How secure is my self-hosted OpenClaw instance?

This free quiz scores your OpenClaw setup across 10 security dimensions — CVE patch status, gateway binding, authentication, secrets management, API rate limits, ClawHub skill hygiene, shell access, monitoring, and patch cadence. Your score gives a letter grade from A (Excellent) to F (Critical Risk).

What is CVE-2026-25253 (ClawJacked)?

A CVSS 8.8 vulnerability in OpenClaw where any malicious website could hijack your local AI agent via WebSocket — with no plugins or user interaction required. Exploit scanning began 35 minutes after public disclosure. Fixed in version 2026.2.25.

How many OpenClaw instances are publicly exposed?

Security research identified 42,665 publicly exposed OpenClaw instances in early 2026, with 93.4% exhibiting authentication bypass conditions. Automated exploit scanning began within hours of the first public disclosure on Hacker News.

How long does the security audit take?

The quiz has 10 questions and takes approximately 2 minutes to complete. You receive an instant letter grade (A through F), a breakdown of every security gap, exact fix commands for each issue, and a recommended GetClaw Hosting plan based on your score.

42,665 instances exposed · 93.4% auth bypass · CVSS 8.8

OpenClaw Security Audit
How safe is your setup?

10 questions. A letter grade. Exact fix commands for every gap. Takes 2 minutes — know where you stand before an attacker does.

Question 1 of 100% complete

What version of OpenClaw are you running?

Why OpenClaw security matters in 2026

OpenClaw went from 0 to 250,000 GitHub stars in three months. The security research community followed immediately. CVE-2026-25253 — dubbed "ClawJacked" — allowed any attacker-controlled webpage to silently hijack a developer's AI agent in a single step. Exploit scanning began 35 minutes after public disclosure. Three separate CVEs were disclosed in a single week in early 2026.

The defaults that ship with OpenClaw are designed for easy onboarding, not security. The gateway binds to all interfaces. Authentication is optional. ClawHub has no mandatory code review process. Every one of these is a documented attack vector with active exploits in the wild.

This quiz covers the 10 most critical gaps identified across security research on 42,665 exposed instances. For the full hardening walkthrough with exact commands, read the OpenClaw Security Checklist 2026 →

What this audit checks

CVE patch status — are you on the fixed version?
Gateway & Canvas Host binding — localhost or exposed to the internet?
Authentication — enabled with a strong password?
Secrets management — API keys out of config files and version control?
API rate limits — provider-level spending caps set?
ClawHub hygiene — skills audited before installation?
Shell tool access — restricted or disabled?
Monitoring & alerting — anomalies detectable before they become incidents?
Patch cadence — CVEs addressed within hours, not weeks?

Rather skip the checklist entirely? GetClaw Hosting managed hosting ships hardened by default — every item on this list is handled for you, automatically, without any configuration required. See plans →

OpenClaw Security Audit How safe is your setup?

Why OpenClaw security matters in 2026

What this audit checks

OpenClaw Security Audit
How safe is your setup?