OpenClaw Security Breach: CEO's Agent Sold for $25K, 135K Instances Exposed

Critical OpenClaw Security Vulnerabilities
A UK CEO's OpenClaw instance was listed on BreachForums on February 22 under the handle "fluffyduck" and sold for $25,000 in Monero or Litecoin. The buyer gained access to the CEO's fully trained personal AI assistant, including every conversation, the company's production database, Telegram tokens, Trading 212 API keys, and personal family details disclosed to the assistant. All data was stored in plain-text Markdown files under ~/.openclaw/workspace/ with zero encryption at rest.
Cato Networks VP of Threat Intelligence Etay Maor stated at RSAC 2026: "Your AI? It's my AI now." SecurityScorecard has identified 135,000 OpenClaw instances exposed on the public internet with insecure defaults.
5-Minute Security Check
Check 1: Gateway Exposure (30 seconds)
Run: openclaw config get | grep -E "host|bind"
If you see 0.0.0.0 or nothing at all, your agent is reachable by anyone who finds your IP and port. CVE-2026-25253 (CVSS 8.8) allowed JavaScript on attacker-controlled webpages to silently open WebSocket connections to local OpenClaw gateways, stealing auth tokens and granting full control. Patched in version 2026.1.29.
Fix:
{ "gateway": { "host": "127.0.0.1" } }
Access remotely through an SSH tunnel only: ssh -L 18789:localhost:18789 user@your-vps
Check 2: Authentication Status (30 seconds)
Run: openclaw config get | grep -E "auth|token"
Researcher fmdz387 found nearly a thousand publicly accessible OpenClaw instances with zero authentication in late January. He could access API keys, Telegram tokens, Slack accounts, full chat histories, and execute admin commands.
Fix: Generate a token with openssl rand -hex 24 and put it under gateway.auth.token. Store it in .env, not hardcoded in the JSON config.
Check 3: Plaintext API Keys (30 seconds)
Run: cat ~/.openclaw/openclaw.json | grep -i "key\|token\|secret"
OpenClaw stores everything in plain-text Markdown and JSON. If your Anthropic key, OpenAI key, or any credentials are visible, they're one breach away from being compromised.
Fix: Move credentials to .env and lock permissions:
chmod 700 ~/.openclaw/credentials
chmod 600 ~/.openclaw/openclaw.json
Rotate your API keys today if they were ever exposed.
Check 4: Installed Skills (60 seconds)
Run: openclaw skills list
820+ malicious skills have been confirmed on ClawHub. The ClawHavoc campaign planted hundreds of professional-looking skills that silently exfiltrated .env files to external servers. At peak, roughly 1 in 12 skills on ClawHub was compromised.
For every skill whose source code you have not personally reviewed: read it now, or remove it with openclaw skills uninstall <skill-name>
Restrict installs:
{ "skills": { "allowSources": ["clawhub:verified"] } }
Check 5: Version Status (30 seconds)
Run: openclaw --version
OpenClaw has no automatic update mechanism. 255+ security advisories have been published to the GitHub GHSA page as of mid-March.
Update:
npm install -g openclaw@latest
openclaw doctor --deep
Read the output carefully.
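Checks 1 through 4 above, folded into one config audit. This is an added example, not code from the article or the OpenClaw project; it assumes the config keys the article names (gateway.host, gateway.auth.token, skills.allowSources) and, as a further assumption, treats values written as ${NAME} as references resolved from .env rather than literal secrets.

```python
import json
import os
import re
import stat

# Key names the article greps for when hunting plaintext credentials.
SECRET_NAME = re.compile(r"key|token|secret", re.IGNORECASE)

def is_env_ref(value):
    # Assumption: a value written as ${NAME} is resolved from .env, not stored literally.
    return isinstance(value, str) and value.startswith("${") and value.endswith("}")

def walk(node, path=""):
    # Yield (dotted.path, leaf value) for every leaf of a nested JSON object.
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    else:
        yield path, node

def audit_config(cfg):
    """Return findings mirroring checks 1 (bind), 2 (auth), 3 (plaintext keys) and the skills restriction."""
    findings = []
    gateway = cfg.get("gateway", {})
    if gateway.get("host") in (None, "0.0.0.0"):
        findings.append("gateway.host: unset or 0.0.0.0, gateway listens on every interface")
    if not gateway.get("auth", {}).get("token"):
        findings.append("gateway.auth.token: missing, gateway has no authentication")
    if cfg.get("skills", {}).get("allowSources") != ["clawhub:verified"]:
        findings.append("skills.allowSources: not restricted to clawhub:verified")
    for path, value in walk(cfg):
        leaf = path.rsplit(".", 1)[-1]
        if SECRET_NAME.search(leaf) and isinstance(value, str) and value and not is_env_ref(value):
            findings.append(f"{path}: literal secret stored in JSON, move it to .env")
    return findings

def audit_mode(path, max_mode):
    """True if `path` grants no permission bits beyond `max_mode` (e.g. 0o600 for openclaw.json)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & ~max_mode) == 0

# Constructed sample configs: the insecure defaults the article describes, and the hardened form.
INSECURE = json.loads('{"gateway": {"host": "0.0.0.0"}, "providers": {"anthropic": {"apiKey": "sk-ant-EXAMPLE"}}}')
HARDENED = {"gateway": {"host": "127.0.0.1", "auth": {"token": "${OPENCLAW_GATEWAY_TOKEN}"}},
            "skills": {"allowSources": ["clawhub:verified"]},
            "providers": {"anthropic": {"apiKey": "${ANTHROPIC_API_KEY}"}}}

if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(name, audit_config(cfg) or ["no findings"])
```

Run it against the real file with audit_config(json.load(open(os.path.expanduser("~/.openclaw/openclaw.json")))) and audit_mode on that path with 0o600.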
📖 Read the full source: r/openclaw