Security & Trust

Trust Is Not Optional
in Community Infrastructure

Community AI means more people have access to powerful systems. That makes security more important, not less. This page covers what went wrong in the past, what you must do before opening access, and the ongoing hygiene that keeps a community setup trustworthy.

§ What Went Wrong

The CVE History You Need to Know

The January–February 2026 OpenClaw security crisis was real. Understanding it is how you make sure it doesn't happen to your community.

CVE-2026-25253

Patched: v2026.1.29 · CRITICAL

Gateway exposure on 0.0.0.0 (all interfaces) instead of Tailscale-only IP allowed unauthenticated access to the OpenClaw gateway from the local network. Attackers on the same LAN could send arbitrary commands to your AI agent without authentication.

Fix: Bind gateway to Tailscale IP only. Rotate all API keys and OAuth tokens if your gateway was public before this patch. Run openclaw doctor --fix.

Windows SMB Credential Leak

Patched: v2026.3.22 · HIGH

Windows gateway hosts on older versions could leak SMB credentials via a crafted tool call. Windows users who ran gateways before this patch should rotate all Windows credentials accessible from the gateway host, not just OpenClaw tokens.

Fix: Update immediately. Rotate credentials. Audit tool call logs for unexpected SMB activity in the weeks before patching.

ClawHavoc Campaign

Ongoing · 1,400+ malicious skills

A coordinated campaign of malicious skills on ClawHub that passed VirusTotal scans by using delayed execution and prompt injection. Once installed, skills could exfiltrate context, read files, and relay information to external servers.

Fix: Verified sources only. Never install from unverified publishers. Watch new skills for 3 days before trusting them. Check OpenClaw security advisories regularly.

Prompt Injection via Web Content

Ongoing · Design challenge

When an agent with web search reads a malicious page, that page can contain instructions that the agent may follow — treating external content as trusted commands. This is a fundamental LLM challenge, not just an OpenClaw one.

Mitigate: Never grant web-search agents destructive permissions. Require approval for any action taken after web content retrieval. Audit logs regularly.

§ The Checklist

Before You Open Access to Anyone

Work through this checklist after initial setup and after every major update. Your progress saves in the browser. Critical items must be done before sharing gateway access with your community.

Gateway Security

Critical — do before sharing access with anyone

  • Gateway bound to Tailscale IP only — NOT 0.0.0.0 If your gateway is on 0.0.0.0, you are exposed to your entire local network. CVE-2026-25253 exploited exactly this.
    CRITICAL
  • Auth tokens generated per user openssl rand -hex 32 for each member. Never share tokens between people.
    CRITICAL
  • openclaw doctor shows no critical warnings Run after every version update and before opening access to new members.
    HIGH
  • Skills locked to verified sources only "allowSources": ["clawhub:verified"] in config. Unverified skills can inject malicious prompts.
    CRITICAL
  • Group approval required for all new skill installs One person's curiosity shouldn't install something for everyone. Review for 3 days.
    HIGH

Per-User Safety

Each person who has access to the gateway

  • Action approvals enabled for destructive operations delete, move, shell exec — require explicit confirmation. Set in settings.json permissionMode.
    HIGH
  • SOUL.md written with explicit never-do boundaries The "NEVER" section prevents your agent from doing things you didn't intend. Non-negotiable.
    HIGH
  • Workspace isolation configured No cross-user memory bleed. Each person's agent operates in isolation by default.
    HIGH
  • Rate limits set per user Prevent runaway tasks from consuming all node resources or making unexpected API calls.
    MED

Network Security

The mesh that connects everything

  • Pi-hole running — no DNS to Google or Cloudflare Every DNS query tells someone what you're accessing. Pi-hole + Unbound resolves directly.
    MED
  • Tailscale ACLs restrict service access by node Not every node should reach every service. Write ACLs that match your trust model.
    HIGH
  • No services exposed on public IPs Tailscale only. Ever. If you can reach it without Tailscale, so can someone else.
    CRITICAL
  • Ollama API port 11434 not accessible outside mesh Ollama has no authentication by default. Expose it only on your Tailscale interface.
    CRITICAL

Ongoing Hygiene

Weekly habits for whoever runs the gateway

  • openclaw doctor run weekly Catches config drift, version mismatches, and warning conditions before they become incidents.
    MED
  • Version updates applied within 1 week of release Security patches are in changelog. Don't let versions drift more than 2 behind.
    HIGH
  • Logs reviewed at ~/.openclaw/logs/ if behaviour seems off Agent behaviour that feels wrong is usually visible in logs before it becomes a problem.
    MED
  • New skills watched for 3 days before trusting ClawHavoc showed that even VirusTotal-clean skills can carry delayed payload. Watch before trusting.
    HIGH
§ The Trust Model

Why This Makes Community AI Safer Than Corporate AI

Done right, community-operated AI infrastructure is more trustworthy than corporate alternatives — not less. Here's why.

🏠 Your Threat Surface Is Smaller

A corporate AI service is a high-value target with millions of users' data. Your community node holds data for 5–50 people and is invisible from the public internet. Smaller target = smaller attack surface = lower risk of mass breach.

👁️ You Can Audit Everything

Every action your community AI takes is logged at ~/.openclaw/logs/. Every config decision is visible and auditable. Every model is inspectable. With corporate AI, you have no visibility into what happens to your data after you send it.

🗳️ You Govern the Rules

Your community decides what the AI can access, what it can do, and what it cannot. Those rules are encoded in config you control. Corporate AI services can change their rules, capabilities, and policies at any time, with no community input.

🔒 No Central Database to Breach

There's no database of 25 million users' data to leak — like LastPass in 2022. Your community's data is distributed across nodes in members' homes. Breaching one node doesn't compromise the whole community.

⚡ Updates Are Your Decision

When a CVE is patched, you decide when to update and can verify the patch before applying. With corporate AI, you have no visibility into what changed in an update or whether it introduced new data collection. Your infrastructure, your decisions.

🤝 Community Accountability

In a cooperative, the people running the infrastructure are accountable to the people using it — because they're the same people. That accountability structure produces better security decisions than one where operators answer to shareholders, not users.

Ready to Proceed?

Complete the checklist. Open the gateway only after doctor shows clean. Then your community has infrastructure that's more trustworthy than anything you were renting.

Back to Getting Started What is OpenClaw?