A couple of weeks ago I wrote a post comparing Base44 and OpenClaw — why I use Base44 and where OpenClaw makes sense for different types of operators.
After I published it I kept digging.
And the more I read, the more I felt like the security side of this story deserved its own post. Not a footnote. A proper look.
Because I’ll be honest: I was curious about OpenClaw. I considered trialling it. The appeal is real — open-source, self-hosted, fully autonomous. It does things that no other personal AI agent does quite as well.
But I won’t be trying it. Not after what I found.
This is what the research actually shows.
What OpenClaw actually is — and why security matters more here than usual
OpenClaw (previously called Clawdbot, then Moltbot after some trademark drama) is an open-source AI agent that went viral in early 2026, hitting 135,000 GitHub stars within weeks. That’s not a slow build. That’s an explosion.
And unlike most AI tools, OpenClaw doesn’t just answer questions. It does things.
It executes shell commands. It reads and writes files. It sends emails, manages your calendar, browses the web, and takes actions across your digital life — all autonomously, triggered via WhatsApp, Slack, iMessage, or Telegram.
That capability is exactly why it went viral.
It’s also exactly why the security risks are in a different category to most tools.
When an AI can act on your behalf — silently, autonomously, at scale — a misconfiguration or a compromised skill isn’t just an inconvenience. It’s a direct line into everything the agent has access to.
What actually happened: the documented incidents
I’m not speculating here. Reco’s security research — one of the more credible SaaS security firms out there — documented the timeline in detail. Here’s what happened in a matter of weeks.
January 27–29, 2026: the skills marketplace gets weaponised.
Attackers distributed 335 malicious skills through ClawHub, OpenClaw’s public skills registry. The skills looked legitimate — professional documentation, innocuous names like “solana-wallet-tracker.” Inside them: instructions to install keyloggers on Windows machines and Atomic Stealer malware on macOS.
Researchers eventually confirmed 341 malicious skills in total out of 2,857 available. That’s 12% of the entire registry. Compromised.
January 30, 2026: a quietly patched remote code execution vulnerability.
OpenClaw released version 2026.1.29, patching CVE-2026-25253 before public disclosure. The vulnerability allowed one-click remote code execution via a malicious link — exploiting the Control UI’s trust of URL parameters without validation. Attackers could hijack instances via cross-site WebSocket hijacking, including instances configured to listen only on localhost.
The attack chain takes milliseconds.
January 31, 2026: 21,639 instances exposed to the open internet.
Censys — a security scanning firm — identified over 21,000 publicly accessible OpenClaw instances, up from approximately 1,000 just days earlier. Misconfigured instances were leaking API keys, OAuth tokens, and plaintext credentials.
Same day: the Moltbook breach.
Moltbook — a social network built for OpenClaw agents — was found to have an unsecured database. It exposed 35,000 email addresses and 1.5 million agent API tokens. The platform had 770,000 active agents at the time.
That’s not one bad week. That’s a cascade.
The real problem isn’t the software
Here’s the thing I keep coming back to.
OpenClaw’s documentation says it plainly: “There is no ‘perfectly secure’ setup.”
That’s honest. I respect it.
But it also means the security burden lands entirely on you. You are responsible for:
- Vetting every skill before you install it
- Ensuring your instance isn’t exposed to the internet
- Monitoring for credential leaks and keeping API keys rotated
- Staying on top of CVEs as they’re disclosed
- Understanding what your agent has access to and what it can do with it
Most small business owners are not doing any of that.
Not because they’re careless. Because they’re running a business. They don’t have time to be part-time security analysts on top of everything else.
And that’s the gap that makes this genuinely dangerous.
✓ OpenClaw — what it gets right
- Open-source — full code transparency
- Self-hosted — your server, your rules (in theory)
- Flexible model access (API keys or OAuth)
- Runs on your own machine or a VPS
- 135,000+ GitHub stars — huge community
✗ OpenClaw — documented security incidents
- 341 malicious skills found in registry (12% of all skills)
- One-click remote code execution via CVE-2026-25253
- 21,639 instances exposed to the open internet
- Moltbook breach: 35,000 emails + 1.5M agent API tokens exposed
- Keyloggers and Atomic Stealer malware distributed via skills
- Plaintext API keys and OAuth tokens leaked from misconfigured instances
- No automatic skill vetting — security is your problem
What this means for agentic AI more broadly
OpenClaw is the first high-profile example of what happens when agentic AI goes mainstream without security infrastructure to match.
Reco describes it as the first major AI agent security crisis of 2026. I think that’s right.
