Evaluate OpenClaw on Your Laptop Without Compromising Security

OpenClaw, an open-source AI agent, has rapidly spread from 1,000 to over 21,000 public deployments in one week, as monitored by Censys. This growth raises security concerns, as many users have installed the agent on corporate machines, allowing full system access. This article proposes ways to test it without exposing your infrastructure to risks.

Discovered Vulnerabilities

OpenClaw has some significant vulnerabilities. The CVE-2026-25253, a remote code execution flaw, allows attackers to steal authentication tokens via a single malicious link. Another vulnerability, CVE-2026-25157, enables arbitrary command execution on macOS via the SSH manager.

Furthermore, a study of 3,984 skills on ClawHub revealed that about 7.1% have critical flaws that expose sensitive credentials in plain text. A report from Bitdefender found that approximately 17% of analyzed skills exhibited malicious behavior.

Local Testing Risks

OpenClaw operates with full user privileges, including access to the shell and OAuth credentials for connected services. A compromised agent can instantly inherit all these permissions. Simon Willison, who coined the term "prompt injection," discusses the risks of combining access to private data, exposure to untrusted content, and external communication in a single process.

A prompt injection on a summarized webpage or email can trigger data exfiltration that resembles normal activity. Research has shown that attackers can exploit this vulnerability to steal environment variables and credentials through messaging platforms.

Ephemeral Container Functions

Cloudflare has launched Moltworker as an open-source implementation that separates the agent’s logic from the execution environment. OpenClaw runs in an isolated micro-VM that terminates after the task ends, avoiding exposure in local environments. Using Zero Trust ensures that every interaction with the administrative interface is authenticated.

This containment approach ensures that a hijacked agent remains confined in a temporary container, without access to the local network or files, eliminating the attack surface.

Four Steps for a Secure Evaluation

To set up a secure evaluation instance, follow these steps:

1. Set Up Storage and Billing

Create a Cloudflare account with a Workers Pay plan and an R2 subscription. For a purely security evaluation, you may opt for ephemeral functionality, with no data persistence.

2. Generate Tokens and Deploy

Clone the Moltworker repository and install the dependencies. Set up three secrets: your API key from Anthropic, a randomly generated gateway token, and an optional configuration provider for Cloudflare AI Gateway. Run npm run deploy to start the instance.

3. Enable Zero Trust Authentication

Configure Cloudflare Access to protect the administrative interface. This eliminates the exposure that led to known security failures in other OpenClaw deployments.

4. Connect a Test Messaging Channel

Use a temporary Telegram account to interact with the agent, ensuring that all communications occur in a controlled and secure environment.

30-Day Stress Test Before Expanding Access

Avoid connecting the account to any real assets in the first 30 days. Use disposable identities to assess the agent's interaction without exposing sensitive corporate data.

The sandbox allows testing against adversaries that would not be safe on production hardware, helping understand how the agent handles information without accessing critical data.

Future Implications

Implementing this evaluation approach now, before new AI tools go viral, could mean the difference between increasing productivity or facing a data breach. The security model for autonomous AI you develop in the coming days will be crucial for protecting your assets in the future.