Module 1: What You Just Gave AI Access To

Bottom Line

OpenClaw is not a chatbot. It is a privileged local service with shell access, browser control, messaging platform tokens, and persistent memory. Deploying it without understanding the permission model is equivalent to giving a contractor the keys to every building in your organization and telling them to figure out what needs doing.

What it does: Executes arbitrary shell commands on the host machine. Supports synchronous and background execution with configurable timeouts. Can run processes, poll their output, write to their stdin, and kill them.

What this means: Any command you can run in a terminal, OpenClaw can run. rm -rf /, curl to exfiltrate data, ssh to pivot to other machines, docker to spin up containers. The exec tool is the single most dangerous capability. It transforms a language model from an advisor into an operator.

What it does: Reads, creates, modifies, and patches files anywhere the gateway process has filesystem permissions.

What this means: OpenClaw can read your SSH keys (~/.ssh/), your AWS credentials (~/.aws/), your Kubernetes configs (~/.kube/), your environment files, your application source code, and anything else on disk. It can also write to those locations — modifying configuration files, injecting code, or creating new files.

What it does: Searches the web via Brave Search API and fetches/extracts content from URLs.

What this means: OpenClaw can access any publicly available URL and parse its content. This is also a prompt injection vector: if the agent fetches a web page containing malicious instructions, the language model may follow those instructions as if they came from the user.

What it does: Launches and controls a dedicated Chrome/Chromium instance. Can open tabs, navigate to URLs, take screenshots, click elements, type text, fill forms, upload files, read console output, and generate PDFs.

What this means: OpenClaw can log into web applications using stored sessions, interact with authenticated dashboards, fill out forms, make purchases, and navigate any web interface. It can also screenshot what it sees and send those images through messaging channels.

What it does: Sends messages, polls, reactions, edits, and deletions across WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, and Microsoft Teams. Supports threads, pins, member management, role assignment, kicks, and bans.

What this means: OpenClaw can impersonate you on every connected messaging platform. It can send messages to your colleagues, your clients, your family. It can delete message history. It can create polls, manage Discord roles, and kick users from channels. If compromised, an attacker communicates as you.

What it does: Creates and manages scheduled tasks (cron jobs) that run on a recurring basis. Can restart the gateway process itself and modify its own configuration.

What this means: OpenClaw can schedule actions that execute without your knowledge or presence. A compromised instance could schedule data exfiltration at 3 AM, modify its own configuration to disable security controls, or restart itself with elevated permissions.

What it does: Lists all active sessions, reads full conversation transcripts, sends messages to other sessions, and spawns sub-agent processes.

What this means: In a multi-user or multi-agent deployment, session access allows reading other users' conversations, sending messages that appear to come from the system, and spawning new agent processes with their own capabilities.

What it does: Searches and retrieves from OpenClaw's persistent memory — information retained across conversations and sessions.

What this means: Everything you've told OpenClaw is searchable. Passwords shared in casual conversation, personal details, business strategies, financial information. If the instance is compromised, the attacker gets your complete interaction history.

What it does: Discovers paired devices (macOS, iOS, Android), sends notifications, executes commands on remote devices, captures camera and screen content, and retrieves GPS location.

What this means: If you've paired your phone or laptop as a node, OpenClaw can take photos with your camera, record your screen, track your physical location, and execute commands on your device. This is full device control.

Entry Point 1: The Gateway (Port 18789)

The gateway is the WebSocket control plane. If exposed to the internet — and Bitsight found over 30,000 instances that were — it's the primary attack vector.

Authentication: OpenClaw requires a token or password for non-local connections, but enforces no complexity requirements. A single character is accepted as valid. Brute force is trivial.

Entry Point 2: Messaging Platform Tokens

Each connected messaging platform requires authentication tokens stored in OpenClaw's configuration. WhatsApp uses Baileys (a reverse-engineered Web client). Telegram uses bot tokens. Slack and Discord use OAuth or bot tokens.

Risk: These tokens are stored in the openclaw.json configuration file or environment variables on the gateway host. If the host is compromised, all tokens are compromised. Bitsight researchers demonstrated that simply asking OpenClaw to read its own configuration file and search for API keys successfully extracted credentials.

Entry Point 3: Prompt Injection via Incoming Content

Even if only you can message the bot, prompt injection can still happen via any untrusted content the bot reads — web search results, browser pages, emails, documents, attachments, pasted logs, or code.

Entry Point 4: Community Skills (Supply Chain)

OpenClaw's functionality is extended through skills — community-contributed plugins available via ClawHub. In February 2026, over 400 malicious skills were discovered out of nearly 4,000 total on the marketplace. A single supply chain attack was responsible for the initial wave of 335 infections, with additional malicious skills identified through subsequent security audits.

Risk: Skills are code. They execute with the same permissions as the OpenClaw process. A malicious skill can steal credentials, exfiltrate data, establish persistence, and download additional payloads.

Supply chain pattern: Security analysis by Bitdefender found that malicious skills are frequently cloned and republished under slight name variations, with payloads staged through paste services like glot.io and public GitHub repositories. This makes visual inspection of skill names insufficient — code review of the actual skill source is required.

OpenClaw has since integrated VirusTotal scanning for ClawHub skills, but this is reactive — new malicious skills may exist before detection.

For teams building custom skills or auditing community contributions before deployment, automated code security scanning can identify vulnerabilities, hardcoded credentials, and injection risks that manual review misses at scale. VettIQ is purpose-built for this workflow.

Entry Point 5: DM Policy Misconfiguration

By default, OpenClaw routes all direct messages into a shared main session. If multiple people can DM the bot (open DMs on Discord, a multi-person Slack workspace), all conversations share context.

Risk: Cross-user context leakage. A colleague's casual question about OpenClaw could return information from your private conversations, including credentials, business data, or personal details.

You should consider OpenClaw if:

• You are a technical user who understands network security, authentication, and the principle of least privilege
• You have a dedicated machine (not your primary workstation) for the gateway
• You use Tailscale or another VPN for remote access (not direct internet exposure)
• You are willing to audit community skills before installation
• You understand prompt injection risks and can configure tool restrictions appropriately
• You treat the gateway token like a root password

You should not run OpenClaw if:

• You followed a YouTube tutorial and are deploying to a $5 VPS for the first time
• You plan to bind the gateway to the public internet
• You would connect it to corporate services without your security team's knowledge
• You don't understand what tools.allow / tools.deny does
• You want a “set it and forget it” AI assistant
• You plan to give it access to financial accounts, medical records, or other high-sensitivity data without sandboxing