OpenClaw Security: What Business Leaders Must Know

TL;DR: CrowdStrike discovered over 135,000 OpenClaw instances running on the public internet with authentication completely disabled, meaning anyone could access the agent and every credential it holds, including email passwords, API keys, and calendar tokens. This happened because OpenClaw's default configuration binds to all network interfaces with no login required, and API keys are stored in plain text. Security hardening (running the agent in an isolated Docker container, locking down network access with firewall rules, storing credentials in an encrypted vault, and adding authentication middleware) is essential but not handled automatically. Independent audits also found that 36% of community-contributed skills on ClawHub contain security vulnerabilities. Microsoft recommends against connecting OpenClaw to primary work accounts without proper isolation. When evaluating any OpenClaw provider, ask seven questions: where it runs, how authentication works, where credentials are stored, how skills are vetted, what monitoring exists, the incident response plan, and how updates are handled.

What did CrowdStrike find about exposed OpenClaw instances?

In early 2026, CrowdStrike reported that more than 135,000 OpenClaw instances were running on the public internet with no authentication. Each exposed instance gave strangers full access to the agent, its credentials, and every connected system.

CrowdStrike published this finding, and it got buried under the usual AI hype cycle: more than 135,000 OpenClaw instances were sitting on the public internet with authentication disabled. No password. No login screen. Nothing between a stranger and full access to someone's AI agent, along with every API key, email credential, and business document that agent could reach.

That number is worth sitting with for a moment.

If you're new to OpenClaw, start with our complete guide for business leaders. But the short version: OpenClaw is the most popular open-source framework for building autonomous AI agents. It's powerful, flexible, and growing faster than almost any software project in history. It also ships with security settings that assume you know what you're doing.

Most people don't. And that's not an insult; it's a design problem.

Why is the default setup dangerous?

OpenClaw's default configuration creates three overlapping security risks: it listens for connections from anywhere on the internet, requires no authentication, and stores all credentials in plain text. Together, these defaults turn every unmodified install into an open door.

When you install OpenClaw and start it up, three things happen that create real risk.

The gateway binds to 0.0.0.0. In plain English, this means your OpenClaw instance listens for connections from anywhere on the internet, not just your own computer. It's the equivalent of putting a desk in your lobby with an unlocked laptop and a sign that says "help yourself."

Authentication is disabled by default. There's no username, no password, no login. Anyone who finds your instance can use it. They can read your agent's conversation history, see what tools it has access to, and send it new instructions.

API keys sit in plain text. Your OpenAI key, your email credentials, your calendar access tokens are stored in configuration files without encryption. If someone reaches your instance, they can extract every credential your agent uses.

Each of these is fixable. But all three ship as the default. That's what those 135,000 exposed instances look like: default installs that someone put on a server and forgot about, or never realized needed hardening.

What does security hardening actually involve?

Security hardening means adding the protections OpenClaw doesn't include by default: container isolation, network restrictions, credential encryption, and authentication middleware. These are standard practices for internet-connected services, but OpenClaw doesn't do any of them for you.

You'll see the phrase "security hardening" in every technical guide about OpenClaw. Here's what it translates to in practice:

Run it in a container

A Docker container is like a sealed box inside your server. Your OpenClaw instance runs inside the box, and if something goes wrong, the damage stays contained. The agent can't reach the rest of your system. This is table stakes, not optional.

Lock down the network

Firewall rules control who can talk to your OpenClaw instance. Instead of accepting connections from everywhere (that 0.0.0.0 problem), you restrict access to specific IP addresses or internal networks only. Your agent should be reachable by you and your team. Nobody else.

Isolate credentials

Every API key and password your agent uses should be stored in a secrets manager (a purpose-built vault) not in a config file sitting on disk. If someone somehow breaches the container, they shouldn't find a plaintext file with your Gmail password in it.

Add authentication middleware

Since OpenClaw doesn't ship with authentication, you need to put something in front of it. OAuth middleware acts like a bouncer: it checks identity before anyone reaches your agent. This is what Microsoft's security team specifically recommends.

Set read-only permissions where possible

Your agent doesn't need write access to everything. If it's monitoring your inbox, it needs to read emails, not delete them. If it's tracking your calendar, it needs to view events, not cancel meetings. Least privilege means giving the agent only the access it actually needs.

