OpenClaw is showing up fast in personal projects, startups, and enterprise pilots — and it introduces a blunt reality: OpenClaw includes limited built-in security controls. The runtime can ingest untrusted text, download and execute skills (i.e. code) from external sources, and perform actions using the credentials assigned to it.
This effectively shifts the execution boundary from static application code to dynamically supplied content and third-party capabilities, without equivalent controls around identity, input handling, or privilege scoping.
The three risks that materialize quickly
In an unguarded deployment, three risks show up almost immediately:
- Credential exposure. Credentials and accessible data may be exposed or exfiltrated.
- Memory manipulation. The agent's persistent state or "memory" can be modified, causing it to follow attacker-supplied instructions over time.
- Host compromise. The host environment can be compromised if the agent is induced to retrieve and execute malicious code.
Because of these characteristics, OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation.
Two supply chains, one execution loop
Self-hosted agents have two distinct supply chains that converge into a single execution loop:
- Untrusted code — skills and extensions downloaded from registries like ClawHub.
- Untrusted instructions — external text inputs from users, feeds, or other agents.
When these two interact without appropriate guardrails, a single malicious input can result in durable, credentialed execution on your machine.
Runtime vs. platform: understanding the difference
To reason about controls, it's important to separate where code executes from where instructions propagate:
- OpenClaw (runtime): A self-hosted agent runtime that runs on a workstation, VM, or container. It can load skills and interact with local and cloud resources. The key security point: it inherits the trust (and risk) of the machine and the identities it can use. Installing a skill is basically installing privileged code.
- Moltbook (platform): An agent-focused platform where agents post, read, and authenticate through APIs. It can become a high-volume stream of attacker-influenceable content that agents ingest on a schedule.
In practice, OpenClaw expands the code execution boundary within your environment, while Moltbook expands the instruction influence surface at scale.
How agents shift the security boundary
Most of us already know how to secure automation. Agents change the risk because the entity deciding what to do isn't always the one taking the action. At runtime, the agent loads third-party code, reads untrusted input, and acts using durable credentials — making the runtime environment the new security boundary.
That boundary has three components:
- Identity: The tokens the agent uses to do work (SaaS APIs, repos, mail, cloud control planes).
- Execution: The tools it can run that change state (files, shell, infrastructure, messages).
- Persistence: The ways it can keep changes across runs (tasks, config, schedules).
There are two core attack vectors to be aware of:
- Indirect prompt injection: Attackers can hide malicious instructions inside content an agent reads, steering tool use or modifying its memory to affect behavior over time.
- Skill malware: Agents acquire skills from various sources — essentially downloading and running code from the internet — which can contain malicious code.
Self-hosted means you own the blast radius
With managed platforms, security controls typically center on identity scopes and data boundaries, because the runtime is centrally managed. With self-hosted runtimes like OpenClaw, that responsibility shifts entirely to you.
The host system, plugin surface, and local state become part of the trust boundary. If the agent can browse external content and install extensions, it should be assumed that it will eventually process malicious input. Controls should prioritize containment and recoverability, rather than relying on prevention alone.
The poisoned skill: a real attack scenario
This scenario represents a plausible compromise chain in open agent ecosystems. Public reporting has documented malicious skills appearing in public registries — in some cases, straightforward malware packaged as a skill.
Step 1: Distribution
An attacker publishes a malicious skill to ClawHub, sometimes disguised as a utility and sometimes openly malicious, promoted through community channels. The ecosystem evolves quickly and low-friction installation encourages experimentation.
Step 2: Installation
A user or the agent itself initiates installation because the skill appears relevant. In permissive deployments, the runtime may execute the installation without human approval. Installation should be treated as an explicit approval event — equivalent to executing third-party code.
Step 3: State access
The attacker's objective is access to agent state: tokens, cached credentials, configuration data, and transcripts, as well as durable instruction channels that influence future runs. If durable instructions can be modified through normal interactions, a single injection can persist across executions.
