OpenClaw Unveils Five-Point Security Plan, But Won’t Promise a “Risk-Free AI Agent”
The AI assistant OpenClaw has been heavily hyped in recent months, but it has also faced sharp criticism over security issues. The software, created by Austrian developer Peter Steinberger, is now maintained and developed by a foundation backed by OpenAI. The project is now responding: in a new blog post, the team explains the measures it intends to take to make the software more secure. One promise, however, is not being made: there will be no “risk-free agents,” the post states; anyone who promises that is “selling something.”
What it’s about
OpenClaw, originally launched by Peter Steinberger as “Clawdbot,” quickly became a point of contention following its viral success in January 2026. The software runs directly on the user’s computer, where it can read files, execute commands, install plugins, and access the internet — with all the risks that entails.
The problems mounted: researchers found more than 150,000 vulnerable instances worldwide. Extensions appeared on the plugin marketplace ClawHub that secretly harvested passwords. Gartner classified OpenClaw as an “unacceptable cybersecurity risk.” Steinberger himself has since moved to OpenAI to work on AI agents and recently admitted that he no longer has enough time for the project on his own; most recently, the project has experienced technical problems and declining user numbers.
OpenClaw now intends to address these five points to make the AI agent more secure:
1. File system protection
OpenClaw can access documents, code, and photos. A common problem: the software believes it is operating within a specific folder — but in reality it escapes that scope through tricks such as symlinks or absolute paths.
The new library fs-safe is intended to prevent this. It consolidates protection rules that previously had to be applied individually in many places. Write operations within the permitted scope work normally; attempts outside it are blocked.
The team is candid about this: it is not a proper sandbox. A plugin that is permitted to execute shell commands can still do anything shell commands allow. fs-safe only protects against a specific class of errors.
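The symlink escape described above, as an added illustration that is not fs-safe's own code: a lexical prefix check is fooled by a link inside the workspace that points elsewhere, whereas a check that resolves the path first is not. The helper names, the "notes" symlink and the workspace layout are constructed for the example.

```python
import os
import tempfile

def naive_within_scope(root: str, target: str) -> bool:
    """The lexical check the post describes as insufficient: it normalises
    the joined string but never resolves symlinks, so a link inside the
    workspace that points elsewhere still looks in scope."""
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, target))
    return candidate == root or candidate.startswith(root + os.sep)

def is_within_scope(root: str, target: str) -> bool:
    """Resolve both sides (symlinks, '..', absolute paths) before comparing.
    Hypothetical helper modelled on the behaviour described for fs-safe."""
    real_root = os.path.realpath(root)
    real_target = os.path.realpath(os.path.join(root, target))
    return real_target == real_root or real_target.startswith(real_root + os.sep)

def demo() -> dict:
    """Constructed scenario: a workspace containing 'notes', a symlink to a
    directory outside it. Returns each check's verdict per attempt."""
    outside = tempfile.mkdtemp()
    try:
        with tempfile.TemporaryDirectory() as workspace:
            os.symlink(outside, os.path.join(workspace, "notes"))
            escape_via_link = os.path.join("notes", "secret.txt")  # looks relative and harmless
            return {
                "allowed": is_within_scope(workspace, "docs/readme.md"),
                "naive_link": naive_within_scope(workspace, escape_via_link),
                "resolved_link": is_within_scope(workspace, escape_via_link),
                "absolute": is_within_scope(workspace, os.path.join(outside, "x")),
                "traversal": is_within_scope(workspace, "../elsewhere"),
            }
    finally:
        os.rmdir(outside)

if __name__ == "__main__":
    print(demo())
```

The naive check already rejects plain "../" traversal and absolute paths; the symlink is the case that slips past it, which is why resolving before comparing matters.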
2. Controlled network access
AI agents constantly fetch URLs, often at the instruction of the model itself. This exposes them to attacks in which they are steered into requesting internal servers that should be off limits. A simple URL check before the request is not enough: between the check and the request, the target can change.
The solution is called Proxyline: it routes all of OpenClaw’s network traffic through a proxy that centrally decides what is permitted. Organizations that already operate such a proxy can run OpenClaw through it and see exactly which connections the software establishes.
Here too, the team acknowledges limitations: certain bypass routes remain possible. But instead of relying on every individual piece of code to check a URL, control now resides in a single central location.
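The gap between the check and the request, as an added illustration that is not Proxyline's code: a scripted resolver answers with a public address on the first lookup and an internal one on the second, so a check-then-fetch pattern validates one address and connects to another, while deciding and connecting on the same resolved address (the single point of control the post argues for) does not. The resolver, host name and addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable

class ChangingResolver:
    """Constructed stand-in for DNS whose answers are scripted in advance,
    modelling a record that is rewritten between two lookups."""
    def __init__(self, answers: Iterable[str]) -> None:
        self._answers = iter(answers)

    def resolve(self, host: str) -> str:
        return next(self._answers)

def is_internal(ip: str) -> bool:
    """True for private, loopback, link-local and other non-global ranges,
    i.e. addresses a fetched URL should never steer the agent towards."""
    return not ipaddress.ip_address(ip).is_global

def check_then_fetch(host: str, resolver: ChangingResolver) -> str:
    """The 'simple URL check before the request' pattern: validate once, then
    let the HTTP client resolve the name again when it actually connects."""
    if is_internal(resolver.resolve(host)):
        return "blocked"
    return "connected:" + resolver.resolve(host)  # second lookup, new answer

def pin_and_fetch(host: str, resolver: ChangingResolver) -> str:
    """Resolve once, decide on that address, connect to that same address."""
    ip = resolver.resolve(host)
    if is_internal(ip):
        return "blocked"
    return "connected:" + ip

def demo() -> dict:
    """Same host, same scripted answers: a public address first, an RFC 1918
    address second. Only the pinned variant ends up where it was checked."""
    answers = ["93.184.216.34", "10.0.0.5"]
    return {
        "check_then_fetch": check_then_fetch("files.example", ChangingResolver(answers)),
        "pin_and_fetch": pin_and_fetch("files.example", ChangingResolver(answers)),
    }

if __name__ == "__main__":
    print(demo())
```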
3. More trust on ClawHub
The plugin marketplace ClawHub has recently come under particular criticism. VirusTotal had identified numerous plugins that spy on passwords. Going forward, plugins on ClawHub will be given clear ratings: clean, suspicious, held, quarantined, revoked, or malicious. Versions marked as malicious cannot be installed at all.
Plugins from other sources — such as GitHub — remain possible. The team puts it this way: they will not pretend that users do not own their own computers. Additional higher trust levels are also planned, such as official packages and verified providers.
4. Better confirmation dialogs
A well-known problem with agentic systems: they ask for confirmation so frequently that users eventually just click through or immediately activate “allow all” mode. This renders the security prompts meaningless.
OpenClaw therefore wants not more prompts, but better ones. Specifically, the software will now be smarter at analyzing commands: a hidden delete command inside a bash -c wrapper will be detected and highlighted in the display. Previously, an allowlist checker might have seen only the harmless bash and waved through the dangerous content.
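The wrapper problem described above, as an added illustration that is not OpenClaw's prompt code: the naive checker looks only at the first word and waves through "bash -c '...'", while unwrapping the script inside the wrapper (including nested wrappers) surfaces the delete command so the prompt can highlight it. The allowlist, the list of destructive commands and the helper names are constructed for the example.

```python
import shlex
from typing import Iterator, List

ALLOWLIST = {"ls", "cat", "git", "grep", "bash", "sh"}   # constructed policy
DESTRUCTIVE = {"rm", "dd", "mkfs", "shred"}              # constructed list
SHELL_WRAPPERS = {"bash", "sh", "zsh"}
SEPARATORS = {";", "&&", "||", "|", "&"}

def naive_allowed(command: str) -> bool:
    """The allowlist checker the post describes: it sees only the first word."""
    argv = shlex.split(command)
    return bool(argv) and argv[0] in ALLOWLIST

def split_commands(script: str) -> Iterator[List[str]]:
    """Split a shell script string into its simple commands at ; && || | &."""
    lex = shlex.shlex(script, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    current: List[str] = []
    for token in lex:
        if token in SEPARATORS:
            if current:
                yield current
            current = []
        else:
            current.append(token)
    if current:
        yield current

def unwrap(argv: List[str]) -> Iterator[List[str]]:
    """Yield argv and, for `bash -c '<script>'` wrappers, every simple
    command inside the script, recursing into nested wrappers."""
    yield argv
    if argv and argv[0] in SHELL_WRAPPERS and "-c" in argv[1:]:
        idx = argv.index("-c")
        if idx + 1 < len(argv):
            for inner in split_commands(argv[idx + 1]):
                yield from unwrap(inner)

def analyze(command: str) -> dict:
    """Verdict of the naive check beside the destructive commands the
    unwrapped analysis finds, which is what a prompt should highlight."""
    argv = shlex.split(command)
    hidden = [a[0] for a in unwrap(argv) if a and a[0] in DESTRUCTIVE]
    return {"naive_allows": naive_allowed(command), "destructive": hidden}

if __name__ == "__main__":
    print(analyze("bash -c 'ls; rm -rf ~/projects'"))
```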
For OpenAI users there is additionally “Auto Review,” in which a separate review agent takes over the manual approval step.
5. Learning from mistakes
OpenClaw had numerous security vulnerabilities to close over the past months. To prevent the same types of errors from returning, the team relies on automated code checks using the tool OpenGrep. Currently, 148 rules are built in, each derived directly from a previous security report. Every proposed code change is checked for whether similar patterns appear.
The team emphasizes that precision matters more than having as many rules as possible: a warning system that is too noisy will eventually be ignored.
Not all risks will be eliminated
The blog post essentially confirms what external observers have been criticizing for weeks: unclear boundaries in the file system, weak network control, a risky plugin supply chain, and confirmation dialogs that no longer serve any practical purpose. Noteworthy is the project’s candid language — with a clear distinction between what already works, what is currently being rolled out, and what is still being researched.
OpenClaw will remain “no less powerful,” the post concludes. The goal is to make the boundaries more visible and more defensible. It will not be risk-free.