Treat ClawHub like an unvetted package registry, not an app store. Scans during the ClawHavoc campaign found 800+ malicious skills — roughly 20% of the registry at the time. Before installing any skill, read its source code, check what commands it runs and what network calls it makes, prefer skills with established authors and history, and never install a skill that asks for credentials it doesn't need.

Is OpenClaw safer than cloud assistants like ChatGPT?

It's a different risk trade. Cloud assistants hold your data on someone else's servers but handle security patching for you. OpenClaw keeps data on your hardware — better privacy — but makes you responsible for updates, network exposure, and skill vetting. A hardened OpenClaw install is arguably more private than any cloud assistant; an unhardened one is more dangerous.

Is OpenClaw Safe in 2026? CVEs, Exposed Instances, How to Harden It

Q: Is OpenClaw safe to run on my main computer?

It can be, but it's not the recommended setup. OpenClaw executes code and reads files on whatever machine it runs on, so a compromised skill or prompt-injection attack has access to everything on that machine. The safer pattern is a dedicated, isolated device — a Mac Mini, Raspberry Pi 5, or a hardened VPS — with least-privilege API keys and no access to your personal documents.

Q: Were OpenClaw users actually hacked?

Yes. The ClawHavoc supply-chain campaign distributed hundreds of malicious skills through the ClawHub registry, most delivering the Atomic macOS Stealer (AMOS) infostealer to users who installed them. Separately, security researchers found tens of thousands of OpenClaw gateways exposed directly to the internet, a meaningful share of them running versions vulnerable to known CVEs including a critical one-click remote code execution flaw.

The Short Answer

OpenClaw (formerly Clawdbot, briefly Moltbot, renamed OpenClaw in January 2026) is safe if you harden it — and genuinely dangerous if you don't. The 2026 incidents weren't hypothetical: real users installed malicious skills, and real machines were compromised through exposed, outdated gateways.

But every major incident traced back to one of three preventable mistakes: running an outdated version, exposing the gateway to the public internet, or installing unvetted skills from ClawHub. Avoid those and OpenClaw is arguably more private and secure than handing your data to a cloud assistant.

What Actually Happened in 2026

Late January: CVE-2026-25253 — the one-click RCE

The headline vulnerability: simply visiting a malicious webpage while running a vulnerable version could give an attacker full remote code execution on your machine. No download, no dialog — one click. A patch shipped quickly, but unpatched instances stayed exploitable for months.

February–April: exposure grows from 40,214 to 135,000+ instances

In February, SecurityScorecard found 40,214 OpenClaw instances directly reachable from the public internet — 35.4% running versions vulnerable to known CVEs, mostly gateways people had port-forwarded for remote access. By April, scans counted 135,000+ exposed instances across 82 countries. The project's growth simply outpaced its users' security habits.

February–March: the "ClawHavoc" supply-chain campaign

Researchers found 341 malicious skills in the ClawHub registry, with later scans pushing the count past 800 — roughly 20% of the registry at the time. Most delivered the Atomic macOS Stealer (AMOS) infostealer, masquerading as weather tools, crypto trackers, and productivity helpers.

The broader CVE record

Around 138 OpenClaw-related CVEs were catalogued in 2026: beyond the one-click RCE, notably CVE-2026-24763 (command injection), CVE-2026-26322 (SSRF), CVE-2026-26329 (path traversal), and CVE-2026-30741 (prompt-injection code execution). Alarming-sounding — but it reflects intense researcher attention, and fixes shipped fast, with date-based releases (latest ~2026.6.5) including dedicated chat-safety hardening.

The Real Risk Model

"Is it safe?" is the wrong question. The right one: which risks apply to your setup, and have you mitigated them?

