OpenClaw Security: Why 42,000+ Instances Are Exposed (And How to Fix It)

OpenClaw has become the default platform for personal AI assistants — and attackers have noticed. In the past 90 days, security researchers have uncovered a critical remote code execution vulnerability, a coordinated malware campaign targeting the skill marketplace, and over 42,000 OpenClaw instances running naked on the public internet. If you're self-hosting OpenClaw, this is the article you need to read.

The Numbers Are Ugly

Let's start with the facts before we get into the fix:

• 42,000+ OpenClaw instances are publicly accessible without proper authentication, according to Censys and Shodan scans from January 2026
• CVE-2026-25253 — a critical RCE vulnerability that lets attackers execute arbitrary code through a crafted share link
• 341 malicious skills discovered on ClawHub in the "ClawHavoc" campaign, representing a 12% infection rate across the marketplace
• Unknown patch rate — nobody knows how many of those 42,000 instances have applied the security fix

This isn't a theoretical risk. These are active attack vectors being exploited right now.

CVE-2026-25253: One Click to Full Compromise

Discovered on January 29, 2026, CVE-2026-25253 is about as bad as vulnerabilities get. The attack is elegant in its simplicity: an attacker crafts a malicious OpenClaw "share link" — the kind users routinely exchange to share conversation threads or skill configurations. When a victim clicks the link, the attacker steals their session token and gains full remote code execution on the victim's OpenClaw instance.

Why it's particularly dangerous:

1. Zero installation required — unlike malware skills, this needs no user consent beyond clicking a link
2. Looks legitimate — the share link format is identical to real OpenClaw shares
3. Full RCE — attackers get complete code execution with the permissions of the OpenClaw process
4. Scales trivially — drop the link in a Discord, Reddit thread, or email, and wait

OpenClaw maintainers patched the vulnerability within 48 hours. The problem? Self-hosted instances only get patched when their admins manually update. Based on historical patch adoption rates for OpenClaw, fewer than 30% of instances are likely updated within the first month.

That means roughly 29,000 instances remain vulnerable right now, weeks after the fix was available.

The ClawHavoc Campaign: 341 Trojan Skills

While CVE-2026-25253 was the headline, the ClawHavoc campaign may be more damaging long-term. Working with VirusTotal, OpenClaw maintainers scanned the entire ClawHub marketplace and found 341 malicious skills — about 12% of all published skills.

The campaign was sophisticated. These weren't crude scripts. The malicious skills:

• Crypto wallet theft — scanned local filesystems for wallet files, exfiltrated private keys to attacker-controlled servers
• SSH key harvesting — copied entire ~/.ssh directories, giving attackers lateral movement across connected servers
• Browser credential stealing — dumped saved passwords from Chrome, Firefox, and Edge profiles
• Persistent backdoors — established reverse shells for ongoing, stealthy access
• Environment variable exfiltration — stole API keys for OpenAI, AWS, GCP, and other cloud services

The attack succeeded because OpenClaw skills run with the same permissions as the OpenClaw process. There's no sandboxing, no permission model, no review process. If you install a skill, it can do anything your user account can do.

Many victims didn't realize they were compromised. The malicious skills actually worked as advertised — they just also stole your data in the background.

42,000 Open Doors

Internet scanning platforms Censys and Shodan identified over 42,000 OpenClaw instances running on the public internet without adequate security configuration. These instances had some combination of:

• Default or no authentication
• No firewall rules restricting access
• Full filesystem access enabled
• API tokens and cloud credentials exposed in environment variables
• Outdated versions with known vulnerabilities

The number is double what was reported just six months ago. OpenClaw's popularity is growing faster than its users' ability to secure it. Every new Docker tutorial that ends with "expose port 3000" creates another target.

If You're Self-Hosting: Immediate Actions

If you run your own OpenClaw instance, do this today:

1. Update to the latest version — this patches CVE-2026-25253 and other recent fixes
2. Audit your installed skills — remove anything you didn't personally verify. Check each skill's source code, not just its description
3. Check your firewall — your instance should NOT be accessible from the public internet. Use a VPN or reverse proxy with authentication
4. Rotate all credentials — if you had any ClawHavoc-era skills installed, assume your API keys, SSH keys, and stored passwords are compromised
5. Enable authentication — if you haven't already, enable OpenClaw's built-in auth and set a strong password
6. Monitor logs — watch for unusual outbound connections, unexpected file access, or new processes

This is the minimum. If you want to do it right, you also need automated updates, intrusion detection, and regular security audits. That's a lot of work for something that's supposed to be a productivity tool.

How Clawer Solves This

We built Clawer specifically because we saw this coming. The OpenClaw project is excellent software, but security is a full-time job that most users aren't equipped for. Here's how we handle it:

Containerized Isolation

Every Clawer instance runs in its own isolated container with minimal permissions. There are no SSH keys to steal, no browser profiles to dump, no crypto wallets to exfiltrate — because none of that exists in the container. Even if a skill somehow went rogue, the blast radius is contained to an empty sandbox.

Skill Allowlists

We don't connect to ClawHub. Period. Every skill available on Clawer comes from our curated marketplace. Each skill is code-reviewed, sandboxed-tested, and continuously monitored. No community-contributed code runs without our explicit approval. The ClawHavoc campaign couldn't happen here because there's no open marketplace to poison.

Automated Security Scanning

Every container image is scanned for known vulnerabilities before deployment. We run automated CVE checks, dependency audits, and behavioral analysis. When CVE-2026-25253 was announced, every Clawer instance was patched within 2 hours — with zero user action required.

No Exposed Surfaces

Clawer instances are never directly exposed to the internet. All access goes through our authenticated API gateway with rate limiting, anomaly detection, and DDoS protection. There's no port to scan, no default credential to guess, no misconfigured firewall to exploit.

Automatic Updates

Security patches are applied automatically across all instances. No admin action required. No update notification to ignore. No "I'll do it this weekend" that turns into never. When a CVE drops, you're patched before you finish reading the advisory.

Self-Hosted vs. Managed: The Security Comparison

The Bottom Line

OpenClaw is powerful software. But power without security is a liability. The 42,000 exposed instances, the ClawHavoc campaign, and CVE-2026-25253 aren't anomalies — they're the predictable result of putting complex infrastructure in the hands of users who want an AI assistant, not a second job as a security engineer.

If you have a dedicated security team and the time to maintain hardened infrastructure, self-hosting can work. For everyone else — freelancers, small businesses, startups, anyone who just wants AI that works — managed hosting isn't a luxury. It's the responsible choice.

Clawer.ai is an independent managed hosting service built on OpenClaw. We respect the OpenClaw project and its maintainers. This article is intended to help users make informed decisions about their deployment strategy.