OpenClaw Security: Sandboxing, Approvals, and the Malicious-Skills Problem
OpenClaw security 2026: 341 malicious skills bypassed the scanner, 40,214 exposed instances, 41.7% of skills vulnerable, no sandboxing or approvals built in.
OpenClaw security is the set of unsolved problems around running the open-source agent framework OpenClaw safely: skills with no permissions boundary, instances exposed to the open internet, and a skills marketplace with no vetting mechanism. As of mid-2026, none of these are solved at the framework level — they are solved (or not) by whoever operates the agent.
The scale of the exposure
SecurityScorecard found 40,214 internet-exposed OpenClaw instances, with 35.4% flagged as vulnerable — meaning over a third of publicly reachable installs have a known weakness an attacker can probe for. eSecurityPlanet’s audit of 2,890 OpenClaw skills found 41.7% contained serious vulnerabilities, and 99.3% shipped with no permissions manifest at all — skills request access to whatever they want, and there’s no declared-scope file for an operator to check against.
The malicious-skills problem
Koi Security’s “ClawHavoc” research identified 341 malicious skills that passed OpenClaw’s official scanner undetected — not flagged as suspicious, not quarantined, just live in the ecosystem. ClawHub, the official skills marketplace, lists 2,800–5,700+ skills and has zero paid-listing or vetting mechanism; anyone can publish. This is the direct cause of the “sandboxing and approvals” search intent — operators are asking for the control layer the framework doesn’t ship with.
What’s missing, named by the industry
At GTC 2026, Mistral CEO Arthur Mensch named the specific gaps enterprises hit when they try to run agent frameworks like OpenClaw at scale: “identity management for agents, audit trails for agent actions, role-based access controls at the agent level, and centralized control planes”. None of these four ship in OpenClaw core. Each is a category enterprise security vendors are now selling separately — see who actually pays for AI agent security for the acquisition numbers behind that market.
Why the framework itself won’t fix this soon
OpenClaw is not resourced to build a security layer. The project ran at a $10–20k/month loss funded by its creator; OpenAI hired that creator, Steinberger, in February 2026; and Anthropic blocked Claude subscription auth from OpenClaw in April 2026, cutting off one of its model backends. A project in that position ships features, not a governance layer — that gap gets filled by third parties, or it doesn’t get filled.
What operators do about it today
There is no single fix; operators combine partial measures:
- Managed hosting with hardened defaults (14+ vendors, $2.99–299/mo) instead of a bare self-hosted install
- Manual review of skills before installing them, since ClawHub doesn’t vet
- Network isolation — not exposing the instance to the open internet, which the 40,214-instance figure above suggests most operators skip
- Third-party control planes that add the identity/audit/RBAC layer Mensch described, since OpenClaw doesn’t ship one
Related
- Who Actually Pays for AI Agents in 2026? We Traced the Money
- Agent governance and the EU AI Act
- Security & trust
- Adversarial agent review
- Sovereign agent substrate
Sources
- https://www.koi.ai/blog/clawhavoc
- https://securityscorecard.com/blog/how-exposed-openclaw-deployments-turn-agentic-ai-into-an-attack-surface/
- https://www.esecurityplanet.com/threats/over-41-of-popular-openclaw-skills-found-to-contain-security-vulnerabilities/
- https://newclawtimes.com/articles/openclaw-enterprise-security-governance-challenges-gtc-2026-huang-mensch-chase/
- https://www.the-ai-corner.com/p/openai-openclaw-peter-steinberger-lessons
- https://techcrunch.com/2026/02/15/openclaw-creator-peter-steinberger-joins-openai/
- https://venturebeat.com/technology/anthropic-cuts-off-the-ability-to-use-claude-subscriptions-with-openclaw-and