Risk	Who's Affected	Mitigation
Known CVEs (RCE, command injection, SSRF, path traversal)	Anyone running an outdated version	Update promptly — releases are date-based, so it's obvious when you're behind
Exposed gateway (port 18789)	Anyone who port-forwarded for remote access	Never port-forward; use Tailscale, an SSH tunnel, or a VPN
Canvas Host binding 0.0.0.0 by default	Anyone on an untrusted network (coffee shop, dorm, office)	Rebind to localhost or firewall the port
Malicious skills (ClawHavoc / AMOS)	Anyone who installs ClawHub skills without reading them	Audit skill source before install; prefer known authors
Prompt injection (CVE-2026-30741 class)	Anyone whose agent reads untrusted content (web pages, emails)	Latest chat-safety hardening + restrict what the agent can execute

How to Audit a Skill Before Installing It

ClawHavoc worked because people installed code they never read. Five minutes of review catches almost everything the campaign shipped:

•Read the source, all of it - Skills are small. If a "weather skill" downloads a binary, pipes curl to shell, touches your keychain, or hides logic in base64 blobs and eval calls, walk away — AMOS droppers leaned heavily on exactly these tricks.
•Check network destinations - List every URL and domain the skill contacts. Anything that isn't the obvious API for the skill's purpose is a red flag.
•Check the author's history - A skill published yesterday by an account with no other activity deserves far more scrutiny than one with months of public commits and issues.
•Question credential requests - A note-taking skill asking for cloud-provider keys is malware until proven otherwise.

The Hardening Checklist

If you do nothing else, do these five things. They neutralize every major 2026 incident class:

1. Stay on the latest release

Date-based versioning makes it obvious when you're behind. The ~2026.6.5 line includes chat-safety hardening against prompt injection. Most compromised instances in the scan data were simply months out of date.

2. Never expose the gateway

Port 18789 must never be port-forwarded. For remote access use Tailscale, an SSH tunnel, or a VPN. This single rule would have kept all 135,000+ exposed instances off the scanners.

3. Fix the Canvas Host binding

Canvas Host binds 0.0.0.0 by default, so anyone on your local network can reach it. Rebind to 127.0.0.1 or firewall the port — especially on laptops that join public Wi-Fi.

4. Audit skills and use least-privilege API keys

Use the audit steps above — treat ClawHub like npm in 2016: useful, full of gems, occasionally full of malware. And give every integration its own key scoped to the minimum it needs, so a compromised skill burns one narrow key, not your whole account.

5. Isolate the install

Run OpenClaw on a dedicated machine or VM rather than your daily driver. We cover the full setup in our security hardening guide and the most frequent misconfigurations in common OpenClaw setup mistakes.

The Balanced Verdict

OpenClaw in 2026 is like running your own server in any era: powerful, private, and entirely dependent on you doing the basics. The CVE count looks scary, but patches ship fast and the project has visibly invested in safety hardening. The people who got burned skipped updates, exposed ports, or installed unread code.

Hardened properly — prompt updates, audited skills, gateway behind Tailscale, least-privilege keys — OpenClaw gives you an assistant whose messages, files, and credentials never leave hardware you control. No cloud assistant can offer that.

Frequently Asked Questions

Is OpenClaw safe to run on my main computer?

It can be, but it's not recommended. A compromised skill or prompt-injection attack can reach everything on the machine OpenClaw runs on. The safer pattern is a dedicated, isolated device — Mac Mini, Raspberry Pi 5, or hardened VPS — with least-privilege keys.

Were OpenClaw users actually hacked?

Yes. ClawHavoc distributed hundreds of malicious skills through ClawHub, most delivering the AMOS infostealer. Separately, tens of thousands of gateways sat exposed to the internet, many running versions vulnerable to known CVEs including the critical one-click RCE.

Is ClawHub safe?

Treat it like an unvetted package registry, not an app store — ClawHavoc-era scans found 800+ malicious skills, roughly 20% of the registry. Read every skill's source before installing and prefer established authors.

Is OpenClaw safer than cloud assistants?

A different risk trade. Cloud assistants hold your data but patch themselves; OpenClaw keeps everything on your hardware but makes you responsible for updates, exposure, and skill vetting. Hardened, it's more private than any cloud assistant; unhardened, more dangerous.