How secure is OpenClaw?

What OpenClaw (first Clawdbot, then Moltbot and now OpenClaw) is, in plain terms

OpenClaw is positioned as an open-source personal AI assistant or agent that you run on your own devices. In practice that means you’re operating a small “agent system” that can be reached through messaging channels, and that can use integrations and tools to do real work on your behalf.

This is the promise and the risk in one sentence: it’s not just generating text, it’s a piece of software that can hold secrets (tokens, API keys, credentials) and can execute actions on your behalf.

The threat model: “local by default” is not the same as “safe by default”

Self-hosting changes who you’re trusting, not whether you’re trusting.

With OpenClaw, you avoid handing everything to a SaaS vendor, but you take on a different set of operational responsibilities: securing a web interface, handling updates, rotating keys, and making sure the machine running the agent is hardened. When something in that chain is misconfigured, the blast radius can be immediate because agents tend to sit close to the “keys to the kingdom.”

This is also why agent security incidents feel scarier than typical app vulnerabilities. If a note app leaks, it’s bad. If an agent leaks, it can be bad and active.

Prompt injection: the risk that feels like phishing, but behaves like software

Here’s a concrete example that shows why this class of risk is different.

Imagine you set up an automation so that whenever an email is categorized as “client”, Nodus drafts a response for you. An attacker can impersonate a client and include instructions in the email body to exfiltrate confidential Notion data and send it as a reply without confirmation.

The defense is not one magic model prompt. It’s product and system design.

You mitigate this by putting confirmation gates in front of outbound actions, especially anything that sends messages, publishes content, or shares files. You mitigate it by using dedicated least-privilege accounts for agents so that even a compromised workflow cannot see everything. You mitigate it by avoiding automations that directly execute on untrusted external content, or by constraining inputs so the agent only sees the minimal fields it needs. You mitigate it with tool allowlists, strict data scoping, and output filtering or redaction so that sensitive content can’t accidentally be copied into an outbound channel.

OpenClaw’s own security posture (and the fine print most people miss)

OpenClaw’s security documentation makes two important points that are easy to gloss over.

First, the web interface is intended for local use and is not hardened for public exposure. That’s not unusual for early-stage self-hosted tooling, but it does mean that “it has a web UI” is not an invitation to put it on a public IP.

Second, prompt injection is treated as out of scope. That’s also not shocking given how hard the problem is, but it has a practical implication: the burden is on you to build guardrails around untrusted inputs and around what the agent is allowed to do.

Comparing OpenClaw to Notis: two different default risk profiles

OpenClaw’s pitch is local control and open-source flexibility. The trade is that you inherit the security posture of your own setup, including what you expose, how you update, and how you manage secrets.

Notis, by contrast, is designed to avoid being directly exposed to the outside world by default, and it’s built so that code and agents cannot access other users’ data; it only acts for the user who granted access. That doesn’t eliminate risk, but it changes the shape of it.

On the privacy and governance side, our posture is intentionally explicit because ambiguity is where trust dies. “We do our best to comply with GDPR standards and only work with providers that comply with GDPR and, in particular, with EU data residency requirements.” “We do not access your data without prior consent and have strict access control to our production environment.” “Tokens are stored encrypted and can be revoked at any time.” “No, your personal data is not used to train large language models (LLMs).” “When we receive a deletion request, we will remove your personal data from our active systems within 30 days (most often in a couple of hours).” “Data may persist in encrypted backups for up to 90 days…” and “Strict access controls… Only Flo, the founder and creator of Notis has access…”.

Notis also aims for end-to-end encryption and what we internally call “world-level security,” but the uncomfortable truth is that the moment you let any agent ingest untrusted external content, the prompt injection problem shows up again. The main exception case for Notis is automations triggered by webhook or integrations, because those can ingest untrusted input. If you’re building those workflows, you need the same discipline you would apply to a public-facing API.

So, how secure is OpenClaw really?

Secure enough for the right person with the right habits, and insecure enough for the wrong defaults to hurt.

If you’re the type of builder who keeps admin panels local, updates fast, verifies extensions, scopes credentials tightly, and assumes anything coming from the internet is hostile until proven otherwise, OpenClaw can be a powerful approach.

If you're going to run it with a public control panel, long-lived tokens, broad permissions, and automations that execute on untrusted text, then the January 2026 wave of reports is your warning label. Agents don't fail gracefully; they fail at the exact place you store your trust.

If you're not confident in your ability to manage all of this yourself, you're probably better off using an agent like Notis, where most of the security work has already been done for you and where it's much harder to accidentally put yourself in a very uncomfortable situation.