OpenClaw·NanoClaw·ZeroClaw Practical Security Guide After CVE-2026-25253 — How to Securely Operate AI Agents with Credential Isolation and Least Privilege Skill Design
In February 2026, a security research team released shocking figures. Over 135,000 OpenClaw instances were exposed to public IPs, and 63% of them were vulnerable to Remote Code Execution (RCE) with just a single visit to a malicious webpage. The cause of CVE-2026-25253 (CVSS 8.8) was a lack of WebSocket origin validation. If an attacker embeds WebSocket connection code into a malicious webpage, the victim's browser establishes an unauthenticated connection to a locally running OpenClaw gateway (port 18789), allowing the agent to execute arbitrary commands with host user privileges. This is an attack chain where a single browser tab leads to the compromise of an entire server. Around the same time, ClawHub discovered over 341 malicious skills, and an analysis revealed that up to 36% of all skills contained security flaws. OpenClaw instances currently in operation may also be included in this list.
This article is intended for backend and infrastructure developers who directly deploy or operate OpenClaw. After reading this, you will be able to immediately harden your existing OpenClaw instances with just three steps and establish criteria for selecting the appropriate alternative between NanoClaw and ZeroClaw for your environment. The key is not to trust defaults and to structurally embed credential isolation and the principle of least privilege from the design stage.
TL;DR
- CVE-2026-25253: WebSocket origin unverified → 1-click RCE, CVSS 8.8
- OpenClaw immediate action: upgrade to version 2026.1.29 or higher, bind the gateway to 127.0.0.1, apply Docker isolation
- When transitioning to a security-centric approach: consider NanoClaw for regulated industries and ZeroClaw for edge/distributed deployments.
- You can go directly to the section you need from the table of contents below.
Key Concepts
What is Credential Isolation
Credential isolation is a principle that grants dedicated and least-privilege credentials to each agent instance, does not store secrets directly in the file system, and injects them at runtime only through a secret management system.
Many teams store API keys in the .env file for development convenience. If this file is included in a container image or exists in plain text on the file system, all credentials are exposed at once the moment the agent is compromised. Credential isolation blocks this attack vector itself.
```bash
# Wrong approach: storing the secret on the filesystem
echo "API_KEY=sk-xxx" > /home/agent/.env

# Right approach: runtime injection through a secret management system
docker run \
  --env API_KEY=$(vault kv get -field=key secret/agent) \
  --read-only \
  --user 1001:1001 \
  openclaw:latest
```

Definition of Terms The --read-only flag mounts the container filesystem as read-only. It blocks agents from writing arbitrary files or saving malicious code to disk at the kernel level.
The vault kv get command assumes that HashiCorp Vault is pre-installed and that Vault authentication, such as AppRole or Kubernetes auth, is complete. Vault is an open-source platform for centrally managing secrets and is a standalone infrastructure that requires separate installation and configuration. For environments where Vault cannot be implemented (small teams, lack of on-premises configuration, etc.), the following alternatives may be considered.
- AWS environment: inject secrets into containers using AWS Secrets Manager + IAM Role (IRSA)
- Kubernetes environment: inject via ExternalSecrets Operator + Kubernetes Secret
- Simple alternative: AWS Systems Manager Parameter Store (aws ssm get-parameter)
The core principles of API key management are agent-specific key separation and periodic rotation. Since manual rotation carries the risk of omissions, automation using Vault Dynamic Secrets (TTL-based automatic expiration) or AWS Secrets Manager Rotation Lambda is recommended. A 90-day limit can be set for the manual rotation cycle.
Least Privilege Skill Design
The principle of least privilege means restricting each skill from the design stage to request only the permissions actually necessary. A design where an agent requests broad privileges on the grounds that "it might be needed" provides a wide attack surface for attackers.
| Agent Type | Required Permissions | Permissions to Block |
|---|---|---|
| Daily Briefing Agent | Read Email/Calendar | Write Filesystem, sudo |
| RAG Search Agent | Vector DB Search/Read | DB Deletion/Modification, External Network |
| Messaging Agent | Sending Scope | Cloud Infrastructure Access Token |
| Code execution agent | exec inside isolation container | Host filesystem, network |
Why exec and apply_patch are High Risk
If these tools are executed outside the isolation container—that is, with host user privileges—they can directly access the host file system and the network. This is why a single vulnerability can lead to the compromise of the entire server. They must be allowed only within a separate isolation container.
Linux kernel capabilities are granular units of privilege that allow special operations (port binding, network interface configuration, kernel module loading, etc.) without using the root account. --cap-drop=ALL removes this entire set of privileges, preventing a process from making high-risk system calls even if it runs as root.
Comparison of Security Models in Three Frameworks
Since the OpenClaw crisis, an increasing number of teams are choosing security-focused alternatives. The security philosophies of the three frameworks are fundamentally different.
| Framework | Core Security Model | Default Execution Context | Marketplace |
|---|---|---|---|
| OpenClaw | Open Ecosystem + Customizable Security | Host User Permissions (Insecure) | ClawHub (Supply Chain Risk) |
| NanoClaw | Fully isolated at the container level + audit logs | Independent container per skill | Limited (separate verification) |
| ZeroClaw | deny-by-default allowlist + kernel sandboxing | Landlock/Bubblewrap sandbox | None (no supply chain attack surface) |
OpenClaw's strength lies in ClawHub's rich skill ecosystem, but its default settings are insecure. Unless users manually harden their systems, they remain exposed to CVE-2026-25253 family vulnerabilities. ZeroClaw blocks all behavior not explicitly allowed, which entails a heavy initial setup burden, but structurally limits the scope of compromise. NanoClaw provides container isolation by default, making it advantageous for responding to audits in regulated industries.
Practical Application
Example 1: OpenClaw Docker Isolation Enhancement
If you need to continue using OpenClaw, it is recommended to apply at least the Dockerfile and run options below. The image can be downloaded from the official openclaw repository on Docker Hub.
```dockerfile
# Docker Hub: docker pull openclaw/openclaw:2026.1.29
FROM openclaw/openclaw:2026.1.29

# Run as a non-root user (UID 1001)
RUN useradd -r -u 1001 agent
USER 1001

# The gateway must bind to localhost only
ENV OPENCLAW_GATEWAY_HOST=127.0.0.1
ENV OPENCLAW_GATEWAY_PORT=18789
```

```bash
# Build the hardened image from the Dockerfile above and run that image: the
# ENV bindings only take effect on the built image, not on the base image.
# (openclaw-hardened:2026.1.29 is a local tag chosen here; use your own.)
docker build -t openclaw-hardened:2026.1.29 .
docker run \
  --read-only \
  --user 1001:1001 \
  --cap-drop=ALL \
  --network=none \
  --env API_KEY=$(vault kv get -field=key secret/openclaw/prod) \
  openclaw-hardened:2026.1.29
```

| Option | Role |
|---|---|
| --read-only | Filesystem writes completely blocked |
| --user 1001:1001 | Prevents execution as root |
| --cap-drop=ALL | Removes all kernel capabilities (special permissions such as port binding and network settings) |
| --network=none | Blocks network access (if external communication is required, replace with --network=bridge and apply an egress filter) |
| vault kv get ... | Secret injected from Vault instead of the filesystem |
What happens when ENV OPENCLAW_GATEWAY_HOST=127.0.0.1 and --network=none are used together? The two configurations control different layers. ENV restricts the interfaces that the OpenClaw process binds to, while --network=none isolates the container network namespace itself. For offline agents that do not need to connect to OpenClaw from the outside, the two configurations act as Defense in Depth. If external channel connectivity is required, you can operate by applying explicit egress rules instead of --network=none while keeping the ENV bindings intact.
Caution You must use OpenClaw version 2026.1.29 or higher. Binding the gateway port (18789) to 0.0.0.0 exposes you to the CVE-2026-25253 family of vulnerabilities.
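To make the root cause of CVE-2026-25253 concrete, here is an added Python example (not OpenClaw's code) of the exact-match Origin validation a WebSocket handshake needs, shown beside the bypassable prefix check it should replace. The allowlist values are assumptions for illustration.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist for this illustration: the origins a locally served
# gateway UI would legitimately come from. Not OpenClaw's own configuration.
ALLOWED_ORIGINS = {"http://127.0.0.1:18789", "http://localhost:18789"}


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise an Origin value to scheme://host[:port]; None if malformed."""
    try:
        parts = urlsplit(origin)
        host, port = parts.hostname, parts.port   # .port raises on "18789.evil.example"
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None                                # covers "null" and non-URL values
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    default = 443 if parts.scheme == "https" else 80
    port = port or default
    return f"{parts.scheme}://{host}" if port == default else f"{parts.scheme}://{host}:{port}"


def naive_origin_check(origin: str) -> bool:
    """The kind of prefix test that looks like validation but is bypassable."""
    return origin.startswith("http://localhost") or origin.startswith("http://127.0.0.1")


def origin_allowed(headers: Dict[str, str], allowlist=ALLOWED_ORIGINS) -> bool:
    """Accept a WebSocket upgrade only when Origin exactly matches an allowed origin.

    A missing Origin is rejected: browsers always send one on cross-site
    WebSocket handshakes, so its absence is not a reason to skip the check.
    """
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        return False
    canon = normalize_origin(origin)
    return canon is not None and canon in {normalize_origin(o) for o in allowlist}
```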
Example 2: ZeroClaw deny-by-default allow list settings
ZeroClaw executes only the actions explicitly allowed in the zeroclaw.toml configuration file. The configuration file itself serves as the security policy document.
```toml
# zeroclaw.toml: only explicitly allowed actions are executed
[permissions]
# Allow reading only a specific directory
file_read = ["/data/reports"]
# Allow only port 443 on the internal API server (IP-based filtering recommended)
network = ["10.0.1.50:443"]
# Block command execution completely (empty array)
exec = []
```

The method for applying the configuration file and running the agent is as follows.

```bash
zeroclaw run --config zeroclaw.toml
```

You can use a domain name like api.internal:443 in the network entry, but DNS is vulnerable to spoofing. If possible, it is recommended to specify an IP address (10.0.1.50:443) or to use a domain name only in environments where the internal DNS server is trusted.
In this configuration, file readings other than /data/reports, network requests other than allowed endpoints, and the execution of all shell commands are blocked at the kernel level by Landlock/Bubblewrap sandboxing.
Definition of Terms Landlock is a kernel security module introduced in Linux 5.13 that allows processes to restrict the filesystem paths they can access. It enables granular isolation without root privileges. Bubblewrap is a sandboxing tool that combines process namespaces and seccomp filters, and is also used in tools like Flatpak.
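To show how a deny-by-default allowlist behaves on concrete requests, the following added Python example (an illustrative model, not ZeroClaw's implementation) evaluates the zeroclaw.toml permissions above, transcribed as a dict, against file, network and exec requests, including a path-traversal attempt.

```python
import posixpath
from typing import Dict, List

# The [permissions] table from the article's zeroclaw.toml, transcribed as a dict
# for this illustration; a TOML parser would yield the same structure.
POLICY: Dict[str, List[str]] = {
    "file_read": ["/data/reports"],
    "network": ["10.0.1.50:443"],
    "exec": [],
}


def _path_allowed(path: str, roots: List[str]) -> bool:
    """True if `path` is inside one of `roots` after normalisation.

    Normalising first is what stops "/data/reports/../../etc/passwd" from
    passing a naive prefix test. A kernel sandbox (Landlock) additionally
    resolves symlinks, which this userspace check cannot.
    """
    real = posixpath.normpath(path)
    if not posixpath.isabs(real):
        return False
    for root in roots:
        root = posixpath.normpath(root)
        if real == root or real.startswith(root.rstrip("/") + "/"):
            return True
    return False


def decide(policy: Dict[str, List[str]], action: str, target: str) -> str:
    """Return 'allow' or 'deny'. Anything not explicitly listed is denied."""
    allowed = policy.get(action)      # unknown action -> None -> deny
    if not allowed:                   # exec = [] denies every command
        return "deny"
    if action == "file_read":
        return "allow" if _path_allowed(target, allowed) else "deny"
    if action == "network":
        return "allow" if target in allowed else "deny"   # exact host:port, no wildcards
    return "deny"
```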
Example 3: NanoClaw Session Isolation by Chat Group
If you are operating in a regulated industry or a multi-tenant messaging agent, NanoClaw's container-level session isolation is a strength.
```bash
# Run an independent NanoClaw container for each WhatsApp group
for GROUP_ID in group1 group2 group3; do
  docker run -d \
    --name "nanoclaw-${GROUP_ID}" \
    --read-only \
    --user 1001:1001 \
    --cap-drop=ALL \
    --label "group=${GROUP_ID}" \
    nanoclaw:latest
done
```

--label "group=${GROUP_ID}" is for management and monitoring purposes, not a security setting. It is a metadata tag used to filter containers by group, as in docker ps --filter label=group=group1, or for Prometheus label-based aggregation.
In this pattern, data leakage between groups is structurally blocked. All skill actions are automatically recorded in the audit log, and responding to regulatory audits is easy thanks to an auditable core codebase of 700 lines or less.
Pros and Cons Analysis
Advantages
| Item | OpenClaw | NanoClaw | ZeroClaw |
|---|---|---|---|
| Ecosystem Richness | Numerous ClawHub skills, vast community documentation | Specialized in messaging agents | No marketplace (no supply chain attack surface) |
| Security Default | Low (Requires user hardening) | High (Container isolation by default) | Very High (deny-by-default) |
| Deployment Efficiency | General | Container Overhead Included | 3.4MB Single Binary, 10ms Boot |
| Auditability | Limited | 700-line core, automatic audit log | Rust memory safety, explicit policy file |
| Regulatory Industry Compatibility | Additional Work Required | Suitable for Financial and Healthcare Environments | Economical for Edge and Distributed Deployment |
Disadvantages and Precautions
| Item | Content | Response Plan |
|---|---|---|
| OpenClaw default vulnerability | Host user privilege execution, over 138 CVEs being tracked | Using 2026.1.29 or later, Docker isolation applied |
| ClawHub Supply Chain Risk | Up to 36% of all skills contain security flaws | Must be verified in an independent sandbox before production |
| ZeroClaw initial setup burden | All permissions must be specified | Apply the principle of least privilege from the design phase |
| ZeroClaw Repository Issues | March 2026 Availability Issue Report | Reconfirming Stability Before Production Deployment Recommended |
| Runtime governance gap | Immature real-time authorization control system during agent execution | Concurrent log-based post-audit + network egress filtering |
Runtime Governance is a system that monitors and controls the behavior and authority of agents in real time while they are running. Currently, it is one of the most immature areas in the industry, and post-audit logs and network egress filtering are realistic solutions.
The Most Common Mistakes in Practice
- Binding gateway port 18789 to 0.0.0.0 — This occurs when deploying development environment settings to production as is. It is recommended to bind only to 127.0.0.1 or the internal network interface, and to route remote access through a Tailscale or WireGuard VPN.
- Installing ClawHub skills directly into production without verification — All external skills must be treated as untrusted code. You can establish a procedure that integrates Semgrep static analysis ([Official Installation Guide](https://semgrep.dev/docs/getting-started); for OpenClaw-specific rule sets, refer to the Semgrep blog checklist) into your CI pipeline, verifies the skill's behavior in an independent sandbox environment, and then deploys it to production.
- Multiple agents using a single shared API key — In the event of a breach, all agents and all services connected to that key are affected simultaneously. By separating keys by agent and applying an auto-rotation policy, you can structurally limit the scope of the breach.
In Conclusion
The core of AI agent security is to not trust default values and to structurally embed credential isolation and the principle of least privilege from the design stage.
If you want to immediately inspect your current OpenClaw environment or build a new security-focused agent, you can start with the following three steps.
- Check version/port — Check the gateway binding address with docker inspect <container> or ss -tlnp | grep 18789. If 0.0.0.0 is visible, change it immediately to 127.0.0.1, and if the version is lower than 2026.1.29, an upgrade is required.
- Skill permission audit — Review the list of skills installed from ClawHub and check whether the permissions requested by each skill are excessive compared to its actual functionality. We recommend adding a skill verification process using Semgrep and an independent sandbox to your CI pipeline.
- Review security-centric frameworks first for new agents — Examine first whether ZeroClaw's zeroclaw.toml allowlist model or NanoClaw's container isolation model is suitable for your environment. The example configuration file introduced in this article will be provided in a format that can be copied directly from GitHub Gist (example link) and applied immediately.
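Step 1 above can be automated. As an added example (not the project's own tooling), this Python script checks docker inspect output for the hardening options this article recommends: a pinned fixed version, read-only rootfs, non-root user, dropped capabilities, gateway bound to 127.0.0.1, no 0.0.0.0 port publishing and no network. The two inspect documents are constructed samples; in practice, feed the JSON from docker inspect <container> to audit_container.

```python
import json
from typing import List, Optional, Tuple

MIN_VERSION = (2026, 1, 29)   # first OpenClaw release the article says fixes CVE-2026-25253
GATEWAY_PORT = "18789/tcp"

# Constructed `docker inspect` output, trimmed to the fields the audit reads.
INSECURE_INSPECT = json.dumps([{
    "Config": {"Image": "openclaw/openclaw:latest", "User": "",
               "Env": ["OPENCLAW_GATEWAY_HOST=0.0.0.0", "OPENCLAW_GATEWAY_PORT=18789"]},
    "HostConfig": {"ReadonlyRootfs": False, "CapDrop": None, "NetworkMode": "bridge",
                   "PortBindings": {GATEWAY_PORT: [{"HostIp": "0.0.0.0", "HostPort": "18789"}]}},
}])
HARDENED_INSPECT = json.dumps([{
    "Config": {"Image": "openclaw/openclaw:2026.1.29", "User": "1001:1001",
               "Env": ["OPENCLAW_GATEWAY_HOST=127.0.0.1", "OPENCLAW_GATEWAY_PORT=18789"]},
    "HostConfig": {"ReadonlyRootfs": True, "CapDrop": ["ALL"], "NetworkMode": "none",
                   "PortBindings": {}},
}])


def parse_version(image: str) -> Optional[Tuple[int, ...]]:
    """'openclaw/openclaw:2026.1.29' -> (2026, 1, 29); None for 'latest' or an untagged image."""
    _, _, tag = image.rpartition(":")
    try:
        return tuple(int(x) for x in tag.split("."))
    except ValueError:
        return None


def audit_container(inspect_json: str) -> List[str]:
    """Return findings against the article's hardening options; an empty list means all passed."""
    c = json.loads(inspect_json)[0]
    cfg, host = c["Config"], c["HostConfig"]
    env = dict(e.split("=", 1) for e in cfg.get("Env") or [] if "=" in e)
    user = (cfg.get("User") or "").split(":")[0]
    ver = parse_version(cfg.get("Image", ""))
    bindings = (host.get("PortBindings") or {}).get(GATEWAY_PORT) or []
    checks = [
        (ver is None or ver < MIN_VERSION, "image not pinned to 2026.1.29 or later"),
        (not host.get("ReadonlyRootfs"), "writable rootfs: add --read-only"),
        (user in ("", "0", "root"), "runs as root: add --user 1001:1001"),
        ("ALL" not in (host.get("CapDrop") or []), "capabilities retained: add --cap-drop=ALL"),
        (env.get("OPENCLAW_GATEWAY_HOST") != "127.0.0.1", "gateway not bound to 127.0.0.1"),
        (any(b.get("HostIp") in ("", "0.0.0.0", "::") for b in bindings), "port 18789 published on all host interfaces"),
        (host.get("NetworkMode") != "none", "network enabled: use --network=none or an egress filter"),
    ]
    return [msg for failed, msg in checks if failed]
```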
This is the first article (1/2) of the OpenClaw security series.
Next Post (2/2): Implementing OpenClaw Runtime Governance — An eBPF-based audit architecture that monitors agent behavior in real-time and automatically blocks anomalous behavior
Reference Materials
Vulnerability Report
- CVE-2026-25253: 1-Click RCE in OpenClaw Through Auth Token Exfiltration | SOCRadar
- NVD — CVE-2026-25253
- OpenClaw RCE Vulnerability (CVE-2026-25253): One-Click Attack & Fix | Proarch
- The OpenClaw Security Crisis: 135,000 Exposed AI Agents | DEV Community
- Is OpenClaw Safe? The ClawHub Malware Crisis | Blink
Official Documentation and Practical Guide
- Security — OpenClaw Official Documentation
- Running OpenClaw safely: identity, isolation, and runtime risk | Microsoft Security Blog
- OpenClaw security: architecture and hardening guide | Nebius
- Security Best Practices to Securely Deploy OpenClaw | Repello AI
- OpenClaw Security Guide 2026 | Contabo Blog
- OpenClaw Security Engineer's Cheat Sheet | Semgrep
- slowmist/openclaw-security-practice-guide | GitHub
- OpenClaw Security Risks: What security teams need to know | Barracuda Networks
Framework Comparison
- ZeroClaw vs OpenClaw vs NanoClaw 2026 Comparison | Lushbinary
- After the OpenClaw Crisis: ZeroClaw vs NanoClaw vs Moltis | ZeroClaw Blog
- OpenClaw Alternatives for Enterprise Security | Fountaincity Tech
- OpenClaw vs NanoClaw vs PicoClaw vs ZeroClaw | Wael Mansour
- AI Agent Security Risks 2026: MCP, OpenClaw & Supply Chain | Cyberdesserts