⚠️ Security Warning: OpenClaw grants AI full system access ⚠️

NOT FOR EVERYONE

OpenClaw gives AI agents FULL ACCESS to your system.
Read the risks. Then decide.

Real Incidents (Not Hypothetical)

These are documented security issues from official sources.

critical

Cisco Discovers Malicious Skill "What Would Elon Do?"

A popular skill in OpenClaw's marketplace was found to contain active data exfiltration and prompt injection attacks.

  • 9 security findings: 2 critical, 5 high severity
  • Skill executed curl commands to send data to external servers
  • Direct prompt injection bypassed safety guidelines
  • Skill was artificially inflated to rank #1 in marketplace
Status: Cisco released open-source Skill Scanner tool View Source →

high

iMessage Auto-Sends Pairing Codes to Strangers

OpenClaw's iMessage integration with dmPolicy='pairing' automatically responds to ANY unknown contact with pairing codes.

  • Information disclosure: strangers learn you run an AI assistant
  • Social engineering attack vector
  • No rate limiting on auto-responses
Status: Reported, pending fix View Source →

high

Security Restrictions Bypassed by exec Tool

Setting commands.restart=false blocks the gateway tool, but the exec tool can still run 'openclaw gateway restart'.

  • Security policies can be circumvented
  • Inconsistent enforcement of restrictions
  • exec tool implies high trust but bypasses controls
Status: PR #5018 in progress View Source →
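
One way to get the consistent enforcement this issue calls for, as an added example that is not OpenClaw's code or the change in PR #5018: every tool asks the same policy function before acting. The `authorize` function, the policy dictionary, and the launcher and shell lists are assumptions made for illustration; only `commands.restart` and `openclaw gateway restart` come from the page.

```python
import os
import shlex

# Hypothetical model of the page's setting; names other than
# commands.restart and `openclaw gateway restart` are assumptions.
POLICY = {"commands.restart": False}
WRAPPERS = {"sudo", "env", "nohup", "command", "exec"}  # assumed launcher list
SHELLS = {"sh", "bash", "zsh"}

def split_commands(cmdline):
    """Tokenize like a POSIX shell and split on control operators (; && || |)."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    cmds, cur = [], []
    for tok in lex:
        if tok and set(tok) <= set(";&|()"):
            cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    return [c for c in cmds + [cur] if c]

def invokes_restart(argv, depth):
    """True if one simple command resolves to `openclaw gateway restart`."""
    argv = list(argv)
    while argv and (os.path.basename(argv[0]) in WRAPPERS or "=" in argv[0]):
        argv.pop(0)  # strip launchers and VAR=value prefixes
    if not argv:
        return False
    head = os.path.basename(argv[0])
    if head in SHELLS and "-c" in argv[:-1]:
        # Re-parse the string handed to `sh -c`; cap recursion, fail closed.
        inner = argv[argv.index("-c") + 1]
        return depth >= 3 or command_restarts_gateway(inner, depth + 1)
    return head == "openclaw" and argv[1:3] == ["gateway", "restart"]

def command_restarts_gateway(cmdline, depth=0):
    try:
        return any(invokes_restart(a, depth) for a in split_commands(cmdline))
    except ValueError:  # unbalanced quotes: cannot reason about it, fail closed
        return True

def authorize(tool, request, policy=POLICY):
    """One decision point consulted by every tool, not just the gateway tool."""
    if tool == "gateway":
        wants_restart = request == "restart"
    elif tool == "exec":
        wants_restart = command_restarts_gateway(request)
    else:
        wants_restart = False
    return (not wants_restart) or bool(policy.get("commands.restart", False))
```

Matching command strings at the exec layer is a backstop only; the restart operation itself should consult the policy so the answer does not depend on which tool asked.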

medium

Subagent Sandbox Boundary Failure

Subagent sessions can bypass sandbox restrictions for cross-session reads, and browser proxy allows path traversal.

  • Cross-session data leakage
  • Browser proxy reads files based on user-provided paths
  • Path traversal risk for file exfiltration
Status: Feature request, pending hardening View Source →

  • 119k+ GitHub Stars
  • 4 Verified Security Issues
  • 26% AI Skills Have Vulnerabilities*
  • $2000+ Potential API Bill/Day

* Academic research on 31,132 agent skills (arXiv 2601.10338)