In November 2025, Austrian engineer Peter Steinberger released an open-source project initially called Clawdbot - a local-first autonomous AI assistant designed to run directly on a user’s workstation. The project quickly gained traction, later becoming known as OpenClaw, and grew into one of the fastest-rising repositories in its category.

In a public interview, Steinberger expressed surprise that well-funded companies had not moved earlier on the concept of a fully local agent. He described building the platform largely through rapid, iterative development, producing what he estimated as hundreds of thousands of lines of code in a short period of time.

For defenders, the significance is straightforward: OpenClaw is not “just another AI tool.” It is an agent framework that can operate at the system level, execute actions autonomously, and interact with public internet services; all from a user’s machine.

OpenClaw introduced two core primitives that accelerated adoption:

• Heartbeat - a continuous runtime loop enabling persistent autonomous execution

• Skills - modular extensions that allow the agent to gain new capabilities, often pulled from external sources

As with any fast-growing extensible ecosystem, it did not take long for adversaries to follow. Malicious Skills began appearing in the wild, designed to exploit user trust, deliver payloads, or silently expand the agent’s capabilities beyond what the user intended.

However, malicious Skills are only one part of the broader risk. The larger issue is architectural: OpenClaw shifts the security model from “users running software” to autonomous software running users.

In this article, we examine the architectural and operational risks associated with OpenClaw, and provide practical detection and monitoring guidance for enterprise environments, including ready-to-deploy detection logic for multiple security platforms, based on our MDR team’s research.

Known usage and behaviour

OpenClaw is an open-source autonomous AI assistant platform designed to run locally on a user’s own hardware, rather than relying on cloud-hosted chatbot services. Its primary purpose is to function as a personal AI agent, not just a conversational interface, meaning it can execute tasks autonomously, not simply respond to prompts.

This is made possible through several capabilities that, from a security perspective, are highly relevant:

Multi-platform messaging integration

OpenClaw can integrate with third-party messaging platforms such as WhatsApp, Telegram, Discord, Slack, Signal, iMessage, and others - allowing users to interact with the agent through familiar channels.

Model-to-machine execution layer

OpenClaw can connect AI models (cloud-hosted or self-hosted) to the local machine and tools, enabling automation across files, applications, and workflows.

Persistent long-term memory

A particularly important feature is OpenClaw’s persistent memory, which allows it to maintain long-term context across sessions. This memory can include prior interactions, preferences, decisions, and learned behavioral patterns. In practical terms, this enables OpenClaw to:

• retrieve data from past sessions

• tailor actions and replies based on learned context

• make decisions based on previously stored information

System-level task execution

Combined, these features mean OpenClaw can operate as a high-privilege automation layer capable of:

• reading and writing files

• running shell commands

• executing scripts

• controlling browsers

• connecting to external services via integrations

From a defender’s perspective, OpenClaw should be treated less like “AI software” and more like a user-operated automation framework with agentic persistence, meaning it can be abused similarly to RMM tooling, scripting frameworks, or post-exploitation kits.

Too good to be true...

Once you peel back the layers, the first security concerns appear in how OpenClaw enables these capabilities. In order to support integrations, automation, and cross-platform messaging control, OpenClaw typically relies on the following components:

• A local gateway that links messaging platforms and AI models to the assistant engine running on the machine

• A listener for messages and triggers, allowing tasks to be initiated directly from chat interfaces (e.g., “update my calendar” via WhatsApp)

• Local execution access, enabling the agent to read/write files, run scripts, and interact with the shell or browsers based on configured privileges

On its own, this architecture is enough to warrant a more conservative posture in corporate environments.

The risk is not theoretical: an inexperienced user can easily install OpenClaw in a way that exposes it to the internet — effectively creating a remotely reachable entry point into the endpoint and, by extension, the corporate environment. When combined with system-level execution capabilities and agent persistence, this becomes an attractive target for:

• malicious Skills

• prompt injection

• command execution via messaging channels

• abuse of trusted integrations

We will cover prompt injection and remote trigger abuse later in the article.

With that context established, we can now examine the installation workflow and what it introduces on the host. The version covered in this guide is the Windows installer.

Installation

The official installation script can be found at:

https://openclaw[.]ai/install.ps1

The steps in that PowerShell script outline a process flow chart as follows:

Each box corresponds to code executed on the system, later used for detection opportunities.

