OpenClaw audit scores 26/100

- Security researchers and developers spent early 2026 poking at OpenClaw deployments, and the picture was ugly: exposed configs, prompt-injection paths, and unsafe defaults.
- The sharpest numbers are brutal — one public benchmark put OpenClaw at 2/100, while another audit database flagged 41.7% of popular skills.
- This matters beyond one project, because OpenClaw is basically the prototype for agentic AI systems with real tools and real blast radius.

OpenClaw is an autonomous AI agent framework — the kind that can read messages, call tools, browse the web, and sometimes run shell commands on a machine. That is the exciting part. It is also the dangerous part. The recent audits around OpenClaw matter because they show what happens when you bolt broad permissions onto an LLM and then expose it through chat apps, plugins, and web dashboards. The short version is simple: the model is not the main problem. The surrounding system is.

### What is OpenClaw actually doing?

OpenClaw acts like a self-hosted assistant that connects an LLM to outside services and local tools — Discord, Telegram, browser automation, files, process execution, and admin controls. That means a prompt is not just text anymore. A prompt can become an action on a host machine or inside a connected account.

### Why did the audits land so hard?

Because the failures were not subtle. Public writeups and tools around OpenClaw kept hitting the same classes of mistakes: hardcoded API keys, open gateway bindings, weak channel policies, plaintext tokens, and tool permissions that were far broader than they needed to be. The GitHub hardening tool for OpenClaw basically reads like a list of “please do not ship it like this” warnings — bind the gateway to localhost, require strong tokens, avoid open access policies, and never leave keys in config files. (giskard.ai)

### Where does prompt injection fit in?

Prompt injection is the ugly multiplier. If an agent can read untrusted text from the web or from a chat channel, and that agent also has access to tools, then malicious instructions can hitch a ride inside normal-looking content. In OpenClaw’s case, researchers showed that misconfigurations turned that into data leakage, unauthorized tool use, and even account takeover paths. Basically, the model stops being “just a chatbot” and starts acting like a confused sysadmin with too many privileges. (github.com)

### Is this just one bad deployment?
No — that is the uncomfortable part. Different groups looked at different layers and still converged on the same story. Giskard described data leakage and prompt-injection risks in a live deployment. Gerardo Castro’s cloud review found 31 unpatched security updates in an AWS Lightsail blueprint plus a plaintext gateway token and risky execution settings. ClawSecure went even broader and said OpenClaw scored 2/100 on its benchmark, with 41.7% of 2,890+ audited skills showing substantive findings. (giskard.ai)

### Why are skills and plugins such a big deal?

Because they widen the attack surface faster than most people realize. A skill can look like a harmless capability pack, but it may pull in external binaries, API calls, hidden behaviors, or vague permissions. ClawSecure’s audit said 30.6% of audited skills had at least one high or critical issue, and 99.3% shipped without a config file declaring permissions upfront. That is like installing browser extensions that do not tell you what tabs they can read — except these extensions may also run commands. (giskard.ai)

### So what is the real lesson here?

Keep the agent narrow. Keep the permissions narrower. Put the gateway on localhost or behind a VPN. Use tokens. Use allowlists. Treat every connected skill, webhook, and chat surface as untrusted input. And never assume “self-hosted” means “safe by default.” The IBM takeaway is broader than OpenClaw itself — agentic AI is expanding attack surfaces faster than normal security habits are adapting. (clawsecure.ai)

### Does this mean agentic AI is doomed?

Not really. But it does mean the fun demo version and the production-safe version are very different products. OpenClaw made that gap visible. The audits are useful because they show the failure mode in concrete terms — not abstract AI risk, but leaked tokens, loose bindings, unsafe defaults, and tool access that turns bad prompts into real damage. (github.com)

### Bottom line?
OpenClaw is less a one-off scandal than a preview. If an AI agent can act, every permission around it becomes part of the model’s safety story. And right now, that outer layer is where a lot of systems are still failing. (clawsecure.ai) (giskard.ai)
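The hardening checklist the audits keep repeating (loopback bind, strong token, allowlist instead of open policy, no literal keys in the config, skills that declare their permissions) turned into a small config audit. This is an added example, not the OpenClaw hardening tool or its real schema; the JSON key names, the `${VAR}` convention for environment references, and the two sample configs are assumptions made here.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
MIN_TOKEN_LEN = 32
DEFAULT_TOKENS = {"changeme", "admin", "password", "token"}
SECRET_KEY_RE = re.compile(r"api[_-]?key|secret|password", re.IGNORECASE)

def _literal_secrets(node, path=""):
    # Yield paths of secret-looking keys holding a literal rather than an env reference.
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}.{k}" if path else k
            if SECRET_KEY_RE.search(k) and isinstance(v, str) and not v.startswith("${"):
                yield here
            yield from _literal_secrets(v, here)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _literal_secrets(v, f"{path}[{i}]")

def audit(config):
    # Returns (severity, message) findings. Key names are assumed for this example, not OpenClaw's real schema.
    findings = []
    gw = config.get("gateway", {})
    host = gw.get("bind", "0.0.0.0")  # assume the framework defaults to all interfaces
    if host not in LOOPBACK:
        findings.append(("high", f"gateway bound to {host}; use 127.0.0.1 or a VPN"))
    token = gw.get("token") or ""
    if not token:
        findings.append(("critical", "gateway has no auth token"))
    elif len(token) < MIN_TOKEN_LEN or token.lower() in DEFAULT_TOKENS:
        findings.append(("high", "gateway token is short or a well-known default"))
    if gw.get("access_policy", "open") == "open":
        findings.append(("high", "access policy is open; switch to an allowlist"))
    for p in _literal_secrets(config):
        findings.append(("medium", f"literal secret at {p}; load it from the environment"))
    for s in config.get("skills", []):
        if not s.get("permissions"):
            findings.append(("medium", f"skill {s.get('name', '?')} declares no permissions"))
    return findings

# Constructed samples: the demo-grade config beside its hardened counterpart.
WEAK = {"gateway": {"bind": "0.0.0.0", "token": "changeme", "access_policy": "open"},
        "providers": {"openai": {"api_key": "sk-EXAMPLE-NOT-A-REAL-KEY"}},
        "skills": [{"name": "web-browse"}]}
HARDENED = {"gateway": {"bind": "127.0.0.1", "token": "x" * 48, "access_policy": "allowlist"},
            "providers": {"openai": {"api_key": "${OPENAI_API_KEY}"}},
            "skills": [{"name": "web-browse", "permissions": ["net:fetch"]}]}
```

Running `audit(WEAK)` reports every class the writeups named, while `audit(HARDENED)` comes back empty; an absent `gateway` section is treated as the unsafe default, not as "nothing to check".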


Shared from Scout - Be the smartest in the room.