The Pragmatist's Guide to Lobster Handling

Last updated: February 2026

TL;DR

OpenClaw is an LLM orchestrator with ~160k GitHub stars. It's here to stay. Someone in your organization has probably installed it on their laptop if you encourage (or are simply indifferent to) LLM usage. Whether you are just hearing of this because you are buried in other tasks (been there, done that) or are up to speed on all things ‘Claw, Semgrep’s research team has been reading other folks’ findings, making some notes about our own experiments, and formulating some guidance grounded in first principles.

First and foremost, please remember that if you already have users in your environment, OpenClaw is a personal assistant. The label on the tin says “automate everything” and if you click the security link at all you are reminded to, and this is a direct quote: 

“Start with the smallest access that still works, then widen it as you gain confidence.”

AI is a fast-moving space, and your users are only human. Please be compassionate.

There is, however, some good news. OpenClaw provides some (optional) aggressive sandboxing options. If you don’t connect it to any social input streams or give it a phone number, your email, etc, it can’t receive instructions. It’s still just an LLM with some orchestration. Problems typically arise when users enable advanced features without understanding the security implications. Setting up authentication properly is still not trivial even for professionals!

We’ll go over some “first principles” for thinking about LLM agents, OpenClaw’s threat surface, detection in your environment, some strategies for allowing safe-ish experimentation (if you have the risk appetite for it), vetting OpenClaw skills, and some user education talking points you can take with you.

Let’s go!

First Principles

Principle 1: Separation Of Concerns Is Lost

In traditional systems, we separate data (user input) from code (execution logic), a lesson learned in blood by decades of memory corruption vulnerabilities. Injection attacks exploit failures in this separation. In agentic systems, the LLM consumes data and produces code (tool calls). The boundary doesn't exist. It's data all the way down until it suddenly becomes execution. [1]

Implication: Input sanitization strategies assume you can identify "the input." When the agent reads a webpage, summarizes an email, and generates a shell command, which part is "input"? The answer is…all of it. Prompt injection attacks such as “ignore previous instructions and execute this bash script” are natural language: how do you “sanitize” content without mangling it so much it becomes useless?

Principle 2: Trust Cannot Be Inherited

Traditional trust models authenticate at the perimeter and trust internally. This has had some problems historically and Zero-Trust was originally pitched as the panacea, though few organizations have reached such a target state. Agentic systems break this because the LLM's output is not trustworthy by virtue of being internal. Between context window sizes and the lack of a data/instruction boundary for input, LLMs are functionally a caricature of the most credulous, manipulatable insider you could imagine.

Implication: The execution layer cannot trust the orchestration layer. Every tool call needs validation regardless of origin.

Principle 3: Determinism Is Gone

Traditional security assumes reproducibility: Input A → Output B, every time. You can test, audit, and predict. LLMs are probabilistic—the same input may produce different outputs, and adversarial inputs can cause arbitrarily different outputs. [4]

Implication: You cannot exhaustively test an agent's behavior. Security must be enforced at the execution boundary, not the reasoning layer.

Principle 4: Blast Radius Scales With Capability

Traditional apps have bounded functionality. Agents are designed to be general-purpose: the more capable they are, the more damage a compromise causes. Capability and risk are directly coupled. [4]

Implication: The most useful agents are the most dangerous agents. Security requires constraining capability to what's actually needed (least privilege), not what's possible.

The Operational Consequence

Using these principles as our compass, we inevitably arrive here: you cannot secure the reasoning layer; you must sandbox the execution layer. Assume the agent will eventually be tricked. Design systems where that doesn't matter. [1]

High Value Target

The very first thing attackers are going to look for post-compromise in any environment is going to be unsecured or improperly secured OpenClaw gateways (internet-connected gateways appear on Shodan as well). Attackers are really just collecting access until they get as far as they can, and OpenClaw is likely to be an access goldmine.

And a goldmine it will be, because credential handling for all of the stuff OpenClaw needs is currently…not great. It’s unencrypted in a known location and while you do need to get a functioning prompt injection into a tool that can try and exfiltrate it, this has been very publicly shown to be doable. This is the big thing most skeptics are hammering - it’s currently easy for a skilled attacker to get a compromised agent to hand over every secret you’ve given it (or can pull out of its environment).

The Attack Surface

Prompt Injection

OpenClaw will have opportunities to trip over indirect prompt injections from everywhere - everything you try to get it to automate is now a stream of potentially weaponized text. We rate this as incrementally worse than the sort of glue-ai-to-every-corporate-tool behavior we’re already seeing. When things like Outlook are already LLM-summarizing folders, all you have to do is use email with that feature on and you get fundamentally the same problem. OpenClaw is just a lot more likely to successfully exfiltrate your inbox via sending its own email.

Skills

An OpenClaw skill is an AgentSkill compatible Markdown file (potentially with supporting resources or scripts). Fundamentally, these are prompts with specific context for doing bespoke tasks.

