OpenClaw Security Audit
Nine security vulnerabilities ship active in every default OpenClaw installation. How many are open in yours?
89% of audited deployments had at least five of the nine documented vulnerabilities still active. 34% had all nine. Your agent has access to customer databases, CRM, payment data — and the locks have not been updated since launch.
The Nine Doors Nobody Closed
Every one of these vulnerabilities ships active in every default OpenClaw installation. Closing them requires specific configuration steps. Most deployments never take them.
Unauthenticated API Endpoint Exposure
Every OpenClaw agent exposes an API endpoint for receiving external queries. In the default configuration, that endpoint requires no authentication. Anyone who knows the URL can send queries to your agent without credentials. Competitors can extract configuration information. Bad actors can probe your connected systems. External parties run up your API bill.
Insufficient Permission Scoping
When you connect OpenClaw to your business tools, the default OAuth configuration grants access at the broadest available permission level. An agent that only needs to read from a spreadsheet gets write access. An agent that only needs to send emails gets access to read, send, delete, and manage your entire inbox. If the agent is ever compromised, it has access to far more than it should.
Default Credential Configurations
The OpenClaw admin panel ships with default credentials documented in the public installation guide. Among audited deployments, 31% still had the default admin credentials active. Default credentials are the first thing automated scanning tools try. They are found, and they are used.
Unencrypted Memory Storage
OpenClaw's memory layer writes to a local SQLite database in plain text by default. Any past conversation your agent has had — including customer data, personal information, and business information — sits in a plain text file on the server. If the server is accessed, that file is immediately readable without any decryption step.
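A defender can confirm this condition on disk with a short check. The following is an added example, not OpenClaw code: it flags a store that begins with the standard unencrypted SQLite header and flags the database or its SQLite sidecar files when they are readable beyond the owning account. The file name `memory.db` and the sample row are constructed for illustration.

```python
import os
import sqlite3
import stat

# First 16 bytes of every unencrypted SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"
# SQLite keeps recent page contents in these sidecar files next to the database.
SIDECARS = ("-wal", "-journal")


def audit_memory_store(path):
    """Return a sorted list of findings for one on-disk memory store."""
    findings = set()
    with open(path, "rb") as fh:
        if fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
            findings.add("plaintext-sqlite")
    # The sidecars hold the same plaintext pages, so check their modes too.
    for candidate in [path] + [path + suffix for suffix in SIDECARS]:
        if not os.path.exists(candidate):
            continue
        mode = stat.S_IMODE(os.stat(candidate).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.add("readable-beyond-owner:" + os.path.basename(candidate))
    return sorted(findings)


def build_sample_store(path):
    """Create a constructed memory store holding one fake conversation row."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE memory (role TEXT, content TEXT)")
    con.execute("INSERT INTO memory VALUES ('user', 'constructed sample text')")
    con.commit()
    con.close()
    os.chmod(path, 0o644)  # typical permissive default, used here on purpose
    return path


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        store = build_sample_store(os.path.join(d, "memory.db"))
        for finding in audit_memory_store(store):
            print(finding)
```

A store that is encrypted at rest as a whole file does not begin with this header, so an empty result for the first check is the expected state after remediation.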
Webhook Verification Bypass
The default configuration does not verify that incoming webhooks are actually coming from the services they claim to come from. A malicious actor who knows your webhook endpoint can send fabricated payloads — fake form submissions, fake customer data, fake trigger events — and the agent will process them as legitimate.
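The missing check can be sketched as follows. This is an added example, not OpenClaw code or any particular service's scheme: it assumes the sender signs `timestamp.body` with HMAC-SHA256 under a shared secret, and the header names `X-Signature` and `X-Timestamp`, the secret and the payload are hypothetical.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: reject deliveries older than five minutes

SAMPLE_SECRET = b"constructed-shared-secret"             # constructed value
SAMPLE_BODY = b'{"event":"form.submitted","email":"a@example.com"}'  # constructed


def sign(secret, timestamp, body):
    """Signature the sender is assumed to attach: HMAC-SHA256 over 'timestamp.body'."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, body, now=None):
    """Return (accepted, reason) for one incoming delivery."""
    now = time.time() if now is None else now
    signature = headers.get("X-Signature")   # hypothetical header name
    timestamp = headers.get("X-Timestamp")   # hypothetical header name
    if not signature or not timestamp:
        return False, "missing signature headers"
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False, "malformed timestamp"
    # Freshness window: a captured, validly signed delivery cannot be replayed later.
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign(secret, timestamp, body)
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    ts = str(int(time.time()))
    signed = {"X-Timestamp": ts, "X-Signature": sign(SAMPLE_SECRET, ts, SAMPLE_BODY)}
    print(verify_webhook(SAMPLE_SECRET, signed, SAMPLE_BODY))
    print(verify_webhook(SAMPLE_SECRET, {}, SAMPLE_BODY))
```

The body passed to the check must be the raw bytes received, before any JSON parsing or re-serialization.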
Third-Party Skill Injection Risks
Community-built skills in the OpenClaw ecosystem are not formally audited. A skill that appears to add useful functionality can contain prompts that override your agent's instructions, exfiltrate conversation data to external endpoints, or modify your agent's behavior in ways that are difficult to detect.
Log File Exposure
Default logging configuration captures detailed operational data in verbose mode, stored in a web-accessible directory with no access controls. The logs contain API keys, integration credentials, conversation snippets, and internal system paths. This is one of the first places automated scanning tools look.
Insufficient Rate Limiting
No rate limiting is applied to API endpoints in the default configuration. External parties can send unlimited queries to your agent, unlimited requests to your integrations, and unlimited attempts against your admin panel. Beyond security implications, this is how API costs get driven up externally.
Cross-Agent Communication Vulnerabilities
For businesses running multiple agents, the inter-agent communication protocol uses unvalidated trust by default. If one agent is compromised, it can send instructions to other agents that those agents will treat as authoritative. A breach in one agent propagates to all connected agents.
What the Security Audit Covers
A comprehensive assessment that goes beyond the nine defaults.
Full CVE Check
All open-source dependencies in your deployment scanned against current vulnerability databases.
Permission Review
Minimum-privilege audit across every connected service. Is your agent over-permissioned?
Skill Vetting
Every installed skill reviewed for injection risks, data exfiltration patterns, and behavioral overrides.
Firewall and API Access Review
Network configuration, exposed endpoints, rate limiting, and authentication requirements verified.
What You Receive
Security Report + Remediation Plan
Delivered within one week. A comprehensive, written document covering:
- Full CVE scan results with severity ratings
- Permission scope review with specific over-permissions identified
- Skill vetting results with risk assessments
- Firewall and API access findings
- Prioritized remediation plan with step-by-step instructions
- Security Hardening Report (PDF) as documented proof of clean status post-remediation
The Investment
One-time. Full audit report and written remediation plan within one week.
Guarantee: If the audit does not surface at least 3 specific, addressable security recommendations, the fee is refunded.
In practice: we have never done an audit and found nothing.
Audit slots limited to 4-5 per week due to senior security team time commitment.
Book Your Security Audit
Not sure if you need a full audit? Start with a $297 Health Check — it includes a quick security posture review.
Want ongoing security management? See Managed Operations — security hardening is built into every tier.