None of this is exotic. It's standard practice for any internet-connected service. The problem is that OpenClaw doesn't do any of it for you, and the getting-started guides mostly skip it.

| Hardening step | What it prevents | Difficulty | |---|---|---| | Container isolation | Agent accessing host system after a breach | Moderate | | Network restriction (firewall) | Unauthorized external access | Moderate | | Credential encryption (secrets vault) | Plaintext credential theft | High | | Authentication middleware (OAuth) | Unauthenticated access to agent | High | | Read-only permissions | Agent exceeding intended access scope | Low |

Why are community skills a security risk?

Security researchers found that 36% of skills on ClawHub contain security flaws, ranging from sloppy code to skills that send data to unauthorized external servers. Installing a community skill gives that code access to your agent's full environment.

OpenClaw has an ecosystem of community-built "skills," pre-made capabilities you can add to your agent. Need your agent to scrape websites? There's a skill for that. Parse PDFs? Skill. Post to social media? Skill.

Here's the part that should give you pause: security researchers have found that 36% of skills on ClawHub contain security flaws. Our OpenClaw skills guide includes a five-step vetting process for every skill before it touches production.

That's not a typo. More than a third.

Some of these flaws are minor, sloppy code that could crash under edge cases. Others are serious: skills that request more permissions than they need, skills that send data to external servers you didn't authorize, skills that store credentials insecurely.

When you install a community skill, you're giving that code access to your agent's environment. If the skill has a vulnerability, anyone who exploits it gets whatever access the skill had. Your email. Your files. Your API keys.

This isn't hypothetical. SlowMist's security practice guide on GitHub documents real attack patterns that exploit community skills to extract credentials and pivot into connected systems.

The takeaway isn't "never use community skills." It's that every skill needs to be audited before it touches your production agent. Someone needs to read the code, check the permissions, and test it in isolation first. That's a significant operational commitment that most organizations aren't set up for.

What do Microsoft and CrowdStrike recommend?

Both companies have published security guidance specifically about OpenClaw. Their core advice: treat OpenClaw like production infrastructure, use dedicated service accounts, isolate the environment, and add authentication to every endpoint.

Here's what matters for business leaders, without jargon.

Microsoft's core advice is to "avoid installing and running OpenClaw with primary work or personal accounts." Use dedicated service accounts with limited permissions. If your agent's credentials get compromised, the blast radius should be small (a throwaway account, not your CEO's inbox).

Microsoft also recommends:

• Running OpenClaw in an isolated environment (containers, separate virtual machines)
• Implementing authentication on every endpoint
• Monitoring agent activity with logging and alerts
• Reviewing all third-party skills before deployment

CrowdStrike's research found that the majority of exposed instances weren't the result of sophisticated attacks. They were misconfiguration. People followed a tutorial, got their agent working, and never circled back to security. CrowdStrike recommends:

• Binding the gateway to localhost only (127.0.0.1), never 0.0.0.0 (covered in our OpenClaw installation guide)
• Placing OpenClaw behind a reverse proxy with TLS encryption
• Rotating credentials regularly
• Treating your OpenClaw instance like any other production server, because it is one

The common thread: OpenClaw is powerful software that requires the same security discipline as any server that handles sensitive data. For Nashville business leaders evaluating this tradeoff, our Nashville executive's guide to AI agents puts it in local context. The problem isn't the tool. The problem is treating it like a consumer app when it's really enterprise infrastructure.

What does proper OpenClaw security look like?

Proper security means isolated containers, mandatory authentication, encrypted credential storage, IP-restricted network access, manual skill review, and active monitoring for unusual agent behavior. No single measure is sufficient on its own.

We won't pretend this section is objective. We've made specific choices about how to deploy OpenClaw agents, and security drove most of them.

Every agent we deploy runs in an isolated container with no direct internet exposure. Authentication is mandatory. Credentials are stored in a vault, not config files. Network access is restricted to the client's authorized IPs. Every community skill goes through a manual review before it gets anywhere near a production environment.

We also set up monitoring. If your agent starts behaving unusually (making API calls it shouldn't, accessing data outside its scope, running at odd hours) alerts fire. You know about it. We know about it.

This isn't because we're paranoid. It's because an autonomous agent with access to your email, calendar, and business documents is a high-value target. Treating it otherwise is negligent.

If you're weighing the build-vs-buy decision, our breakdown of why self-setup creates hidden risks covers the operational side. The security dimension makes that calculation even more lopsided.

What should you ask any OpenClaw provider?

