THREAT REFERENCE
OPENCLAW ATTACK VECTORS AND REMEDIATION
Detailed reference for the six primary attack vectors targeting OpenClaw deployments. Each entry covers what the threat is, how to detect it, and how to fix it.
CVE-2026-25253 (CSWSH)
WHAT IT IS
Cross-Site WebSocket Hijacking (CSWSH) vulnerability in OpenClaw versions prior to the patched release. A malicious web page can craft a gatewayUrl query parameter that redirects the OpenClaw WebSocket connection to an attacker-controlled server. This exfiltrates gateway tokens, granting the attacker full shell access to the victim machine. The attack requires only a single click on a crafted link -- no further interaction needed.
HOW TO CHECK
- >Check your OpenClaw version. Any version released before the CVE patch is affected.
- >Shield automatically checks your version against the CVE database and alerts if you are running an affected build.
- >Manually inspect your gateway configuration for unrestricted gatewayUrl parameter acceptance.
HOW TO FIX
- >Update OpenClaw to the latest version immediately. The patched release validates the gatewayUrl parameter and rejects external origins.
- >Rotate all gateway tokens after updating. Assume any token issued before the patch may have been compromised.
- >Restrict gateway access to localhost (127.0.0.1) to limit the blast radius of any future WebSocket-based attacks.
GATEWAY EXPOSURE
WHAT IT IS
OpenClaw defaults to binding its gateway on 0.0.0.0:18789 with no authentication. This means any machine that can reach the host on that port gets full access to OpenClaw functionality, including filesystem operations, shell execution, and LLM interactions. Internet-facing deployments with this default configuration are fully exposed.
HOW TO CHECK IF EXPOSED
- >Check your OpenClaw config for the gateway bind address. If it is set to 0.0.0.0 or omitted (defaults to 0.0.0.0), you are exposed.
- >From another machine on your network, try connecting to your-host:18789. If it responds, the gateway is accessible from the network.
- >Shield Gateway Monitor checks this automatically and alerts immediately if the gateway is reachable from outside localhost.
HOW TO BIND TO LOCALHOST
- >Set the gateway bind address to 127.0.0.1 in your OpenClaw configuration. This restricts access to the local machine only.
- >If you need remote access, use an SSH tunnel or VPN instead of exposing the gateway directly.
- >Configure a firewall rule to block external access to port 18789 as an additional safety layer.
CLAWHAVOC SUPPLY CHAIN
WHAT IT IS
The ClawHub ecosystem hosts community-contributed skills that extend OpenClaw functionality. Some skills have been found to contain prompt injection vectors, and malicious skills have been observed distributing Atomic Stealer -- a macOS credential-stealing malware. This is a classic supply chain attack: you install a skill that looks useful, but it contains hidden malicious behavior.
HOW TO AUDIT SKILLS
- >Review the source code of every skill before installing. Look for obfuscated code, external network calls, file system access outside the expected scope, and encoded strings.
- >Check the skill author reputation and download count. Low-download skills from new accounts are higher risk.
- >Shield performs automatic hash matching against a database of known malicious skills. Any match triggers an immediate alert.
WHAT TO LOOK FOR
- >Base64-encoded or hex-encoded strings that decode to shell commands or network URLs
- >Network calls to domains outside the skill stated purpose (data exfiltration indicators)
- >File system access to credential stores, SSH keys, browser profiles, or system keychains
- >Prompt injection patterns: role override attempts, system prompt extraction, instruction override
MEMORY POISONING
WHAT IT IS
OpenClaw uses SOUL.md and MEMORY.md files to persist instructions and context across sessions. These files are loaded into the system prompt on every session start. Tampering with these files enables time-shifted prompt injection -- an attacker modifies the file once, and the malicious instructions execute automatically on every subsequent session, surviving restarts.
HOW SOUL.MD AND MEMORY.MD WORK
- >SOUL.md defines the core personality and behavior rules for the agent. It is loaded as part of the system prompt.
- >MEMORY.md stores persistent context that the agent accumulates over time. It is appended to the system prompt on session start.
- >Both files are plaintext and writable by any process with file system access to the OpenClaw data directory.
HOW TO DETECT TAMPERING
- >Shield monitors both files using cryptographic hash comparison. Any unauthorized change triggers an immediate alert.
- >Manually review these files periodically. Look for instructions you did not write, especially those that request data exfiltration, disable security features, or override system behavior.
- >Use version control (git) on your OpenClaw data directory to track all changes to these files.
MCP SERVER ABUSE
WHAT IT IS
Model Context Protocol (MCP) servers extend OpenClaw with additional capabilities: filesystem access, shell execution, API integrations, database queries, and more. A malicious or compromised MCP server can silently exfiltrate data, execute arbitrary commands, or modify files without the user knowledge.
HOW TO AUDIT MCP SERVERS
- >Run the MCP Scanner to audit all configured MCP servers: npx @agentdefenders/mcp-scan
- >Review the permissions each MCP server requests. A weather API server should not need filesystem write access or shell execution.
- >Check the transport type. Servers using SSE (Server-Sent Events) over HTTP may lack encryption. Prefer stdio-based servers for local operations.
- >Check for tool-name collisions. Two MCP servers registering the same tool name can lead to unintended behavior or hijacking.
SANDBOXING
- >Run untrusted MCP servers in Docker containers with limited filesystem and network access.
- >Use network policies to restrict outbound connections from MCP server containers to only the APIs they need.
- >Mount only the specific directories each MCP server needs, read-only when possible.
- >Monitor MCP server network traffic for unexpected outbound connections (Shield Team tier includes egress monitoring).
TOKEN EXFILTRATION
WHAT IT IS
OpenClaw stores gateway tokens in plaintext on disk. These tokens grant full remote control of the OpenClaw instance, including filesystem access, shell execution, and LLM interactions. When combined with the CSWSH vulnerability (CVE-2026-25253), an attacker can exfiltrate these tokens with a single click, gaining complete access to the victim machine.
HOW TOKENS WORK
- >Gateway tokens are generated on first run and stored in the OpenClaw data directory as plaintext files.
- >Any process with read access to the data directory can read these tokens. There is no encryption at rest.
- >Tokens do not expire automatically. A stolen token remains valid until manually rotated.
HOW TO ROTATE
- >Rotate tokens regularly, especially after any suspected compromise. Delete the existing token files and restart OpenClaw to generate new tokens.
- >Restrict file permissions on the token storage directory. Only the OpenClaw process user should have read access.
- >Shield Credentials Monitor watches token files for unauthorized read access and alerts immediately when a non-OpenClaw process accesses them.
- >Combine token rotation with gateway binding to localhost for defense in depth -- even a stolen token is useless if the gateway is not network-accessible.
Install OpenClaw Shield to monitor for all six threat vectors automatically.