacking

One of the most alarming OpenClaw vulnerabilities discovered so far is CVE-2026-25253, a one-click remote code execution flaw that Mav Levin, a founding researcher at DepthFirst, disclosed in late January 2026. The attack worked because OpenClaw’s local server didn’t validate the WebSocket origin header—so any website you visited could silently connect to your running agent. An attacker just needed you to click one link. From there, they chained a cross-site WebSocket hijack into full code execution on your machine. The compromise happened in milliseconds. This is the core danger of running an agent locally on the same machine you’re browsing the web with—one careless click and an attacker is already inside.

Levin’s proof-of-concept showed that visiting a single malicious webpage was enough to steal authentication tokens and gain operator-level access to the gateway API—giving an attacker access to change your config, read your files, and run commands.

Security checks: In this instance, the fix landed in version 2026.1.29, so update immediately if you’re a version behind. Beyond that, best practices include avoiding running OpenClaw while browsing untrusted sites and considering putting the agent behind a reverse proxy with proper origin validation for an additional layer of protection.

DigitalOcean’s 1-Click Deploy for OpenClaw provisions a security-hardened Droplet with container isolation, authentication by default, and locked-down firewall rules—so you’re not relying solely on your local machine’s security posture.

2. Tens of thousands of unprotected OpenClaw instances sitting open on the internet

Here’s the thing about OpenClaw’s early defaults: the agent trusted any connection from localhost without asking for a password. That sounded fine until the gateway sits behind a misconfigured reverse proxy—at which point every external request got forwarded to 127.0.0.1, and your agent thought the whole internet was a trusted local user. SecurityScorecard’s STRIKE team found over 30,000 internet-exposed OpenClaw instances.

Security researcher Jamieson O’Reilly showed just how bad this gets. He accessed Anthropic API keys, Telegram bot tokens, Slack accounts, and complete chat histories from exposed instances, even sending messages on behalf of users and running commands with full admin privileges. No authentication required.

This has since been addressed—gateway auth is now required by default, and the onboarding wizard auto-generates a token even for localhost.

Security checks: At a minimum, check whether your instance is reachable from the public internet. Use a firewall to restrict access, enable gateway token authentication, and never expose the control plane without a VPN or SSH tunnel in front of it. This is a case where a managed cloud deployment can solve the problem outright—because your personal API keys, chat histories, and credentials aren’t sitting on an exposed local machine in the first place.

3. Malicious skills on ClawHub are poisoning the supply chain

ClawHub, OpenClaw’s public skill marketplace, lets anyone publish an extension—the only requirement is a GitHub account older than one week. That low bar has unfortunately turned the marketplace into a target. Koi Security audited all 2,857 skills on ClawHub and found 341 that were outright malicious. Bitdefender’s independent scan put the number closer to 900 malicious skills, roughly 20% of all packages. A single account—“hightower6eu”—uploaded 354 malicious packages by itself.

The attack is clever. You install what looks like a useful skill and the documentation looks professional. But buried in a “Prerequisites” section, it asks you to install something first—and that something is Atomic Stealer (AMOS), a macOS credential-stealing malware.

Security checks: OpenClaw has since partnered with VirusTotal to scan new skill uploads, but Steinberger himself admitted this isn’t a silver bullet. At a minimum, before installing any skill, read its source code. Check the publisher’s account age and history. Put simply, treat every skill as untrusted code running with your agent’s full permissions. Unlike some exposure risks, malicious skills are a threat regardless of where OpenClaw runs—a poisoned skill executes the same way on a cloud server as it does on your laptop.

4. Credential storage in plaintext and API key leakage

One of the less glamorous but more dangerous issues is how OpenClaw handles secrets. The platform stores credentials in plaintext—including API keys for your LLM provider and tokens for every messaging platform your agent connects to—and those become targets the moment your instance is accessible to anyone other than you. Prompt injection attacks can also trick the agent into exfiltrating credentials by embedding hidden instructions in content the agent processes.

Cisco’s team tested a skill called “What Would Elon Do?” and surfaced nine security findings, two of them critical. The skill instructed the bot to execute a curl command sending data to an external server controlled by the skill’s author. Functionally, it was malware hiding behind a joke name.

Security check: At a minimum, rotate your API keys regularly and store secrets using environment variables or a dedicated secrets manager rather than config files. It’s also worth setting spending limits on your LLM provider accounts. That way, even if a key is compromised, it can’t rack up thousands in charges.

5. Prompt injection attacks amplified by persistent memory

What makes prompt injection in OpenClaw worse than in a typical chatbot is the persistent memory. The agent retains long-term context, preferences, and conversation history across sessions—which is one of its best features. But it also means a malicious instruction embedded in a website, email, or document doesn’t have to execute immediately. Palo Alto Networks warned that these become “stateful, delayed-execution attacks”. A hidden prompt in a PDF you opened last Tuesday could sit dormant in the agent’s memory until a future task triggers it days later.

