Developers across the globe have quickly taken to running OpenClaw at home, with Censys tracking over 21,000 publicly exposed deployments in just under a week. However, the rapid adoption of this open-source AI agent has raised significant security concerns. Bitdefender’s GravityZone telemetry revealed that employees were deploying OpenClaw on corporate machines with single-line install commands, granting the agent shell access, file system privileges, and OAuth tokens to sensitive services like Slack, Gmail, and SharePoint.
Two critical vulnerabilities, CVE-2026-25253 and CVE-2026-25157, were identified that allow attackers to steal authentication tokens and execute arbitrary commands on compromised systems. A security analysis of ClawHub marketplace skills found that 7.1% of the registry contained critical security flaws, exposing sensitive credentials in plaintext. Additionally, roughly 17% of skills analyzed exhibited malicious behavior.
Moltbook, a social network built on OpenClaw infrastructure, was found to have left its entire Supabase database publicly accessible, exposing millions of API authentication tokens, email addresses, and plaintext OpenAI API keys. The widespread credential exposure posed a significant risk to organizations using OpenClaw.
As OpenClaw continues to gain popularity, security leaders must find a middle ground between ignoring the tool and deploying it on production hardware. Cloudflare’s Moltworker framework offers a solution by using ephemeral containers to isolate the agent, encrypted storage for persistent data, and Zero Trust authentication for the admin interface.
Running OpenClaw locally carries inherent security risks: the agent operates with full host user privileges, making it vulnerable to prompt injection attacks. Cloudflare’s sandboxed approach with Moltworker provides a secure evaluation environment, decoupling the agent’s logic from the host machine and containing any potential breaches within the ephemeral container.
Setting up a secure evaluation instance with Moltworker involves configuring storage and billing, generating tokens, deploying the agent, enabling Zero Trust authentication, and connecting a test messaging channel. The total cost for a 24/7 evaluation instance is minimal compared to the security benefits it provides.
Security leaders are advised to conduct a 30-day stress test before expanding access, using synthetic data and throwaway identities to assess the agent’s behavior and credential handling. Adversarial tests can be conducted safely in the sandbox environment, allowing for risky experiments without compromising production systems.
By following a structured evaluation framework that includes isolated execution, tiered integrations, and thorough validation, organizations can mitigate the risks associated with deploying AI agents like OpenClaw. Building a strong security model now will help organizations capture the productivity gains of AI technology without falling victim to potential breaches.