During OpenClaw installation, several packages are flagged for security issues, including:

The CVEs associated with these packages are as follows:

tar@6.2.1

• CVE-2024-28863

• Summary: Malicious .tar archives can overwrite arbitrary files via symlink/hardlink handling during extraction.

glob@11.0.1

• CVE-2025-64756

• Summary: Command injection possible when using the glob CLI with crafted filenames

Individually, these CVEs are not OpenClaw-specific vulnerabilities and may be considered low-to-moderate risk in traditional, closed execution environments. However, OpenClaw is designed as an autonomous agent that ingests external input and context, including data from third-party services and user-configured integrations. Thus, the known vulnerable dependencies installed by default significantly expand the runtime environment's attack surface.

Proceeding with the configuration, we encounter the following:

Notice that the prompt warns the user about desired security configurations without detailed explanation, then requests the user to read the contents of:

https://docs.openclaw.ai/gateway/security

We will explore this document in the recommendations section.

Next, we choose our model provider (an API key or OAuth token is required and can be provided for any model). The loopback interface listens on port 18789.

Finally, we set up what OpenClaw calls “skills”  and reach the final page, which opens the agent panel on localhost:18789.

The Start of a Storm

After the project's release, security researchers warned of several risks. These vulnerabilities were quickly exploited, prompting the developer to provide new content addressing security concerns, recommendations, and explanations of potential attack vectors for this tool

Indirect Prompt Injection - The Initial Attack Vector

Prompt injection is a known attack vector affecting all tools that read webpage context to procure content. OpenClaw is vulnerable and increases the risk because the agent runs on the user's system, allowing hijacking to exfiltrate user data or take control of the agent.

Quoting researchers at CrowdStrike:

“Indirect prompt injection attacks targeting OpenClaw have appeared in the wild, including an attempt to drain crypto wallets embedded in a public post on MoltBook, a social network for AI agents.”

Excessive Host Privileges - The Blast-Radius Problem

Since OpenClaw can run shell commands, read and write files, and execute scripts on the user’s machine, granting this agent high-level privileges allows it to perform harmful actions. This issue is underscored by the fact that these privileges are enabled by default as shown in the installation section above and can only be reduced by the user, typically after the installation process completes.

Persistence - The attacker’s foothold

Another security concern with OpenClaw is its memory persistence, which defines the agent’s identity and behavioral boundaries and injects into every interaction.

This occurs through a file named SOUL.md . Researchers have shown that attackers can modify this file to create a scheduled task on the host system that periodically reinjects attacker-controlled logic into SOUL.md.

Skills - A marketplace for Malware

Recent research shows the marketplace of OpenClaw (ClawHub) is being used as a hub to acquire new AI Skills. These are installable capability modules that extend what the agent does. However, the market uses little security with Skill integrity, allowing attackers to abuse the hub to lure OpenClaw users into downloading these Skills from auth.clawhub[.]com.

The identified skills either run {malicious} code directly on the system or prompt the user to take steps that ultimately install malware. What is advent is that responsibility is delegated to the user, which is against common security best practices where a platform owner is required and sometimes obligated to maintain security and allow security teams to interacts and enhance protection capabilities.

Hunting & Detection Opportunities

Given these security concerns, Security Joes MDR team created queries for common EDR platforms (CrowdStrike Falcon, Microsoft ATP, Palo Alto Cortex & SentinelOne) to detect OpenClaw installation or use. This is to encourage SecOps teams to add detections and ensure AI observability.

OpenClaw queries

CrowdStrike Falcon

Process (ProcessRollup2)

Explanation: Finds processes running or referencing OpenClaw (e.g., openclaw.mjs, gateway/orchestrator, ws://127.0.0.1:18789) or with image names like openclaw, molty, or clawd. Use for process-level detection only.

