TechTide TV

OpenClaw Security: What You Actually Need to Know Before You Install It

OpenClaw is powerful, but it also has real security risks. Palo Alto Networks flagged a 'lethal trifecta' of vulnerabilities. Here's what they are, why they matter, and what you can actually do about them.

ยท 6 min read

OpenClaw Security: What You Actually Need to Know Before You Install It

OpenClaw has taken off fast โ€” 150,000+ GitHub stars, coverage in CNBC, Fortune, and TechCrunch, and a community that's genuinely excited about what it can do. But there's a flip side to all that capability, and it's worth understanding before you install it.

Cybersecurity firm Palo Alto Networks flagged serious risks. Security researchers have found thousands of exposed OpenClaw gateways on the open internet. And the way the tool is architected โ€” local access, persistent memory, external communication โ€” creates a threat surface that doesn't exist with normal chatbots.

Here's what's actually going on.

Why OpenClaw Is Different From a Regular Chatbot

Most AI tools are stateless. You type a message, you get a response, the conversation ends. OpenClaw is fundamentally different in three ways that matter for security:

  1. It has persistent memory. It remembers things across days and weeks. Context doesn't reset.
  2. It has access to your files, apps, and shell. It can read emails, run commands, browse the web โ€” all on your behalf.
  3. It communicates externally. It sends messages through WhatsApp, Telegram, Slack, and other platforms.

Each of these is useful. Together, they create what Palo Alto Networks called a "lethal trifecta" of risk: access to private data, exposure to untrusted content, and the ability to perform external communications โ€” all while retaining memory.

The Three Main Threat Categories

1. Prompt Injection

This is the biggest one. Prompt injection happens when malicious instructions are hidden inside content that OpenClaw reads or processes โ€” a web page it browses, an email it summarizes, a file it opens. For more, see 336 malicious skills found on ClawHub. For more, see how to safely manage OpenClaw skills and ClawHub.

Because OpenClaw has real system access, a successful prompt injection doesn't just produce a bad response. It can make the agent take actions โ€” delete files, send messages, exfiltrate data โ€” all without you knowing.

Example scenario: You ask OpenClaw to summarize your emails. One email contains hidden text designed to instruct the AI to forward your contacts list to an external address. The agent processes it as a legitimate instruction.

2. Delayed-Execution Attacks via Persistent Memory

This one is subtle and genuinely concerning. Because OpenClaw stores memory locally and carries context forward across sessions, an attacker doesn't need to exploit the agent immediately.

The attack pattern works like this:

  • Malicious content is fed to the agent at some point (a web page, a document, a message)
  • The payload doesn't trigger right away โ€” it plants instructions in memory
  • Days or weeks later, when certain conditions are met, the stored instructions activate

Palo Alto Networks specifically called this out: persistent memory enables delayed-execution attacks rather than immediate exploits. This is harder to detect because there's no single moment where something obviously goes wrong.

3. Exposed Gateways

OpenClaw's local gateway (the background service that handles all communication) defaults to running on ws://127.0.0.1:18789. That's localhost โ€” it should only be accessible from your own machine.

But security researchers have found thousands of OpenClaw gateways exposed to the public internet โ€” either because users misconfigured their setup, or because they deployed on cloud instances without proper network isolation.

An exposed gateway is essentially an open door. Anyone who can reach it can potentially send commands to the agent, read its memory, and trigger actions on the owner's machine.

What Andrej Karpathy Said

OpenAI cofounder Andrej Karpathy weighed in on the situation, calling it "a complete mess of a computer security nightmare at scale." He acknowledged it's a "dumpster fire right now" while also recognizing that what OpenClaw is doing โ€” building autonomous agents that actually work โ€” is genuinely significant.

That tension is the real story: the tool works, the security isn't there yet.

What IBM Says About Enterprise Use

IBM Distinguished Engineer Chris Hay cautioned that deploying OpenClaw in workplace environments exposes organizations to significant vulnerabilities. IBM Principal Research Scientist Kaoutar El Maghraoui put it more diplomatically: vertical integration (the kind enterprise AI platforms provide) matters when security is the priority. OpenClaw's loose, open-source approach is powerful for personal use, but the enterprise security bar is different.

The bottom line from IBM: OpenClaw demonstrates that autonomous agents can work. It doesn't yet prove they can work safely at enterprise scale.

What Peter Steinberger (OpenClaw's Creator) Has Said

Steinberger has acknowledged the security risks publicly. He hasn't dismissed them. More work on agentic security is on the roadmap โ€” but right now, the tool moved faster than the security layer around it.

Practical Steps If You Still Want to Use It

If you're a developer or power user and you want to run OpenClaw while being aware of the risks, here's what actually matters:

Lock down your gateway:

  • Make sure the gateway is only accessible from localhost (127.0.0.1)
  • Never expose it on a public IP or cloud instance without a firewall
  • If you deploy on a server, put it behind a VPN or SSH tunnel

Be careful about what you feed it:

  • Don't point it at untrusted content without thinking
  • Be selective about which emails, web pages, and files the agent has access to
  • Treat anything the agent reads as potentially adversarial

Understand what's in memory:

  • Review what OpenClaw has stored locally
  • Memory is stored as Markdown files on your machine โ€” you can read and delete them
  • Periodically clear memory if you're worried about stale context carrying risk

Use local models when possible:

  • Running a local model means your prompts and responses never leave your machine
  • This eliminates one attack vector (man-in-the-middle on API calls)

Keep it off production systems:

  • For now, OpenClaw is best suited for personal or development use
  • Don't connect it to systems where a breach would have serious consequences

The Bigger Picture

OpenClaw isn't uniquely insecure โ€” it's just the first tool to make these risks visible at scale. Every AI agent that has real system access, persistent memory, and external communication will face the same threat model.

The security industry is watching this closely. Palo Alto Networks flagged it. IBM commented on it. The conversation around "agentic security" is accelerating because of OpenClaw, not in spite of it.

The tool is a preview of what's coming. The security layer is catching up.

New to OpenClaw? Start with What Is OpenClaw? The Open-Source AI Agent Everyone Is Talking About. Want to see what happens when AI agents get their own social network? Read Moltbook: The Social Network Where Only AI Agents Post.

You May Also Like

More in AI Tools โ†’
Browse All Articles โ†’