OpenClaw Security Best Practices: What You Need to Know (2026)

OpenClaw Security: What You Actually Need to Know

OpenClaw is the most popular open-source AI agent in the world right now. 250,000+ GitHub stars. Every second developer I meet in Sydney has tried it or is about to.

But the security story is complicated, and most of the tutorials skip right past it.

I'm not here to scare you off OpenClaw. I use it myself. But I use it carefully, and if you're going to deploy it anywhere near business data, you need to understand the risk surface.

What's Actually Happened

Cisco's findings: Cisco's AI security research team tested third-party OpenClaw skills and found data exfiltration and prompt injection happening without user awareness. The skill repository lacked adequate vetting to prevent malicious submissions. This isn't theoretical — they demonstrated active exploitation.

China's response: Chinese authorities restricted state-run enterprises and government agencies from running OpenClaw on office computers. Whether you agree with the approach, it signals how seriously governments are taking the risk.

The fundamental issue: OpenClaw's power comes from its skills system — modular capabilities that anyone can write and share. That same openness means a malicious skill can read your messages, exfiltrate data, or inject prompts that change the agent's behaviour. The agent runs with whatever permissions you give it, and most users give it broad access.

The Risks, Plainly

1. Third-party skill trust When you install a community skill, you're giving it access to everything OpenClaw can touch. There's no sandboxing, no permission system, no code review process for the public skill repository (at least not yet). Read the SKILL.md before installing anything. Read the actual code if you can. If you can't read the code, don't install the skill.

2. Data flow transparency OpenClaw sends your prompts and data to whichever LLM provider you've configured — Claude, OpenAI, DeepSeek. Your data leaves your machine and goes to their servers. For personal use, that's probably fine. For business data subject to Australian privacy regulations, you need to understand what you're sending and where it goes.

3. Messaging platform exposure Your OpenClaw conversations live on the messaging platform you're using — WhatsApp, Signal, Telegram. Your agent's responses, which may contain sensitive information, are stored in that platform's infrastructure. Think about what that means for data residency and retention.

4. Prompt injection If your agent processes content from untrusted sources (emails, web pages, documents from unknown senders), that content can include instructions that manipulate the agent's behaviour. This is the prompt injection problem, and it's not solved at the OpenClaw level.

My Recommendations

For personal use: Go for it. Stick to official skills, run it on a dedicated device or VM, and don't feed it anything you wouldn't post publicly. The productivity gain is real and the risk at this level is manageable.

For small business: Proceed carefully. Audit every skill. Use read-only tasks first (summarisation, research). Separate your business agent from your personal agent. Don't connect it to systems containing customer data until the security model matures.

For enterprise: Not yet. The security model isn't mature enough for environments with compliance requirements. Wait for proper skill sandboxing, permission systems, and audit logging. Or build your own agent infrastructure with Claude Code where you control the security boundary.

What I Use Instead (For Sensitive Work)

For anything touching client data or production systems, I use Claude Code directly. The difference is control:

• I define exactly what tools the agent can access (via MCP configuration)
• I control the execution environment
• I can audit every tool call and file access
• There's no third-party skill repository in the trust chain

OpenClaw is convenient. Claude Code is controllable. For business-critical work, I'll take control over convenience every time.

The Future

OpenClaw's maintainers are aware of these issues. The project is evolving rapidly. Proper permission systems, skill vetting, and sandboxing are all on the roadmap (or being worked on by the community).

I'll update this guide as the security model matures. For now, use OpenClaw with your eyes open and your risk tolerance calibrated.

Questions about deploying AI agents safely in your business? Get in touch →