Step 4: Privilege reuse
With valid identity material, the attacker performs actions through standard APIs and tooling. This activity often resembles legitimate automation — making it very hard to detect without strong monitoring.
Step 5: Persistence through configuration
Persistence frequently manifests as durable configuration changes: new OAuth consents, scheduled executions, modified agent tasks, or tools that remain permanently approved. The objective is less about deploying traditional malware and more about maintaining long-term control over the automation pathway.
Variant: indirect prompt injection through shared feeds
If agents poll a shared feed, an attacker can place malicious instructions inside content the agents ingest. In multi-agent settings, a single malicious thread can reach many agents at once, steering tool use or triggering sensitive disclosure.
The safe operating posture for OpenClaw
The safest guidance is: do not run OpenClaw with your primary work or personal accounts, and do not run it on a device that contains sensitive data. Assume the runtime can be influenced by untrusted input, its state can be modified, and the host system can be exposed through the agent.
If you decide to run OpenClaw, these guardrails should be your baseline:
1. Run only in isolation
Use a dedicated virtual machine or a separate physical device that is not used for daily work. Treat the environment as disposable. This is the single most important step you can take.
2. Use dedicated credentials and non-sensitive data
Create accounts, tokens, and datasets that exist solely for the agent's purpose. Assume compromise is possible and plan for regular rotation.
3. Monitor for state or memory manipulation
Regularly review the agent's saved instructions and state for unexpected persistent rules, newly trusted sources, or changes in behavior across runs.
4. Back up state to enable rapid rebuild
OpenClaw allows state to be snapshotted and restored:
- Backing up
.openclaw/workspace/captures the agent's working state without including credentials. - Backing up the entire
.openclaw/directory also captures tokens and credentials. While this simplifies restoration, it increases backup sensitivity.
5. Treat rebuild as an expected control
Reinstall regularly and rebuild immediately if anomalous behavior is observed. Persistence may appear as subtle configuration changes rather than overt malware.
Key security areas to address
Whether you manage this yourself or use a service like NestClaw, these are the critical security areas for any OpenClaw deployment:
| Area | What to do |
|---|---|
| Identity | Use dedicated identities for agents. Minimize permissions. Prefer short-lived tokens. Control consent for powerful permissions. |
| Host isolation | Treat agent hosts as privileged. Separate pilots from production. Plan rapid isolation and token revocation. |
| Supply chain | Restrict skill install sources and publishers. Pin versions for approved capabilities. Review updates before applying. |
| Network & egress | Restrict outbound access for agent hosts to known destinations. Block or isolate high-risk external ingestion sources. |
| Data protection | Reduce the chance that sensitive data is ingested into agent prompts or exfiltrated by agent tools. |
| Monitoring | Log agent actions and treat abnormal tool use as an incident signal. Prepare a playbook for agent identity compromises. |
The takeaway
Self-hosted agents combine untrusted code and untrusted instructions into a single execution loop that runs with valid credentials. That is the core risk.
Running OpenClaw is not simply a configuration choice. It is a trust decision about which machine, identities, and data you are prepared to expose when the agent processes untrusted input.
For most people, the right approach is not to run it on your own machine at all. Instead, run it inside a dedicated VM that is isolated from everything you care about. This is exactly the model NestClaw was built around — every agent gets its own isolated virtual machine, dedicated credentials, and a clean environment that can be rebuilt at any time.
If you do choose to self-host, three actions should be taken immediately:
- Inventory where the runtime is deployed.
- Verify the identities it uses and the permissions associated with them.
- Identify which inputs can influence tool execution.
Tighten controls accordingly, monitor activity end to end, and treat every anomaly as an opportunity to reduce blast radius before it is exploited.
This article draws on research originally published by the Microsoft Defender Security Research Team, adapted with a focus on practical guidance for individual users and small teams.