Regex-only (Process only):

#event_simpleName=ProcessRollup2 (   CommandLine=/(molt\.bot|clawd\.bot|openclaw\.mjs|openclaw\s+(gateway|status|onboard)|openclaw-openclaw-gateway|openclaw-orchestrator|127\.0\.0\.1:18789|ws:\/\/127\.0\.0\.1:18789)/i   or ImageFileName=/(openclaw|molty|clawd)(\.mjs|\.exe|$)/i )

Wildcard-only (Process only):

#event_simpleName=ProcessRollup2 (   CommandLine=*openclaw*mjs*   or CommandLine=*openclaw*gateway*   or CommandLine=*openclaw*orchestrator*   or CommandLine=*127.0.0.1*18789*   or CommandLine=*ws*127.0.0.1*18789*   or CommandLine=*molt*bot*   or CommandLine=*clawd*bot*   or ImageFileName=*openclaw*   or ImageFileName=*molty*   or ImageFileName=*clawd* )

DNS (DnsRequest)

Explanation: Finds DNS requests to known OpenClaw/Moltbot/ClawdBot domains(, molt.bot, clawd.bot, docs subdomains, moltbotai.chat).Use for browser or client lookups without process context.

Regex-only (DNS only):

#event_simpleName=DnsRequest and DomainName=/(openclaw\.ai|molt\.bot|clawd\.bot|docs\.(molt\.bot|clawd\.bot|openclaw\.ai)|moltbotai\.chat)/i

Wildcard-only (DNS only):

#event_simpleName=DnsRequest and (DomainName=*openclaw.ai* or DomainName=*molt.bot* or DomainName=*clawd.bot* or DomainName=*docs.molt* or DomainName=*docs.clawd* or DomainName=*docs.openclaw* or DomainName=*moltbotai.chat*)

Network (port 18789)

Explanation: Finds outbound or listening connections to the OpenClaw gateway port 18789. Use for network-level visibility; note that port 18789 can be used by other software, so process/DNS context helps confirm OpenClaw.

Same for all variants (no regex/wildcard on port):

(#event_simpleName=NetworkConnectIP4 or #event_simpleName=NetworkConnectIP6) and RemotePort=18789

Full conjoined queries (all types, one query)

(
  (#event_simpleName=DnsRequest and (
    DomainName=/(openclaw\.ai|molt\.bot|clawd\.bot|docs\.(molt\.bot|clawd\.bot|openclaw\.ai)|moltbotai\.chat)/i
    or DomainName=*molt.bot* or DomainName=*clawd.bot* or DomainName=*moltbot* or DomainName=*clawdbot* or DomainName=*openclaw*
  ))
  OR
  (#event_simpleName=ProcessRollup2 and (
    CommandLine=/(molt\.bot|clawd\.bot|openclaw\.mjs|openclaw\s+(gateway|status|onboard)|openclaw-openclaw-gateway|openclaw-orchestrator|127\.0\.0\.1:18789|ws:\/\/127\.0\.0\.1:18789)/i
    or ImageFileName=/(openclaw|molty|clawd)(\.mjs|\.exe|$)/i
    or CommandLine=*molt.bot* or CommandLine=*clawd.bot*
    or CommandLine=*openclaw.mjs* or CommandLine=*openclaw gateway* or CommandLine=*openclaw status* or CommandLine=*openclaw onboard*
    or CommandLine=*openclaw-openclaw-gateway* or CommandLine=*openclaw-orchestrator*
    or CommandLine=*127.0.0.1:18789* or CommandLine=*ws://127.0.0.1:18789*
    or ImageFileName=*openclaw* or ImageFileName=*molty* or ImageFileName=*clawd*
  ))
  OR
  ((#event_simpleName=NetworkConnectIP4 or #event_simpleName=NetworkConnectIP6) and RemotePort=18789)
)
| table([@timestamp, ComputerName, UserName, #event_simpleName, DomainName, ImageFileName, CommandLine, RemoteAddress, RemotePort, ContextBaseFileName])

Wildcard only variant :

#event_simpleName=ProcessRollup2
(
  CommandLine=*openclaw*mjs*
  or CommandLine=*openclaw*gateway*
  or CommandLine=*openclaw*orchestrator*
  or CommandLine=*127.0.0.1*18789*
  or CommandLine=*ws*127.0.0.1*18789*
  or CommandLine=*molt*bot*
  or CommandLine=*clawd*bot*
  or ImageFileName=*openclaw*
  or ImageFileName=*molty*
  or ImageFileName=*clawd*
)
or (#event_simpleName=DnsRequest and (DomainName=*openclaw.ai* or DomainName=*molt.bot* or DomainName=*clawd.bot* or DomainName=*docs.molt* or DomainName=*docs.clawd* or DomainName=*docs.openclaw* or DomainName=*moltbotai.chat*))
or ((#event_simpleName=NetworkConnectIP4 or #event_simpleName=NetworkConnectIP6) and RemotePort=18789)

