Earlier this month, I finally decided to start building my local AI stack, integrated with OpenClaw. I’m an extremely busy person, so I am in desperate need of AI automation. However, during the installation and setup process, I was unaware of the security risks involved.
To be perfectly honest, I used the Rabbit R1’s DLAM (Device-Level Action Model), which functions as an AI-powered desktop agent that can operate your computer to carry out routine tasks. I effectively used AI to build my local AI stack in its own isolated local user account, complete with a Python-based backend for memory storage and recall.
Most users opt for running these in the cloud. Little did I realize that a public-facing OpenClaw setup “straight out of the box” running on its default configurations puts the user at high risk, since OpenClaw was not built with security in mind.
One of the major vulnerabilities users face is OpenClaw’s default gateway configuration, and default port 18789, which makes scanning and enumerating instances of OpenClaw relatively easy. Security writeups warn that exposing this gateway can reveal server information not intended for public access and may provide a direct path to the control panel.
OpenClaw under prompt injection
Because OpenClaw functions as an automation gateway, if an attacker gains access to your instance, they could potentially use whatever the agent can access — including sensitive or personal files, browser sessions, email, calendars, API keys, installed skills, connected messaging channels, and more.
This also means that if an attacker can control the OpenClaw interface, they could chat with your AI agent and ask it to retrieve files, summarize personal information, inspect configurations, expose log files, or use your connected tools.
This is only the beginning.
Prompt injection is when a threat actor hides or inserts instructions into text that an AI system reads, causing it to ignore its intended rules or perform unintended actions. A real-world example occurred in January 2026 with the Microsoft Copilot “Reprompt” exploit, reported by Varonis.
AI users typically overshare very personal things to AI — from account information to medical history, relationship dynamics, and proprietary company information. Whatever you’ve disclosed to AI can also be retrieved by cybercriminals. We both know people tend to overshare. If they overshare on social media, how much more do they overshare when they are speaking to a program?
Attackers can add malicious instructions to memory, notes, prompts, or configuration files to instruct the AI agent to behave differently. By injecting malicious content into files, emails, webpages, or messages that the agent reads later, an attacker can influence its future decisions, trigger unintended actions, and potentially cause it to expose sensitive data or execute harmful tasks without the user’s awareness.
Examining the default gateway config
Public gateway exposure — binding to 0.0.0.0 instead of 127.0.0.1 — turns OpenClaw from a local tool into a data exposure surface. Exposing your gateway on all interfaces lets attackers reach your dashboard and API directly. That means full agent interaction. Everything your agent can access becomes directly exposed.
Another configuration concern is OpenClaw’s open authentication, which allows direct access to your control panel and endpoints. An attacker can run tasks, query memory, and inspect your logs.
Here’s the solution: install NVIDIA NemoClaw, an open-source reference stack designed to run OpenClaw more securely. It adds security and privacy controls through NVIDIA OpenShell, including stronger guardrails, sandboxing, and policy-based protections for autonomous agents.
It’s a good thing most home internet users don’t have a public IP address assigned directly to their device. If OpenClaw is only running on localhost, the risk is much lower — random people across the web cannot directly reach it. But if the machine is ever compromised, everything OpenClaw has permission to do can easily fall under the attacker’s control.
Remote compromise
My OpenClaw instance was wide open for anyone who sat at my computer to use, since my build came with no access controls. And since I’m always experimenting with open-source code from public repos and don’t have time to inspect every file for integrity, there’s always a chance that one of my downloads will be laced with malware — especially from GitHub.
One of the more common ways systems get compromised is through supply-chain attacks, such as poisoning dependencies. When someone pulls scripts from GitHub, it’s usually not even the visible code itself but what gets pulled in around it — the least-inspected component of the scripts and tools we use from the most popular repository on earth.
This creates a significant attack vector, exposing AI tools — from ChatGPT to OpenClaw, or any similar application — to data exfiltration and machine manipulation. With remote access, an attacker could open my ChatGPT session, extract sensitive conversations, and learn more about me than I realize: uploaded files, emails I’ve asked it to summarize, and personal thoughts I’ve shared.
This is the new world.
With the AI boom comes a drive by attackers to leverage what you’ve exposed your AI to.
After all, every secret you have ever shared with it, every file you uploaded, every time you accidentally exposed credentials, personal photos, or unflattering thoughts about coworkers, family, or friends — or even revealed involvement in illegal activity — can become leverage for a determined threat actor.
