The OpenClaw Security Wake-Up Call: What Business Owners Need to Know Before They Deploy

The Fastest-Growing Project in GitHub History Ran Into the Hardest Problem in Software

OpenClaw went viral almost overnight. The open-source AI agent built by developer Peter Steinberger crossed 135,000 GitHub stars within weeks of launch, a pace rarely seen even in the most hyped software releases. Mainstream press coverage followed. Business owners started reading about it. Companies began exploring deployments.

Then the security incidents started.

This is not unusual for software that explodes in popularity that fast. Security vulnerabilities get found when millions of people start using a product and thousands of researchers start poking at it. What matters for a business owner evaluating OpenClaw is not that these incidents happened, but what they reveal about the risks of deploying an AI agent with broad system access, and what has changed since.

Here is the timeline, explained in plain English.

Incident One: ClawHavoc - Malicious Skills in the Marketplace

OpenClaw's capabilities come largely from "skills," add-on modules that give the agent new abilities. There is a public marketplace called ClawHub where developers share and distribute skills. Think of it like a browser extension store for your AI agent.

Between January 27 and 29, 2026, security researchers discovered that attackers had seeded ClawHub with 341 malicious skills. Out of a total registry of 2,857 skills, that is roughly 12 percent. The malicious skills used professional-looking documentation and harmless-sounding names like "solana-wallet-tracker." They appeared legitimate. Once installed, they instructed users to run external code that installed keyloggers on Windows machines or malware designed to steal cryptocurrency wallets on macOS.

The attack vector here was not a bug in OpenClaw itself. It was the marketplace model: an open registry where anyone can publish, and users trust the listings they find there.

What this means for your deployment: Only install skills from sources you can verify. The ClawHub marketplace is useful, but "available in the marketplace" does not mean "vetted and safe." Before installing any skill in a business environment, read the source code or have someone who can read it do so on your behalf. This is the same principle as not installing browser extensions from random websites. The convenience of a marketplace comes with the risk that not everything in it is trustworthy.

If you are deploying OpenClaw through NemoClaw, the sandboxing layer reduces the damage a malicious skill can do, because skills run in a contained environment with limited filesystem and network access. That does not make a malicious skill harmless, but it limits the blast radius.

Incident Two: A Critical Remote Code Execution Vulnerability

On January 30, 2026, OpenClaw released version 2026.1.29. Buried in the release notes was the fix for a security vulnerability now catalogued as CVE-2026-25253. The vulnerability was patched before public disclosure, which is the correct order of operations, but the nature of the bug is worth understanding.

The vulnerability allowed an attacker to execute code on your machine with a single click. Here is how it worked: OpenClaw runs a local web-based control interface. That interface trusted certain URL parameters without validating them. An attacker could craft a malicious link and send it to you. When you clicked it, the attacker could hijack your OpenClaw instance through a technique called cross-site WebSocket hijacking. This worked even on instances configured to listen only on localhost, meaning even machines that were not publicly exposed to the internet were vulnerable.

On February 3, the vulnerability was publicly disclosed with a CVSS score of 8.8 out of 10. That score puts it in the "high severity" category. The same day, OpenClaw issued two additional advisories covering command injection vulnerabilities found in the same audit.

What this means for your deployment: Always run the latest version of OpenClaw. The 2026.1.29 patch is available and this specific vulnerability is fixed. If you are running an older version, update now. More broadly, this incident illustrates why giving an AI agent broad system access on your primary work machine is a meaningful risk. An attacker who can hijack OpenClaw can potentially do anything OpenClaw can do, which may include accessing your files, sending emails, or making API calls to your business systems.

The architecture lesson here is the same one enterprise security teams have been saying for years: separate the agent from your most sensitive systems. Run OpenClaw on a dedicated machine or virtual environment rather than your primary laptop. Or use NemoClaw, which places the agent in a kernel-level sandbox that limits what it can access even if compromised.

Incident Three: 21,000 Exposed Instances

On January 31, security researchers at Censys published their findings after scanning the internet for publicly accessible OpenClaw instances. They found 21,639 of them.

For context: a few days earlier, the count had been approximately 1,000. The exponential jump was a direct consequence of viral adoption. Thousands of users installed OpenClaw and left the control interface accessible on the open internet, either intentionally (thinking it was convenient) or by accident (not understanding what the default configuration exposed).

The consequences were predictable. Misconfigured instances were leaking API keys, OAuth tokens, and plaintext credentials. An attacker who found your exposed OpenClaw instance did not need to exploit a vulnerability. They could simply connect to the control interface directly, read your stored credentials, and use them to access your email, your cloud services, or your business applications.

The United States had the highest number of exposed instances. China was second, with roughly 30 percent of exposed deployments running on Alibaba Cloud infrastructure.