Regex only variant :

#event_simpleName=ProcessRollup2
(
  CommandLine=/(molt\.bot|clawd\.bot|openclaw\.mjs|openclaw\s+(gateway|status|onboard)|openclaw-openclaw-gateway|openclaw-orchestrator|127\.0\.0\.1:18789|ws:\/\/127\.0\.0\.1:18789)/i
  or ImageFileName=/(openclaw|molty|clawd)(\.mjs|\.exe|$)/i
)
or (#event_simpleName=DnsRequest and DomainName=/(openclaw\.ai|molt\.bot|clawd\.bot|docs\.(molt\.bot|clawd\.bot|openclaw\.ai)|moltbotai\.chat)/i)
or ((#event_simpleName=NetworkConnectIP4 or #event_simpleName=NetworkConnectIP6) and RemotePort=18789)

Microsoft ATP

Process

Regex-only (Process only):

DeviceProcessEvents
| where
    ProcessCommandLine matches regex @"(?i)(molt\.bot|clawd\.bot|openclaw\.mjs|openclaw\s+(gateway|status|onboard)|openclaw-openclaw-gateway|openclaw-orchestrator|127\.0\.0\.1:18789|ws:\/\/127\.0\.0\.1:18789)"
    or
    FileName matches regex @"(?i)(openclaw|molty|clawd)(\.mjs|\.exe|$)"

Wildcard-only (Process only):

DeviceProcessEvents
| where
    ProcessCommandLine has_all ("openclaw","mjs")
    or ProcessCommandLine has_all ("openclaw","gateway")
    or ProcessCommandLine has_all ("openclaw","orchestrator")
    or ProcessCommandLine has_all ("127.0.0.1","18789")
    or ProcessCommandLine has_all ("ws","127.0.0.1","18789")
    or ProcessCommandLine has_all ("molt","bot")
    or ProcessCommandLine has_all ("clawd","bot")
    or FileName contains "openclaw"
    or FileName contains "molty"
    or FileName contains "clawd"

DNS (DnsRequest)

Regex-only (DNS only):

DeviceNetworkEvents
| where ActionType == "DnsQuery"
| where 
    RemoteUrl matches regex @"(?i)(openclaw\.ai|molt\.bot|clawd\.bot|docs\.(molt\.bot|clawd\.bot|openclaw\.ai)|moltbotai\.chat)$"
    or RemoteUrl matches regex @"(?i)\.(openclaw\.ai|molt\.bot|clawd\.bot|docs\.(molt\.bot|clawd\.bot|openclaw\.ai)|moltbotai\.chat)$"

Wildcard-only (DNS only):

DeviceNetworkEvents
| where ActionType == "DnsQuery"
| where 
    RemoteUrl has "openclaw.ai"
    or RemoteUrl has "molt.bot"
    or RemoteUrl has "clawd.bot"
    or RemoteUrl has "docs.molt"
    or RemoteUrl has "docs.clawd"
    or RemoteUrl has "docs.openclaw"
    or RemoteUrl has "moltbotai.chat"

Network (port 18789)

DeviceNetworkEvents
| where ActionType in ("ConnectionSuccess", "ConnectionAttempt")
| where RemotePort == 18789

Full conjoined queries (all types, one query)

