Forem: Daniel Samer

Meta AI Safety Director's OpenClaw Agent Deletes Her Entire Inbox on Camera

Daniel Samer — Fri, 24 Apr 2026 09:30:00 +0000

Summer Yue, Meta's AI Safety Director, demonstrated her OpenClaw email management agent on stream. It worked perfectly in testing. Then on a real inbox with 200+ emails, the agent's safety instruction ("ask for confirmation before deleting") got silently dropped during context window compaction. The agent deleted everything.

9.6M views on X later, the OpenClaw community is rethinking how safety instructions work.

Key takeaways: hard approval gates, remote kill switches, and never trusting prompt-level instructions alone.

https://clawhosters.com/blog/posts/openclaw-agent-inbox-deletion-meta

Cisco Calls OpenClaw an Absolute Security Nightmare: What You Need to Know

Daniel Samer — Mon, 20 Apr 2026 07:12:22 +0000

Cisco's AI Threat and Security Research team released a critical security assessment of OpenClaw on January 28, characterizing it as "an absolute nightmare from a security perspective." Despite calling it a "dream for busy professionals," researchers Amy Chang, Vineeth Sai Narajala, and Idan Habler identified four primary attack surfaces that self-hosters need to take seriously.

The Four Threat Vectors

Shell command execution through agent prompts
File system access without proper sandboxing
API key leakage via prompt injection
Messaging app integrations (WhatsApp, iMessage) as attack vectors

The fundamental issue: OpenClaw's local deployment model assumes a trusted environment. When exposed to the internet without hardening, that trust model breaks.

Skill Scanner Results

Cisco built an open-source Skill Scanner and tested 31,000 ClawHub skills. 26% contained at least one vulnerability. A test skill called "What Would Elon Do?" silently exfiltrated user data, triggering 9 findings including 2 critical.

The Bigger Picture

This report dropped alongside multiple threats:

CVE-2026-25253: Critical one-click RCE (CVSS 8.8), patched in v2026.1.29
ClawHavoc Campaign: 341 malicious skills found in ClawHub deploying Atomic macOS Stealer
42,665 exposed instances discovered by researcher Maor Dayan, 93.4% with bypassed authentication

What to Do About It

If you're self-hosting OpenClaw:

Enable authentication (seriously, 93% of exposed instances didn't)
Isolate your network
Update regularly
Audit your installed skills

Or use a managed host that handles isolation, auth enforcement, and hourly patching for you.

Originally published on ClawHosters Blog

Jentic Mini: Free API Security Layer for OpenClaw Agents

Daniel Samer — Sun, 19 Apr 2026 07:13:57 +0000

Dublin-based Jentic released Jentic Mini on March 25, 2026. A free, open-source API execution layer that sits between OpenClaw agents and external APIs.

The problem it solves: when your OpenClaw agent calls Stripe, Slack, or Notion, those credentials typically live inside the agent context. Jentic Mini moves them into an encrypted vault on your infrastructure.

How It Works

Jentic Mini runs as a single Docker container (FastAPI + SQLite). No cloud dependency. The catalog covers about 1,044 OpenAPI specs and roughly 380 Arazzo workflow sources, totaling 10,000+ API endpoints.

Key features:

Encrypted credential vault on your own infrastructure
Toolkit-scoped permissions so agents only access the APIs they need
Kill switch to instantly revoke all API access
Apache 2.0 license, no usage restrictions

Setup

Deploy alongside any OpenClaw instance via Docker Compose. Works with both self-hosted and managed providers like ClawHosters. Minimal configuration overhead.

Jentic secured $4.5M in pre-seed funding and became the first Irish company admitted to the AWS GenAI Accelerator program.

Full article on ClawHosters

Trend Micro Launches TrendAI Governance Gateway for OpenClaw Agents

Daniel Samer — Sun, 19 Apr 2026 07:13:37 +0000

Trend Micro announced the TrendAI Agentic Governance Gateway at RSAC 2026, a platform designed to give enterprises visibility and control over autonomous AI agent operations.

