
What Is OpenClaw? The Open-Source AI Agent Worth Learning - If You Know What You're Doing

Patrick Wilson

What Is OpenClaw?

OpenClaw is an open-source, self-hosted AI assistant that connects to your messaging apps - WhatsApp, Slack, Discord, Telegram, Signal, iMessage, Teams - and lets AI agents act on your behalf.

Think of it as giving Claude or ChatGPT hands. It can send messages, browse the web, control your computer, and chain "skills" (plugins) together to complete multi-step tasks autonomously.

Originally called "Clawdbot" when Austrian developer Peter Steinberger released it in November 2025, it got renamed twice - first to "Moltbot" after Anthropic sent a trademark complaint, then to "OpenClaw" because "Moltbot never quite rolled off the tongue."

The project has exploded to 228,000+ GitHub stars, making it one of the fastest-growing open-source projects in history. Chinese tech companies and local governments are adopting it aggressively. Enterprise vendors like Runlayer are building managed OpenClaw offerings. Even Microsoft published an official guide on running it safely - a signal that the project is too significant to ignore.

Why It's Worth Your Time

OpenClaw hit viral status in late January 2026 and the momentum hasn't slowed. Here's what makes it compelling:

  • It's free and open-source - anyone can run it
  • It works where you already are - no new app to download, it connects to your existing chat platforms
  • Voice support - always-on speech recognition on macOS, iOS, and Android
  • Live Canvas - a visual workspace the AI can render and update in real-time
  • Self-hosted - your data stays on your machine
  • Skill chaining - compose multi-step autonomous workflows
  • Active development - multiple releases per week, now on v2026.3.11

The tech stack is Node.js 22+ with TypeScript, organized as a pnpm monorepo. It runs as a daemon via launchd/systemd, so it's always on in the background.

No other open-source project offers this combination of multi-platform messaging, voice, visual workspace, and autonomous agent capabilities in one package.

The Security History (And Why It Matters)

OpenClaw's early days were rough on the security front. If you're going to use this tool, you should understand what happened - not because it's still dangerous in the same ways, but because it informs how you should think about deploying it.

The January 2026 Exposure

SecurityScorecard's STRIKE team found over 135,000 OpenClaw instances exposed to the internet across 82 countries. The root cause was simple: OpenClaw bound to 0.0.0.0:18789 by default - all network interfaces, not just localhost. Most users never changed it.

This has been fixed. OpenClaw now defaults to 127.0.0.1 (localhost only). Users must explicitly opt in to network exposure. The number of exposed instances has dropped significantly, though some legacy deployments remain misconfigured.

The Three Original CVEs (All Patched in v2026.1.29)

CVE-2026-25253 - One-Click RCE via Token Exfiltration (CVSS 8.8)

The headline grabber. OpenClaw's Control UI trusted a gatewayUrl parameter from the query string without validation. A crafted link could exfiltrate the auth token, connect back to the victim's instance, disable sandboxing, escape Docker, and achieve full remote code execution. One click.

CVE-2026-24763 - Docker Sandbox Escape via PATH Injection (CVSS 8.8)

The Docker execution mechanism unsafely handled the PATH environment variable, allowing attackers to inject commands that escaped the sandbox entirely.

CVE-2026-25157 - OS Command Injection via SSH Node Command (CVSS 7.8)

The macOS app's sshNodeCommand function didn't properly escape user-supplied project paths, enabling arbitrary command execution on remote SSH hosts.

All three were patched, and the team has maintained a strong patching cadence since - new CVEs that have appeared in February and March 2026 (an authorization bypass, a Teams plugin issue, a workspace boundary bypass) have been addressed within 72 hours of disclosure.

The ClawHub Cleanup

The ClawHub skill store had a genuinely bad stretch. The ClawHavoc campaign planted over 1,184 malicious skills in a single week. Snyk's comprehensive audit found that 36% of all skills had at least one security flaw and 13.4% contained critical issues.

The community and maintainers responded:

  • Mass cleanup - ClawHub was pruned from 10,700+ skills down to roughly 3,500 vetted ones
  • VirusTotal integration - automated scanning for uploaded skills
  • Community reporting - 3+ unique reports auto-hide a skill from the marketplace
  • SecureClaw - Adversa AI released an open-source security plugin with 56 automated audit checks, automated fixes for critical misconfigurations, and 15 runtime rules mapped to OWASP, MITRE ATLAS, and CoSAI frameworks

Is ClawHub perfect now? No. But it's dramatically better than it was, and the tooling exists to audit what you install.