let KnownOpenClawDevices = datatable(DeviceName:string) ["vincente-macmini"];
let ProcessIOCs = 
    DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where ProcessCommandLine has "openclaw.mjs"
        or ProcessCommandLine has "openclaw-openclaw-gateway"
        or ProcessCommandLine has "openclaw-orchestrator"
        or ProcessCommandLine has "openclaw gateway"
        or ProcessCommandLine has "openclaw status"
        or ProcessCommandLine has "openclaw onboard"
        or ProcessCommandLine has "127.0.0.1:18789"
        or ProcessCommandLine has "ws://127.0.0.1:18789"
        or ProcessCommandLine has "molt.bot"
        or ProcessCommandLine has "clawd.bot"
    | project 
        Timestamp,
        DeviceName,
        AccountName = InitiatingProcessAccountName,
        EventType = "Process",
        DomainOrUrl = "",
        FileName,
        CommandLine = ProcessCommandLine,
        RemotePort = 0,
        RemoteIP = ""
    | join kind=leftanti KnownOpenClawDevices on DeviceName;
let ImageIOCs = 
    DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where (FileName contains "openclaw" or FileName contains "molty" or FileName contains "clawd")
        and (FileName endswith ".mjs" or FileName endswith ".exe")
    | project 
        Timestamp,
        DeviceName,
        AccountName = InitiatingProcessAccountName,
        EventType = "Process",
        DomainOrUrl = "",
        FileName,
        CommandLine = ProcessCommandLine,
        RemotePort = 0,
        RemoteIP = ""
    | join kind=leftanti KnownOpenClawDevices on DeviceName;
let NetworkDomainIOCs = 
    DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where RemoteUrl contains "openclaw.ai"
        or RemoteUrl contains "molt.bot"
        or RemoteUrl contains "clawd.bot"
        or RemoteUrl contains "docs.openclaw"
        or RemoteUrl contains "docs.molt.bot"
        or RemoteUrl contains "docs.clawd.bot"
        or RemoteUrl contains "moltbotai.chat"
        or RemoteUrl contains "moltbot"
        or RemoteUrl contains "clawdbot"
        or RemoteUrl contains "openclaw"
    | project 
        Timestamp,
        DeviceName,
        AccountName = InitiatingProcessAccountName,
        EventType = "Network_Domain",
        DomainOrUrl = RemoteUrl,
        FileName = InitiatingProcessFileName,
        CommandLine = InitiatingProcessCommandLine,
        RemotePort,
        RemoteIP
    | join kind=leftanti KnownOpenClawDevices on DeviceName;
let Port18789 = 
    DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where RemotePort == 18789
    | project 
        Timestamp,
        DeviceName,
        AccountName = InitiatingProcessAccountName,
        EventType = "Port18789",
        DomainOrUrl = RemoteUrl,
        FileName = InitiatingProcessFileName,
        CommandLine = InitiatingProcessCommandLine,
        RemotePort,
        RemoteIP
    | join kind=leftanti KnownOpenClawDevices on DeviceName;
union 
    ProcessIOCs,
    ImageIOCs,
    NetworkDomainIOCs,
    Port18789
| order by Timestamp desc
| project 
    Timestamp,
    DeviceName,
    AccountName,
    EventType,
    DomainOrUrl,
    FileName,
    CommandLine,
    RemoteIP

PaloAlto Cortex

Process

Regex-only (Process only):

dataset = xdr_data
| filter event_type = PROCESS
| filter
    action_process_image_command_line ~= "(?i)(molt\\.bot|clawd\\.bot|openclaw\\.mjs|openclaw\\s+(gateway|status|onboard)|openclaw-openclaw-gateway|openclaw-orchestrator|127\\.0\\.0\\.1:18789|ws://127\\.0\\.0\\.1:18789)"
    or
    action_process_image_name ~= "(?i)(openclaw|molty|clawd)(\\.mjs|\\.exe|$)"

Wildcard-only (Process only):

dataset = xdr_data
| filter event_type = PROCESS
| filter
    actor_process_command_line contains "openclaw" and actor_process_command_line contains "mjs"
    or actor_process_command_line contains "openclaw" and actor_process_command_line contains "gateway"
    or actor_process_command_line contains "openclaw" and actor_process_command_line contains "orchestrator"
    or actor_process_command_line contains "127.0.0.1" and actor_process_command_line contains "18789"
    or actor_process_command_line contains "ws" and actor_process_command_line contains "127.0.0.1" and actor_process_command_line contains "18789"
    or actor_process_command_line contains "molt" and actor_process_command_line contains "bot"
    or actor_process_command_line contains "clawd" and actor_process_command_line contains "bot"
    or actor_process_image_name contains "openclaw"
    or actor_process_image_name contains "molty"
    or actor_process_image_name contains "clawd"

DNS (DnsRequest)

Regex-only (DNS only):

dataset = xdr_data
| filter event_type = NETWORK
| filter dns_query_name ~= "(?i)(?:^|\\.) (openclaw\\.ai|molt\\.bot|clawd\\.bot|docs\\.(molt\\.bot|clawd\\.bot|openclaw\\.ai)|moltbotai\\.chat)$"