What It Does

The governance platform monitors four areas:

Real-time observation of agent interactions across systems
Context and intent analysis to identify risky actions
Policy enforcement that blocks operations before execution
Human oversight insertion at critical decision points

A standout feature is pre-deployment simulation. Teams can test governance policies in non-production environments before going live.

The solution integrates with Trend Micro's Vision One platform. CEO Eva Chen framed it directly: "As AI systems become more autonomous, security must evolve from protection to governance."

Where It Fits

The OpenClaw security ecosystem now has multiple layers. Cisco DefenseClaw handles scanning and sandboxing. Gen's Agent Trust Hub addresses consumer trust verification. NVIDIA NemoClaw provides infrastructure guardrails. Trend Micro adds governance and policy enforcement on top.

The agentic AI market is projected to reach $139 billion by 2034, growing at 40.5% annually.

Practical Impact

Managed hosting providers like ClawHosters handle infrastructure-level security separately. TrendAI targets the governance layer above that, particularly for enterprises running dozens of agents with real business authority (purchase approvals, database modifications, etc.).

Full article on ClawHosters

OpenClaw v2026.3.28: xAI Grok Gets Web Search, MiniMax Brings Image Generation

Daniel Samer — Sun, 19 Apr 2026 07:13:21 +0000

OpenClaw v2026.3.28 shipped with three notable changes.

xAI Grok Web Search

The bundled xAI provider moved to the Responses API, which enables native x_search support. Your OpenClaw agent can now browse the web through Grok's own search infrastructure. Existing xAI configs get automatic plugin activation. New installs can set it up via openclaw configure --section web.

The Web Search Key Audit also expanded to recognize credentials for Gemini, Grok/xAI, Kimi, Moonshot, and OpenRouter.

MiniMax Image Generation

MiniMax joined as a second image generation provider alongside DALL-E, using their image-01 model. Supports text-to-image and image-to-image editing with aspect ratio controls. Setup takes about two minutes via openclaw configure --section image.

Config Doctor Gets Stricter

Legacy configuration migrations older than two months now fail validation instead of silently rewriting old config keys. Self-hosted users need to run openclaw doctor --fix before upgrading. Managed instances (like ClawHosters) handle this automatically.

Also in this release: Qwen deprecated its qwen-portal-auth OAuth path and migrated to Model Studio, and the legacy Chrome extension relay for Browser Chrome MCP was removed.

Read the full breakdown on ClawHosters

300+ Trojanized GitHub Packages Target OpenClaw Docker Users

Daniel Samer — Sat, 18 Apr 2026 07:11:28 +0000

Over 300 malicious GitHub packages masquerading as OpenClaw Docker deployment tools were discovered distributing a LuaJIT-based Trojan. The malware steals credentials, captures screenshots, and sends everything to command-and-control servers in Frankfurt.

Netskope Threat Labs found the campaign in March 2026. The packages looked legitimate with spoofed names, READMEs, and star counts. They specifically targeted people searching for OpenClaw Docker setup guides.

What the malware does

Captures stored credentials from browsers and password managers
Takes periodic screenshots of victim machines
Exfiltrates API keys and tokens from environment variables
Maintains persistence through cron jobs and systemd services

How to protect yourself

Only install packages from the official OpenClaw repository
Verify package authors before running install commands
Pin your Docker image digests instead of using ":latest"
Audit your existing packages for anything you don't recognize

If you're not confident in your Docker security setup, managed hosting eliminates the supply chain risk entirely. Services like ClawHosters handle the infrastructure so you don't have to vet every dependency yourself.

Full breakdown with IOCs and detection rules: Read the full article

OpenClaw Docker Hardening: 6 Steps to Lock Down Your AI Agent Container

Daniel Samer — Fri, 17 Apr 2026 12:00:00 +0000

SecurityScorecard recently identified 40,214 exposed OpenClaw instances in the wild. 63% of them are vulnerable, and 12,812 can be exploited via remote code execution. CVE-2026-25253 (CVSS 8.8) lets an attacker extract API keys in 30 seconds through WebSocket manipulation.