What's Still an Open Problem

Prompt injection remains architecturally unsolved - and this is true for every AI agent, not just OpenClaw. OpenClaw's unified context stream means the LLM can't distinguish developer instructions from content in a fetched webpage or document. An attacker who embeds instructions in a Google Doc, web page, or PDF can influence the agent's behavior.

OpenClaw's SOUL.md persistence file adds a wrinkle here - if an injection modifies this file, the change survives restarts. Defenses include file integrity monitoring, using more injection-resistant models (Claude Sonnet 4.5, GPT-4o), and adding explicit security instructions to your SOUL.md. These are mitigations, not solutions. But again, no AI agent framework has solved prompt injection at the architectural level yet.

Our Take: Recommended for Advanced Users

When we first covered OpenClaw, we couldn't recommend it. The defaults were dangerous, the CVEs were actively exploited, and the skill store was compromised.

That's no longer the case. The project has matured meaningfully:

  • Default binding is localhost-only
  • Critical CVEs are patched with a fast response cadence
  • WebSocket origin validation and device pairing are in place
  • Docker sandboxing is available for tool execution
  • The skill store has been cleaned up with automated scanning
  • SecureClaw provides OWASP-aligned hardening out of the box
  • Microsoft, Semgrep, Nebius, and DigitalOcean have all published hardening guides

If you understand security fundamentals - network isolation, credential management, least-privilege principles - OpenClaw is worth running. It's genuinely powerful for automation, AI experimentation, and productivity. The skill-chaining and multi-platform integration capabilities are unmatched in the open-source space.

But "advanced user" is doing real work in that recommendation. Don't just npm install -g openclaw on your daily driver and connect your real Slack account. Deploy it properly.

Deploying OpenClaw on AWS (The Right Way)

AWS gives you the tools to run OpenClaw responsibly. The goal: keep it off the public internet and access it through a secure tunnel.

Architecture

You (laptop)
  -- SSM Session Manager / SSH tunnel
        -- EC2 instance (private subnet, no public IP)
              -- OpenClaw bound to 127.0.0.1

No load balancer. No public IP. No open ports. You access it exclusively through AWS Systems Manager or an SSH tunnel.

Step 1: Launch an EC2 Instance

Use a t3.medium or larger (OpenClaw + LLM API calls need some headroom):

  • AMI: Amazon Linux 2023
  • Subnet: Private subnet (no internet gateway route) - use a NAT gateway for outbound API calls only
  • Public IP: Disabled
  • Security Group: No inbound rules. Zero. Outbound allow HTTPS (443) only, for API calls to Anthropic/OpenAI
  • IAM Role: Attach an instance profile with AmazonSSMManagedInstanceCore policy (for Session Manager access)

Step 2: Connect via Session Manager

No SSH keys needed. No port 22 open.

aws ssm start-session --target i-0abc123def456

Or use port forwarding to access OpenClaw's local web interface from your laptop:

aws ssm start-session \
  --target i-0abc123def456 \
  --document-name AWS-StartPortForwardingSession \
  --parameters '{"portNumber":["3000"],"localPortNumber":["3000"]}'

Now localhost:3000 on your machine tunnels to the EC2 instance. OpenClaw stays off the internet.

Step 3: Install and Configure OpenClaw

# Install Node.js 22+
sudo dnf install -y nodejs22

# Install OpenClaw
npm install -g openclaw

# Run the onboarding wizard
openclaw init

Verify the gateway binds to localhost only in ~/.openclaw/openclaw.json:

{
  "gateway": {
    "host": "127.0.0.1",
    "port": 3000
  }
}

This is now the default, but always double-check.

Step 4: Install SecureClaw

Run the SecureClaw hardening tool to catch common misconfigurations:

npx secureclaw audit
npx secureclaw fix --critical

This checks 56 common security issues and can auto-fix the critical ones. It maps to OWASP Agentic Security Top 10 and MITRE ATLAS frameworks.

Step 5: Store API Keys in AWS Secrets Manager

Don't paste your Anthropic or OpenAI API key directly into OpenClaw's config file. Instead:

# Store the key
aws secretsmanager create-secret \
  --name openclaw-anthropic-key \
  --secret-string "sk-ant-your-key-here"

# Retrieve it at startup and pass as env var
export ANTHROPIC_API_KEY=$(aws secretsmanager get-secret-value \
  --secret-id openclaw-anthropic-key \
  --query SecretString --output text)

openclaw start

If the instance is ever compromised, you can rotate the key in Secrets Manager without touching the box.

