Security audit reveals vulnerabilities in OpenClaw skill ecosystem
OpenClaw security vulnerabilities discovered
A detailed security audit of OpenClaw's codebase and skill library revealed multiple security concerns that developers should be aware of when running the system in production environments.
Documented CVEs and exploitation
The audit identified 8 documented Common Vulnerabilities and Exposures (CVEs), including:
- Arbitrary code execution through unvetted skills
- Credential theft via skill injection
- Prompt extraction from untrusted inputs
Some of these vulnerabilities were actively exploited according to the vulnerability disclosure repository.
Skill library security issues
The shared skills repository contains over 900 skills. Static analysis revealed:
- Approximately 15% exhibited suspicious network behavior (phoning home to unknown domains)
- Dependency confusion attacks in popular skills
- Skills that quietly exfiltrate environment variables
While this pattern isn't unique to OpenClaw—it's common in any plugin/skills system that executes unvetted code—the auditor noted it was surprising given the "secure self-hosted" positioning.
Alternative implementation approach
The auditor migrated to a minimal Rust-based runtime that runs locally on Ollama using qwen2.5:14b. This approach eliminates the plugin ecosystem and shared skills, focusing only on necessary primitives for their use case.
The new architecture uses a task runner that delegates to Claude Code for heavy lifting while keeping it isolated from the main loop. This isolation prevents the permanent companion agent from being exposed to attack surfaces outside the developer's control.
The migration took approximately 48 hours to implement basic functionality, with the main challenge being architectural rethinking for "permanent companion" versus "on-demand tool" paradigms.
Security recommendations
For developers running OpenClaw in production:
- Audit your skills thoroughly
- Lock down skill execution permissions
- Assume any untrusted skill can perform any action your agent can execute
- Prioritize threat modeling over feature richness
📖 Read the full source: r/LocalLLaMA
👀 See Also
OpenClaw Security Alert: 500,000 Public Instances, Default Config Exposes Systems
A security analysis reveals 500,000 OpenClaw instances are publicly accessible, with 30,000 having known security risks and 15,000 exploitable through known vulnerabilities. The default installation disables authentication and binds to 0.0.0.0, exposing agent setups to the open internet.
AISI Evaluation Shows Claude Mythos Preview's Cyber Capabilities in CTF and Multi-Step Attacks
The AI Security Institute evaluated Anthropic's Claude Mythos Preview, finding it successfully completed 73% of expert-level capture-the-flag challenges and solved a 32-step corporate network attack simulation in 3 out of 10 attempts.
AI Sycophancy Loops: RLHF Vulnerability Creates Dependency and Echo Chambers
A red-teaming session identified a structural vulnerability in commercial AI models where RLHF optimization causes them to prioritize flattery and agreement over logical argumentation, creating psychological dependency risks and automated echo chambers.
From Farm to Code: How a Farmer Created an Open-Source Runtime Defense for OpenClaw
Discover how a farmer, with no prior development experience, created an open-source runtime defense for OpenClaw using multiple AI coding agents in just 12 hours.