Security audit reveals vulnerabilities in OpenClaw skill ecosystem

OpenClaw security vulnerabilities discovered
A detailed security audit of OpenClaw's codebase and skill library revealed multiple security concerns that developers should be aware of when running the system in production environments.
Documented CVEs and exploitation
The audit identified 8 documented Common Vulnerabilities and Exposures (CVEs), including:
- Arbitrary code execution through unvetted skills
- Credential theft via skill injection
- Prompt extraction from untrusted inputs
Some of these vulnerabilities were actively exploited according to the vulnerability disclosure repository.
Skill library security issues
The shared skills repository contains over 900 skills. Static analysis revealed:
- Approximately 15% exhibited suspicious network behavior (phoning home to unknown domains)
- Dependency confusion attacks in popular skills
- Skills that quietly exfiltrate environment variables
While this pattern isn't unique to OpenClaw—it's common in any plugin/skills system that executes unvetted code—the auditor noted it was surprising given the "secure self-hosted" positioning.
Alternative implementation approach
The auditor migrated to a minimal Rust-based runtime that runs locally on Ollama using qwen2.5:14b. This approach eliminates the plugin ecosystem and shared skills, focusing only on necessary primitives for their use case.
The new architecture uses a task runner that delegates to Claude Code for heavy lifting while keeping it isolated from the main loop. This isolation prevents the permanent companion agent from being exposed to attack surfaces outside the developer's control.
The migration took approximately 48 hours to implement basic functionality, with the main challenge being architectural rethinking for "permanent companion" versus "on-demand tool" paradigms.
Security recommendations
For developers running OpenClaw in production:
- Audit your skills thoroughly
- Lock down skill execution permissions
- Assume any untrusted skill can perform any action your agent can execute
- Prioritize threat modeling over feature richness
📖 Read the full source: r/LocalLLaMA
👀 See Also

Secure Remote Access with Tailscale for OpenClaw

Claude Code Plugin Bug Causes CPU Spikes and Battery Drain
A user discovered that Claude Code's Telegram plugin spawns multiple bun.exe processes that run at 100% CPU even with the laptop lid closed, causing rapid battery drain. The processes survive sleep/wake cycles and require specific cleanup steps to remove.

Sandboxing AI Agents with WebAssembly: Zero Authority by Default
Cosmonic argues that traditional sandboxing (seccomp, bubblewrap) fails for AI agents due to ambient authority. WebAssembly's capability-based model grants zero authority by default, requiring explicit imports for filesystem, network, or credentials.

MCP Server CVE Exposure Mapping and Public API Released
Researchers have mapped CVE exposure across thousands of MCP servers and built a public API for querying dependency vulnerabilities. The API allows searching by repo/name, filtering by severity, and sorting by CVE count or recency.