Security check: There’s no perfect fix for prompt injection right now; it’s an unresolved problem in agentic AI. But you can reduce the blast radius by limiting what tools and permissions your agent has access to, segmenting its access to sensitive systems, and reviewing its memory and context periodically for anything unexpected.

6. Shadow AI spreading through enterprise networks

This one’s for anyone working at a company where developers tinker on their work machines. Token Security found that 22% of their enterprise customers have employees running OpenClaw as shadow AI without IT approval. Bitdefender confirmed the same, showing employees deploying agents on corporate machines connected to internal networks. An OpenClaw agent on a developer’s laptop with VPN access to production means every vulnerability above is now a business problem.

Security check: If you’re on a security team, you should scan your network for OpenClaw instances now. Set up detection for its WebSocket traffic patterns, and mandate that any approved use runs in an isolated environment—a VM or cloud server—rather than on laptops with internal access. Giving teams an approved, isolated deployment path is the fastest way to get ahead of shadow AI—it’s much easier to enforce guardrails when the alternative isn’t ‘don’t use it at all.’

7. The Moltbook database breach exposing millions of agent credentials

The security mess isn’t limited to OpenClaw itself. Moltbook, the social network for AI agents built by Matt Schlicht, suffered a database exposure that cybersecurity firm Wiz discovered in early February. The database had zero access controls. Anyone who found it could view 1.5 million API tokens, 35,000 email addresses, and private messages between agents—enough to take control of any agent on the platform. China’s Ministry of Industry and Information Technology issued a formal warning about OpenClaw security risks, citing incidents like this breach.

Security check: If you’ve used Moltbook, rotate every API key and token associated with your agent. Treat third-party platforms in the OpenClaw ecosystem with the same skepticism you’d apply to any new service asking for your credentials and consider additional security checks.

OpenClaw security challenges FAQ

Why are security professionals concerned about OpenClaw?

OpenClaw agents run with deep system privileges—terminal, file system, and browser control—and ship with weak default security. Broad permissions plus poor out-of-the-box configuration has led to leaked API keys, hijacked agents, and malicious skills stealing credentials.

What are the most critical misconfigurations that expose OpenClaw instances to attackers?

The biggest one appears to be running the gateway without authentication enabled, especially behind a misconfigured reverse proxy that makes localhost-trusted connections accessible from the internet. Not updating past the critical RCE vulnerability (CVE-2026-25253) is another. Installing unvetted ClawHub skills without reviewing their source code rounds out the top three.

Is running OpenClaw on a dedicated cloud server safer than running it on a personal laptop or corporate workstation?

Yes. A dedicated server isolates the agent from your personal files, browser sessions, and work credentials. If something goes wrong, the damage stays contained to that server. DigitalOcean’s 1-Click Deploy and App Platform options both include security hardening that you’d otherwise need to configure manually.

Are ClawHub skills identified as safe to use?

No, not by default. Researchers found hundreds of malicious skills disguised as legitimate tools, some of which installed credential-stealing malware. OpenClaw now scans new uploads with VirusTotal, but that doesn’t catch everything—particularly skills using prompt injection payloads. Always read a skill’s source code before installing it, and stick to well-known publishers with established track records.

What steps can individuals and security teams take to harden an OpenClaw deployment?

Start by running OpenClaw in an isolated environment—a VM, container, or cloud server like a DigitalOcean Droplet. At a minimum, you should enable authentication on the gateway, keep the software updated, restrict network access with firewall rules, audit any ClawHub skills before installation, and rotate API keys regularly. For enterprises, monitor your network for unauthorized OpenClaw instances and treat the agent as a privileged user in your access control policies.

Deploy your OpenClaw agents on DigitalOcean

Running OpenClaw on your personal laptop means the agent inherits every vulnerability on that machine and introduces new ones. A dedicated cloud server won’t eliminate risks entirely, but it isolates the blast radius and keeps the agent away from your personal files and production credentials.

DigitalOcean offers two deployment paths built for this.

OpenClaw on DigitalOcean App Platform is designed for teams that want to run multiple agents at scale without managing infrastructure:

  • Define multiple agents declaratively—sales, support, personal assistant—in a single App Platform spec

  • Push updates via Git with zero-downtime deploys and automatic rollbacks

  • Scale predictably by resizing known instance types with transparent pricing

DigitalOcean’s 1-Click Deploy for OpenClaw starts at $12/month and provisions a hardened server with security baked in from the start:

  • Container-based isolation keeps agent execution sandboxed from the host system

  • Authentication is enforced by default with a unique gateway token generated per deployment

  • Firewall rules, non-root execution, and locked-down permissions are configured out of the box

Get started with OpenClaw on DigitalOcean

Any references to third-party companies, trademarks, or logos in this document are for informational purposes only and do not imply any affiliation with, sponsorship by, or endorsement of those third parties.

Pricing and product information accurate as of February 2026.