OpenClaw Security Breach: CEO's Agent Sold for $25K, 135K Instances Exposed

By OpenClawRadar | Published: April 2, 2026

Critical OpenClaw Security Vulnerabilities

A UK CEO's OpenClaw instance was listed on BreachForums on February 22 under the handle "fluffyduck" and sold for $25,000 in Monero or Litecoin. The buyer gained access to the CEO's fully trained personal AI assistant, including every conversation, the company's production database, Telegram tokens, Trading 212 API keys, and personal family details disclosed to the assistant. All data was stored in plain-text Markdown files under ~/.openclaw/workspace/ with zero encryption at rest.

Cato Networks VP of Threat Intelligence Etay Maor stated at RSAC 2026: "Your AI? It's my AI now." SecurityScorecard has identified 135,000 OpenClaw instances exposed on the public internet with insecure defaults.

5-Minute Security Check

Check 1: Gateway Exposure (30 seconds)

Run: openclaw config get | grep -E "host|bind"

If you see 0.0.0.0 or nothing at all, your agent is reachable by anyone who finds your IP and port. CVE-2026-25253 (CVSS 8.8) allowed JavaScript on attacker-controlled webpages to silently open WebSocket connections to local OpenClaw gateways, stealing auth tokens and granting full control. Patched in version 2026.1.29.

Fix:

{ "gateway": { "host": "127.0.0.1" } }

Access it remotely through an SSH tunnel only: ssh -L 18789:localhost:18789 user@your-vps

Check 2: Authentication Status (30 seconds)

Run: openclaw config get | grep -E "auth|token"

Researcher fmdz387 found nearly a thousand publicly accessible OpenClaw instances with zero authentication in late January. He could access API keys, Telegram tokens, Slack accounts, full chat histories, and execute admin commands.

Fix: Generate a token with openssl rand -hex 24 and put it under gateway.auth.token. Store it in .env rather than hardcoding it in the JSON config.

Check 3: Plaintext API Keys (30 seconds)

Run: cat ~/.openclaw/openclaw.json | grep -i "key\|token\|secret"

OpenClaw stores everything in plain-text Markdown and JSON. If your Anthropic key, OpenAI key, or any credentials are visible, they're one breach away from being compromised.

Fix: Move credentials to .env and lock permissions:

chmod 700 ~/.openclaw/credentials
chmod 600 ~/.openclaw/openclaw.json

Rotate your API keys today if they were ever exposed.
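Checks 1 to 3 can be run in one pass over the config file. The script below is an added example, not OpenClaw's own tooling: only gateway.host and gateway.auth.token come from this article, while the "${VAR}" placeholder convention for values loaded from .env and the providers.anthropic.apiKey field in the sample are assumptions made for illustration.

```python
import json, os, re, stat, tempfile

SECRET_NAME = re.compile(r"key|token|secret", re.I)   # same pattern as the Check 3 grep
LOOPBACK = ("127.0.0.1", "::1", "localhost")

def find_secrets(node, path=""):
    """Yield dotted paths of literal string values whose key name looks like a credential."""
    if isinstance(node, dict):
        for k, v in node.items():
            p = f"{path}.{k}" if path else k
            # Assumption: a value written as "${VAR}" is read from .env, so it is not a literal secret.
            if isinstance(v, str) and v and SECRET_NAME.search(k) and not v.startswith("${"):
                yield p
            else:
                yield from find_secrets(v, p)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from find_secrets(v, f"{path}[{i}]")

def audit(config_path):
    """Return a list of findings for Checks 1-3; an empty list means all three pass."""
    findings = []
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"perms: {oct(mode)} is readable beyond the owner, expected 0o600")
    with open(config_path) as fh:
        cfg = json.load(fh)
    gateway = cfg.get("gateway") or {}
    host = gateway.get("host")
    if host not in LOOPBACK:  # a missing host is treated as exposed, as Check 1 states
        findings.append(f"gateway.host: {host!r} is not loopback")
    if not (gateway.get("auth") or {}).get("token"):
        findings.append("gateway.auth.token: not set")
    findings += [f"plaintext secret: {p}" for p in find_secrets(cfg)]
    return findings

def demo():
    """Audit a constructed sample config (hypothetical field names, not a real OpenClaw file)."""
    sample = {"gateway": {"host": "0.0.0.0"},
              "providers": {"anthropic": {"apiKey": "sk-constructed-example"}}}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "openclaw.json")
        with open(path, "w") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        return audit(path)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

To audit a real install, call audit() with the expanded path to ~/.openclaw/openclaw.json instead of running demo().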

Check 4: Installed Skills (60 seconds)

Run: openclaw skills list

820+ malicious skills have been confirmed on ClawHub. The ClawHavoc campaign planted hundreds of professional-looking skills that silently exfiltrated .env files to external servers. At peak, roughly 1 in 12 skills on ClawHub was compromised.

For every skill whose source code you haven't personally reviewed: read it now, or remove it with openclaw skills uninstall <skill-name>

Restrict installs:

{ "skills": { "allowSources": ["clawhub:verified"] } }

Check 5: Version Status (30 seconds)

Run: openclaw --version

OpenClaw has no automatic update mechanism. 255+ security advisories have been published to the GitHub GHSA page as of mid-March.

Update:

npm install -g openclaw@latest
openclaw doctor --deep

Read the output carefully.

Read the full source: r/openclaw
