The Exposed Gateway Problem
This is the most critical security risk with OpenClaw, and it is alarmingly common. By default, OpenClaw's gateway API listens on port 18789 on all network interfaces. This means if your computer or server is connected to the internet without a firewall, anyone in the world can reach your agent's control interface.
What can an attacker do with access to an exposed gateway?
- Send messages as you through all connected messaging platforms
- Read your entire email inbox and send emails from your account
- Access, modify, or delete your files
- Modify your calendar
- Install malicious skills that run code on your machine
- Use your AI API key (costing you money)
This vulnerability was formally assigned CVE-2026-25253 and is classified as critical. Security researchers identified over 135,000 exposed installations in early 2026 — meaning 135,000 people had their personal AI agents wide open to the internet.
The Fix
Bind the gateway to localhost so it only accepts connections from the local machine:
- Set
OPENCLAW_HOST=127.0.0.1in your configuration - Enable authentication tokens so even local connections require a secret
- Configure your firewall to block port 18789 from external access
These steps are part of every security hardening we perform at OpenClawGTA.
Malicious Skills
OpenClaw supports "skills" — third-party extensions that add capabilities to your agent. The community-run ClawHub marketplace lets anyone publish skills, and the vetting process is minimal.
Security audits found 1,184 malicious packages on ClawHub in 2026 — roughly 1 in 12 published skills. These malicious skills can:
- Exfiltrate your data to external servers
- Install backdoors on your machine
- Modify your agent's behaviour without your knowledge
- Steal your AI API keys
The Fix
- Only install skills from verified publishers or the official OpenClaw organization
- Review the source code of any skill before installing
- Use the
--verified-onlyflag when searching ClawHub - Regularly audit installed skills with
openclaw skills list
Unintended Agent Behaviour
Even with a properly secured installation, the AI agent itself can make mistakes. There have been documented cases of agents taking unintended destructive actions — including one widely-reported incident where an agent permanently deleted a user's entire Gmail inbox while trying to "clean up" old messages.
The risk increases when:
- The agent has broad permissions without guardrails
- Ambiguous instructions are given (e.g., "clean up my email" without specifying what that means)
- No human-in-the-loop confirmation is configured for destructive actions
The Fix
- Configure human-in-the-loop confirmation for all destructive actions (deleting, sending, modifying)
- Start with read-only permissions and expand gradually
- Be specific in your instructions — "archive emails older than 30 days in the Promotions tab" is safer than "clean up my email"
- Test new workflows with low-stakes accounts before connecting production email
The Root Access Problem
Some installation guides suggest running OpenClaw as root (the superuser account) for convenience. This is dangerous. If the agent — or an attacker who gains access to the gateway — can execute commands as root, they have unrestricted access to your entire system.
The Fix
- Never run OpenClaw as root
- Create a dedicated user account with limited permissions for running the agent
- Use the
openclaw doctorcommand to verify your installation is not running with elevated privileges
Security is not optional with OpenClaw — it's the difference between a powerful personal assistant and a wide-open backdoor to your digital life. If you're unsure about your setup, book a free security assessment or read more about our security hardening process.