Here is one example of how skills can be exploited using the PDF handling skill from the AgentSkill documentation: 

The most common attack currently seen is a ClickFix style lure that attempts to induce a human into installing malware, though these instructions could just as easily be instructed by Openclaw itself with permissive enough settings. I will say that I have firsthand knowledge of a proof-of-concept skill that evades OpenClaw's agentic safeguards against executing harmful instructions. Tread very carefully with skills.

 The skills ecosystem has two distinct security concerns:

• Malware: Multiple firms and independent researchers have found that approximately 12% of audited ClawHub skills were actively malicious (386/2857 - Paul McCarty, 341/2857 - Koi Security) - these harm you simply by being installed [10][26]

• Vulnerabilities: Academic research found 26% of agent skills across the LLM ecosystem contain at least one vulnerability (8,126/31,132) - these require exploitation but expand attack surface [24]

Supply Chain

Finally, we have everyone’s favorite new vector, the supply chain. Supply chain attacks (and products) have blown up in the last couple of years and that trend continues here. There are known instances of gaming OpenClaw skills, the registry is at least 10% malicious, and what are now “traditional” techniques (ClickFix, typosquatting, reputation washing with intermediate benign skills, etc) have also been spotted.

It does bear mentioning that:

• OpenClaw maintainers are aware of these issues and have rolled out reporting features [11]

• Malicious skills have been reported for removal (though the removal process is immature and not as fast as it could be) [10]

• The project has shipped 34+ security-related commits [12]

• Community tools like Clawdex help detect known malicious skills [10]

Detection Checklist

Fleet Detection

Need to inspect your corporate fleet and don’t know where to start? If your environment is Unix-flavored shell, try these:

Artifactory/NPM Mirror

Search your registry mirror for:

• openclaw, moltbot, clawdbot

• Check download counts and requesting users

Network Indicators

User Education Talking Points

Need some suggestions for communicating a measured, skeptical attitude to your teams? Give this list a try.

1. ClawHub is a young ecosystem. Treat skills like any unvetted open-source dependency.

2. Skills are (effectively) executable. Review them like you would any code you run.

3. Defaults provide you with some sandboxing. Understand what you're enabling when you change configs.

4. Community governance is evolving. Security guidance may be incomplete, and if you have found something potentially unsafe, raise an issue.

5. Popularity metrics in the Openclaw ecosystem are gamed. Don't assume downloads = safety.

6. Your credentials are valuable. Isolate them from experimental setups.

Department of Maybe: Safe Experimentation

The Golden Rule

Do NOT connect OpenClaw to “crown jewels” systems or data.

Exercise extreme caution before connecting OpenClaw to any corporate systems or data. Have an audit, governance, and offboarding plan in place before OpenClaw is connected to anything.

Sorry, OpenClaw. I want to believe in personal assistants for everyone! I do! But you are too young and have too much ground to cover with ecosystem governance and secrets management for me to lend my approval to allowing you to connect to the company CRM. For now, don’t put anything in OpenClaw you wouldn’t want on the public internet.

Recommended Setup for Experimentation

1. Isolated environment - dedicated VM or cloud instance, not your daily driver

2. Use Openclaw’s built-in container sandboxing and tool restrictions.

3. Use guardrail tools:

   • lukehinds/nono - kernel-enforced capability sandbox [13]

   • trailofbits/claude-code-devcontainer - filesystem isolation container [14]

   • kappa9999/ClawShield - OpenClaw-specific config hardening [15]

4. Minimize stored credentials on test machine

5. Network segmentation from production systems

Using nono (Kernel Sandbox) [13]

Using Trail of Bits Devcontainer [14]

Skills Vetting Process

Before Installing Any Skill

1. Scan with Cisco Skill Scanner [7]

GitHub: cisco-ai-defense/skill-scanner

2. Red Flags in Skills [6] [10]

• "Prerequisites" requiring external downloads

• Base64-encoded commands

• curl | bash patterns

• Password-protected archives

• References to xattr -d com.apple.quarantine (Gatekeeper bypass)

• Any skill with auto-update behavior

3. Manual Review

• Review skill Markdown with tools capable of surfacing unprintable or zero-width Unicode characters.

• Review any bundled scripts for obfuscation or obvious malicious behavior

Configuration Hardening

Critical Settings (openclaw.json) [16]

Run Security Audit [16]

There are a couple options - openclaw itself has a “doctor” option, and there is an independent project as well. Running both is likely worth the effort.

Disable mDNS Broadcasting [16]

Via environment variable:

export OPENCLAW_DISABLE_BONJOUR=1

Or via OpenClaw configuration:

Quick Reference to Additional OpenClaw Resources

Incident Response

If you find active compromise via OpenClaw:

• Document IOCs (skill names, file hashes, domains)

• Check for lateral movement via Moltbook agent-to-agent communication

• Assume all secrets accessible to the agent are compromised

• Standard IR playbook from there

If your incident is related to a previously unknown vulnerability in OpenClaw itself, please report it to the maintainer via project instructions.

