A new study warns that Openclaw is facing a systemic security collapse after researchers found critical vulnerabilities, malware‑infected extensions, and prompt injection risks that allow attackers to steal data or hijack systems.
The ‘Trusted Environment’ FallacyThe report highlights a fundamental architectural flaw: Openclaw was originally designed for “trusted local environments.” However, as the platform’s popularity exploded, users began deploying it on internet-facing servers—a transition the software was never equipped to handle.
Furthermore, attackers are now hiding malicious instructions within emails and webpages. When the AI agent processes these documents, it can be forced to exfiltrate files or execute unauthorized commands without the user’s knowledge.
“Openclaw has become a case study in what happens when large language models stop being isolated chat systems and start acting inside real environments,” said a lead auditor from Penligent. “It aggregates classic software defects into a runtime with high delegated authority, making the blast radius of any single bug massive.”
Mitigation and Safety RecommendationsIn response to these findings, experts are urging a “security-first” approach for both developers and end users. For developers, the study recommends establishing formal threat models from day one, enforcing strict sandbox isolation and ensuring that any AI-spawned subprocess inherits only low-privilege, immutable permissions.
For enterprise users, security teams are urged to use endpoint detection and response (EDR) tools to locate unauthorized Openclaw installations within corporate networks. On the other hand, individual users are encouraged to run the tool exclusively in a sandboxed environment with no access to production data. Most importantly, users must update to version 2026.1.29 or later to patch known remote code execution (RCE) flaws.
While Openclaw’s developers recently partnered with Virustotal to scan uploaded skills, Certik researchers warn this is “no silver bullet.” Until the platform reaches a more stable security phase, the industry consensus is to treat the software as inherently untrusted.
FAQ What is Openclaw? Openclaw is an open‑source AI framework that quickly grew to 300,000+ GitHub stars. Why is it risky? It was built for trusted local use but is now widely deployed online, exposing major flaws. What threats exist? Critical CVEs, malware‑infected extensions, and 135,000+ exposed instances across 82 countries. How can users stay safe? Run only in sandboxed environments and update to version 2026.1.29 or later.
