A new security issue has surfaced in the OpenClaw repository that every agent operator should understand: prompt injection via fake system message blocks in message channels like Discord, Telegram
Johann Sathianathen, an ex-Cisco security engineer, just published a comprehensive security guide that every OpenClaw user should bookmark. The guide breaks down 13 essential steps to secure your AI a
A critical SQL injection vulnerability has been reported in OpenClaw's database metrics endpoint. If you're running a version with this endpoint exposed, you'll want to patch immediately or restrict a
A newly reported issue highlights a security risk that every OpenClaw user should be aware of: configuration backup files may contain your plaintext API keys and tokens. The Problem When you modi
When your OpenClaw agent hits a command that requires approval (anything matching your exec security rules), you need to see it and respond quickly. If you're not watching WebChat 24/7, those approval
A concerning security issue has surfaced in OpenClaw: when using keyRef to securely reference API keys from environment variables or secret stores, the gateway may rewrite your config with the actua
A concerning security issue has surfaced in OpenClaw that every self-hosted operator should know about. When your openclaw.json configuration file contains invalid or unrecognized keys, the system s
We just published our first skill to ClawHub and immediately got flagged as Suspicious (medium confidence). Here's how we fixed it in 4 quick releases. The Initial Problem After publishing v1
Your OpenClaw agent keeps detailed logs of every conversation in JSONL transcript files. These files contain your messages, tool outputs, and potentially sensitive information like API responses, pers
If you're building moderation workflows with your OpenClaw agent—auto-banning spammers, flagging problematic messages, or routing reports to human reviewers—version 2026.2.17 just made your life signi
Your AI agent reads emails, web pages, and documents constantly. But what happens when an attacker hides malicious instructions in that content? Without protection, your agent might follow commands li
OpenClaw's $include directive is a powerful feature that lets you split your config into modular files—keeping secrets separate, sharing common settings across agents, or organizing complex multi-ch
If you've been running OpenClaw for a while, you've probably noticed your sessions directory growing steadily. Every conversation creates transcript files, media attachments accumulate, and before you
A community member is building an interesting security-focused tool for the OpenClaw ecosystem. Here's what we know so far. What is ClawTower? ClawTower (formerly ClawAV) is a security monito
OpenClaw 2026.2.17 includes a critical security fix that all users should be aware of: OC-09, a credential-theft vulnerability via environment-variable injection in the exec tool. What Was the
OpenClaw 2026.2.17 introduces a powerful security feature that many operators have been waiting for: URL allowlists for websearch and webfetch tools. This lets you control exactly which doma
If you're running an AI agent that interacts with services requiring authentication, you face a dilemma: how do you give your agent access to credentials without exposing them in chat logs, code, or c
A common question in the Discord community: "Why can't my agent execute crypto trades or move my funds?" If you've connected a wallet or tried to build a trading bot with OpenClaw, you may have encou
Have you ever worried about your agent's configuration drifting without your knowledge? Or wondered if a skill you installed might have security vulnerabilities? ClawSec, developed by Prompt Security
A common point of confusion when setting up OpenClaw for Discord DMs: you add friends or coworkers to allowFrom, expecting them to be able to chat with your bot, and suddenly your agent treats them