Step 6: Be Smart About Skills and Permissions

The skill store is much cleaner now, but treat skills like any third-party dependency:

  • Vet before installing. Read the source of any skill before you install it. The automated scanning catches a lot, but not everything.
  • Keep auto-approval off. OpenClaw's exec.approvals.set setting controls whether skills can execute commands without asking. Keep it set to always, so every command requires your approval.
  • Monitor SOUL.md for changes. This persistence file defines the agent's behavior. Set up a simple integrity check:

# Save a hash of the clean SOUL.md
sha256sum ~/.openclaw/SOUL.md > ~/.openclaw/.soul-hash

# Check it periodically (add to crontab)
sha256sum -c ~/.openclaw/.soul-hash || echo "SOUL.md has been modified!"

Step 7: Limit the Blast Radius

A few more best practices:

  • Start with throwaway accounts for messaging integrations. Once you're comfortable with your deployment's security posture, you can connect real accounts - but start sandboxed.
  • Set up a billing alarm. A CloudWatch billing alert at your comfort threshold catches runaway API calls.
  • Use a dedicated AWS account if you have AWS Organizations - keep it separate from production workloads.
  • Restrict outbound traffic. Your security group should only allow HTTPS (443) outbound to specific CIDR ranges for your LLM provider.

What This Gets You

  • OpenClaw runs in an isolated VPC with no public exposure
  • Access is through authenticated AWS Session Manager only (IAM-controlled, CloudTrail-logged)
  • API keys are in Secrets Manager, not on disk in plaintext
  • SecureClaw hardening applied
  • No inbound ports open, ever
  • If it gets weird, terminate the instance - it's disposable

What You Should Still Be Aware Of

Network isolation doesn't protect against prompt injection. If OpenClaw processes a webpage or document containing hidden instructions, those instructions can influence its behavior through legitimate channels. This is a limitation of all current AI agent systems, not just OpenClaw.

Practical mitigations: use injection-resistant models, keep exec.approvals.set on always so you approve every action, monitor SOUL.md integrity, and be thoughtful about what content you ask the agent to process.

What This Means for Engineers

Whether you're job hunting or building your career, the OpenClaw story - from security disaster to maturing project - teaches valuable lessons:

1. AI agent security is the next big hiring area. Companies need engineers who understand how autonomous agents interact with systems, how to sandbox them, and how to audit their permissions. OpenClaw gives you hands-on experience with exactly these concepts.

2. The "vibe coding" debate is a real interview topic. OpenClaw was described as "vibe-coded" - built fast with AI assistance, features over security. Being able to articulate the tradeoffs of rapid AI-assisted development (speed vs. security, convenience vs. correctness) and how to balance them is a differentiator in interviews.

3. Default configurations matter. OpenClaw's original 0.0.0.0 binding is a textbook example of why defaults should be restrictive. The fix was a one-line change. The damage from the bad default affected 135K+ deployments. This is a real-world case study for system design and security interviews.

4. Supply chain security is increasingly valuable. The ClawHub saga - 1,184 malicious skills in one week, community cleanup, automated scanning rollout - mirrors what happened with npm and PyPI. Understanding how to vet dependencies, audit extensions, and build secure plugin architectures is a high-demand skill.

5. Prompt injection is the new SQL injection. This is the defining vulnerability class for AI systems. OpenClaw's SOUL.md persistence mechanism shows how a single injection can create a backdoor that survives restarts. Engineers who understand this attack class will be in high demand for years.

Interview Questions This Could Help You Answer

If you're preparing for tech interviews, the OpenClaw story gives you fresh material:

  • "Describe a recent security vulnerability and how you would fix it" - CVE-2026-25253's one-click RCE chain and the fix (validate gatewayUrl, check WebSocket Origin header, require re-authentication)
  • "How would you design a plugin/extension system?" - Contrast ClawHub's early permissive approach with defense-in-depth: code signing, sandboxed execution, automated scanning, community reporting, least-privilege APIs
  • "What are the risks of AI agents in production?" - Prompt injection persistence, confused deputy attacks, supply chain compromise, and the mitigations for each
  • "Tell me about a project that improved its security posture over time" - OpenClaw's journey from 135K exposed instances and actively exploited CVEs to secure defaults, 72-hour patch cadence, SecureClaw hardening, and community-driven cleanup
  • "How would you secure a self-hosted AI agent?" - Network isolation, credential management via secret stores, file integrity monitoring, egress filtering, SecureClaw-style automated auditing, and treating deployments as disposable