What this means for your deployment: OpenClaw should not be accessible from the open internet unless you have a specific reason for that and have secured it accordingly. The default configuration is designed for local use. If you need remote access to your OpenClaw instance, use a VPN or SSH tunnel rather than exposing the port directly. Check your firewall settings before and after installation.

This is not an OpenClaw-specific problem. It is a standard misconfiguration risk that applies to any locally hosted service. But OpenClaw's rapid viral growth meant that many of the people setting it up were not experienced systems administrators. They installed the software because it sounded interesting, and they did not think through the network exposure implications.

Incident Four: The Moltbook Breach

Alongside OpenClaw's rise, a social platform called Moltbook emerged. The concept was novel: a network where OpenClaw agents could interact with each other, sharing tasks and context. By early February 2026, the platform had over 770,000 active agents and had become a significant part of the OpenClaw ecosystem.

Security researchers found that Moltbook had an unsecured database. The exposure included 35,000 email addresses and 1.5 million agent API tokens. An API token is essentially a password. If an attacker obtains your agent's API token, they can potentially impersonate your agent and access the services it is connected to.

Moltbook is a third-party platform, not part of OpenClaw itself. But the breach illustrates a broader point: when you connect an AI agent to external services and platforms, you are extending the attack surface beyond your own infrastructure. The security of your agent deployment is only as strong as the weakest link in that chain.

What this means for your deployment: Be deliberate about what third-party services you connect your OpenClaw agents to. Each connection is a potential exposure point. Use dedicated API tokens with limited permissions for each integration, rather than sharing tokens across services. Rotate tokens periodically. If a service you use is breached, revoke and replace the token immediately.

What Has Been Fixed

It is important to be clear about what has actually changed since these incidents. The picture is meaningfully better today than it was in late January.

The critical remote code execution vulnerability (CVE-2026-25253) has been patched. The two command injection vulnerabilities disclosed alongside it have been patched. These fixes are in the current release. If you are running an up-to-date version of OpenClaw, you are not exposed to these specific vulnerabilities.

The ClawHub marketplace has been audited and the known malicious skills have been removed. The OpenClaw team has implemented additional review processes for new skill submissions. This does not make ClawHub perfectly safe, but it is substantially better than the state it was in when the 341 malicious skills were live.

The OpenClaw documentation has been updated with security configuration guidance. Specifically, the installation documentation now includes clearer warnings about network exposure and guidance on securing the control interface. The problem of accidentally exposed instances is a configuration issue, not a software bug, but better documentation helps reduce the frequency of that misconfiguration.

What has not changed is the fundamental architecture of OpenClaw: it is a powerful agent with broad system access, and that power creates risk if mismanaged. No patch eliminates that underlying reality. The right response is not to avoid OpenClaw because of these incidents, but to deploy it with appropriate security hygiene.

Why This Is Actually the Reason NemoClaw Exists

The security incidents described above are not unrelated to NemoClaw's existence. They are precisely the context that motivated NVIDIA's decision to build and launch it.

When Jensen Huang stood on stage at GTC 2026 and called OpenClaw "the operating system for personal AI," he was not ignoring the security problems. He was announcing the enterprise response to them. NemoClaw is NVIDIA's answer to the question that every IT security team was asking after the January and February incidents: "This looks useful, but how do we deploy it safely?"

NemoClaw's security architecture directly addresses the incident categories above. The kernel-level filesystem sandbox (using Linux Landlock technology) limits what an agent can read and write, so a compromised skill cannot freely access files it was not explicitly permitted to touch. The network namespace isolation and egress policy controls prevent an agent from making unauthorized network calls, reducing the risk of credential leakage to external services. The audit trail records what the agent did and when, so if something goes wrong, you can reconstruct the sequence of events.

None of this is magic. NemoClaw is still in early preview, and its own security should be evaluated carefully before production use. But it represents a genuine architectural response to the specific failure modes that the early OpenClaw incidents exposed.

Harrison Chase of LangChain summarized the situation well at the GTC launch: "I guarantee that every enterprise developer out there wants to put a safe version of OpenClaw onto their computer or expose it to their users. The bottleneck has never been interest. It has been the absence of a credible security and governance layer underneath it."

NemoClaw is the attempt to build that layer.

The Hardware Response: ClawGo and the "Dedicated Device" Argument

A different response to the same security problem came from a UK-based startup called ClawGo, which announced a handheld AI agent companion on April 1, 2026.

ClawGo's approach starts from a simple observation: many of the worst OpenClaw security incidents happened because people ran the agent on their primary device alongside their most sensitive data. The malicious skill that installs a keylogger is far more dangerous on a laptop that also contains your banking app, your work email, and your password manager than it would be on a dedicated device running only the agent.

