
Mixbit has audited dozens of self-installed OpenClaw instances. The same 7 security gaps show up almost every time. This is not a scare piece. Each gap comes with a specific check you can run right now and a fix you can apply yourself. If you have self-installed OpenClaw for business use, read this today.
OpenClaw runs with access to your email, calendar, CRM, documents, and messaging platforms. That makes it one of the most privileged applications on your server. A security gap in OpenClaw does not just expose the agent. It exposes everything OpenClaw connects to.
The numbers from independent security research tell the story:
These are not theoretical risks. They are documented incidents with CVE numbers and research papers behind them. Most of the 30,000 exposed instances are self-installs where the person who set it up did not know these gaps existed.
Before diving into the 7 gaps, run through this quick diagnostic. Count how many statements are true for your OpenClaw installation:
If 1 to 2 are true, you have fixable gaps. If 3 to 5 are true, your OpenClaw instance needs immediate attention. If 6 or more are true, your setup is exposed to the same vulnerabilities that hit 30,000+ other instances.
Most setup guides tell you to paste your Claude or OpenAI API key directly into OpenClaw's configuration file. That file sits on disk in plain text. Anyone who gains read access to your server (through another vulnerability, a compromised skill, or a misconfigured permission) gets your API keys. With those keys, they can run up thousands of dollars in charges or access any service those keys connect to.
This is the most common gap Mixbit finds in self-installs. It is also the easiest to fix.
A single compromised skill or exposed config backup gives an attacker your Claude/OpenAI API credentials. They can drain your account, access connected services, or use your keys for their own workloads while you pay the bill.
Open your OpenClaw config file and search for your API key string. If the actual key appears in the file (not a reference like $ANTHROPIC_API_KEY), you have this gap.
If you are running OpenClaw directly on the host OS without Docker, OpenClaw can access your entire file system. Every file, every directory, every other application on that server. A malicious skill that runs a shell command (and many do) can read /etc/shadow, install a backdoor, or exfiltrate data to an external server.
Microsoft's security blog specifically warns about this: without container isolation, OpenClaw's file system access is unrestricted. The framework was not designed with the assumption that every skill is trustworthy.
One compromised skill can read any file on your server, including credentials for other applications, database configs, SSH keys, and customer data. The blast radius of a single malicious skill on an un-containerized install is your entire server.
Run docker ps on your server. If OpenClaw does not appear in the container list, it is running on the host OS without isolation.
Tip: If Docker feels like too much, try Podman. It runs rootless containers by default. Even if an attacker escapes the container, they land as an unprivileged user. Same isolation, less setup.
OpenClaw's Gateway listens on port 18789. On most VPS providers, that port is open to the internet by default. The default OpenClaw configuration does not require authentication. That means anyone who scans your server's IP can connect to your OpenClaw instance, read your chat histories, and extract your API keys.
This is not hypothetical. Bitsight and Censys found over 30,000 OpenClaw instances with this exact configuration. Many were leaking API keys, OAuth tokens, and private conversations through the exposed gateway.
Your OpenClaw agent is publicly accessible. Anyone can send commands to it, read its memory, extract stored credentials, and access every tool OpenClaw connects to. Your business email, CRM data, and documents are one port scan away from exposure.
From a different computer (or your phone's data connection), try to connect to your server's IP on port 18789. If it responds, the port is open. You can also run sudo ufw status to see your firewall rules.
This gap has caused the most documented real-world damage. ClawHub is OpenClaw's community skill registry. Until recently, anyone with a week-old GitHub account could publish a skill with no code review, no signing requirement, and no automated analysis.
The consequences have been severe:
A skill that looks legitimate on the surface can run shell commands in the background. One skill installed without review could be sending your emails, documents, and API keys to an attacker-controlled server right now. You would not see it in OpenClaw's normal output.
Open every SKILL.md file in your skills directory. Search for exec, curl, wget, bash, and any command that contacts external servers. If a skill runs code you did not write and cannot understand, it is a risk.
Not Sure If Your Skills Are Safe?
Mixbit audits every installed skill, removes malicious ones, and configures OpenClaw with verified skills only. Security hardening and credential isolation included.
By default, OpenClaw has no outbound network restrictions. It can make HTTP requests to any domain. That means a compromised skill can do its job (the thing you installed it for) while also sending a copy of your data to an attacker-controlled server in the background. You would never see it in the logs because the skill is technically "working."
This is the most dangerous gap because it is completely invisible during normal use. The skill handles your emails. It also exfiltrates them. Both actions look the same from OpenClaw's perspective.
Your business emails, CRM records, documents, and API keys could be leaving your server right now through a skill that appears to be functioning normally. Without outbound restrictions, there is no barrier between OpenClaw and any server on the internet.
Review your firewall's outbound rules. If there are no outbound restrictions (most default VPS setups have none), OpenClaw can reach any domain. Run ss -tunap to see active outbound connections from the OpenClaw process.
Tip: Log all outbound connections for a week before blocking anything. Use ss -tunap or tcpdump to see which domains OpenClaw actually contacts. Build your whitelist from real data so you do not accidentally block a domain your workflow depends on.
Most VPS setup guides start with "log in as root." If you followed that guide, OpenClaw is running as root. A process running as root can do anything: read any file, modify any config, install software, create users, delete logs. If a malicious skill executes a command while OpenClaw runs as root, the attacker does not just compromise OpenClaw. They own the entire server.
The difference between OpenClaw running as root and running as a dedicated user is the difference between losing one application and losing the entire machine. Root access means the attacker can persist across reboots, install backdoors, and cover their tracks by modifying logs.
Run ps aux | grep openclaw and look at the first column. If it says "root," you have this gap.
OpenClaw workflows fail silently. An expired API key, a changed endpoint, a rate limit, a crashed process. None of these throw an error you will see unless you are actively watching logs. Most people discover the problem when a client complains about a missed follow-up or a report that never arrived. By then, the workflow has been broken for days.
From a security perspective, silent failure is even worse. If a skill is exfiltrating data, you will not notice unless you monitor outbound traffic. If someone accessed your Gateway port, you will not know unless you watch connection logs. Attackers count on the fact that most self-installs have zero monitoring.
Broken workflows cost you time and client trust. Unmonitored security events cost you data. The combination means you could be losing both right now without knowing it.
Answer these 3 questions honestly:
If the answer to any of these is "no," your monitoring has gaps.
Tip: The minimum viable monitoring setup takes 30 minutes: (1) UptimeRobot pinging your server every 5 minutes, (2) a cron job that restarts OpenClaw if the process dies, (3) a daily outbound connection summary emailed to you. These 3 things catch 90% of silent failures and cost nothing.
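Item (3) of the tip above and the whitelist-building tip under the outbound-restrictions gap come down to the same routine: summarise which peers the OpenClaw process is talking to and compare them against an allowlist built from what you observed. The script below is an added example, not tooling from Mixbit or the OpenClaw project; it assumes the process appears in ss output as "openclaw", that the allowlist holds one peer IP per line (ss -n prints addresses, not domain names), and that the cron and file paths in the comments are placeholders you replace.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the peers the
# OpenClaw process is connected to, from `ss -tunap` output, and flag any peer
# that is not on an allowlist you built from a week of observation.
# Assumptions: ss shows the process as "openclaw" (override PROC_NAME); the
# allowlist file has one peer IP per line; only ESTAB sockets count as traffic.
PROC_NAME="${PROC_NAME:-openclaw}"

# Constructed sample of `ss -tunap` output (not captured from a real server).
SS_SAMPLE='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 10.0.0.5:51234 104.18.1.1:443 users:(("openclaw",pid=1234,fd=12))
tcp ESTAB 0 0 10.0.0.5:51235 104.18.1.1:443 users:(("openclaw",pid=1234,fd=13))
tcp ESTAB 0 0 10.0.0.5:51236 198.51.100.7:443 users:(("openclaw",pid=1234,fd=14))
tcp ESTAB 0 0 [::1]:40000 [2001:db8::10]:443 users:(("openclaw",pid=1234,fd=15))
tcp ESTAB 0 0 10.0.0.5:22 203.0.113.9:50000 users:(("sshd",pid=900,fd=3))
tcp LISTEN 0 128 0.0.0.0:18789 0.0.0.0:* users:(("openclaw",pid=1234,fd=5))'

# Read `ss -tunap` output on stdin; print "COUNT PEER_IP" for the OpenClaw
# process, most frequent first. Listening sockets and other processes are skipped.
outbound_peers() {
    awk -v proc="\"$PROC_NAME\"" '
        $2 == "ESTAB" && index($0, proc) {
            peer = $6
            sub(/:[^:]*$/, "", peer)      # drop the port, keep the host part
            gsub(/\[|\]/, "", peer)       # strip the brackets around IPv6 hosts
            count[peer]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -rn
}

# Read the summary on stdin; print each peer that is not in the allowlist file.
unexpected_peers() {
    allow="$1"
    while read -r count peer; do
        grep -qxF "$peer" "$allow" || echo "$count $peer"
    done
}

# Daily report for cron (placeholder paths), e.g.:
# 0 7 * * * OPENCLAW_ALLOWLIST=/etc/openclaw/egress-allow.txt sh /usr/local/bin/outbound-report.sh | mail -s "OpenClaw egress" you@example.com
daily_report() {
    summary=$(ss -tunap 2>/dev/null | outbound_peers)
    echo "== peers contacted by $PROC_NAME =="
    echo "$summary"
    echo "== NOT on allowlist ($1) =="
    echo "$summary" | unexpected_peers "$1"
}
if [ -n "${OPENCLAW_ALLOWLIST:-}" ]; then daily_report "$OPENCLAW_ALLOWLIST"; fi
```

Run it for a week with an empty allowlist to collect the summary, then seed the allowlist from the peers you recognise before turning on any egress blocking.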
If you have a self-installed OpenClaw instance running, you can check every gap in this article in 5 minutes. Open a terminal, run these commands, and note the results:
| # | Check | Command / Action | If the result is... | You have this gap |
|---|---|---|---|---|
| 1 | API keys in config | Search config file for your API key string | Key appears in plain text | Gap 1: Exposed credentials |
| 2 | Docker isolation | docker ps | OpenClaw not listed | Gap 2: No container isolation |
| 3 | Gateway port | sudo ufw status | Port 18789 is ALLOW | Gap 3: Public gateway |
| 4 | Skill audit | Search SKILL.md files for exec/curl/wget | Unknown commands found | Gap 4: Unaudited skills |
| 5 | Outbound restrictions | ss -tunap from OpenClaw process | Connections to unknown domains | Gap 5: No outbound limits |
| 6 | Root user | ps aux \| grep openclaw | First column says "root" | Gap 6: Running as root |
| 7 | Monitoring | Answer: would you know if it stopped? | Answer is "no" | Gap 7: No monitoring |
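As an added example (not a script from Mixbit or the OpenClaw project), the shell functions below parse the output of the commands in the table, so each check can be verified against constructed samples before it is run on a live server. It assumes the process name is openclaw, that SKILL.md is the file to grep, that the config uses key: value or KEY=value lines, and that the config and skills paths are ones you pass in.

```shell
#!/bin/sh
# Added example (not the article's own script): parsers for the checks in the
# table above. Each reads the output of the listed command, so you can verify
# them on the constructed samples below, then feed in real output.
# Assumptions: process name "openclaw"; config in key: value or KEY=value form;
# CONFIG_FILE and SKILLS_DIR are supplied by you (no default paths are known).

# Constructed samples (not from a real server) used to exercise the parsers.
SAMPLE_CONFIG='anthropic_api_key: "sk-placeholder-literal-key-0000"
openai_api_key: $OPENAI_API_KEY
gateway_port: 18789'
SAMPLE_UFW='18789/tcp                  ALLOW       Anywhere
22/tcp                     ALLOW       203.0.113.5'
SAMPLE_PS='root      1234  0.1  2.0 900000 80000 ?  Ssl  10:00   0:05 openclaw gateway
openclaw  1300  0.0  1.0 500000 40000 ?  Sl   10:00   0:01 openclaw worker'

# Gap 1: key/token/secret lines whose value is a literal, not a $VAR reference.
plaintext_secrets() {
    grep -niE '(api[_-]?key|token|secret)[[:space:]]*[:=]' "$1" \
      | grep -vE '[:=][[:space:]]*"?\$\{?[A-Za-z_][A-Za-z0-9_]*\}?"?,?[[:space:]]*$' || true
}

# Gap 3: `sudo ufw status` on stdin; rules that allow 18789 from Anywhere.
gateway_open_to_world() { awk '/18789/ && /ALLOW/ && /Anywhere/'; }

# Gap 4: SKILL.md lines that execute commands or reach the network.
risky_skill_lines() {
    find "$1" -name SKILL.md -exec grep -nHE \
      '(^|[^A-Za-z0-9_])(exec|curl|wget|bash|nc)([^A-Za-z0-9_]|$)' {} + || true
}

# Gap 6: `ps aux` on stdin; OpenClaw processes owned by root (the grep itself excluded).
openclaw_as_root() { awk '$1 == "root" && /openclaw/ && !/grep/'; }

# Live run on the server: sh audit.sh --live CONFIG_FILE SKILLS_DIR
audit_live() {
    echo "[gap 1] $(plaintext_secrets "$1" | wc -l) plaintext secret line(s) in $1"
    echo "[gap 2] $(docker ps --format '{{.Names}}' 2>/dev/null | grep -c openclaw) openclaw container(s)"
    echo "[gap 3] $(sudo ufw status | gateway_open_to_world | wc -l) rule(s) exposing 18789 to all"
    echo "[gap 4] $(risky_skill_lines "$2" | wc -l) risky SKILL.md line(s)"
    echo "[gap 6] $(ps aux | openclaw_as_root | wc -l) openclaw process(es) running as root"
}
if [ "${1:-}" = "--live" ]; then audit_live "$2" "$3"; fi
```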
Found Gaps You Cannot Fix Yourself?
Mixbit audits your existing OpenClaw install, fixes every security gap, and configures proper monitoring. One-time engagement, all 7 fixes included.
Every OpenClaw deployment through Mixbit includes all 7 fixes as standard, not add-ons:
If OpenClaw has access to your email, CRM, and documents, it needs the same security controls you would apply to any application with that level of privilege. These controls are not optional for business use.
If you are evaluating OpenClaw for the first time, read What is OpenClaw to understand the framework before worrying about security. If you want to try setting it up with these gaps in mind, follow the non-technical OpenClaw setup guide, which covers security hardening as part of the process. If you want the full cost picture before deciding between DIY and professional setup, read the OpenClaw setup cost breakdown.
Running OpenClaw Without Proper Security?
Mixbit audits self-installed OpenClaw instances and fixes every gap. Docker isolation, credential hardening, skill audit, firewall, monitoring. All included.