Wildcard-only (DNS only):

preset = network_story
| filter dns_query_name contains "openclaw.ai"
    or dns_query_name contains "molt.bot"
    or dns_query_name contains "clawd.bot"
    or dns_query_name contains "docs.molt"
    or dns_query_name contains "docs.clawd"
    or dns_query_name contains "docs.openclaw"
    or dns_query_name contains "moltbotai.chat"

Network (port 18789)

preset = network_story
| filter action_remote_port = 18789

Full conjoined queries (all types, one query)

datamodel dataset = xdr_data
| filter xdm.source.host.hostname != "vincente-macmini"
| filter
    xdm.event.description contains "openclaw.mjs"
    or xdm.event.description contains "openclaw-openclaw-gateway"
    or xdm.event.description contains "openclaw-orchestrator"
    or xdm.event.description contains "openclaw gateway"
    or xdm.event.description contains "openclaw status"
    or xdm.event.description contains "openclaw onboard"
    or xdm.event.description contains "127.0.0.1:18789"
    or xdm.event.description contains "ws://127.0.0.1:18789"
    or xdm.event.description contains "molt.bot"
    or xdm.event.description contains "clawd.bot"
    or xdm.source.process.executable.filename contains "openclaw"
    or xdm.source.process.executable.filename contains "molty"
    or xdm.source.process.executable.filename contains "clawd"
    or xdm.target.url contains "openclaw"
    or xdm.target.url contains "molt.bot"
    or xdm.target.url contains "clawd.bot"
    or xdm.target.domain contains "openclaw"
    or xdm.target.domain contains "molt.bot"
    or xdm.target.domain contains "clawd.bot"
    or xdm.target.port = 18789
| fields
    _time,
    xdm.source.host.hostname,
    xdm.source.user.username,
    xdm.event.type,
    xdm.event.description,
    xdm.source.process.executable.filename,
    xdm.source.process.executable.path,
    xdm.target.url,
    xdm.target.domain,
    xdm.target.ipv4,
    xdm.target.port
| sort desc _time

SentinelOne

Process

Regex-only (Process only):

event.type = 'Process Creation' and (  tgt.process.cmdline matches '(?i)(molt\.bot|clawd\.bot|openclaw\.mjs|openclaw\s+(gateway|status|onboard)|openclaw-openclaw-gateway|openclaw-orchestrator|127\.0\.0\.1:18789|ws://127\.0\.0\.1:18789)'  or  tgt.process.name matches '(?i)(openclaw|molty|clawd)(\.mjs|\.exe|$)')

Wildcard-only (Process only):

event.type == "Process Creation" AND (  (tgt.process.cmdline contains "openclaw" AND tgt.process.cmdline contains "mjs")  OR (tgt.process.cmdline contains "openclaw" AND tgt.process.cmdline contains "gateway")  OR (tgt.process.cmdline contains "openclaw" AND tgt.process.cmdline contains "orchestrator")  OR (tgt.process.cmdline contains "127.0.0.1" AND tgt.process.cmdline contains "18789")  OR (tgt.process.cmdline contains "ws" AND tgt.process.cmdline contains "127.0.0.1" AND tgt.process.cmdline contains "18789")  OR (tgt.process.cmdline contains "molt" AND tgt.process.cmdline contains "bot")  OR (tgt.process.cmdline contains "clawd" AND tgt.process.cmdline contains "bot")  OR tgt.process.name contains "openclaw"  OR tgt.process.name contains "molty"  OR tgt.process.name contains "clawd")

DNS (DnsRequest)

Regex-only (DNS only):

event.category == "dns" AND (   event.dns.request contains "openclaw.ai"   OR event.dns.request contains "molt.bot"   OR event.dns.request contains "clawd.bot"   OR event.dns.request contains "docs.molt.bot"   OR event.dns.request contains "docs.clawd.bot"   OR event.dns.request contains "docs.openclaw.ai"   OR event.dns.request contains "moltbotai.chat" )

