Is OpenClaw Safe? The Honest 2026 Risk Assessment

OpenClaw crossed 347,000 stars in 2026 — and shipped three critical CVEs and one supply-chain attack along the way. Here's what's safe, what's not.

Risk disclosure: Independent research finds 70–84% of Polymarket traders lose money (Sergeenkov, April 2026; Akey et al., SSRN, March 2026). Forex CFDs: 70–85% retail loss rate. Binary options: 80%+ in most jurisdictions. AI agents don't change these baselines.

OpenClaw crossed 347,000 GitHub stars in April 2026, making it the most-starred software repository on GitHub — surpassing React's 10-year record in 60 days. With that adoption came scrutiny: three critical CVEs, one supply-chain attack with 1,184 malicious packages, and an active phishing campaign targeting wallet credentials.

This guide answers the question every trader asks before connecting their broker API to an AI agent: is OpenClaw safe enough to run with real money? The short answer is "yes, with discipline." The long answer requires understanding what was broken, what's been fixed, and what stays your responsibility.

TL;DR — The 30-second answer

  • OpenClaw itself is reasonably safe on v2026.4.12 or later. The two critical CVEs from Q1 2026 are patched.
  • The skill ecosystem is the highest-risk surface. ClawHub had 1,184 malicious skills before VirusTotal scanning was added. Audit every SKILL.md manually.
  • The framework's permissions model assumes you trust the user (you). Skills run with your OS permissions, including network and filesystem access.
  • For trading specifically: separate wallet, isolated VPS, hard kill-switch, no withdrawal permissions on broker API keys.

The 2026 incident timeline

Figure: OpenClaw security incidents timeline. Four major OpenClaw security events in Q1 2026. Sources: The Hacker News, Snyk ToxicSkills, Cyber Press, Conscia.

CVE-2026-25253 — The 1-click RCE (January 30, 2026)

Discovered by Mav Levin, founding security researcher at depthfirst, this was a cross-site WebSocket hijacking flaw (CWE-669, CVSS 8.8). A user who clicked a malicious link could have their local gateway token exfiltrated to an attacker, who could then connect to the gateway on localhost:18789, modify sandbox and tool policies, and invoke privileged actions — effectively a one-click remote code execution.

42,665 OpenClaw instances were exposed during the CVE-2026-25253 disclosure window.

According to Conscia's 2026 OpenClaw advisory, security researcher Maor Dayan documented 42,665 exposed instances globally during disclosure, with 5,194 verified vulnerable and 93.4% running with authentication-bypass conditions. The vulnerability was patched in v2026.1.29, released the same day disclosure went public.

Action item: Run openclaw --version. If you see anything below v2026.1.29, stop reading and update first. Anything below v2026.4.12 is missing the privilege-escalation patch.
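A preflight check for the two conditions this section describes, written here as an added example and not taken from OpenClaw: it classifies a version string against the two floors named above and flags any listener on port 18789 that is not bound to loopback. It assumes `openclaw --version` prints a vYYYY.M.P string and that listener data comes from Linux `ss -ltn`; the function names and the sample output are constructed.

```python
import ipaddress
import re

# Version floors come from the article. That `openclaw --version` prints a
# vYYYY.M.P string somewhere in its output is an assumption.
CVE_25253_FIXED = (2026, 1, 29)
PRIVESC_PATCHED = (2026, 4, 12)
GATEWAY_PORT = 18789

def version_status(version_output):
    m = re.search(r"v?(\d{4})\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError(f"no version found in {version_output!r}")
    v = tuple(int(part) for part in m.groups())  # numeric, so 10 > 4
    if v < CVE_25253_FIXED:
        return "update-now"   # predates the CVE-2026-25253 fix
    if v < PRIVESC_PATCHED:
        return "update"       # missing the v2026.4.12 privilege-escalation patch
    return "ok"

def exposed_gateway_binds(ss_output, port=GATEWAY_PORT):
    """Return local addresses listening on `port` that are not loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, listen_port = fields[3].rpartition(":")
        if listen_port != str(port):
            continue
        bare = host.strip("[]").split("%")[0]   # drop IPv6 brackets, %iface
        try:
            loopback = ipaddress.ip_address(bare).is_loopback
        except ValueError:                      # "*" wildcard or unparseable
            loopback = False
        if not loopback:
            exposed.append(host)
    return exposed

# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:18789     0.0.0.0:*
LISTEN 0      511          0.0.0.0:18789     0.0.0.0:*
LISTEN 0      128            [::1]:18789        [::]:*
LISTEN 0      128             [::]:22           [::]:*
"""

if __name__ == "__main__":
    print(version_status("openclaw v2026.3.11"), exposed_gateway_binds(SAMPLE_SS))
```

An empty list from `exposed_gateway_binds` only shows the local bind address; a reverse proxy or tunnel in front of the port still has to be checked separately.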

ClawHavoc — 1,184 malicious skills (February 2026)

Beginning February 1, 2026, security firms Koi Security and Snyk (ToxicSkills study) identified a coordinated supply-chain attack on the ClawHub skill marketplace. 1,184 malicious skills were uploaded, with a single threat actor responsible for 677 of them. The most-downloaded malicious package, deeps-agnw6h, accumulated 14,285 confirmed installs.

Payloads varied by OS:

  • macOS: Atomic macOS Stealer (AMOS) variants — exfiltrated browser passwords, Telegram session files, SSH keys, and crypto wallet files.
  • Linux/Windows: Reverse shells calling out to C2 IP 91.92.242.30, with persistence via cron entries.
  • One skill posing as a "Polymarket trading tool" ran a hidden reverse shell while its visible commands appeared to set up the bot.

ClawHub now scans every upload through VirusTotal and shrank to 13,700 verified skills post-cleanup. But the lesson stands: marketplaces are install vectors, not safety guarantees.

CVE-2026-32922 — Privilege escalation (March 13, 2026)

A second critical vulnerability (CVSS 9.9) allowed a low-privilege OpenClaw process to escalate to root through a sandbox bypass in the tool-policy enforcement layer. Patched in v2026.3.11, then improved again in v2026.4.12 per the ARMO advisory. If you use OpenClaw on a multi-user system or share a VPS with anything sensitive, this one matters more than CVE-2026-25253.

The CLAW token scam — why OpenClaw will never have a token

On March 18, 2026, attackers cloned the openclaw.ai site as token-claw[.]xyz and promoted a $5,000 "CLAW airdrop" through phishing emails to GitHub contributors. The cloned site asked users to connect MetaMask/WalletConnect/Trust Wallet — and drained them.

Peter Steinberger, OpenClaw's creator, responded publicly on X: he stated he would never launch a coin, and that any project listing him as a coin owner is a scam. The project is open-source and non-commercial; commercial wrappers built on top of OpenClaw are not endorsed.

Trust anchor: The only canonical sources for OpenClaw are github.com/openclaw/openclaw, clawdocs.org, and the npm package openclaw. Anything else — token sites, "OpenClaw Pro" SaaS dashboards, paid setup services with crypto deposits — is third-party or fake.

The 12-point hardening checklist for live trading

If you've decided OpenClaw is worth the risk for your trading workflow, here's the minimum bar before connecting it to real capital. Every item maps to either a documented incident or a known failure mode. Detailed walkthrough in our hardening guide.

  1. Update to v2026.4.12 or later (patches all 2026 critical CVEs).
  2. Run on isolated VPS, never on your daily-driver laptop.
  3. Separate hot wallet from cold storage; hot wallet capped to position size.
  4. Audit every SKILL.md manually; run VirusTotal on payloads.
  5. Bind gateway to localhost only; never expose port 18789.
  6. Disable withdrawal permissions on broker API keys; whitelist IPs.
  7. Paper trade 2–4 weeks before any live capital.
  8. Hard kill-switch at 5% daily loss, coded not LLM-decided.
  9. Position size 1–2% per trade, hard-capped in code.
  10. Daily log review by hand; never trust silent operations.
  11. Telegram alerts on every trade plus heartbeat "still alive" ping.
  12. Weekly CVE check; update within 24 hours of critical advisories.
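Items 8 and 9 as deterministic code that sits between the agent and the broker client, added here as an illustration and not taken from OpenClaw or any broker SDK. `RiskGate`, `TradingHalted` and the method names are hypothetical; the 5% and 2% limits are the checklist's own.

```python
import math
from dataclasses import dataclass


class TradingHalted(Exception):
    """Raised once the daily-loss kill-switch has tripped."""


@dataclass
class RiskGate:
    start_equity: float            # account equity at the start of the day
    max_daily_loss: float = 0.05   # checklist item 8: 5% daily loss
    max_position: float = 0.02     # checklist item 9: upper end of 1-2%
    halted: bool = False

    def __post_init__(self):
        self.equity = self.start_equity

    def mark(self, equity):
        """Feed in broker-reported equity; trips the latch at the loss limit."""
        self.equity = equity
        if equity <= self.start_equity * (1 - self.max_daily_loss):
            self.halted = True     # latched: a later recovery does not clear it
        return self.halted

    def approve(self, requested_notional):
        """Return the notional allowed for one trade, or raise."""
        if self.halted:
            raise TradingHalted("daily loss limit reached")
        if not math.isfinite(requested_notional) or requested_notional <= 0:
            raise ValueError("order size must be a positive finite number")
        return min(requested_notional, self.max_position * self.equity)

    def reset_for_new_day(self, equity):
        """Operator-only: called by a scheduler or a human, never by a skill."""
        self.start_equity = self.equity = equity
        self.halted = False


if __name__ == "__main__":
    gate = RiskGate(start_equity=10_000)
    print(gate.approve(5_000))     # clamped to 2% of current equity
    gate.mark(9_400)               # 6% down on the day
    try:
        gate.approve(100)
    except TradingHalted as exc:
        print("blocked:", exc)
```

The gate only holds if the order path cannot bypass it: the broker client should be reachable solely through `approve`, and the model's output is treated as a request, never as the size that is sent.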

Should you trade with OpenClaw at all?

An honest framework comparison: OpenClaw competes with Freqtrade, Jesse, Hummingbot, and direct broker SDKs. None are perfectly safe, all have had vulnerabilities, and none generate alpha on their own. OpenClaw's advantage is natural-language strategy authoring through SKILL.md files plus multi-channel orchestration. Its disadvantage is the permissions model and the marketplace risk.

If you're a beginner with under $1,000: don't deploy live capital yet. Paper trade for four weeks. Read every SKILL.md before installing.

If you have $5K–$50K and trading experience: OpenClaw is reasonable as an orchestration layer with the 12-point checklist strictly enforced. Single venue, single strategy, 1% position sizing, daily loss limit.

If you're a professional or quant: OpenClaw is your alerting and research layer, not your execution engine. Use Hummingbot/Freqtrade for fills; use OpenClaw to issue commands and surface alerts.

Frequently asked questions

Is OpenClaw free?

Yes. OpenClaw is open-source under the MIT license. Any site charging for premium access is third-party or a scam.

Can OpenClaw drain my crypto wallet?

OpenClaw itself cannot, but a malicious SKILL.md can. Skills run with your OS permissions. Use a separate machine or hardware wallet.

Which LLM is safest for trading?

All major LLMs hallucinate. Claude Sonnet 4.6 and GPT-5 have shown defensible reasoning chains. None should determine position size without hard-coded guard rails.

How often should I update OpenClaw?

For critical CVEs, within 24 hours. Subscribe to GitHub security advisories. Pin your version in config so updates are deliberate.

Sources cited: The Hacker News (CVE-2026-25253 disclosure, Feb 2026); Conscia 2026 OpenClaw Security Crisis advisory; Snyk ToxicSkills study; Cyber Press ClawHavoc reporting; Wall Street Journal Polymarket profitability analysis (May 2026); Andrey Sergeenkov via The Defiant (April 2026); Akey, Grégoire, Harvie & Martineau, SSRN paper (March 2026); openclaw.ai official advisories; Peter Steinberger public statements on X.