OpenClaw Security
OpenClaw’s security track record in early 2026 has been challenging. Microsoft, CrowdStrike, Kaspersky, and Sophos have all published advisories. Here’s what happened and how Curate-Me addresses every known attack vector.
The Security Landscape
| Event | Date | Severity | Source |
|---|---|---|---|
| CVE-2026-25253 — One-click RCE via WebSocket hijacking | Jan 2026 | CVSS 8.8 | NVD |
| 512 vulnerabilities in security audit (8 critical) | Jan 2026 | Critical | Independent audit |
| 341 malicious ClawHub skills (ClawHavoc campaign) | Feb 2026 | High | Security researchers |
| 42,665 publicly exposed instances | Feb 2026 | High | Shodan scan |
| OpenClaw creator joins OpenAI — project to foundation | Feb 14, 2026 | Governance risk | Official announcement |
Our Security Architecture
Layer 1: Sandbox Isolation
Every agent session runs in an isolated sandbox with one of four access tiers:
| Tier | Filesystem | Network | Use Case |
|---|---|---|---|
| READ_ONLY | Read project files, write only /tmp | None during execution | Analysis, reporting |
| WRITE_RESTRICTED | Explicit path patterns only | Allowlisted domains only | Controlled automation |
| WRITE_PROJECT | Anywhere in project tree | Bridge network | Development tasks |
| FULL_ACCESS | Unrestricted | Full network | Trusted admin only |
Deny patterns (always blocked, regardless of tier):
- .env, .env.* — Environment files with secrets
- *.pem, *.key — Cryptographic keys
- .git/config — Git credentials
- ~/.ssh/* — SSH keys
- ~/.aws/* — AWS credentials
Writes are tracked per session at byte level, with configurable size limits. Immutable paths are never writable, regardless of tier.
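The tier and deny-pattern rules above, worked as a path-policy check. This is an added example, not Curate-Me's own code; the home directory, project root and the `/tmp`-only rule for READ_ONLY are assumptions taken from the table, and the deny list is checked before any tier rule so that a WRITE_PROJECT or FULL_ACCESS session still cannot touch secrets.

```python
import fnmatch
import os
from enum import Enum

class Tier(Enum):
    READ_ONLY = 1
    WRITE_RESTRICTED = 2
    WRITE_PROJECT = 3
    FULL_ACCESS = 4

# The deny patterns from the page; they are evaluated before any tier rule.
DENY_PATTERNS = (".env", ".env.*", "*.pem", "*.key", ".git/config", "~/.ssh/*", "~/.aws/*")

def _normalize(path, home):
    # Expand "~" and collapse ".." so "src/../.env" cannot slip past the deny list.
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return os.path.normpath(path)

def is_denied(path, home="/home/agent"):
    norm = _normalize(path, home)
    for pattern in DENY_PATTERNS:
        pat = _normalize(pattern, home)
        if "/" not in pattern and fnmatch.fnmatch(os.path.basename(norm), pat):
            return True  # bare file patterns match at any depth
        if norm == pat or fnmatch.fnmatch(norm, pat):
            return True  # absolute / home-relative patterns
        if not pattern.startswith(("~", "/")) and norm.endswith("/" + pat):
            return True  # relative paths such as .git/config, anywhere in the tree
    return False

def write_allowed(tier, path, project_root="/home/agent/proj", allowed=(),
                  immutable=(), home="/home/agent"):
    """True if a write to `path` is permitted under `tier` (assumed defaults)."""
    norm = _normalize(path, home)
    if is_denied(path, home):
        return False
    if any(norm == _normalize(p, home) or norm.startswith(_normalize(p, home) + "/")
           for p in immutable):
        return False  # immutable paths are never writable, regardless of tier
    if tier is Tier.FULL_ACCESS:
        return True
    root = _normalize(project_root, home)
    if tier is Tier.WRITE_PROJECT:
        return norm == root or norm.startswith(root + "/")
    if tier is Tier.WRITE_RESTRICTED:
        return any(fnmatch.fnmatch(norm, _normalize(p, home)) for p in allowed)
    return norm.startswith("/tmp/")  # READ_ONLY: only /tmp is writable
```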
Layer 2: Network Phase Separation
Agent execution is divided into phases with different network access:
| Phase | Network | Purpose |
|---|---|---|
| SETUP | ON | Install dependencies, git clone, download models |
| EXECUTION | OFF | Agent runs locally — no outbound connections |
| TEARDOWN | ON | Upload artifacts, push results, send notifications |
During the EXECUTION phase, agents cannot make outbound network calls. This prevents:
- Data exfiltration to attacker-controlled servers
- C2 (command & control) communication
- Cryptocurrency mining pool connections
- Unauthorized API calls
Four access levels per phase: FULL, ALLOWLIST_ONLY, LOCAL_ONLY, NONE.
Domain and port filtering available in allowlist mode.
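The phase table and the four access levels, worked as a connection-policy decision. This is an added example rather than the project's implementation; the default phase-to-level mapping that reproduces the ON/OFF column, the loopback test for LOCAL_ONLY, and the port set for allowlist mode are assumptions. Allowlist matching accepts a listed domain and its subdomains only, so a look-alike host whose name merely ends in the allowed string is rejected.

```python
import ipaddress
from enum import Enum

class Phase(Enum):
    SETUP = "SETUP"
    EXECUTION = "EXECUTION"
    TEARDOWN = "TEARDOWN"

class Access(Enum):
    FULL = "FULL"
    ALLOWLIST_ONLY = "ALLOWLIST_ONLY"
    LOCAL_ONLY = "LOCAL_ONLY"
    NONE = "NONE"

# Assumed default mapping that reproduces the ON / OFF / ON column of the phase table.
DEFAULT_POLICY = {
    Phase.SETUP: Access.FULL,
    Phase.EXECUTION: Access.NONE,
    Phase.TEARDOWN: Access.FULL,
}

def _is_local(host):
    # LOCAL_ONLY: loopback names and addresses only (assumed definition).
    if host in ("localhost", "localhost."):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def _domain_allowed(host, allowed_domains):
    host = host.rstrip(".").lower()
    for d in allowed_domains:
        d = d.rstrip(".").lower()
        # Exact match or a real subdomain; "evil-example.com" must not match "example.com".
        if host == d or host.endswith("." + d):
            return True
    return False

def connect_allowed(phase, host, port, policy=DEFAULT_POLICY,
                    allowed_domains=(), allowed_ports=(443,)):
    """Decide one outbound connection for the given phase; unknown phases fail closed."""
    level = policy.get(phase, Access.NONE)
    if level is Access.NONE:
        return False
    if level is Access.FULL:
        return True
    if level is Access.LOCAL_ONLY:
        return _is_local(host)
    # ALLOWLIST_ONLY: both the domain and the port have to be listed
    return _domain_allowed(host, allowed_domains) and port in allowed_ports
```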
Layer 3: PII & Secrets Scanning
Every LLM request is scanned for sensitive content before it reaches the provider:
14 built-in patterns, including:
- Social Security Numbers (SSN)
- Credit card numbers (Luhn validation)
- API keys (OpenAI, Anthropic, AWS, Stripe, etc.)
- Email addresses
- Phone numbers
- IBAN / VAT numbers (EU compliance)
- Passport numbers
- Medication dosages (EU AI Act)
Presidio NER integration (feature-flagged):
- Named entity recognition for PII that regex misses
- Person names, addresses, medical records
- Configurable confidence threshold
When PII is detected:
- allow — Log finding, forward request (audit trail only)
- block — Deny request, return governance error
- needs_approval — Queue for human review (HITL)
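The scan-then-decide flow of Layer 3, as an added example that is not the product's ruleset: a constructed subset of the built-in patterns, the Luhn check that keeps 16-digit order numbers from being reported as card numbers, and a per-pattern policy that resolves to allow, block or needs_approval. The key-format regexes and the fail-closed default for an unconfigured pattern are assumptions.

```python
import re

# A constructed subset of the page's 14 built-in patterns (added example, not the product's ruleset).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),  # assumed key shape
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def luhn_ok(candidate):
    """Luhn check so that 16-digit order numbers are not reported as cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan(text):
    """Return (pattern_name, matched_text) findings for one LLM request."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "credit_card" and not luhn_ok(m.group()):
                continue  # digits that fail Luhn are not a card number
            findings.append((name, m.group()))
    return findings

def govern(text, policy):
    """policy maps pattern name -> 'allow' | 'block' | 'needs_approval'.
    Returns (action, findings); an unconfigured pattern fails closed to 'block'."""
    findings = scan(text)
    actions = {policy.get(name, "block") for name, _ in findings}
    if "block" in actions:
        return "block", findings
    if "needs_approval" in actions:
        return "needs_approval", findings
    return "allow", findings  # finding is logged for the audit trail, request forwarded
```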
Layer 4: Human-in-the-Loop (HITL)
High-cost or sensitive operations require human approval:
| Trigger | Default Threshold | Configurable |
|---|---|---|
| Cost > threshold | $10/request | Yes |
| External API calls | Always | Yes |
| File deletions | Always | Yes |
| Git push | Always | Yes |
| New skill installation | CAUTION-rated | Yes |
Approval queues are visible in the dashboard with SLA tracking; pending requests are auto-denied after a configurable timeout (default: 24 hours).
CVE Protection
Curate-Me tracks all known OpenClaw CVEs and enforces a minimum version floor:
MIN_SUPPORTED_VERSION = "2026.3.7" # Updated after each CVE disclosure
Runners below the minimum version:
- Cannot start new sessions
- Show CVE exposure warnings in the dashboard
- Are flagged for auto-upgrade in the next maintenance window
The Security Posture dashboard (/runners/security) shows:
- CVE exposure per runner
- CVSS scores and severity
- Affected vs patched status
- One-click auto-patch button
- Remediation history
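The version floor and the per-runner exposure view, worked as an added example that is not Curate-Me's code. MIN_SUPPORTED_VERSION, CVE-2026-25253 and its CVSS 8.8 come from the page; the fixed-in versions and the second CVE entry are labelled placeholders. The point a practitioner should take from it is that versions must be compared numerically, since a plain string comparison ranks "2026.3.10" below "2026.3.7".

```python
from typing import NamedTuple

MIN_SUPPORTED_VERSION = "2026.3.7"  # value from the page

def parse_version(v):
    # Numeric tuple so that 2026.3.10 sorts after 2026.3.7; string comparison gets this wrong.
    return tuple(int(p) for p in v.strip().split("."))

class Cve(NamedTuple):
    cve_id: str
    cvss: float
    fixed_in: str

# CVE-2026-25253 and its CVSS are from the page; fixed_in values and the
# second entry are constructed placeholders for the example.
KNOWN_CVES = (
    Cve("CVE-2026-25253", 8.8, "2026.2.0"),
    Cve("CVE-PLACEHOLDER-1", 7.5, "2026.3.7"),
)

def exposure(version, cves=KNOWN_CVES):
    """CVEs whose fix landed after the runner's version."""
    v = parse_version(version)
    return [c for c in cves if v < parse_version(c.fixed_in)]

def runner_status(version, minimum=MIN_SUPPORTED_VERSION, cves=KNOWN_CVES):
    """The facts the Security Posture dashboard shows for one runner."""
    below_floor = parse_version(version) < parse_version(minimum)
    exposed = exposure(version, cves)
    return {
        "can_start_sessions": not below_floor,
        "cve_exposure": [c.cve_id for c in exposed],
        "max_cvss": max((c.cvss for c in exposed), default=0.0),
        "status": "affected" if exposed else "patched",
        "flag_for_auto_upgrade": below_floor,
    }
```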
Incident Prevention Map
| Known Attack | How We Block It |
|---|---|
| CVE-2026-25253 (RCE) | Network phase separation blocks outbound during execution |
| Docker sandbox escape | 4-tier sandbox with deny patterns prevents host access |
| ClawHavoc malicious skills | ClawHavoc-hardened scanner with VirusTotal + YARA rules |
| 42,665 exposed instances | Agents run behind gateway auth — zero public surface |
| Runaway agent purchases | HITL approval queues for high-cost operations |
| API key / PII leakage | PII scanning intercepts secrets before they reach providers |
Security Score
The Security Posture dashboard calculates an aggregate score (0-100) based on:
- CVE exposure (are all runners patched?)
- Skill scan coverage (are all installed skills scanned?)
- Policy compliance (are governance policies configured?)
- Patch currency (is the OpenClaw version current?)
Trend tracking over 30 days shows whether your security posture is improving.
Compliance
- Immutable audit trail for every agent action
- Export formats: JSON, PDF
- SOC 2 compatible log structure (Enterprise plan)
- GDPR: Data residency options, PII scanning, right to deletion
- EU AI Act: Medication dosage scanning, VAT/IBAN detection