Network (port 18789)

dst.port.number = 18789

Full conjoined queries (all types, one query)

not (endpoint.name in ('vincente-macmini'))
and (
  src.process.cmdline contains (
    'openclaw.mjs',
    'openclaw-openclaw-gateway',
    'openclaw-orchestrator',
    'openclaw gateway',
    'openclaw status',
    'openclaw onboard',
    '127.0.0.1:18789',
    'ws://127.0.0.1:18789',
    'molt.bot',
    'clawd.bot'
  )
  or src.process.name contains ('openclaw', 'molty', 'clawd')
  or src.process.image.path contains ('openclaw', 'molty', 'clawd')
  or tgt.file.name contains ('openclaw', 'molty', 'clawd')
  or network.url contains (
    'openclaw.ai',
    'molt.bot',
    'clawd.bot',
    'docs.openclaw',
    'docs.molt.bot',
    'docs.clawd.bot',
    'moltbotai.chat',
    'moltbot',
    'clawdbot',
    'openclaw'
  )
  or dst.port.number = 18789
)

Remediation

Recommendations

Before discussing remediation, consider the usage recommendations from the tool developers. The security documentation emphasizes that the platform’s safety depends on explicit user configuration and operational discipline, not restrictive defaults. Recommendations focus on reducing risk by limiting exposure, constraining agent capabilities, and auditing configurations.

Access and exposure control

Users must strictly control who interacts with the agent by enforcing DM pairing, allowlists, and mention-based triggers in groups. OpenClaw discourages open or unauthenticated access and stresses defining clear boundaries for inbound interaction.

Gateway and network hardening

The OpenClaw gateway should not be unnecessarily exposed. Binding the service to loopback or internal interfaces, enabling authentication tokens, and properly configuring trusted proxies prevent unauthorized remote access.

Tool and capability restriction

Minimize available tools to those strictly required. Limit or sandbox high-risk tools (shell execution, browser control, unrestricted web access) and avoid “elevated” execution modes unless needed.

Sandboxing and blast-radius reduction

Execute tools inside sandboxed environments rather than directly on the host to reduce the impact of misuse, misconfiguration, or model manipulation.

Filesystem and credential hygiene

Tighten filesystem permissions on configuration directories, state files, and stored credentials. Sensitive data should be readable only by the OpenClaw process owner, reinforcing the filesystem as a trust boundary.

Skill and plugin trust

Skills and plugins are trusted code by default. Install only from trusted sources, review code before use, and explicitly allowlist approved extensions. Third-party skills pose significant risk if not vetted.

Prompt-injection awareness

Prompt injection is a real risk, especially when agents ingest untrusted content. Restrict tool access, sandbox execution, and carefully scope agents processing web content or third-party data.

Continuous auditing

Use the built-in security audit regularly, especially after configuration changes. It detects common misconfigurations, overly permissive settings, and unsafe exposure.

Full set available here

Where They Lack

The official OpenClaw security guidance provides a solid foundation but follows an operator-responsibility model, assuming users will proactively identify risks, understand their implications, and apply safeguards. In a corporate environment, additional recommendations apply.

Classify OpenClaw as privileged infrastructure

Treat OpenClaw as privileged automation infrastructure, not a general-purpose tool. Its command execution, filesystem interaction, and autonomy align it with CI/CD runners or orchestration agents. Deployment must be approved, documented, and governed.

Enforce operating system–level isolation

Run OpenClaw under a dedicated low-privilege OS account with restricted filesystem access. Deploy it in isolated environments like virtual machines or containers rather than on primary workstations to reduce blast radius from misconfiguration or misuse.

Restrict external input and outbound connectivity

Minimize network exposure. Restrict outbound connections to required services and avoid unrestricted web access for agents with execution or write capabilities. Isolate agents consuming untrusted input from those with elevated privileges.

Apply strict skill governance and lifecycle controls

Treat skills as code deployments. Review third-party skills before installation, pin versions, and source only from trusted repositories. Disable third-party skills where governance is lacking to reduce supply-chain risk.

Treat persistent memory as a security-sensitive asset

Consider OpenClaw’s persistent memory a potential attacker foothold. Periodically review and protect state and configuration files with proper permissions. Investigate unexpected modifications.

Establish detection and monitoring baselines

Preventive controls alone are insufficient. Monitor OpenClaw activity with endpoint and network solutions, establishing baselines for process execution, network use, and gateway behavior. Treat deviations as potential misuse or compromise.

