OpenClaw is a personal AI assistant. You hook it to a model (local, or via API), and hook it to the stuff you care about (your money, your communications, your life), and communicate with it via a chat channel of your choice (Signal, Telegram, WhatsApp, Discord, Slack, Teams, etc).

Finding/Securing OpenClaw

Supposedly tracking OpenClaw instances: https://declawed.io/

Threat modeling

  1. prompt injection is a primary concern - the attack surface becomes everything you connect it to that is controlled by the outside world: browsing the internet, emails, messages - literally any messages or content consumed could contain malicious prompts.
    1. This has been tested with GitHub issues https://x.com/Eito_Miyamura/status/2016251788765385073?s=20
  2. the other primary concern is the security of the OpenClaw components themselves, and there have already been issues here with the OpenClaw gateway: some default settings caused it to be exposed to the public internet in some cases, which is bad, considering the gateway exposes all the API keys you have hooked into the lobster!
  3. In addition to the network access control concerns, OpenClaw seems to standardize on storing credentials in plain text, under ~/.openclaw/credentials/*
  4. As with any new software repo, attackers gonna attack - there has already been malware in ClawHub (the Twitter skill downloaded and ran an infostealer binary designed for macOS)


Details

  1. default port for the gateway is 18789
  2. The gateway handles the AI agent logic - message routing, tool execution, credential management
  3. the Control UI is the web-based admin interface - this is where you manage API keys, view conversation histories, and operate the whole system
    1. “Clawdbot Control” was the HTML title for this component
    2. Presumably, it is now “OpenClaw Control”? ← yes, confirmed
    3. tends to be on TCP 8000 or 8085, generally somewhere in the 8000-9000 range
  4. Most that I found on the Internet were either using basic auth through a web server, or they implemented gateway tokens (you see the UI, but it’s disconnected without an authorized token)
    1. trustedProxies: the gateway consults the X-Forwarded-For header (when the request arrives via a proxy listed there) to decide whether your IP counts as a local connection
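To make the trustedProxies point concrete, here is an added Python example; it is my code, not OpenClaw's (I have not read the gateway's implementation, and the function names are mine). It contrasts a resolver that believes X-Forwarded-For from anyone with one that only consults the header when the TCP peer is a configured proxy, and then discards the proxies' own hops. The addresses are constructed.

```python
import ipaddress
from typing import Iterable, Optional


def parse_xff(header: str) -> list[str]:
    """Split X-Forwarded-For into hops: leftmost is whatever the original client sent,
    rightmost is what the last proxy appended."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def naive_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """The weak form: believe the leftmost X-Forwarded-For entry no matter who connected."""
    hops = parse_xff(xff) if xff else []
    return hops[0] if hops else peer_ip


def trusted_client_ip(peer_ip: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """The trustedProxies form (hypothetical implementation): only consult the header when the
    TCP peer is a configured proxy, then walk the hops right-to-left, dropping every trusted
    proxy, so the answer is the first address introduced by a party we do not trust. A value the
    client wrote itself is only reached if a trusted proxy forwarded the header without appending."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip: str) -> bool:
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:
            return False

    if not xff or not trusted(peer_ip):
        return peer_ip  # direct connection or untrusted peer: the header is just bytes
    for hop in reversed(parse_xff(xff)):
        if not trusted(hop):
            return hop
    return peer_ip  # every hop was one of our proxies; fall back to the peer itself


def is_local_connection(peer_ip: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> bool:
    """What an access check should ask: is the resolved client, not the claimed one, loopback?"""
    return is_loopback(trusted_client_ip(peer_ip, xff, trusted_proxies))


if __name__ == "__main__":
    proxies = ["10.0.0.0/8"]  # constructed: the reverse proxy's network
    # Remote client that wrote "127.0.0.1" into the header; the proxy at 10.0.0.5 appended the real peer.
    print(naive_client_ip("10.0.0.5", "127.0.0.1, 203.0.113.9"))             # 127.0.0.1 (wrong)
    print(trusted_client_ip("10.0.0.5", "127.0.0.1, 203.0.113.9", proxies))  # 203.0.113.9
    # Direct connection from the internet carrying a forged header: header ignored entirely.
    print(trusted_client_ip("203.0.113.9", "127.0.0.1", proxies))            # 203.0.113.9
```

The scheme only works if every proxy in trustedProxies appends the peer address it saw; a proxy that passes the header through untouched, or a trustedProxies entry that is broader than the real proxy set, lets the leftmost value through. If the gateway is reached directly (no proxy), the safest value for trustedProxies is none at all.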


Securing OpenClaw: Tools

  1. https://github.com/sun-security/openclaw-detector
    1. Built by Sun Security
    2. Scans macOS, Linux, and Windows for common artifacts
    3. running processes, environment variables, config files, services, ports, docker images, etc
    4. deploy it with MDM (Jamf, Kandji, JumpCloud, Intune, VMware) or EDR (CrowdStrike)
  2. https://github.com/Arampc/OpenClaw-Hunter
    1. “Hunt, purge, and isolate OpenClaw AI agents across your fleet
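As an added example (my code, not from either tool above and not OpenClaw's), here is a small Python check in the spirit of what these detectors look at: it parses `ss -ltnp` output for the gateway or Control UI listening on a non-loopback address, and it audits ~/.openclaw/credentials for files other local users can read. Port 18789 and the credentials path come from the notes; the sample `ss` output is constructed, and treating any process named openclaw as the Control UI is my assumption.

```python
import ipaddress
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

GATEWAY_PORT = 18789  # default gateway port, from the notes above

# Constructed sample of `ss -ltnp` output (Linux); not captured from a real host.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:18789       0.0.0.0:*         users:(("node",pid=4242,fd=22))
LISTEN 0      4096   127.0.0.1:8080      0.0.0.0:*         users:(("openclaw",pid=4243,fd=9))
LISTEN 0      511    [::]:8085           [::]:*            users:(("openclaw",pid=4243,fd=10))
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*         users:(("sshd",pid=800,fd=3))
"""


@dataclass
class Finding:
    kind: str
    detail: str


def parse_ss_listeners(ss_output: str) -> list[tuple[str, int, str]]:
    """Turn `ss -ltnp` lines into (bind_address, port, process_name) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header or unrelated line
        addr, _, port = parts[3].rpartition(":")
        match = re.search(r'users:\(\("([^"]+)"', line)
        listeners.append((addr.strip("[]"), int(port), match.group(1) if match else ""))
    return listeners


def is_loopback_bind(addr: str) -> bool:
    """True only for 127.x / ::1; wildcard binds ('0.0.0.0', '::', '*') are not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_listeners(listeners) -> list[Finding]:
    """Flag the gateway port, or any process named openclaw (assumed here to be the Control UI),
    when it listens on something other than loopback."""
    findings = []
    for addr, port, proc in listeners:
        if is_loopback_bind(addr):
            continue
        if port == GATEWAY_PORT:
            findings.append(Finding("gateway-exposed", f"{proc or '?'} listening on {addr}:{port}"))
        elif "openclaw" in proc.lower():
            findings.append(Finding("control-ui-exposed", f"{proc} listening on {addr}:{port}"))
    return findings


def check_credentials_dir(root: Path) -> list[Finding]:
    """Flag the credentials directory and anything under it that group/other can access."""
    findings = []
    if not root.is_dir():
        return findings
    for path in [root, *root.rglob("*")]:
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(Finding("credentials-permissions", f"{path} has mode {oct(mode)}"))
    return findings


def demo_credentials_check() -> list[Finding]:
    """Constructed fixture: a throwaway credentials dir with one loose file and one tight file."""
    creds = Path(tempfile.mkdtemp()) / "credentials"
    creds.mkdir()
    os.chmod(creds, 0o700)
    loose = creds / "telegram.json"
    loose.write_text("{}")
    os.chmod(loose, 0o644)  # readable by every local user: flagged
    tight = creds / "signal.json"
    tight.write_text("{}")
    os.chmod(tight, 0o600)  # owner only: fine
    return check_credentials_dir(creds)


if __name__ == "__main__":
    for f in exposed_listeners(parse_ss_listeners(SAMPLE_SS)):
        print(f.kind, f.detail)
    for f in check_credentials_dir(Path.home() / ".openclaw" / "credentials"):
        print(f.kind, f.detail)
```

On a real host, feed `subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout` into parse_ss_listeners instead of SAMPLE_SS; the permission check only means something on Unix-like systems, since Windows ACLs do not show up in the mode bits.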