These seven questions reveal whether a provider takes security seriously. Clear, specific answers to each one are a baseline requirement, whether you work with us or someone else.

Whether you work with us or someone else, these questions will tell you if a provider takes security seriously:

1. Where does the agent run? Look for isolated containers or dedicated virtual machines. "On our shared server" is a red flag.

2. How is authentication handled? There should be a specific answer: OAuth, API keys with rotation, SSO integration. "We turned on the built-in auth" isn't enough because there is no built-in auth worth trusting.

3. Where are credentials stored? A secrets manager or encrypted vault. If they mention config files or environment variables, push harder.

4. How do you vet community skills? There should be a review process. If the answer is "we install whatever looks good on ClawHub," that 36% failure rate applies to your agent.

5. What monitoring is in place? Activity logging, anomaly alerts, and regular access reviews. Your agent runs 24/7; someone should be watching.

6. What happens if credentials are compromised? A clear incident response plan: revoke keys, rotate credentials, assess impact, notify the client. Not "we'll figure it out."

7. How do you handle updates? OpenClaw moves fast. Security patches need to be applied promptly, but updates can also break things. There should be a testing process.

If a provider can't answer these clearly, that tells you something. Understanding the real costs of autonomous AI agents means factoring in the cost of doing security right, or the much higher cost of getting it wrong.

Related guides

• What Is OpenClaw? A Guide for Business Leaders -- understand the platform and its security tradeoffs
• Why You Shouldn't Set Up OpenClaw Yourself -- security is a primary reason to choose managed deployment
• OpenClaw Skills: How They Work and How to Vet Them -- the five-step skill audit process
• OpenClaw Docker Setup: Container Config Explained -- container isolation and gateway binding in practice

Key takeaways

• CrowdStrike found 135,000+ OpenClaw instances exposed on the public internet with no authentication, all due to default configuration settings.
• The three default risks are: gateway bound to all interfaces, no authentication, and plaintext credential storage. All are fixable but none are fixed automatically.
• Security hardening requires container isolation, firewall rules, credential encryption, authentication middleware, and least-privilege permissions.
• 36% of community skills on ClawHub contain security flaws. Every skill needs manual review before production use.
• Microsoft recommends against connecting OpenClaw to primary work or personal accounts without proper isolation.
• An autonomous agent with access to your email and calendar is a higher-value target than a stolen laptop, and should be secured accordingly.
• Ask any provider seven specific questions about isolation, authentication, credential storage, skill vetting, monitoring, incident response, and update handling.

Frequently Asked Questions

Is OpenClaw safe to use for business?

OpenClaw itself is well-built open-source software with an active security community. The safety issues come from deployment: how it's configured, where it runs, and who manages it. With proper hardening (containers, authentication, credential isolation, network restrictions), OpenClaw is safe for business use. Without those measures, it's a liability. The 135,000 exposed instances CrowdStrike found were all configuration failures, not software failures.

What are the biggest OpenClaw security risks?

Three risks stand out. First, the default configuration exposes your instance to the entire internet with no authentication. Second, API keys and credentials stored in plain text can be extracted by anyone who reaches your instance. Third, more than a third of community skills on ClawHub contain security flaws that could compromise your agent's access to connected systems. All three are manageable with proper deployment practices, but none are handled automatically.

Can someone hack my OpenClaw agent?

If your instance is running with default settings and exposed to the internet, yes, trivially. No hacking skill required. Someone just needs to find it, and tools for scanning the internet make that straightforward. With proper security hardening, the risk profile changes dramatically. A containerized, authenticated, network-restricted instance with credential isolation is a fundamentally different target than an open default install.

How do I know if my OpenClaw instance is exposed?

Check the gateway binding in your configuration. If it's set to 0.0.0.0 (the default), your instance accepts connections from any IP address. You can verify by running a port scan on your server's public IP. If port 3000 responds, your agent is reachable from the internet. Change the binding to 127.0.0.1 and place a reverse proxy with authentication in front of it.

What's the minimum security setup for a production OpenClaw agent?

At a minimum, you need container isolation (Docker), the gateway bound to localhost only, a reverse proxy with TLS and authentication, credentials stored in a secrets manager rather than config files, and firewall rules restricting access to known IP addresses. Anything less than this leaves your agent and its connected accounts exposed.

Security-first deployment. That's what we do. If you want an OpenClaw agent that's locked down from day one, let's talk.