OpenClaw Security: The Honest Post
Let me be frank: some of the security criticism of Clawdbot/OpenClaw is absolutely valid. Some of it is jealous FUD. And some of it is just the internet being the internet.
Here’s what actually happened, where we are, and where the community is going.
What They Got Right
The Wiz research was real. The CVEs were real. The exposed API keys were real.
OpenClaw started as an experiment in what’s possible with autonomous AI agents—unburdened by what’s practical. The original codebase prioritized capability over security. Config files stored credentials in plaintext. The default posture was permissive. Authentication was optional.
Peter and the project as a whole made this posture 100% clear and warned appropriately.
For a research project running on a handful of machines? Fine.
Then it took off faster than anyone could have expected. Clawdbot was, somewhat literally overnight, being run by tens of thousands of users, on premises but also on cloud VPSs with real API keys and real data?
Not fine.
Here’s what the critics correctly identified:
Credential storage: Early versions stored API keys in plain JSON config files. No encryption, no secrets management, no keychain integration. If someone got access to your filesystem, they got your keys.
Default permissions: The default configuration was wide open. Shell access enabled. File system access enabled. Network access enabled. This was intentional—Peter wanted to see what agents could do without artificial limits. But it meant users who didn’t lock things down were running with maximum attack surface.
Skill verification: ClawHub launched without cryptographic verification of skills. Bad actors uploaded malicious packages disguised as utilities. Users who installed unvetted skills were essentially running arbitrary code.
Authentication gaps: Early API endpoints lacked proper auth. The Wiz research found exposed instances on Shodan. CVE-2026-25253 documented a real 1-click RCE vector via token exfiltration.
All of this is valid criticism. We’re not going to pretend otherwise.
What They Got Wrong (Or Exaggerated)
Not everything in the security discourse is accurate.
The “1.5M exposed keys” claim conflated total agent registrations on Moltbook with actual exposed credentials. The real exposure was serious but not that scale.
The rug pull narratives blame OpenClaw for scammers who created fake tokens during the rebrand confusion. That’s like blaming Linux for ransomware. Opportunistic grifters gonna grift.
The “zero security” framing ignores that OpenClaw always had security *options*—sandbox modes, permission controls, allowlists. They just weren’t defaults. There’s a difference between “no security exists” and “security isn’t the default.”
The competitive FUD is real. Every week there’s a new “OpenClaw killer” that’s “secure by design” with a fraction of the capabilities. Some of these projects are legitimate. Some are literally just wrappers around the same attack surface with better marketing.
And yes, some criticism comes from people who fundamentally oppose autonomous AI agents and will attack any project in this space regardless of its security posture.
How We Got Here
OpenClaw wasn’t supposed to be this popular this fast.
The original goal was exploring autonomous agent capabilities—what happens when you give an AI persistent memory, tool access, and the ability to operate 24/7 without constant human supervision. It was a research project that happened to be open source.
Then it went viral.
Suddenly (as in, within a week) there were thousands of users, hundreds of contributors, forks, tutorials, YouTube videos, and a community building things we never anticipated. The codebase that was fine for experimentation was now running in production environments with real stakes.
Peter had two choices: slow down and rebuild from scratch, or keep shipping capabilities while bolting on security. We chose the second path—partly because the community momentum was incredible, partly because we were learning in real-time what security in agentic AI actually requires.
That was a tradeoff with consequences. The security researchers are right that the team shipped fast and broke things. What they don’t see is the 200+ security-related commits in the last month, the incident response, the coordinated disclosures, the rapid patches.
Where We Are Now
Security heavyweights are now on the core team.
I’m not going to name-drop or credential-wave, but people who’ve built security infrastructure at scale—people who actually understand threat modeling for autonomous systems—are now actively working on OpenClaw.
What’s shipping now and in the next 30 days:
Encrypted credential storage: API keys encrypted at rest using system keychain integration (macOS Keychain, Windows Credential Manager, Linux Secret Service). Plain JSON configs are deprecated.
Sandboxed execution by default: New installs run in restricted mode. Shell access requires explicit opt-in. File system access is scoped. Network access uses allowlists.
Skill signing and verification: ClawHub now requires cryptographic signatures. Unsigned skills trigger warnings. Known malicious packages are blocklisted.
Authentication everywhere: All API endpoints require auth. Exposed Shodan instances are being actively notified. The default is locked down.
Security scanning in CI: Every PR runs through automated security analysis. Known vulnerability patterns are blocked before merge.
Responsible disclosure program: We now have a proper security@ contact, a bug bounty structure, and a coordinated disclosure process.
The Next 30 Days
Here’s my prediction, and you can hold me to it:
OpenClaw will go from “most criticized for security” to “most secure agentic AI platform” within 30 days.
Not because we’re going to suddenly become paranoid and disable everything useful. But because:
- We now have the right people. Security expertise that previously didn’t exist on the team now does.
- We have the architecture. The plugin system, the permission model, the sandbox infrastructure—it’s all there. It just needed to be the default, not the option.
- We have the motivation. Nothing focuses the mind like seeing your project dragged through security Twitter. The team is locked in.
- We’re building for agentic AI specifically. Generic security frameworks don’t fully address autonomous agent threats. We’re developing security primitives that understand agent-to-agent communication, skill composition, and long-running autonomous operation.
The critics gave us a gift: a very public, very thorough audit of everything wrong with the early architecture. We’re taking that feedback seriously.
What Users Should Do Now
If you’re running OpenClaw today:
- Update immediately. Run `git pull && pnpm install` or whatever your update path is. Security patches are shipping daily.
- Review your config. Look at your clawdbot.json. If you see plaintext API keys, migrate to encrypted storage.
- Enable sandbox mode if you haven’t. The capability loss is minimal; the security gain is significant.
- Audit your skills. If you installed skills from ClawHub before verification was mandatory, review them. Remove anything you don’t recognize.
- Don’t expose to the internet without authentication. If you’re running on a VPS, use proper firewall rules and access controls.
The Bigger Picture
Autonomous AI agents are coming whether or not OpenClaw exists. The security challenges we’re facing—credential management for AI, permission models for autonomous systems, trust in agent-to-agent communication—these are industry-wide problems that need industry-wide solutions.
We’re building in public, making mistakes in public, and fixing them in public. That’s uncomfortable. It’s also how open source works.
The alternative is security through obscurity—closed systems that hide their vulnerabilities until they’re catastrophically exploited. We’ve seen how that movie ends.
OpenClaw’s security story isn’t finished. But the next chapter is being written by people who know what they’re doing, with full awareness of what went wrong, and with a community that’s now deeply invested in getting it right.
Thirty days. Watch this space.
If you want to follow the security improvements in real-time, watch the GitHub security advisories and the #security channel in OpenClaw Discord.