Three common misconfigurations that leave your AI agent – and everything it connects to – wide open.
In early 2026, security researchers ran a Shodan scan targeting OpenClaw’s default gateway port. They found over 30,000 instances exposed directly to the internet with no authentication. No reverse proxy. No firewall rules. No SSH tunnel. Just a raw gateway endpoint, listening on 0.0.0.0, waiting for anyone on earth to connect.
These weren’t test instances. Many had active Slack integrations, Telegram channels, and API keys loaded in plaintext environment files. Some were running community skills pulled straight from ClawHub – the same registry where the ClawHavoc campaign later uncovered 824+ malicious skills hiding in roughly 20% of all listed packages.
If you’re running a self-hosted OpenClaw instance right now, there’s a good chance you’re making at least one of these three mistakes. Let’s walk through them.
Mistake #1: Your Gateway Is Bound to 0.0.0.0
This is the most common and most dangerous misconfiguration in the OpenClaw ecosystem.
When you first deploy OpenClaw via Docker Compose, the default gateway configuration binds to 0.0.0.0:3000. On your local machine during development, this is fine – nothing outside your laptop can reach it. But the moment you deploy that same docker-compose.yml to a VPS or cloud server, that binding means your gateway is listening on every network interface. Your agent is now accessible to the entire internet.
Here’s the part nobody mentions: OpenClaw’s gateway does not ship with authentication enabled by default. There is no login screen. There is no API key requirement. If your gateway port is reachable, anyone can send commands to your agent, read its conversation history, and interact with every integration you’ve connected.
The fix is straightforward. Bind the gateway to 127.0.0.1 so it only accepts local connections:
ports:
– “127.0.0.1:3000:3000”
Then access it through an SSH tunnel (ssh -L 3000:localhost:3000 your-server) or place it behind a reverse proxy like Nginx or Caddy with proper authentication. A comprehensive breakdown of OpenClaw security risks and exposure points details several additional gateway hardening steps beyond binding, including rate limiting and header validation.
This single change – 0.0.0.0 to 127.0.0.1 – would have protected the majority of those 30,000 exposed instances.
Mistake #2: You’re Installing ClawHub Skills Without Auditing Them
ClawHub has over 5,700 community-contributed skills. They extend your agent’s capabilities: calendar management, email drafting, CRM lookups, code execution, file operations. Most of them work exactly as described.
But that’s not the real problem.
The ClawHavoc report, published by security researchers in Q1 2026, found 824 skills containing malicious code. Some exfiltrated environment variables – which, in an OpenClaw setup, often include your AI model API keys, Slack tokens, and database credentials. Others opened reverse shells. A handful modified the agent’s behavior silently, injecting instructions into prompts that redirected sensitive conversation data to external endpoints.
The attack surface is significant because OpenClaw skills run with the same permissions as the agent process itself. There is no sandboxing by default. A skill that says it manages your calendar has the same filesystem access as a skill that explicitly handles code execution. The trust boundary is “did you install it.”
What should you do?
First, read the source code of every skill before installing it. Yes, every one. If the skill is obfuscated or minified, don’t install it. Period.
Second, pin skill versions in your configuration. ClawHub allows skill authors to push updates without version bumps. An OpenClaw security checklist published earlier this year recommends hash-pinning skills and checking diffs on any update – the same practice you’d apply to any third-party dependency in a production codebase.
Third, run your agent in a Docker container with a read-only filesystem and limited network access. Use –read-only and explicit –network flags to constrain what a compromised skill can do. This won’t prevent every attack, but it dramatically reduces the blast radius.
Mistake #3: You’re Running Without Transport Encryption
This one surprises people. OpenClaw’s gateway communicates over HTTP by default – not HTTPS. If you’re accessing your agent’s web interface or API over an unencrypted connection, every message, every API key rotation, every skill installation command travels in plaintext.
On a local machine, this doesn’t matter. On a remote server, it means anyone on the network path between you and your VPS can intercept everything. This includes your cloud provider’s internal network, any VPN intermediary, and any compromised hop along the route.
Stay with me here – this gets worse when you consider OpenClaw’s channel integrations.
Webhook endpoints for Slack, Discord, and Telegram need to be publicly accessible. If you’re running those without TLS, the webhook payloads – containing user messages, channel IDs, and auth tokens – are transmitted in cleartext. An attacker performing a man-in-the-middle attack on your server’s network can capture incoming webhooks and replay them or extract tokens.
The fix: terminate TLS at your reverse proxy. Caddy does this automatically with Let’s Encrypt. Nginx requires a few more steps but is well-documented. Never expose OpenClaw’s raw HTTP port to the internet, even behind a firewall rule – defense in depth matters.
The Underlying Problem Isn’t Technical
All three of these mistakes share a root cause: OpenClaw is designed as a developer tool, not a production service. Its defaults prioritize fast local development – bind everything, trust everything, encrypt nothing – because that’s what makes a good getting-started experience.
The project assumes you’ll harden it before deploying. But most people don’t. They follow a tutorial, get their agent working on a VPS, connect it to Slack, and move on to the thing they actually care about: what the agent does, not how it’s hosted.
This is why CVE-2026-25253 – the one-click RCE vulnerability patched in late January – was so devastating. It didn’t just exploit a bug. It exploited the gap between how OpenClaw is deployed in practice and how it should be deployed in theory. Thousands of instances were still unpatched weeks later because their operators didn’t have monitoring, didn’t subscribe to security advisories, and didn’t have a patch management process.
Managed deployment platforms like BetterClaw, xCloud, and ClawHosted exist precisely to close this gap – they handle gateway isolation, transport encryption, and skill vetting for OpenClaw deployments by default, so the security posture doesn’t depend on the operator remembering every configuration detail. But whether you use a managed service or not, the three fixes above are non-negotiable if you’re self-hosting.
A Quick Self-Audit You Can Do Right Now
If you have a running OpenClaw instance, check these three things today:
Open your docker-compose.yml. Is the gateway bound to 127.0.0.1 or 0.0.0.0? If it’s the latter, change it now. Not tomorrow. Now.
Run docker exec into your OpenClaw container and check which skills are installed. For each one, verify the source repository exists, the author is identifiable, and the code is readable. Remove anything you can’t verify.
Try accessing your gateway URL over HTTP from outside your network. If it loads, you have a problem. Set up a reverse proxy with TLS termination and block direct access to the gateway port via your firewall.
These three steps take about 20 minutes. They address the three most exploited attack vectors in the OpenClaw ecosystem right now. The framework itself is powerful and flexible – 230K GitHub stars and 44K forks reflect genuine utility. But no open-source tool can protect you from its own defaults. That’s your job, and it starts with the configuration file you probably haven’t looked at since the day you deployed.