Security audit reveals vulnerabilities in OpenClaw skill ecosystem
OpenClaw security vulnerabilities discovered
A detailed security audit of OpenClaw's codebase and skill library revealed multiple security concerns that developers should be aware of when running the system in production environments.
Documented CVEs and exploitation
The audit identified 8 documented Common Vulnerabilities and Exposures (CVEs), including:
- Arbitrary code execution through unvetted skills
- Credential theft via skill injection
- Prompt extraction from untrusted inputs
Some of these vulnerabilities were actively exploited according to the vulnerability disclosure repository.
Skill library security issues
The shared skills repository contains over 900 skills. Static analysis revealed:
- Approximately 15% exhibited suspicious network behavior (phoning home to unknown domains)
- Dependency confusion attacks in popular skills
- Skills that quietly exfiltrate environment variables
While this pattern isn't unique to OpenClaw—it's common in any plugin/skills system that executes unvetted code—the auditor noted it was surprising given the "secure self-hosted" positioning.
Alternative implementation approach
The auditor migrated to a minimal Rust-based runtime that runs locally on Ollama using qwen2.5:14b. This approach eliminates the plugin ecosystem and shared skills, focusing only on necessary primitives for their use case.
The new architecture uses a task runner that delegates to Claude Code for heavy lifting while keeping it isolated from the main loop. This isolation prevents the permanent companion agent from being exposed to attack surfaces outside the developer's control.
The migration took approximately 48 hours to implement basic functionality, with the main challenge being architectural rethinking for "permanent companion" versus "on-demand tool" paradigms.
Security recommendations
For developers running OpenClaw in production:
- Audit your skills thoroughly
- Lock down skill execution permissions
- Assume any untrusted skill can perform any action your agent can execute
- Prioritize threat modeling over feature richness
📖 Read the full source: r/LocalLLaMA
👀 See Also
Bitwarden Agent Access SDK integrates with OneCLI for secure credential injection
Bitwarden's new Agent Access SDK enables AI agents to access credentials from Bitwarden's vault with human approval, while OneCLI acts as a gateway that injects credentials at the network layer without exposing raw values to agents.
OpenClaw Skill Safety Scanner: 7.6% of 31,371 Skills Flagged as Dangerous
A developer built a tool that scanned the entire ClawHub registry and found 2,371 out of 31,371 skills contain dangerous patterns like wallet drainers, credential theft, and prompt injection. The tool provides API access and badges for checking skills before installation.
Critical OpenClaw Security Vulnerabilities Patched in 2026.3.28
OpenClaw version 2026.3.28 patches 8 critical security vulnerabilities found by Ant AI Security Lab, including sandbox bypass, privilege escalation, and SSRF risks. Users on versions ≤2026.3.24 should update immediately.
MCPwner AI Pentesting Tool Finds Multiple 0-Day Vulnerabilities in OpenClaw
MCPwner, an MCP server that orchestrates AI agents for automated penetration testing, identified several critical 0-day vulnerabilities in OpenClaw including environment variable injection, permission bypass, and information disclosure flaws that standard scanners missed.