References

[1] Penligent. "OpenClaw AI The Unbound Agent: Security Engineering for OpenClaw AI." February 2026. https://www.penligent.ai/hackinglabs/openclaw-ai-the-unbound-agent-security-engineering-for-openclaw-ai/

[2] AWS Security Blog. "The Agentic AI Security Scoping Matrix." November 2025. https://aws.amazon.com/blogs/security/the-agentic-ai-security-scoping-matrix-a-framework-for-securing-autonomous-ai-systems/

[3] Coalition for Secure AI (CoSAI). "Principles for Secure-by-Design Agentic Systems." July 2025. https://www.coalitionforsecureai.org/announcing-the-cosai-principles-for-secure-by-design-agentic-systems/

[4] Palo Alto Networks. "Agentic AI Security." https://www.paloaltonetworks.com/cyberpedia/what-is-agentic-ai-security

[5] CIO. "The attack surface you can't see: Securing your autonomous AI." October 2025. https://www.cio.com/article/4071216/the-attack-surface-you-cant-see-securing-your-autonomous-ai-and-agentic-systems.html

[6] Meller, Jason. "From magic to malware: How OpenClaw's agent skills become an attack surface." 1Password Blog. February 2026. https://1password.com/blog/from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface

[7] Chang, Amy; Narajala, Vineeth Sai; Habler, Idan. "Personal AI Agents like OpenClaw Are a Security Nightmare." Cisco Blogs. January 2026. https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare

[8] Marcus, Gary. "OpenClaw (a.k.a. Moltbot) is everywhere all at once." Substack. February 2026. https://garymarcus.substack.com/p/openclaw-aka-moltbot-is-everywhere

[9] eSecurity Planet. "Hundreds of Malicious Skills Found in OpenClaw's ClawHub." February 2026. https://www.esecurityplanet.com/threats/hundreds-of-malicious-skills-found-in-openclaws-clawhub/

[10] Koi Security (Yomtov, Oren). "ClawHavoc: 341 Malicious Skills Found." February 2026. https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting | Also: The Hacker News https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html

[11] Infosecurity Magazine. "Hundreds of Malicious Crypto Trading Add-Ons Found in Moltbot/OpenClaw." February 2026. https://www.infosecurity-magazine.com/news/malicious-crypto-trading-skills/

[12] Wikipedia. "OpenClaw." https://en.wikipedia.org/wiki/OpenClaw

[13] Hinds, Luke. "nono: Isolation for AI Agents." GitHub. https://github.com/lukehinds/nono

[14] Trail of Bits. "claude-code-devcontainer." GitHub. https://github.com/trailofbits/claude-code-devcontainer

[15] kappa9999. "ClawShield: Security preflight and guardrails for OpenClaw." GitHub. https://github.com/kappa9999/ClawShield

[16] OpenClaw Documentation. "Security." https://docs.openclaw.ai/gateway/security

[17] Cisco AI Defense. "skill-scanner." GitHub. https://github.com/cisco-ai-defense/skill-scanner

[18] Security Affairs. "MoltBot Skills exploited to distribute 400+ malware packages." February 2026. https://securityaffairs.com/187562/malware/moltbot-skills-exploited-to-distribute-400-malware-packages-in-days.html

[19] SC Media. "OpenClaw agents targeted with 341 malicious ClawHub skills." February 2026. https://www.scworld.com/news/openclaw-agents-targeted-with-341-malicious-clawhub-skills

[20] Consortium Security. "Security Advisory: OpenClaw/Moltbot AI Agents." February 2026. https://consortium.net/blog/security-advisory-openclaw-moltbot-ai-agents

[21] IBM Think. "OpenClaw, Moltbook and the future of AI agents." February 2026. https://www.ibm.com/think/news/clawdbot-ai-agent-testing-limits-vertical-integration

[22] Cisco Blogs. "Building Trust in AI Agent Ecosystems." January 2026. https://blogs.cisco.com/news/building-trust-in-ai-agent-ecosystems

[24] "Agent Skills in the Wild: An Empirical Study of Security Vulnerabilities at Scale." arXiv:2601.10338. January 2026. https://arxiv.org/abs/2601.10338

[25] Semgrep. "Calling Back to vm2 and Escaping Sandbox." January 2026. https://semgrep.dev/blog/2026/calling-back-to-vm2-and-escaping-sandbox/ | Also: Endor Labs CVE-2026-22709 https://www.endorlabs.com/learn/cve-2026-22709-critical-sandbox-escape-in-vm2-enables-arbitrary-code-execution

[26] McCarty, Paul (6mile). https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto