Community AI means more people have access to powerful systems. That makes security more important, not less. This page covers what went wrong in the past, what you must do before opening access, and the ongoing hygiene that keeps a community setup trustworthy.
The January–February 2026 OpenClaw security crisis was real. Understanding it is how you make sure it doesn't happen to your community.
Gateway exposure on 0.0.0.0 (all interfaces) instead of Tailscale-only IP allowed unauthenticated access to the OpenClaw gateway from the local network. Attackers on the same LAN could send arbitrary commands to your AI agent without authentication.
Fix: Bind gateway to Tailscale IP only. Rotate all API keys and OAuth tokens if your gateway was public before this patch. Run openclaw doctor --fix.
Windows gateway hosts on older versions could leak SMB credentials via a crafted tool call. Windows users who ran gateways before this patch should rotate all Windows credentials accessible from the gateway host, not just OpenClaw tokens.
Fix: Update immediately. Rotate credentials. Audit tool call logs for unexpected SMB activity in the weeks before patching.
A coordinated campaign of malicious skills on ClawHub that passed VirusTotal scans by using delayed execution and prompt injection. Once installed, skills could exfiltrate context, read files, and relay information to external servers.
Fix: Verified sources only. Never install from unverified publishers. Watch new skills for 3 days before trusting them. Check OpenClaw security advisories regularly.
When an agent with web search reads a malicious page, that page can contain instructions that the agent may follow — treating external content as trusted commands. This is a fundamental LLM challenge, not just an OpenClaw one.
Mitigate: Never grant web-search agents destructive permissions. Require approval for any action taken after web content retrieval. Audit logs regularly.
Work through this checklist after initial setup and after every major update. Your progress saves in the browser. Critical items must be done before sharing gateway access with your community.
Critical — do before sharing access with anyone
Each person who has access to the gateway
The mesh that connects everything
Weekly habits for whoever runs the gateway
Done right, community-operated AI infrastructure is more trustworthy than corporate alternatives — not less. Here's why.
A corporate AI service is a high-value target with millions of users' data. Your community node holds data for 5–50 people and is invisible from the public internet. Smaller target = smaller attack surface = lower risk of mass breach.
Every action your community AI takes is logged at ~/.openclaw/logs/. Every config decision is visible and auditable. Every model is inspectable. With corporate AI, you have no visibility into what happens to your data after you send it.
Your community decides what the AI can access, what it can do, and what it cannot. Those rules are encoded in config you control. Corporate AI services can change their rules, capabilities, and policies at any time, with no community input.
There's no database of 25 million users' data to leak — like LastPass in 2022. Your community's data is distributed across nodes in members' homes. Breaching one node doesn't compromise the whole community.
When a CVE is patched, you decide when to update and can verify the patch before applying. With corporate AI, you have no visibility into what changed in an update or whether it introduced new data collection. Your infrastructure, your decisions.
In a cooperative, the people running the infrastructure are accountable to the people using it — because they're the same people. That accountability structure produces better security decisions than one where operators answer to shareholders, not users.
Complete the checklist. Open the gateway only after doctor shows clean. Then your community has infrastructure that's more trustworthy than anything you were renting.
Back to Getting Started What is OpenClaw?