58% of OpenClaw containers still run as root with default capabilities.

I put together a practical hardening guide that covers 6 areas:

Running containers as non-root with dropped capabilities
Read-only filesystem with targeted tmpfs mounts
Image pinning to SHA256 digests (not latest)
Network isolation with internal bridge networks
Tool and workspace restrictions (blocking system.run, denying sensitive paths)
CPU and memory resource limits

Each section includes the actual Docker Compose config you need. No theory, just copy-paste hardening.

Read the full guide on ClawHosters

CrowdStrike Calls OpenClaw 'AI Super Agent', Publishes 156 Security Advisories

Daniel Samer — Fri, 03 Apr 2026 07:02:25 +0000

CrowdStrike's CTO Elia Zaitsev just published what might be the most thorough security breakdown of OpenClaw to date. They're not treating it as a chatbot. They're treating it as an autonomous system with real access to real infrastructure.

The Numbers

156 total security advisories. 28 with CVE IDs assigned, 128 still awaiting assignment.

Severity breakdown: 4 Critical, 52 High, 88 Medium, 12 Low. That's 56 advisories rated High or Critical.

Four Attack Vectors

CrowdStrike identified:

Direct prompt injection where attackers feed malicious instructions to the agent
Indirect prompt injection through contaminated data sources
Agentic tool chain attacks exploiting how OpenClaw connects to external systems
AI tool poisoning targeting plugins and skills

As Zaitsev put it: "AI agents don't just generate answers, they can take action; operating with speed, autonomy, and privileged access to email, calendars, sensitive data, credentials, and third-party systems."

The Scale Problem

Censys found 21,639 publicly accessible OpenClaw instances. Most probably running without dedicated security monitoring or regular patching.

CrowdStrike also demoed their Falcon AIDR blocking a live Discord exfiltration attack targeting an OpenClaw instance. These aren't theoretical risks.

What This Means

If you're running OpenClaw on a VPS you set up months ago, 56 High/Critical advisories should make you uncomfortable. Self-hosted AI without professional security management is becoming a liability.

Full breakdown

Managed hosting like ClawHosters applies auto-patching, credential isolation, and monitoring as standard. The kinds of protections CrowdStrike recommends, applied automatically.

OpenClaw RAG Knowledge Base: Turn Your AI Agent Into a Document Search Engine

Daniel Samer — Fri, 03 Apr 2026 07:02:25 +0000

Most AI agents are smart but uninformed. They know the internet. They don't know your company's return policy, your internal API docs, or what your team decided in last Tuesday's meeting.

OpenClaw ships with a built-in knowledge skill that fixes this. Feed it files, and it answers questions by pulling relevant chunks and citing where it found them.

How It Works

Drop documents into a knowledge/ folder in your workspace. Supported formats: .md, .txt, .pdf, .csv, .json. The agent indexes them locally. No external vector database. No embeddings API key to configure.

Then ask questions:

You: What's the SLA for critical bugs?
Agent: Per your support-tiers.md (lines 45-52), critical bugs have a 4-hour response SLA on the Enterprise plan and 24-hour resolution target.

The citeSources: true flag makes the agent reference exact file and location. For internal knowledge bases, citations are what make people trust the output.

What to Feed It

Good candidates: product docs, API references, FAQ lists, meeting notes with decisions, Obsidian/Notion exports, HR policies, pricing sheets.

Bad candidates: raw chat logs, uncleaned video transcripts, massive database dumps.

Practical tip: break large documents into topic-focused files. 40 Markdown files beat one 200-page PDF every time.