And it’s worth understanding why agentic AI is different to the AI tools most people are already using.
ChatGPT answers questions. Notion AI summarises documents. Those tools are passive.
Agentic AI acts. It has permissions. It makes decisions. It runs code. And if something goes wrong — a malicious skill, a compromised credential, a misconfigured endpoint — it can cause real damage before any human notices.
This isn’t a reason to avoid agentic AI. It’s a reason to be deliberate about which one you use and how it’s managed.
Where Base44 sits in this picture
I want to be honest about Base44 too. It’s not perfect.
In July 2025, Wiz Research disclosed a critical authentication vulnerability — an attacker could have accessed private apps using only a non-secret app ID. It was serious. Simple to exploit. High potential impact.
But here’s what happened next.
Wiz disclosed it responsibly. Base44 and Wix fixed it in under 24 hours. Wix confirmed there was no exploitation in the wild. Wiz independently verified the fix.
That’s the difference between a vulnerability and a crisis. Every platform will have vulnerabilities. The question is how they’re managed when they surface.
Base44 is now SOC 2 Type II and ISO 27001 certified. Those certifications mean an independent auditor has reviewed how the platform protects your data — not just a self-assessment, an actual audit.
It’s a managed platform. Your agent runs in the cloud. There’s no exposed Control UI on your laptop. No skills marketplace where 12% of the content is malware. No instance to misconfigure and leave facing the open internet.
Less control. Less risk.
For most business owners, that’s the right trade.
✓ Base44 — security upsides
- SOC 2 Type II certified — independently audited
- ISO 27001 certified — international security standard
- Industry-standard encryption at rest and in transit
- SSO, IP allowlisting, workspace secrets (Enterprise)
- Managed platform — no server to patch, no endpoints to expose
- Wix-backed with a dedicated security team
- Critical vulnerability fixed in under 24 hours when disclosed
✗ Base44 — what to know
- Had a critical auth vulnerability (found and fixed July 2025)
- Shared infrastructure — your apps sit on the same platform as others
- Data stored in US by default (EU/UK on Elite+ plans)
- You are trusting a vendor with your data
- Less control than self-hosting
The honest take
I wanted to try OpenClaw. I genuinely did.
The autonomous capability is unlike anything else. The community is huge. The open-source model is philosophically appealing.
But the security record in the first weeks of its viral moment — 341 malicious skills, a one-click RCE, 21,000 exposed instances, a marketplace data breach — is not a teething issue. It’s a structural problem with putting an autonomous AI agent in the hands of people who aren’t equipped to secure it.
I’m not equipped to secure it. Most people reading this aren’t either.
And until agentic AI platforms build security in rather than bolting it on as an option, I’ll keep using tools where someone else is responsible for that layer.
That’s not laziness. That’s architecture.
Frequently Asked Questions
Is OpenClaw safe for small business owners to use?
Based on documented security incidents in 2026, OpenClaw carries significant risks for most small business owners. Reco’s security research found 341 malicious skills in the OpenClaw registry — roughly 12% of all available skills — including tools that installed keyloggers and malware. Unless you have technical expertise and dedicated IT support, managing these risks is not straightforward.
What is CVE-2026-25253?
CVE-2026-25253 is a critical remote code execution vulnerability in OpenClaw with a CVSS score of 8.8. It allowed attackers to hijack OpenClaw instances via a single malicious webpage using cross-site WebSocket hijacking. Security researchers confirmed the attack chain takes milliseconds to execute. OpenClaw patched it in January 2026.
Has Base44 ever had a security vulnerability?
Yes. In July 2025, Wiz Research disclosed a critical authentication flaw in Base44 that could have allowed unauthorised access to private apps using only a non-secret app ID. Base44 and Wix fixed the vulnerability within 24 hours of responsible disclosure, and Wix confirmed there was no evidence of exploitation in the wild.
What certifications does Base44 hold?
Base44 is SOC 2 Type II certified and ISO 27001 certified. SOC 2 Type II is an independently audited standard that reviews data protection practices over a sustained period — not just a snapshot. ISO 27001 is the international standard for information security management systems.
What is agentic AI security?
Agentic AI security refers to the specific risks that arise when AI agents can take autonomous actions — sending emails, executing code, accessing files, managing calendars. Unlike traditional AI that just answers questions, agentic AI can do things. That makes the security implications fundamentally different. If an agent is compromised or misconfigured, it can act on your behalf in ways you never intended.
Affiliate disclosure: This post contains affiliate links. If you sign up to Base44 via my link I earn a small commission at no extra cost to you. I only recommend tools I actually use.