Securing Your OpenClaw Setup: 7 Checks and How to Automate Scanning with Aguara

OpenClaw is one of the most ambitious open-source AI agent projects out there. 239K+ GitHub stars and growing fast. Works across WhatsApp, Telegram, Discord, Slack, and more. It can read your files, run shell commands, manage your calendar, and spawn sub-agents — all from a chat message.

That is powerful. It is also a security responsibility if you do not set it up carefully.

That said, the skill ecosystem still has documented issues, and defense-in-depth means you should not rely on any single layer. If you are running OpenClaw — or planning to — here is what you should do on top of the built-in protections.

The risks are real and documented

Before jumping into recommendations, here is why this matters. These are not hypotheticals — they are findings from independent security teams:

CVE-2026-25253 (CVSS 8.8) — A 1-click RCE via the Control UI WebSocket. Internet scans found 42,665 exposed instances, 5,194 actively vulnerable. An attacker steals your auth token through a crafted link and gets full control of your agent.

ClawHub supply chain (Snyk) — Out of 3,984 skills analyzed from ClawHub, 36.82% contained security flaws. 76 confirmed malicious payloads. 8 were still publicly available at time of report.

ClawHub at scale (Cisco) — 31,000 skills analyzed. 26% contained vulnerabilities: insecure API key handling, arbitrary file read/write, command injection.

Prompt injection (CrowdStrike) — A crafted Discord message injected instructions into an OpenClaw agent, causing it to leak private moderator discussions from other channels.

Default auth bypass — ~1,000 publicly accessible instances found running without any authentication. The default config trusts localhost, but many deployments expose the control interface via reverse proxies without adding auth.

Six independent teams. Same conclusion: the default security posture at the time was not production-ready. OpenClaw has since patched many of these issues — but the skill ecosystem remains a shared responsibility between the platform and its users.

7 things you should do right now

1. Do not expose the Control UI to the internet

OpenClaw's Control UI is a WebSocket-based admin interface. By default it trusts localhost connections. If you are running behind a reverse proxy (nginx, Caddy, Cloudflare Tunnel), make sure:

• Authentication is required before reaching the WebSocket
• The interface is not accessible on a public IP or subdomain
• You are using the latest version with the CVE-2026-25253 patch

If you do not need the Control UI remotely, do not expose it.

2. Audit every skill before installing it

ClawHub is a community registry with no formal review process. Installing a skill is equivalent to running untrusted code on your machine. Before installing any skill:

• Read the SKILL.md file — Look for shell, exec, subprocess, eval, curl, fetch, or any instruction that tells the agent to send data somewhere
• Check for credential access — Patterns like process.env, os.environ, or any reference to API keys, tokens, or secrets
• Look for encoded content — Base64 strings, hex-encoded commands, or Unicode tricks (RTL override characters, homoglyphs)
• Check network calls — Any fetch(), webhook URL, or DNS query the skill makes. Legitimate skills rarely need to phone home

Or automate it. This is where Aguara comes in — more on that below.

3. Pin your MCP server versions

If your OpenClaw config uses npx -y to launch MCP servers, you are auto-downloading and executing whatever the latest version is, with no checksum verification and no user review. This is a supply chain risk.

Instead of:

{
  "mcpServers": {
    "some-server": {
      "command": "npx",
      "args": ["-y", "some-mcp-server"]
    }
  }
}

Pin to a specific version:

{
  "mcpServers": {
    "some-server": {
      "command": "npx",
      "args": ["-y", "some-mcp-server@1.2.3"]
    }
  }
}

Better yet, install globally with a lockfile and avoid npx -y entirely.

4. Enable sandboxing

OpenClaw has sandboxing options. Use them. At minimum:

• Restrict file system access to specific directories
• Limit shell command execution
• Run inside a Docker container if possible

A sandbox will not catch everything — a sandboxed agent running a malicious skill is still compromised — but it limits blast radius.