The ClawGo device is designed to be that dedicated endpoint. It runs OpenClaw-native agents on hardware that is separate from your main phone or computer. The agent has access to whatever you give it, but your other data is physically on a different device.

This is an architectural answer rather than a software one. It does not fix the underlying vulnerabilities, but it limits the damage those vulnerabilities can cause by isolating the agent from your most sensitive systems.

The co-founder's framing is worth noting: "The model is the brain. The runtime is the workplace. And ClawGo is the body." The device is intended as infrastructure for persistent agent operation, not a consumer gadget. Whether the product succeeds commercially is uncertain, but the underlying logic of dedicated agent hardware is sound from a security standpoint.

The Transparency Coalition's Broader Assessment

The Transparency Coalition for AI, which published a comprehensive review of the OpenClaw security situation at the end of March 2026, reached a balanced conclusion that is worth quoting in spirit if not verbatim.

Their assessment: OpenClaw's rapid rise created a security crisis in real time. The vulnerabilities were real, the incidents were serious, and the response from both the OpenClaw team and the broader security community was reasonably prompt. The incidents demonstrate something specific about AI agents as a category: they are not like traditional software. A web application that gets hacked typically exposes data. An AI agent that gets compromised can take action on your behalf, which is a qualitatively different kind of damage.

That distinction matters for how you think about the risk. A compromised OpenClaw instance is not just a data breach. It is a potential action breach. The attacker does not just see what the agent knows. They can do what the agent can do. If your agent can send emails, the attacker can send emails as you. If your agent can update your CRM, the attacker can corrupt your CRM data.

This is not a reason to avoid AI agents. It is a reason to think carefully about what permissions you grant them and to use available security layers like NemoClaw when deploying in a business context.

A Practical Security Checklist for OpenClaw Deployments

If you are considering deploying OpenClaw in your business, or if you already have a deployment and these incidents are prompting a review, here is a practical starting point.

Keep the software current. The critical CVE-2026-25253 vulnerability is patched in version 2026.1.29 and later. If you are running an older version, update before doing anything else. Subscribe to OpenClaw's security advisories so you know when future patches are released.

Audit your network exposure. Check whether your OpenClaw control interface is accessible from outside your local network. It should not be unless you have intentionally configured it that way with appropriate authentication. If you need remote access, use a VPN or SSH tunnel.

Review installed skills. If you installed any skills from ClawHub before February 2026, verify they are from known legitimate sources. The known malicious skills have been removed from the registry, but your local installation will retain anything you already installed. Review the list and remove anything you cannot verify.

Audit agent permissions. What can your OpenClaw agent actually access? Review the connections you have authorized and remove anything that is not actively needed. An agent that can read your email does not also need write access to your file system unless there is a specific workflow that requires it. Minimum necessary permissions is the correct default.

Rotate API tokens. If you had an agent connected to Moltbook or any other third-party service that may have been breached, rotate the API tokens for those connections. Treat any token that was stored in an agent's configuration as potentially compromised if the service it was connected to has been involved in a breach.

Consider NemoClaw for business deployments. If you are running OpenClaw in a context where multiple people are using it, or where the agent has access to business systems, NemoClaw's security layer provides meaningful additional protection. It is in early preview, but the core sandboxing and audit capabilities are functional. Read the security explainer to understand what it does and does not protect against.

Run the agent on dedicated hardware if possible. Whether that is a NemoClaw instance on a cloud VPS, a dedicated home server, or something like the ClawGo device when it ships, keeping the agent off your primary work machine limits the damage if something goes wrong.

The Bigger Picture

Software that gains 135,000 stars in weeks will have security problems discovered quickly. That is almost tautological. The speed of adoption means the speed of scrutiny increases proportionally.

What the OpenClaw security incidents from early 2026 actually tell you is something important about the category, not just the product. AI agents that can take actions on your behalf are genuinely powerful and genuinely risky. The power and the risk come from the same source: the agent can do things. A passive chatbot that only answers questions cannot leak your credentials by sending them somewhere. An agent that can send emails, update files, and make API calls can do all of those things if it is compromised or misconfigured.

The responsible path forward is not to dismiss OpenClaw because of these incidents, nor to ignore them because the patches are out. It is to understand the risk model, deploy with appropriate safeguards, and keep the security posture current as the ecosystem evolves.

The tooling to do this safely is improving rapidly. NemoClaw exists specifically to close the gap between "useful but risky" and "useful and manageable." The question for business owners is not whether AI agents are worth using, but whether the deployment is set up in a way that makes the risk proportionate to the benefit.

If you are starting fresh, the safest path is: understand what OpenClaw actually does, follow the install guide carefully, apply the security checklist above, and evaluate NemoClaw before granting the agent access to any business-critical systems.

The agents are becoming capable enough to be genuinely useful. The security infrastructure is catching up. Right now, in April 2026, the responsible approach is to use both.