ClawHosters ClawHosters
Subs -30% SUB30
Cisco Calls OpenClaw 'An Absolute Security Nightmare'
$ ./blog/news
News

Cisco Calls OpenClaw 'An Absolute Security Nightmare'

ClawHosters
ClawHosters by Daniel Samer
3 min read

On January 28, Cisco's AI Threat and Security Research team published a security assessment that didn't hold back. OpenClaw, they wrote, is "a dream for busy professionals" but "an absolute nightmare from a security perspective." Three researchers (Amy Chang, Vineeth Sai Narajala, Idan Habler) laid out four attack vectors that make the platform dangerous in its default configuration.

The Four Threat Vectors

Cisco identified shell command execution, file system access, API key leakage via prompt injection, and messaging app integrations (WhatsApp, iMessage) as the primary attack surfaces. The core problem? OpenClaw was built to run locally on your machine. It trusts the environment it lives in. When users expose it to the internet without hardening, that trust model falls apart.

The team also released an open-source Skill Scanner and ran it against 31,000 ClawHub skills. The result: 26% contained at least one vulnerability. A test skill called "What Would Elon Do?" silently exfiltrated user data via curl commands. The scanner flagged it with 9 findings, 2 of them critical.

The Wider Crisis

Cisco's report didn't land in a vacuum. That same week, security researcher Mav Levin disclosed CVE-2026-25253, a CVSS 8.8 one-click RCE vulnerability. A victim visits a malicious link, and the attacker gets full code execution on the host. Patched in v2026.1.29, but the damage window was real.

Days later, Koi Security revealed the ClawHavoc campaign: 341 malicious skills planted in ClawHub, 335 of which deployed Atomic macOS Stealer targeting crypto credentials. And independent researcher Maor Dayan scanned the internet and found 42,665 exposed OpenClaw instances. 93.4% had authentication bypassed.

That's not a bug. That's an architecture deployed in ways it was never designed for.

What This Means for You

If you're self-hosting OpenClaw, the CDP Institute's summary puts it well: these agents "execute actions and move data across systems without triggering standard controls." You need authentication enabled, network isolation, and regular updates at minimum. Our security hardening guide covers the specifics.

If you'd rather skip the infrastructure work, ClawHosters handles it for you. Every instance runs in an isolated container with authentication enforced by default, restricted network access, and patches applied within hours of release. The safety scanner runs automatically on all managed instances.

Frequently Asked Questions

OpenClaw is safe if properly configured. The Cisco team's concerns target default deployments with no authentication and unrestricted network access. Enable auth, restrict shell access, vet your skills, and keep your version current. Managed hosting removes most of these risks by design.

Cisco scanned 31,000 ClawHub skills and found 26% had at least one vulnerability. One test skill silently sent user data to an external server via curl. The scanner is open-source if you want to audit skills yourself.

Yes. ClawHosters enforces authentication on all instances, runs each customer in an isolated container, restricts network access to prevent SSRF-style attacks, and applies security patches within hours of release.
*Last updated: February 2026*

Sources

  1. 1 published a security assessment
  2. 2 CVE-2026-25253
  3. 3 Koi Security revealed the ClawHavoc campaign
  4. 4 scanned the internet
  5. 5 CDP Institute's summary
  6. 6 security hardening guide
  7. 7 ClawHosters
  8. 8 safety scanner
$ ./related --posts