Reading time: 9 minutes | Last updated: March 23, 2026 | Category: Security Guides

OpenClaw Security Audit Failed? Run These Commands First

Last Updated: March 9, 2026 | By T.O. Mercer | 9 min read

Security researchers just found 341 malicious skills on ClawHub stealing data from OpenClaw users. Before that, they found 1,800+ exposed installations. And CVE-2026-25253 allows one-click remote code execution via Cross-Site WebSocket Hijacking.

If you're running OpenClaw, you need to audit your installation. Now.

This guide goes beyond the checklist. If your audit output flagged trusted_proxies_missing, control_ui.insecure_auth, or gateway.nodes.deny_commands_ineffective, scroll down to the section that matches your warning. Each one has an exact fix.

Table of Contents

  1. TL;DR: The 11-Step Checklist
  2. Safe vs. Compromised: Quick Reference
  3. Step 1: Run the Built-In Audit
  4. Step 2: Verify Node.js Version
  5. Step 3: Audit Installed Skills
  6. Step 4: Check Network Exposure
  7. Step 5: Disable mDNS Broadcasting
  8. Step 6: Check Credential Storage Permissions
  9. Step 7: Audit OAuth Tokens
  10. Step 8: Fix Reverse Proxy Misconfigurations
  11. Step 9: Harden Docker Deployment
  12. Step 10: Enable Human-in-the-Loop
  13. Step 11: Remediate and Rotate
  14. If You Find Problems
  15. FAQ

TL;DR: The 11-Step Security Checklist

  1. Run openclaw security audit --deep
  2. Verify Node.js version (22.12.0+)
  3. Audit installed skills for ClawHavoc malware
  4. Check network binding (localhost only)
  5. Disable mDNS broadcasting
  6. Review credential storage permissions
  7. Audit OAuth tokens
  8. Fix reverse proxy misconfigurations
  9. Harden Docker deployment
  10. Enable human-in-the-loop approvals
  11. Rotate all credentials

OpenClaw Security Audit: Complete CLI Command Reference

Every command you need in one place. Run these in order for a full audit.

Core audit commands

$ openclaw security audit
$ openclaw security audit --deep
$ openclaw security audit --deep --fix

Check Node.js version

$ node --version
# Must be v22.12.0 or later. Older versions have known vulnerabilities.

Audit installed skills

$ ls ~/.openclaw/skills/
$ openclaw skills list --show-permissions

Check credential storage permissions

$ ls -la ~/.openclaw/credentials/
$ chmod 600 ~/.openclaw/credentials/*
# Files should show -rw------- not -rw-r--r--

Check network exposure

$ netstat -an | grep 3000
# Should show 127.0.0.1:3000 not 0.0.0.0:3000

Disable mDNS broadcasting

$ export OPENCLAW_DISABLE_BONJOUR=1
# Add to ~/.bashrc or ~/.zshrc to make permanent

Audit OAuth tokens

$ openclaw auth list
$ openclaw auth revoke --all
# Revoke all tokens then re-authenticate only what you need

Docker hardening (one command)

$ docker run --cap-drop ALL --read-only \
  --network none --user 1000:1000 openclaw

Full explanation for each step is below. Use Ctrl+F to jump to any warning code.

Safe vs. Compromised: Quick Reference

| Configuration | Safe | Compromised |
|---|---|---|
| Network Binding | 127.0.0.1 | 0.0.0.0 |
| Node.js Version | v22.12.0+ | < v22.12.0 |
| Skills | Verified authors only | Typosquats (clawhubb, clawhub1) |
| mDNS | Disabled | Enabled (broadcasting your paths) |
| Credentials | Encrypted / Secrets manager | Plaintext with world-readable permissions |
| Authentication | Gateway tokens + OAuth | dangerouslyDisableDeviceAuth: true |
| Browser Tabs | Closed when not in use | Open (vulnerable to CVE-2026-25253) |

If any of your settings matches the "Compromised" column, stop and fix it before continuing.

Step 1: Run the Built-In Audit

openclaw security audit --deep

The --deep flag does more than the standard audit. It:

  • Performs a live Gateway probe to detect exposed endpoints
  • Checks browser control exposure (remote CDP endpoints, relay ports)
  • Scans for permission issues and symlink attacks
  • Validates plugin allowlists
  • Flags legacy model configurations

Standard audit catches surface issues. Deep audit catches the misconfigurations attackers actually exploit.

What Does openclaw security audit --fix Actually Do?

The --fix flag tells OpenClaw to automatically remediate the issues it finds, where it safely can. It does not fix everything; some changes require manual review. Here is exactly what it touches and what it leaves alone.

What --fix remediates automatically

  • Credential file permissions: resets ~/.openclaw/credentials/* to chmod 600 if they are too permissive
  • Plugin allowlist enforcement: disables plugins not on the approved allowlist (plugins.allow)
  • mDNS broadcasting: sets OPENCLAW_DISABLE_BONJOUR=1 if mDNS is detected as active
  • Insecure auth flag: removes control_ui.insecure_auth from config if present
  • Legacy model configs: strips deprecated model configuration entries that expose attack surface

What --fix does NOT touch

  • OAuth tokens: never auto-revokes. You must run openclaw auth revoke --all manually
  • Node.js version: cannot upgrade your runtime. You fix this yourself
  • Network binding: does not change whether OpenClaw binds to 0.0.0.0 vs 127.0.0.1
  • trusted_proxies_missing: requires manual gateway.yaml edit. See Step 8 below
  • Docker configuration: never modifies your container setup

The right command sequence

# Step 1: See everything that needs fixing
openclaw security audit --deep

# Step 2: Let OpenClaw fix what it safely can
openclaw security audit --deep --fix

# Step 3: Review the output: anything still flagged needs manual attention
# Follow the steps below for each remaining warning

Running --fix without --deep first is a mistake. The deep scan surfaces issues the standard audit misses. Always run deep first, then fix.

What the Warning Codes Mean

If your audit output includes any of the following, here is exactly what they mean and how to fix them:

trusted_proxies_missing: Your gateway.yaml has no trustedProxies configured. Without this, OpenClaw treats all reverse-proxied traffic as coming from localhost, which means any internet user can bypass authentication if you are running behind Nginx or another proxy. Fix: add your proxy subnet to the config (see Step 8 below).

control_ui.insecure_auth: dangerouslyDisableDeviceAuth is set to true in your config. This completely disables device authentication on the control UI, allowing unauthenticated requests to control your installation. Fix: set dangerouslyDisableDeviceAuth: false immediately. There is no safe reason to leave this on.

gateway.nodes.deny_commands_ineffective: Your denyCommands list is configured but not being enforced due to a misconfiguration in the node trust policy. Commands you think are blocked can still execute. Fix: verify your node policy section in gateway.yaml and ensure requireApproval: true is set for bash and filesystem tools (see Step 10).

If the audit returns other warnings, fix them before proceeding.

Step 2: Verify Node.js Version

OpenClaw requires Node.js 22.12.0 or later. Older versions have critical vulnerabilities:

  • CVE-2025-59466: async_hooks stack overflow that bypasses error handlers. This vulnerability can crash the server even with try/catch blocks in place, causing unrecoverable DoS.
  • CVE-2026-21636: Permission model bypass that allows attackers to escape Node.js sandboxing.

node --version
# Must be v22.12.0 or later

If you are running an older version, update immediately. The permission model bypass is actively exploited.

Step 3: Audit Installed Skills

Koi Security found 341 malicious skills on ClawHub. This campaign, dubbed ClawHavoc, specifically targets macOS and Windows users with the Atomic Stealer (AMOS) malware. The skills masquerade as legitimate tools but install info-stealers that grab API keys, wallet credentials, SSH keys, and browser passwords.

Check your installed skills:

ls ~/.openclaw/skills/

Hall of Shame: Known Malicious Skills

| Category | Malicious Skill Names |
|---|---|
| ClawHub Typosquats | clawhub, clawhub1, clawhubb, clawhubcli, clawwhub, cllawhub |
| Crypto Tools | solana-wallet-tracker, polymarket-trader, polymarket-pro, polytrading, ethereum-gas-tracker, lost-bitcoin-finder |
| YouTube Fakes | youtube-summarize, youtube-summarize-pro, youtube-thumbnail-grabber, youtube-video-downloader |
| Auto-Updaters | auto-updater-agent, update, updater |
| Google Workspace | Fake Gmail, Calendar, Sheets, Drive integrations |
| Finance/Social | yahoo-finance-pro, x-trends-tracker |

Red flags:

  • Skills asking you to run "prerequisite" installation scripts (especially from glot.io)
  • Skills with names similar to popular tools
  • Skills you don't remember installing
  • Any skill from a publisher less than 1 week old

If suspicious: Remove immediately and rotate any credentials it may have accessed.
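
A scripted version of this check, added here as an example (it is not part of OpenClaw or the original post): it flags skills whose names appear in the Hall of Shame table and skills whose files reference glot.io. It assumes each entry under the skills directory is named after the skill it contains.

```bash
#!/usr/bin/env bash
# Added example: flag installed skills that match this guide's red flags.
# Assumption: each entry under the skills directory is named after the skill.

# Names copied from the "Hall of Shame" table in this guide.
KNOWN_BAD="clawhub clawhub1 clawhubb clawhubcli clawwhub cllawhub
solana-wallet-tracker polymarket-trader polymarket-pro polytrading
ethereum-gas-tracker lost-bitcoin-finder youtube-summarize
youtube-summarize-pro youtube-thumbnail-grabber youtube-video-downloader
auto-updater-agent update updater yahoo-finance-pro x-trends-tracker"

# Print "<skill><TAB><reason>" for every suspicious skill under $1.
flag_skills() {
  local dir="${1:-$HOME/.openclaw/skills}" path name bad
  [ -d "$dir" ] || return 0
  for path in "$dir"/*; do
    [ -e "$path" ] || continue          # empty directory: glob did not match
    name=$(basename "$path" | tr '[:upper:]' '[:lower:]')
    for bad in $KNOWN_BAD; do
      if [ "$name" = "$bad" ]; then
        printf '%s\t%s\n' "$name" "known-malicious name"
      fi
    done
    # Red flag from the guide: "prerequisite" installers hosted on glot.io.
    if grep -rIqi 'glot\.io' "$path" 2>/dev/null; then
      printf '%s\t%s\n' "$name" "references glot.io"
    fi
  done
}

flag_skills "$@"
```

No output means nothing matched these two red flags; it does not cover the publisher-age or "don't remember installing" checks, which still need a manual look.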

Step 4: Check Network Exposure

OpenClaw should never be exposed to the public internet. Ever.

# Check what's listening
netstat -tlnp | grep openclaw

| Result | Status |
|---|---|
| 127.0.0.1:port | Safe (localhost only) |
| 0.0.0.0:port | Compromised (exposed to network) |

If exposed, fix immediately:

# gateway.yaml
gateway:
  host: "127.0.0.1"  # Never 0.0.0.0
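
An added example, not from the original post or the OpenClaw project: it classifies listening sockets from netstat -an output and goes slightly beyond the table above by also treating the IPv6 wildcard (:::port) and the BSD/macOS form (*.port) as exposed. The sample lines are constructed, and 3000 is the port used in the command reference above.

```bash
#!/usr/bin/env bash
# Added example: classify listening sockets on one port from `netstat -an` output.

# Read netstat lines on stdin; print "<verdict><TAB><local address>" for port $1.
classify_listeners() {
  awk -v port="${1:-3000}" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      addr = $4
      # Port follows the last ":" (Linux) or "." (macOS/BSD netstat).
      at = match(addr, /[:.][0-9]+$/)
      if (!at || substr(addr, at + 1) != port) next
      host = substr(addr, 1, at - 1)
      if (host ~ /^127\./ || host == "::1") {
        verdict = "loopback"
      } else if (host == "0.0.0.0" || host == "::" || host == "*") {
        verdict = "all-interfaces"
      } else {
        verdict = "non-loopback"
      }
      print verdict "\t" addr
    }'
}

# Constructed sample output (not captured from a real host).
sample_netstat() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::3000                 :::*                    LISTEN
tcp        0      0 192.168.1.20:3000       192.168.1.7:51122       ESTABLISHED
EOF
}

sample_netstat | classify_listeners 3000
# Live system: netstat -an | classify_listeners 3000
```

Anything other than a loopback verdict on the gateway port means the host: "127.0.0.1" setting is not in effect.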

Step 5: Disable mDNS Broadcasting

By default, OpenClaw broadcasts your install path, SSH availability, and hostname to everyone on your local network.

What gets broadcast:

  • cliPath: Full filesystem path (reveals username and install location)
  • sshPort: SSH availability
  • displayName: Your hostname

This is reconnaissance gold for attackers.

Disable it:

# gateway.yaml
mdns:
  enabled: false

Or set the environment variable:

export OPENCLAW_DISABLE_BONJOUR=1

Step 6: Check Credential Storage Permissions

OpenClaw stores credentials in ~/.openclaw/credentials/ unencrypted by default.

Check permissions:

ls -l ~/.openclaw/credentials/

| Permission | Meaning | Risk Level |
|---|---|---|
| -rw------- | Owner only | Acceptable |
| -rw-r--r-- | World-readable | Critical |
| -rw-rw-r-- | Group + world readable | Critical |

If you see that last r (world-readable), any user on your system can read your credentials.

Fix permissions:

chmod 600 ~/.openclaw/credentials/*
chmod 700 ~/.openclaw/credentials/

Better solution: Move credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) or encrypt the directory.
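
The same check as a script, added as an example rather than taken from OpenClaw: it reports the directory or any credential file that grants group or other permissions, includes dotfiles that the credentials/* glob skips, and lists symlinks, because chmod on a symlink changes the file it points to.

```bash
#!/usr/bin/env bash
# Added example: report credential files that anyone but the owner can access.

# Print the group+other permission characters of a path, e.g. "r--r--".
group_other_bits() {
  ls -ld "$1" | cut -c5-10
}

# Print "<finding><TAB><path>" lines for the credentials directory in $1.
audit_credentials() {
  local dir="${1:-$HOME/.openclaw/credentials}" f
  [ -d "$dir" ] || return 0

  # The directory itself should be 700 (drwx------).
  [ "$(group_other_bits "$dir")" = "------" ] || printf 'dir-too-open\t%s\n' "$dir"

  # "$dir"/* skips dotfiles, so match them explicitly as well.
  for f in "$dir"/* "$dir"/.[!.]*; do
    if [ -L "$f" ]; then
      # chmod follows symlinks: "chmod 600 credentials/*" would change the target.
      printf 'symlink\t%s -> %s\n' "$f" "$(readlink "$f")"
    elif [ -f "$f" ]; then
      # Files should be 600 (-rw-------).
      [ "$(group_other_bits "$f")" = "------" ] || printf 'file-too-open\t%s\n' "$f"
    fi
  done
}

audit_credentials "$@"
```

Review any symlink finding by hand before running the chmod commands above.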

Step 7: Audit OAuth Tokens

Check which services OpenClaw has access to:

  • Google (Gmail, Calendar, Drive)
  • Slack
  • Discord
  • WhatsApp
  • Telegram
  • Any other connected services

For each service:

  1. Go to the service's security settings
  2. Review connected applications
  3. Revoke tokens you don't recognize or no longer need

Even after removing OpenClaw, OAuth tokens remain active until explicitly revoked.

After revoking OAuth tokens, generate new credentials for every affected service. Use a 16-character password generator that runs client-side; do not use any cloud-based generator when rotating compromised credentials.

Step 8: Fix Reverse Proxy Misconfigurations

This mistake is common and catastrophic.

OpenClaw auto-approves connections from localhost. If you put Nginx or another reverse proxy in front of it, the gateway sees all requests as coming from localhost.

The problem:

Internet → Nginx → OpenClaw Gateway
                   ↓
            Sees: 127.0.0.1
            Thinks: Trusted local user
            Reality: Anyone on the internet

This is exactly what the trusted_proxies_missing audit warning flags. If you saw that in your output, here is the fix:

# gateway.yaml
gateway:
  trustedProxies:
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "192.168.0.0/16"
  controlUi:
    dangerouslyDisableDeviceAuth: false  # Never set true

If you must expose OpenClaw externally, use Tailscale or WireGuard. Never expose it directly.

Security Tip: Always close your OpenClaw browser tab when not in use. CVE-2026-25253 is a Cross-Site WebSocket Hijacking (CSWSH) flaw that allows malicious websites to steal your OpenClaw auth token if the UI is open in another tab. This enables the "1-Click RCE" attacks referenced in recent security advisories.

Step 9: Harden Docker Deployment

If running in Docker, use these security flags:

docker run \
  --cap-drop ALL \
  --security-opt no-new-privileges \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid,size=100m \
  --network none \
  --memory 2g \
  --cpus 2 \
  --pids-limit 100 \
  --user 1000:1000 \
  -v /path/to/workspace:/workspace:ro \
  openclaw-image

| Flag | Purpose |
|---|---|
| --cap-drop ALL | Remove all Linux capabilities |
| --security-opt no-new-privileges | Prevent privilege escalation |
| --read-only | Immutable filesystem |
| --network none | Network isolation (if not needed) |
| --user 1000:1000 | Run as non-root |

Never run OpenClaw containers as root.

Step 10: Enable Human-in-the-Loop

For sensitive actions, require manual approval. This also resolves the gateway.nodes.deny_commands_ineffective warning if your node trust policy was misconfigured:

# Require approval for dangerous operations
tools:
  bash:
    requireApproval: true
  filesystem:
    requireApproval: true

This prevents the AI from executing destructive commands without your explicit consent.

Step 11: Remediate and Rotate

After completing the audit, rotate every credential OpenClaw had access to.

This isn't optional. If any misconfiguration existed, assume those credentials are compromised.

What to rotate:

  • Passwords for connected accounts
  • API keys
  • OAuth tokens
  • SSH keys (if exposed)
  • Any secrets stored in the credentials directory

Doing this manually across dozens of accounts is a nightmare. A password manager generates unique credentials for every service and tracks what needs rotation.

If You Find Problems

  1. Stop the Gateway until you understand what happened
  2. Rotate all credentials the bot had access to
  3. Revoke OAuth tokens for connected services
  4. Remove suspicious skills and scan for malware
  5. Check for unauthorized activity in your connected accounts
  6. Consider uninstalling if you can't commit to ongoing hardening

The Bottom Line

OpenClaw is powerful. That power makes it a target.

Run openclaw security audit --deep today. Check your installed skills against the Hall of Shame. Lock down network exposure. And rotate everything.

Security is not optional with this tool.


Frequently Asked Questions

What does openclaw security audit --deep do?

The --deep flag performs a comprehensive scan beyond the standard audit. It runs a live Gateway probe to detect exposed endpoints, checks browser control exposure (remote CDP endpoints and relay ports), scans for permission issues and symlink attacks, validates plugin allowlists, and flags legacy model configurations that may be insecure.

How do I fix the trusted_proxies_missing warning?

The trusted_proxies_missing warning means your gateway.yaml has no trustedProxies configured. Without it, OpenClaw treats all reverse-proxied traffic as localhost, which lets internet users bypass authentication if you're behind Nginx or another proxy. Add your proxy subnet to gateway.yaml under gateway.trustedProxies. See Step 8 for the exact config block.

What does control_ui.insecure_auth mean?

control_ui.insecure_auth means dangerouslyDisableDeviceAuth is set to true in your config. This disables device authentication on the control UI entirely, so any unauthenticated request can control your OpenClaw installation. Set dangerouslyDisableDeviceAuth: false immediately. There is no legitimate reason to leave this enabled in production.

What does gateway.nodes.deny_commands_ineffective mean?

gateway.nodes.deny_commands_ineffective appears when your denyCommands list is configured but not enforced due to a misconfiguration in the node trust policy. Commands you believe are blocked can still execute. To fix it, check your node policy section in gateway.yaml and set requireApproval: true for bash and filesystem tools.

How do I know if a ClawHub skill is malicious?

Red flags include: skills asking you to run "prerequisite" installation scripts (especially ones hosted on glot.io or similar), skills with names similar to popular tools (typosquats like "clawhubb" instead of "clawhub"), skills from publishers with accounts less than one week old, and skills you don't remember installing. The ClawHavoc campaign identified by Koi Security targets cryptocurrency, YouTube, and Google Workspace users with Atomic Stealer malware.

Should I uninstall OpenClaw?

If you can't commit to proper security hardening and ongoing audits, yes. OpenClaw requires technical expertise to run safely. For most users, the risks outweigh the benefits. See our complete uninstall guide.

What CVEs affect OpenClaw?

Three critical CVEs affect OpenClaw installations:

  • CVE-2025-59466: async_hooks stack overflow causing unrecoverable DoS (crashes even with try/catch)
  • CVE-2026-21636: Permission model bypass allowing sandbox escape
  • CVE-2026-25253: Cross-Site WebSocket Hijacking enabling one-click RCE

Node.js 22.12.0 or later is required to mitigate the first two vulnerabilities. For CVE-2026-25253, always close your OpenClaw browser tab when not in use.

Are my credentials safe after uninstalling OpenClaw?

No. OAuth tokens remain active until explicitly revoked. Even after uninstalling, you must go to each connected service (Google, Slack, Discord, WhatsApp, etc.) and revoke OpenClaw's access tokens manually.


T.O. Mercer | SafePasswordGenerator.net