Config

{
  "skills": {
    "knowledge": {
      "enabled": true,
      "workspacePath": "./knowledge",
      "chunkSize": 512,
      "chunkOverlap": 64,
      "citeSources": true
    }
  }
}

Full tutorial with examples

If you want this running in 2 minutes without managing infrastructure, ClawHosters handles the indexing, backups, and updates automatically.

7 Critical CVEs Hit OpenClaw's Nextcloud Talk Plugin

Daniel Samer — Thu, 02 Apr 2026 08:07:01 +0000

Seven critical vulnerabilities. All published on the same day. All scoring above 9.0 on the CVSS scale. Belgium's national cybersecurity authority told organizations to patch immediately.

The Headline Bug

CVE-2026-28474 (CVSS 9.8): OpenClaw lets you restrict which users can talk to your AI agent through an allowlist. But the Nextcloud Talk plugin was checking the user's display name instead of their actual user ID. An attacker changes their Nextcloud display name to match someone on the allowlist. Done. They're in.

No authentication bypass needed. No special privileges. No user interaction.

The Full CVE List

CVE	CVSS 4.0	Component	Fixed In
CVE-2026-28474	9.3	Talk Plugin	2026.2.6
CVE-2026-28466	9.4	Gateway	2026.2.14
CVE-2026-28391	9.2	Talk Plugin	2026.2.6
CVE-2026-28446	9.2	Talk Plugin	2026.2.6
CVE-2026-28470	9.2	Talk Plugin	2026.2.6
CVE-2026-28472	9.2	Gateway	2026.2.6

Two Patch Targets

Most CVEs target the Nextcloud Talk plugin (fixed in 2026.2.6). But CVE-2026-28466 hits the core OpenClaw gateway and needs a separate upgrade to 2026.2.14. Patching only the plugin leaves you exposed.

42,000+ publicly exposed OpenClaw instances found through Shodan and Censys scans. If you self-host with Nextcloud Talk enabled, update both components now.

Full breakdown

ClawHosters managed instances are not affected. We don't use the Nextcloud Talk plugin, and auto-patching keeps every instance on the latest secure version.

OpenClaw Permissions: Lock Down Your AI Agent in 60 Seconds

Daniel Samer — Thu, 02 Apr 2026 08:06:46 +0000

135,000 OpenClaw instances are exposed across 82 countries right now. 12,812 of those are exploitable via remote code execution.

Your OpenClaw instance ships with almost zero security turned on. The gateway binds to loopback, which is good. But the tool access model? Wide open. Your agent can run any shell command, read any file your OS user can reach, and accept messages from anyone who finds your Telegram bot.

The fix takes about 60 seconds. OpenClaw has three permission layers:

Who can message your bot (dmPolicy + allowlist with numeric Telegram IDs)
Which tools the agent has (tool profiles + deny lists)
Shell command execution (exec.security set to deny)

One JSON file. Three settings. Done.

Full walkthrough with the complete hardened config:

👉 Read the full guide

If you want these security defaults baked in from day one, ClawHosters ships with container isolation, firewall rules, and auto-updates out of the box.

Shenzhen Launches Lobster Ten Policies: First Government to Subsidize OpenClaw With Millions

Daniel Samer — Wed, 01 Apr 2026 07:04:58 +0000

A local government in Shenzhen just did something no government has done before. On March 7, 2026, the Longgang District released ten policies with public funding going directly to developers building on OpenClaw.

The numbers:

Up to 2 million yuan ($290K) for contributing core code to OpenClaw
40% reimbursement on deployment costs, capped at 2 million yuan per company per year
30% subsidy on API fees, up to 1 million yuan annually
Seed-stage startups can receive equity investment up to 10 million yuan ($1.46M)

The concept driving this: One-Person Companies (OPC). One founder, no employees, running an entire business on OpenClaw agents.

Meanwhile, Beijing banned OpenClaw from government computers the same week. China is simultaneously treating it as a national security risk and a strategic development priority.

Nearly 1,000 people queued at Tencent HQ just for free OpenClaw installation help.

👉 Full story: Shenzhen Lobster Ten Policies