Question 1

What is CVE-2026-25253 and am I affected?

Accepted Answer

CVE-2026-25253 (CVSS 8.8, nicknamed “ClawJacked”) is a one-click remote code execution vulnerability. A malicious website can trick your browser into establishing a WebSocket connection to your local OpenClaw instance, steal the auth token, and execute shell commands — even if your instance was never internet-facing. All versions before v2026.1.29 are affected.

Question 2

Is my OpenClaw deployment exposed even with UFW enabled?

Accepted Answer

Possibly. Docker bypasses UFW via nat table rules. Any port published with -p may be reachable from the internet even if UFW shows it blocked. Fix: configure the DOCKER-USER iptables chain and bind the gateway to 127.0.0.1.

Question 3

What happened in the ClawHavoc attack?

Accepted Answer

Between January–March 2026, attackers uploaded 1,184+ malicious skills to ClawHub disguised as legitimate tools. They delivered Atomic Stealer (AMOS) — harvesting browser credentials, SSH keys, and keychain passwords. Check your installed skills against the Koi Security removal list. Any skill from an unverified publisher during that period is suspect.

Question 4

How do I prevent the context compaction problem?

Accepted Answer

Implement safety constraints at the system level — hardcoded in Docker configuration, not entered as chat messages. System-level instructions cannot be compacted away. Also configure write permissions through tool allowlists at the Docker level so even if an instruction is lost, the permission boundary holds.

Question 5

My OpenClaw is already running. How do I audit it?

Accepted Answer

Check: (1) --cap-drop=ALL present, docker.sock absent. (2) Gateway binds to 127.0.0.1. (3) DOCKER-USER chain has deny rules. (4) Credentials in Composio vault, not .env. (5) Safety constraints in Docker system prompt, not chat. If you want a full audit, ManageMyClaw deployments include a 14-point security review.

Tag: docker sandboxing

OpenClaw Security: The 5 Things You Must Get Right