OpenClaw gives your AI agent access to your files, your messages, your terminal, and your API keys. That's what makes it powerful. It's also what makes a bad setup genuinely dangerous.

In March 2026, security researchers disclosed multiple CVEs against OpenClaw — including one (CVE-2026-25253, "ClawJacked") that allowed any malicious website to fully hijack your agent through a localhost WebSocket exploit. The chain could disable your sandbox, escape Docker, and gain full remote code execution on your machine, all from clicking one link.

These aren't theoretical risks. They've happened to real deployments.

🔴 Mistake #1: Running Without Docker Isolation

The risk: Without Docker, your agent runs directly on your host OS. If it gets tricked by a prompt injection attack, it has full access to everything on your machine.

How it happens: The default installation guide is simple: npm install -g openclaw. Done. You're running. But you're running without any isolation between your agent and your operating system.

The Fix:

  • Always run OpenClaw inside Docker containers
  • Use the official docker-compose.yml from the OpenClaw repo
  • Set tools.exec.host to sandbox (never gateway)
  • Limit container access with proper volume mounts — only share what the agent needs
⏱ Time to fix: 30 minutes (5 min if already on Docker)

🔴 Mistake #2: Exposing API Keys in Logs and Chat

The risk: Your agent can accidentally leak API keys, passwords, and secrets in chat messages, log files, or error outputs. If someone gains access to your logs, they get your keys.

How it happens: You paste an API key into chat. Your agent logs a debug error with your Anthropic key. Your workspace files contain credentials in plaintext. Or a prompt injection tricks your agent into forwarding your .env file.

The Fix:

  • Never paste API keys into chat — use .env files and environment variables
  • Add .env to your .gitignore (do this NOW)
  • Set exec.approvals to require confirmation for sensitive commands
  • Search workspace files for hardcoded keys, tokens, or passwords
  • Rotate API keys every 30-90 days
โฑ Time to fix: 15 minutes for a thorough sweep

🔴 Mistake #3: Not Updating OpenClaw

The risk: OpenClaw has had multiple critical CVEs in early 2026. Older versions are vulnerable to known exploits with published attack code.

CVE-2026-25253 (ClawJacked): Any website can hijack your agent via localhost WebSocket. Full RCE chain.

CVE-2026-24763 & CVE-2026-25157: Command injection through unsanitized gateway inputs.

CVE-2026-22708: Indirect prompt injection via web browsing — malicious content can execute commands.

The Fix:

  • Update to v2026.2.25 or later (patches ClawJacked)
  • Enable automatic update checks
  • Subscribe to OpenClaw's security announcements on GitHub
โฑ Time to fix: 5 minutes

🔴 Mistake #4: Leaving the Control UI Exposed

The risk: The web-based Control UI runs on a local port. If you've forwarded that port or are on a VPS without a firewall, anyone on the internet can access your agent's admin panel.

The ClawJacked attack specifically exploited this — even localhost-only UIs could be reached through WebSocket from your browser.

The Fix:

  • Never expose the Control UI port to the public internet
  • Use SSH tunnels or VPN for remote access
  • Configure your firewall to block all incoming except SSH + messaging
  • If you must expose it: strong auth + HTTPS + IP allowlisting
โฑ Time to fix: 20 minutes to audit

🔴 Mistake #5: Installing Unverified ClawHub Skills

The risk: ClawHub has 700+ community skills. As of March 2026, 341 have been flagged as malicious. A bad skill can execute arbitrary code, exfiltrate data, or modify your agent silently.

How it happens: You install a "Gmail integration" skill from ClawHub. It works — but also quietly forwards your email contents to an external server.

The Fix:

  • Only install from verified publishers or the official library
  • Read the SKILL.md and scripts before installing
  • Use OpenClaw's permission system to limit what skills can do
  • Check the GitHub repo: stars, contributors, last update
  • When in doubt, build your own
โฑ Ongoing: 5 minutes per skill to review

⚡ The 5-Minute Security Checklist

Run through this right now:

  • Running inside Docker? (not bare metal)
  • .env file exists and is in .gitignore?
  • No API keys hardcoded in workspace files?
  • OpenClaw version is v2026.2.25 or later?
  • Control UI port NOT exposed to the internet?
  • Firewall configured (only SSH + messaging ports)?
  • exec.approvals requires confirmation for sensitive commands?
  • All installed skills reviewed and from trusted sources?
  • API keys rotated in the last 90 days?
  • Sandbox mode enabled?

If you checked all 10, you're in the top 5% of OpenClaw deployments. Seriously.

Want a Professional Security Audit?

ClawReady's $49 Security & Cost Audit covers everything above and more: 25-point security checklist, API key exposure scan, Docker isolation verification, CVE status check, model routing optimization, and a written report with prioritized action items.

Most setups have 2-3 issues we catch that the owner didn't know about. One leaked API key can cost more than $49 in the first hour.

Book Your $49 Audit →

ClawReady is an independent OpenClaw setup and security service. We're not affiliated with the OpenClaw project. We just know it inside and out.