OpenClaw's Security Problem: Hundreds of Thousands of Exposed Instances and Malicious Plugins
OpenClaw is one of the most popular open-source projects in the world, with over 300,000 GitHub stars — surpassing React, Linux, and nearly every other repository on the platform. It can control your computer, manage your calendar, send emails, browse the web, and run shell commands. OpenClaw represents the future of AI — autonomous agents that act on your behalf.
But OpenClaw has a serious security problem.
What security researchers found
Over 135,000 exposed instances
SecurityScorecard initially discovered over 40,000 OpenClaw instances exposed on the public internet. Subsequent research by Censys and Bitdefender found the problem was far worse: over 135,000 exposed instances across 82 countries, with some estimates exceeding 220,000. Researchers found that 63% of observed deployments were vulnerable.
OpenClaw binds to 0.0.0.0:18789 (all network interfaces) by default rather than to localhost, and applies no rate limiting, so many instances remain effectively exposed even where the Gateway's token-based authentication is enabled. Many users never change the defaults.
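A quick way to confirm whether a host is affected by this default is to look at which address the gateway port is listening on. The script below is an added example, not OpenClaw's own tooling: it parses the output of `ss -ltn` (a few constructed sample lines are embedded so it runs offline) and classifies any listener on port 18789 as exposed when it is bound to a wildcard address, local when it is bound to loopback only, and specific-interface otherwise. The port number comes from the article; the `audit_live_system` helper is an assumed convenience that shells out to `ss` only when it is installed.

```python
"""Audit listening sockets for an agent gateway bound to all interfaces."""
from __future__ import annotations

import shutil
import subprocess
from dataclasses import dataclass

GATEWAY_PORT = 18789  # OpenClaw's default gateway port, per the article
WILDCARD = {"0.0.0.0", "::", "[::]", "*"}       # listens on every interface
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}        # reachable from this host only

# Constructed sample of `ss -ltn` output: one wildcard IPv4 bind, one loopback
# bind, one wildcard IPv6 bind, and an unrelated service on another port.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:18789       0.0.0.0:*
LISTEN 0      511    127.0.0.1:18789     0.0.0.0:*
LISTEN 0      128    [::]:18789          [::]:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
"""


@dataclass
class Finding:
    address: str
    port: int
    severity: str  # "exposed", "local" or "specific-interface"


def split_host_port(local: str) -> tuple[str, int]:
    """Split 'host:port' on the last colon so IPv6 forms like '[::]:18789' survive."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def audit_ss_output(text: str, gateway_port: int = GATEWAY_PORT) -> list[Finding]:
    """Return one Finding per LISTEN socket on the gateway port."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening state
        host, port = split_host_port(fields[3])
        if port != gateway_port:
            continue
        if host in WILDCARD:
            severity = "exposed"
        elif host in LOOPBACK:
            severity = "local"
        else:
            severity = "specific-interface"
        findings.append(Finding(host, port, severity))
    return findings


def exposed_listeners(text: str, gateway_port: int = GATEWAY_PORT) -> list[Finding]:
    """Only the listeners that answer on every interface."""
    return [f for f in audit_ss_output(text, gateway_port) if f.severity == "exposed"]


def audit_live_system(gateway_port: int = GATEWAY_PORT) -> list[Finding]:
    """Assumed helper: run `ss -ltn` on this host if it is available, else return []."""
    if shutil.which("ss") is None:
        return []
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return audit_ss_output(out, gateway_port)


if __name__ == "__main__":
    # Use the live system when possible, otherwise fall back to the constructed sample.
    results = audit_live_system() or audit_ss_output(SAMPLE_SS_OUTPUT)
    for f in results:
        print(f"{f.severity:18} {f.address}:{f.port}")
```

Any "exposed" finding means the gateway is reachable from every network the host is attached to; the fix the article implies is to bind the gateway to 127.0.0.1 (or a specific internal interface) and put access control in front of it.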
CVE-2026-25253: One-click remote code execution
In early 2026, researchers disclosed CVE-2026-25253, a critical vulnerability (CVSS 8.8) that allowed one-click remote code execution via crafted URLs. An attacker could send a link that, when clicked by someone running OpenClaw, would execute arbitrary commands on their machine. The vulnerability was patched in v2026.1.29, but many instances remain unpatched.
12% to 20% of community plugins are malicious
The ClawHub marketplace allows developers to share plugins (called "skills") that extend OpenClaw's capabilities. Koi Security audited 2,857 ClawHub skills and found 341 malicious entries — roughly 12% — containing data exfiltration, cryptocurrency miners, and backdoor access.
As ClawHub grew to over 10,700 skills by mid-February 2026, the problem scaled with it. Bitdefender identified 824+ malicious skills, pushing the malicious rate to approximately 20%.
OpenClaw has no code signing, no sandboxing, and no mandatory review process for community plugins.
Plaintext credentials
OpenClaw stores API keys, passwords, and authentication tokens in plaintext configuration files at ~/.openclaw/agents/*/agent/auth-profiles.json. If an attacker gains access to the instance, they get every credential the agent has been configured with.
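A defender's first check for this class of problem is a scan of the profile file itself: is it readable by anyone other than the owner, and does it hold secrets inline rather than references to an external store? The following script is an added example, not code from OpenClaw; the file path in `__main__` is the one the article names, but the JSON layout of the constructed sample profile, the `${ENV:NAME}` and `keyring:NAME` reference convention, and the secret-key name pattern are all assumptions made for the example.

```python
"""Audit an agent auth-profile JSON file for plaintext secrets and loose permissions."""
from __future__ import annotations

import json
import os
import re
import stat
import tempfile
from pathlib import Path

# Key names that usually hold a credential (assumed pattern for this example).
SECRET_KEY = re.compile(r"(api[_-]?key|token|secret|password|credential)", re.I)
# Assumed convention: a value of the form "${ENV:NAME}" or "keyring:NAME" is a
# pointer to an external secret store, not the secret itself.
REFERENCE = re.compile(r"^(\$\{ENV:[A-Z0-9_]+\}|keyring:[\w.-]+)$")

# Constructed sample profile: two inline secrets and one external reference.
SAMPLE_PROFILE = {
    "profiles": {
        "openai-main": {"provider": "openai", "apiKey": "sk-CONSTRUCTED-EXAMPLE-0000"},
        "imap": {"host": "mail.example.com", "password": "hunter2"},
        "github": {"token": "${ENV:GITHUB_TOKEN}"},
    }
}


def walk_secrets(obj, prefix=""):
    """Yield (dotted.path, value) for every leaf whose key looks like a credential."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if isinstance(value, (dict, list)):
                yield from walk_secrets(value, path)
            elif SECRET_KEY.search(key):
                yield path, value
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk_secrets(value, f"{prefix}[{i}]")


def audit_auth_profile(path: Path) -> list[str]:
    """Return human-readable findings for one auth-profile file."""
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"mode {mode:04o}: readable by group/other; expected 0600")
    data = json.loads(path.read_text())
    for key_path, value in walk_secrets(data):
        if isinstance(value, str) and value and not REFERENCE.match(value):
            # Report the location and length only; never echo the secret itself.
            findings.append(f"{key_path}: plaintext secret ({len(value)} chars)")
    return findings


def write_sample_profile(directory: str | None = None) -> Path:
    """Write the constructed sample to a temp dir with a deliberately loose 0644 mode."""
    target_dir = Path(directory or tempfile.mkdtemp(prefix="auth-profile-"))
    path = target_dir / "auth-profiles.json"
    path.write_text(json.dumps(SAMPLE_PROFILE, indent=2))
    os.chmod(path, 0o644)
    return path


if __name__ == "__main__":
    # Real deployments: the path from the article. Otherwise audit the sample.
    targets = list(Path.home().glob(".openclaw/agents/*/agent/auth-profiles.json"))
    for target in targets or [write_sample_profile()]:
        print(target)
        for finding in audit_auth_profile(target) or ["no findings"]:
            print("  -", finding)
```

Run against the sample, the audit reports the 0644 mode and the two inline values while accepting the `${ENV:GITHUB_TOKEN}` reference; on a real host the same script walks every profile under the path the article gives.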
No encryption at rest or in transit
By default, OpenClaw does not encrypt data at rest. Communication between the agent and LLM providers is encrypted via HTTPS, but local storage, logs, and conversation history are unprotected.
The Moltbook incident
The ecosystem around OpenClaw has its own security problems. Moltbook, a social network for OpenClaw agents, leaked 35,000 email addresses and 1.5 million API tokens through an exposed Supabase database — giving attackers direct access to users' LLM provider accounts and billing.
Why this matters
OpenClaw is not a chatbot. It is an AI agent — software that takes actions on your behalf. When an agent is compromised, the attacker doesn't just read your messages. They can:
- Send emails as you — phishing, impersonation, fraud
- Access your files — documents, photos, credentials
- Execute system commands — install malware, exfiltrate data, delete files
- Control connected services — calendar, task managers, smart home devices
The attack surface of an AI agent is fundamentally larger than that of a chatbot. Security cannot be an afterthought.
OpenClaw's governance problem
OpenClaw's original creator, Peter Steinberger, joined OpenAI on February 15, 2026. Sam Altman announced the hire personally. Steinberger, previously the founder of PSPDFKit (sold for approximately $116M in 2021), was one of Austria's most prominent tech founders.
The project was moved to an independent open-source foundation backed by OpenAI, but its future direction and governance remain uncertain. When a project's lead moves to one of the largest AI companies in the world — and that same company funds the foundation — questions about independence, roadmap, and long-term maintenance are legitimate.
eustella: The secure alternative
eustella gives you the same agentic capabilities as OpenClaw — task execution, workflow automation, communication, app integrations — but secure, private, and hosted entirely in Europe.
How eustella addresses OpenClaw's security gaps
| Issue | OpenClaw | eustella |
|---|---|---|
| Authentication | Binds to all interfaces by default | Required, multi-factor |
| Data encryption | Plaintext storage | Encrypted at rest and in transit |
| Plugin security | No review, 12–20% malicious | Curated, sandboxed, reviewed |
| Credential storage | Plaintext config files | Encrypted secrets management |
| Hosting | Self-hosted (user responsible) | Managed EU data centres |
| Data sovereignty | Depends on LLM provider | All data stays in the EU |
| Vulnerability response | User must patch manually | Managed, automatic updates |
eustella is designed for people who want the power of an AI agent without the responsibility of securing one themselves. No exposed databases, no malicious plugins, no plaintext credentials.
Sign up for early access to eustella →
Sources
- Star History Blog — "OpenClaw surpasses React as most-starred software project"
- Infosecurity Magazine — "Researchers find 40,000 exposed OpenClaw instances"
- Bitdefender — "135K OpenClaw AI agents exposed online"
- OpenClaw Gateway Security Documentation — docs.openclaw.ai/gateway/security
- NVD — CVE-2026-25253 (CVSS 8.8, 1-click RCE)
- Tiamatenity / Dev.to — "OpenClaw skill malware audit: 341 malicious skills infecting ClawHub"
- Particula Tech — "OpenClaw security crisis: Malicious AI agents"
- GitHub Issue #7139 — Plaintext credential storage in auth-profiles.json
- Wiz Research — "Exposed Moltbook database reveals millions of API keys"
- TechCrunch — "OpenClaw creator Peter Steinberger joins OpenAI"
- Euronews — "Austrian creator of viral OpenClaw joins OpenAI"
- Yahoo Finance — "OpenClaw founder Steinberger joins OpenAI, project moves to foundation"