Integrate OpenClaw into AI observability efforts

AI observability treats AI agents and models as systems requiring monitoring, logging, and governance, not just “black boxes.” OpenClaw fits this category.

From a Security Joes MDR perspective, observability should include:

• Tracing agent actions, including tools invoked, commands run, files touched, and external services called.

• Capturing security-relevant context such as originating chat channel, triggering user, and content influencing decisions.

• Correlating agent activity with EDR telemetry, enabling investigations to link “openclaw gateway” execution with AI-driven actions and skills used.

These patterns align with emerging AI observability practices but focus on security: ensuring autonomous behavior is observable, explainable, constrained, and detectable when abused.

Avoid public exposure by default

Do not expose OpenClaw to public networks unless operationally required with compensating controls. Enforce strong authentication, network restrictions, and careful gateway configuration to prevent unauthorized access.

On Detection

Given the above, Security Joes does not recommend using OpenClaw as is. Upon detection, we advise:

Containment and access restriction

Immediately prevent further interaction between the agent and external inputs. Restrict network access to the OpenClaw gateway and disable or bind externally exposed interfaces to loopback or isolated networks during assessment.

Suspension of autonomous execution

Temporarily suspend OpenClaw’s ability to execute commands, interact with the filesystem, or invoke high-risk tools. Disable or restrict skills allowing shell execution, browser control, or unrestricted web access until risk assessment completes.

Credential and secret review

Consider all credentials, API keys, tokens, or authentication material potentially exposed. Review accessible secrets, then rotate or revoke them, especially those granting access to sensitive systems or third-party services.

Integrity review of persistent state

Review OpenClaw’s persistent memory and configuration files for unauthorized changes. Focus on identifying injected logic, altered configurations, or persistence mechanisms surviving restarts.

Skill inventory and validation

Enumerate and assess all installed skills for legitimacy and necessity. Disable or remove third-party or unvetted skills and review their code to detect unintended or malicious behavior. Treat skills as executable code.

Host and environment assessment

Assess the host for misuse or compromise indicators, including unexpected processes, file changes, or outbound connections from the agent. Use existing EDR or endpoint monitoring tools.

Scope determination and lateral exposure analysis

Evaluate systems, data, or services accessible to OpenClaw during operation. Identify reachable network resources, filesystems, and third-party services to assess lateral impact.

Conclusion

OpenClaw is a new class of autonomous AI agents operating locally, integrating with external services, and executing actions without continuous user interaction. This enables powerful automation but introduces risks distinct from traditional software or cloud AI services.

OpenClaw expands the attack surface via autonomous execution, persistent memory, third-party skill extensibility, and ingestion of untrusted input. Vulnerable dependencies and reliance on operator hardening create risks unacceptable for most corporate or security-sensitive environments.

While official guidance mitigates some risks, effectiveness depends on user expertise, disciplined configuration, and ongoing monitoring. This burdens operators and raises chances of misconfiguration, exposure, or abuse, especially when deployed by end users rather than managed as privileged infrastructure.

As autonomous agents and AI tools grow, AI observability complements endpoint and network monitoring. Defenders must understand not only that an agent runs but also what it did, based on which inputs, and through which tools. This visibility is essential for safe enterprise deployment.

For these reasons, we do not recommend using OpenClaw as is. Organizations detecting it should treat it as high-risk automation and respond with containment, review, and remediation akin to privileged software or vulnerability exposure. Until stronger safeguards, clearer trust boundaries, and mature governance exist, OpenClaw’s risks outweigh its benefits in most enterprises.

Annex

IOCs

Network

Domains

openclaw[.]ai
docs.openclaw[.]ai
clawhub.openclaw[.]ai
molt[.]bot
docs.molt[.]bot
clawd[.]bot
docs.clawd[.]bot
moltbotai[.]chat
moltbook[.]ai
clawhub[.]ai
auth.clawdhub[.]com

Ports

18789

URIs

127.0.0.1:18789

Process

Command Lines

openclaw gateway
openclaw status
openclaw onboard
openclaw doctor
openclaw security audit
openclaw orchestrator
127.0.0.1:18789

File system

Files and paths

~/.openclaw/
SOUL.md
Skill.md
entry.js
openclaw.mjs
%USERPROFILE%\openclaw\
%USERPROFILE%\.local\bin\openclaw.cmd

MITRE ATT&CK TTP Matrix