
OpenClaw's Security Crisis: Why Self-Hosting Your AI Assistant Just Got Dangerous


Last week, the OpenClaw ecosystem faced its worst security breach to date. Over 340 malicious "skills" were discovered on ClawHub—the community marketplace for OpenClaw extensions—as part of a coordinated attack campaign dubbed "ClawHavoc." At the same time, security researchers found over 21,000 exposed OpenClaw instances accessible from the public internet, and a critical vulnerability (CVE-2026-25253) was patched that could allow one-click remote code execution.

If you're running OpenClaw on your own server, or considering it, this is your wake-up call.

What Happened: The ClawHavoc Campaign

In partnership with VirusTotal, OpenClaw maintainers scanned the entire ClawHub marketplace—a repository of community-contributed extensions that give OpenClaw new capabilities. The results were alarming: 341 malicious skills were found, representing a 12% infection rate.

These weren't simple scripts. The ClawHavoc campaign was sophisticated:

  • Crypto wallet theft: Skills that scanned local filesystems for wallet files and exfiltrated private keys
  • SSH key harvesting: Malware that copied ~/.ssh directories to attacker-controlled servers
  • Browser credential stealing: Extensions that dumped saved passwords from Chrome, Firefox, and Edge
  • Persistent backdoors: Code that established reverse shells for ongoing access

The attack worked because OpenClaw skills run with the same permissions as the OpenClaw process itself. If you installed a malicious skill, it had full access to everything your OpenClaw instance could touch—which, for most users, means their entire home directory and all locally stored credentials.
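Because a skill inherits everything the OpenClaw process can read, a first-pass review can at least flag skill files that reference the credential stores named above. The following is an added example, not code from OpenClaw or ClawHub: the patterns, the skill directory layout and the sample files are assumptions made for illustration, and obfuscated code will evade a string-based triage like this.

```python
import re
import tempfile
from pathlib import Path

# Illustrative heuristics for the four ClawHavoc behaviours listed above
# (assumed patterns for this example, not a published rule set).
INDICATORS = {
    "ssh-keys": re.compile(r"\.ssh\b|\bid_(rsa|ed25519|ecdsa)\b"),
    "crypto-wallet": re.compile(r"wallet\.dat|\.electrum|keystore", re.I),
    "browser-credentials": re.compile(r"Login Data|logins\.json|key4\.db"),
    "reverse-shell": re.compile(r"/dev/tcp/|pty\.spawn|os\.dup2"),
}
TEXT_SUFFIXES = {".py", ".js", ".ts", ".sh", ".json", ".md"}

def scan_text(text):
    """Return (line_number, category) pairs for every indicator hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, category))
    return hits

def scan_skill(skill_dir):
    """Map each flagged file (path relative to the skill) to its hits."""
    report, root = {}, Path(skill_dir)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in TEXT_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed sample files: one benign, one that names credential stores.
SAMPLE_BENIGN = 'def run(city):\n    return f"Weather for {city}"\n'
SAMPLE_SUSPICIOUS = (
    "import os\n"
    "src = os.path.expanduser('~/.ssh')\n"
    "db = os.path.expanduser('~/.mozilla/firefox/x.default/logins.json')\n"
)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "weather.py").write_text(SAMPLE_BENIGN)
        Path(tmp, "helper.py").write_text(SAMPLE_SUSPICIOUS)
        return scan_skill(tmp)

if __name__ == "__main__":
    print(demo())
```

A hit is a reason to read the file before installing, not a verdict; a clean result does not show a skill is safe.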

The Exposed Instance Problem

While the ClawHavoc campaign targeted users who installed malicious skills, there's an even bigger problem: thousands of OpenClaw instances are running on the public internet with little to no security configuration.

Censys, an internet scanning platform, discovered over 21,000 OpenClaw instances directly accessible without authentication. Many of these instances had:

  • Default credentials unchanged
  • No firewall rules
  • Full filesystem access enabled
  • API tokens exposed in environment variables
  • Cloud service credentials stored in plaintext

China's Ministry of State Security issued a formal warning about these exposed instances, noting they represent "critical infrastructure vulnerabilities" in both government and private networks.

CVE-2026-25253: The One-Click Takeover

On January 29, 2026, OpenClaw patched CVE-2026-25253, a critical vulnerability that allowed attackers to steal authentication tokens through a crafted link. If a user clicked on a malicious OpenClaw share link, their session token could be exfiltrated and used to remotely execute code on their instance.

This vulnerability was particularly dangerous because:

  1. No skills required: Unlike ClawHavoc, this didn't require installing anything
  2. One-click exploitation: A single malicious link in chat, email, or social media was enough
  3. Full RCE: Attackers gained complete remote code execution capabilities
  4. Chained with exposed instances: Combined with the 21,000+ publicly accessible instances, this created a perfect storm

The patch was released within 48 hours of discovery, but here's the problem: self-hosted OpenClaw instances only get patched when their administrators manually update them. How many of those 21,000 exposed instances have been patched? Nobody knows.

Why Self-Hosting Is Hard (Even for Technical Users)

OpenClaw is an incredible piece of software, but it was designed for developers and power users who understand security hardening. Even then, it's a challenge:

You're responsible for:

  • Keeping OpenClaw updated (new patches weekly)
  • Reviewing every skill before installation
  • Configuring firewall rules correctly
  • Managing authentication and session tokens
  • Rotating API keys and credentials
  • Monitoring for suspicious activity
  • Backing up data securely
  • Responding to security incidents

And you need to get it all right, every time. One misconfigured environment variable, one forgotten firewall rule, one malicious skill—and your entire system is compromised.

For non-technical users, this is an impossible burden. Even for experienced developers, it's a significant time investment that takes focus away from actually using your AI assistant.

The Hosted Alternative: Security as a Service

This is exactly why we built Clawer.ai.

Clawer is OpenClaw-as-a-Service: you get all the capabilities of OpenClaw without any of the security headaches. Here's what we handle so you don't have to:

1. Instant Security Patches

When CVE-2026-25253 was announced, every Clawer instance was patched within 2 hours. No action required from users. No "check for updates" button. No risk window.

2. Vetted Skills Only

We don't allow arbitrary skill installation. Every capability in Clawer is reviewed, sandboxed, and monitored. No community marketplace means no ClawHavoc-style campaigns.

3. Isolated Environments

Each Clawer instance runs in its own isolated container with minimal permissions. Even if something goes wrong, it can't access your SSH keys, crypto wallets, or browser data—because those aren't on our servers.

4. Professional Security Monitoring

We run intrusion detection, anomaly detection, and security logging 24/7. If something suspicious happens, our team investigates before it becomes your problem.

5. Secure by Default

No exposed instances. No default credentials. No public APIs without authentication. Everything locked down from day one.

6. Compliance-Ready

Need SOC 2? GDPR compliance? Data residency guarantees? We handle that. Self-hosted OpenClaw? You're on your own.

When Self-Hosting Makes Sense (And When It Doesn't)

To be clear: self-hosting OpenClaw isn't wrong for everyone. If you're a security professional with a dedicated ops team, running sensitive workloads that can't leave your infrastructure, and willing to invest ongoing resources in maintenance—self-hosting might be appropriate.

But if you're a small business owner, a freelancer, a startup founder, or anyone who just wants an AI assistant that works without becoming a part-time sysadmin—self-hosting is a liability, not an asset.

The ClawHavoc campaign and the 21,000 exposed instances prove one thing clearly: most people shouldn't be running their own AI infrastructure. Not because they're not smart enough, but because security is a full-time job.

What This Means for You

If you're currently self-hosting OpenClaw:

  1. Update immediately to version 2026.1.29 or later (patches CVE-2026-25253)
  2. Audit your installed skills and remove anything you didn't personally verify
  3. Check your firewall rules and ensure your instance isn't publicly accessible
  4. Review ClawHub activity and remove any skills from unknown authors
  5. Consider migrating to a hosted solution before the next vulnerability drops
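Steps 1 and 3 can be checked mechanically. This added example (not OpenClaw's own tooling) compares a date-style version against 2026.1.29 numerically and reads `ss -ltn` style output to find listeners bound beyond loopback. Port 8080, the sample socket listing, and the handling of a leading `v` or a `-suffix` in the version string are assumptions.

```python
import ipaddress

PATCHED = (2026, 1, 29)  # release the article names as fixing CVE-2026-25253

def parse_version(text):
    """'v2026.1.29-beta' -> (2026, 1, 29), so parts compare as integers."""
    core = text.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_patched(version):
    # A string comparison would rank "2026.1.3" above "2026.1.29".
    return parse_version(version) >= PATCHED

def exposed_listeners(ss_output, port):
    """Return local addresses on `port` that are not loopback-only."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets, %iface
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            exposed.append(fields[3])
    return exposed

# Constructed sample in the column layout of `ss -ltnH`; 8080 is a placeholder port.
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 511 [::1]:8080 [::]:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
"""

if __name__ == "__main__":
    for v in ("2026.1.3", "2026.1.29", "2026.2.1"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    print("exposed:", exposed_listeners(SAMPLE_SS, 8080))
```

A loopback-only bind says nothing about a reverse proxy or tunnel placed in front of it, so pair this with a reachability test from outside the host.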

If you're evaluating OpenClaw vs. Clawer:

Choose self-hosted if: You have dedicated ops resources, strict data residency requirements, and in-house security expertise.

Choose Clawer if: You want an AI assistant that works out of the box, stays secure automatically, and doesn't require you to become a security expert.

Try Clawer Today

We built Clawer specifically for people who want the power of OpenClaw without the risk. Your AI assistant should make your life easier, not add another security audit to your to-do list.


No credit card required. WhatsApp, Telegram, and Slack support included. Security patches applied automatically, forever.


Clawer.ai is an independent hosted service for AI assistants. We're not affiliated with the OpenClaw project, but we deeply respect their work and believe hosted solutions are the future for non-technical users.