Is OpenClaw safe to use in 2026?
The honest answer: OpenClaw itself is powerful software. But self-hosting it without proper security knowledge has led to 42,000+ exposed instances, 6 CVEs, and hundreds of malicious skills. Here is what you need to know.
The security landscape in 2026
42,000+ exposed instances
Security researchers at Bitsight and Censys found over 42,000 OpenClaw instances directly accessible from the internet. Many had no authentication, meaning anyone could connect to someone else's AI agent, read their messages, access their files, and execute commands on their server.
6 CVEs in 2026 alone
Multiple critical vulnerabilities were discovered including CVE-2026-24763, CVE-2026-25157, and CVE-2026-25253 (a one-click remote code execution bug). Path traversal in browser uploads, SSRF in the image tool, and WebSocket hijacking (ClawJacked) were also found and patched.
824+ malicious ClawHub skills
Researchers at Koi Security found that out of 10,700 skills on ClawHub, hundreds contained malware, crypto miners, and data exfiltration code. Installing a skill from ClawHub is like installing an npm package: you trust the author with access to your system.
Prompt injection and data leakage
Palo Alto Networks described OpenClaw as a "lethal trifecta": access to private data, exposure to untrusted content, and the ability to communicate externally. Microsoft's Security Blog published a full analysis of identity, isolation, and runtime risks.
Why do these problems happen?
OpenClaw is powerful open-source software. The security problems are almost entirely caused by how people deploy it, not the software itself:
- Exposed gateway ports — binding to 0.0.0.0 instead of localhost, making the control panel accessible from anywhere on the internet
- No firewall — running on a VPS without UFW or iptables means every listening port is reachable from the internet by default
- Skipping authentication — using dangerouslyDisableDeviceAuth for convenience, removing the only barrier between your agent and the world
- Installing untrusted skills — grabbing popular-looking skills from ClawHub without reading the code first
- Not updating — running old versions with known CVEs because updating might break the config
The common thread: these are infrastructure problems. If you know Linux security, firewalls, reverse proxies, and keep up with CVE patches, self-hosting can be safe. Most people do not.
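A self-audit for the first three items in the list above, as an added example (not OpenClaw or PlugAndClaw code): it flags listeners bound to non-loopback addresses on ports other than SSH, HTTP and HTTPS, and finds dangerouslyDisableDeviceAuth set to a truthy value in a config. It assumes `ss -ltnH` output and a JSON config; the sample input, port numbers and config nesting are constructed, and both function names are hypothetical.

```python
import json

LOOPBACK_PREFIXES = ("127.", "[::1]")

def exposed_listeners(ss_output, allowed_ports=(22, 80, 443)):
    """Return (address, port) for each listener in `ss -ltnH` output that is
    bound to a non-loopback address on a port outside allowed_ports."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")  # handles [::]:8081 too
        addr = addr.split("%")[0]  # drop interface suffix, e.g. 127.0.0.53%lo
        if not port.isdigit() or addr.startswith(LOOPBACK_PREFIXES):
            continue
        if int(port) not in allowed_ports:
            findings.append((addr, int(port)))
    return findings

def auth_disabled_paths(config, key="dangerouslyDisableDeviceAuth", path=""):
    """Walk parsed JSON and return the dotted path of every truthy `key`."""
    hits = []
    if isinstance(config, dict):
        for name, value in config.items():
            here = f"{path}.{name}" if path else name
            if name == key and value:
                hits.append(here)
            hits.extend(auth_disabled_paths(value, key, here))
    elif isinstance(config, list):
        for i, value in enumerate(config):
            hits.extend(auth_disabled_paths(value, key, f"{path}[{i}]"))
    return hits

# Constructed sample of `ss -ltnH` output; ports 9999 and 8081 are made up.
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 511  0.0.0.0:443    0.0.0.0:*
LISTEN 0 511  0.0.0.0:9999   0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128  [::1]:6379     [::]:*
LISTEN 0 511  [::]:8081      [::]:*
"""
# Constructed config; the nesting under "gateway" is an assumption.
SAMPLE_CONFIG = json.loads('{"gateway": {"dangerouslyDisableDeviceAuth": true}}')

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"non-loopback listener: {addr}:{port}")
    for hit in auth_disabled_paths(SAMPLE_CONFIG):
        print(f"device auth disabled at: {hit}")
```

The listener check reads socket state, not reachability, so a wildcard bind that a firewall already blocks is still reported.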
How PlugAndClaw eliminates these risks
Dedicated VPS per user
Your assistant runs on its own Hetzner server. Not a shared container. Not a multi-tenant cluster. Your own machine with complete filesystem isolation.
LUKS2 full-disk encryption
Every VPS has full-disk encryption with a unique key. Even if someone physically accessed the datacenter hardware, your data is encrypted at rest.
No exposed ports
Gateway binds to localhost only. UFW firewall allows only SSH, HTTP, and HTTPS. The control panel is behind Caddy reverse proxy with HTTPS. You cannot accidentally expose your instance.
Device pairing required
Telegram DM access requires device pairing by default. No dangerouslyDisableDeviceAuth. No open DM policy. Only your approved devices can talk to your assistant.
Automatic security updates
OpenClaw updates are applied automatically. When CVEs are patched upstream, your instance gets the fix without you lifting a finger.
No ClawHub marketplace risk
We pre-install only vetted skills. You are never exposed to the ClawHub skill marketplace where 824+ malicious packages were found.
Self-hosted vs managed security
| Security measure | Self-hosted (typical) | PlugAndClaw |
|---|---|---|
| Firewall configured | Sometimes | Always (UFW, 3 ports only) |
| Gateway bound to localhost | Often missed | Always |
| HTTPS enforced | If you set up Caddy/nginx | Always (auto-TLS via Caddy) |
| Full-disk encryption | Almost never | Always (LUKS2) |
| Device pairing required | Often disabled | Always enforced |
| CVE patches applied | When you remember | Automatic daily updates |
| Malicious skill protection | Read code yourself | Only vetted skills pre-installed |
| Daily backups | If you set up cron | Automatic |
Skip the security headaches
Hardened VPS, encrypted disk, automatic updates. Your assistant is live in under 1 minute.
Deploy Securely Now
$39.50/month · 7-day money-back guarantee · Cancel anytime