5. Do not give the agent credentials it does not need

If your agent only needs to read a calendar, do not give it write access to your entire Google account. If it is managing Slack messages, do not hand it an admin token.

• Use scoped API keys with minimum required permissions
• Inject credentials at runtime, not in config files
• Rotate credentials regularly
• Never hardcode secrets in skill files or MCP server args

6. Monitor what your agent is doing

OpenClaw does not provide a built-in audit trail. You need to add one:

• Log all outbound network requests
• Track which skills are invoked and when
• Monitor file system changes
• Set up alerts for unexpected behavior (new network destinations, credential access patterns)

If you are running in Docker, a network proxy that intercepts and logs all agent traffic is the most reliable approach.

7. Keep it updated and run openclaw doctor

The OpenClaw team has shipped major security fixes in rapid succession: v2026.2.12 patched 40+ vulnerabilities (SSRF hardening, auth for browser control, exec allowlists, LD_PRELOAD/DYLD blocking), and v2026.2.23 added HSTS headers, config credential redaction, and reasoning leakage mitigations. Running an outdated version means running with known, exploitable vulnerabilities.

Run openclaw doctor --fix after every update. It detects risky configurations — unauthenticated gateways, missing TLS, insecure DM policies — and can auto-fix many of them. Subscribe to GitHub releases and update regularly.

Adding Aguara to your OpenClaw workflow

Aguara is an open-source static security scanner built specifically for AI agent skills and MCP server configurations. 148+ detection rules across 13 threat categories. Single Go binary, runs locally, no cloud dependency.

Install

go install github.com/aguarascan/aguara@latest

Or via curl:

curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash

Scan a skill before installing it

Downloaded a skill from ClawHub? Scan it before adding it to your OpenClaw instance:

aguara scan ./path/to/skill/

Aguara checks for prompt injection, credential exfiltration, command execution, data exfiltration, supply chain patterns, and more. You get a clear output showing any findings with severity levels.

Auto-scan all your MCP configurations

If you have Claude Desktop, Cursor, or other MCP clients alongside OpenClaw, scan everything at once:

aguara scan --auto

This auto-discovers configurations from 17 MCP clients and scans them all. It catches things like hardcoded secrets in server args, unpinned npx versions, Docker containers running with --privileged, and shell metacharacters in arguments.

Scan a specific config file

aguara scan ./openclaw-config.json

Gate deployments in CI/CD

If you are deploying OpenClaw in a team environment, add Aguara to your pipeline:

# .github/workflows/aguara-scan.yml
- name: Scan skills
  run: |
    aguara scan ./skills/ --format sarif --output results.sarif --fail-on high

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

This blocks any deployment that contains high-severity findings and surfaces results in GitHub's Security tab.

Use Aguara as an MCP tool

Want your AI agent to scan its own skills? Install Aguara MCP Server:

go install github.com/garagon/aguara-mcp@latest
claude mcp add aguara -- aguara-mcp

Now your agent has access to four security tools:

• scan_content — Scan any skill or config
• check_mcp_config — Audit MCP client configuration
• list_rules — Browse all 148+ detection rules
• explain_rule — Understand what a specific rule catches

Check what is known about a skill

Aguara Watch continuously scans 40,000+ skills across 7 registries (including ClawHub). Before installing a skill, check its security grade. Every skill gets an A-F rating based on automated analysis running 4x daily.

The bottom line

OpenClaw is a tool worth using, and the team is clearly investing in security. The pace of fixes in February 2026 alone — mandatory TLS, SSRF trusted-network mode, 40+ vulnerability patches, openclaw doctor — shows a project that takes these issues seriously.

But security is layers, not a single fix. The platform can harden itself; it cannot guarantee that every community skill in ClawHub is safe. That is where your responsibility starts: audit skills before installing them, scope credentials, monitor traffic, and use static analysis tooling like Aguara to catch what manual review misses.

None of this requires enterprise tooling or a security team. It just requires treating your AI agent with the same caution you would give any other piece of software that has access to your files, your credentials, and your communication channels.