Over 40,000 OpenClaw instances have been found sitting on the open internet with zero authentication. API keys in plaintext. Chat logs accessible to anyone who knows where to look. Credentials for connected services like Slack, GitHub, email - just hanging out in environment variables that got committed to repos or left exposed on default ports.
Quick Summary TLDR
Quick Summary TLDR
- 1OpenClaw's default config exposes API keys, chat logs, and credentials - the defaults are not production-safe.
- 2CVE-2026-25253 enables one-click remote code execution through malicious ClawHub skills; 824+ compromised skills have been found on the registry.
- 3Layer 1: VPS hardening - firewall rules, reverse proxy with TLS, and environment variable isolation outside the project directory.
- 4Layer 2: Mobile proxy for network isolation - carrier IPs carry higher platform trust and keep agent traffic untraceable to real infrastructure.
- 5Layer 3: Non-VoIP SMS numbers for WhatsApp, Telegram, and Discord verification - VoIP numbers face 60-80% rejection rates on platforms with active fraud detection. MCP integration connects all three programmatically.
OpenClaw keeps growing anyway. 190K+ GitHub stars. Fastest-growing open-source project by most metrics. Developers are spinning up agents for customer support, automated research pipelines, internal tooling, all of it. The security posture of most deployments hasn't kept up.
CrowdStrike published a warning. Kaspersky followed. Trend Micro and Cisco Talos both dropped reports within the same two-week window. CVE-2026-25253 enables one-click remote code execution through malicious ClawHub skills. Every single one of these reports describes the problem in detail.
None of them actually tell anyone how to fix their setup.
That's what this guide covers - the full OpenClaw security stack from VPS hardening to network isolation to platform verification, without using personal numbers or leaking home IPs.
What's Actually Going Wrong With OpenClaw Deployments
The typical flow looks like this: install OpenClaw, connect an LLM provider, add a few skills, start building. Default port 3000, no auth layer, environment variables stored in .env files that sometimes end up in Docker images pushed to public registries. Nobody thinks about it until something breaks.
The defaults are not safe for production use.
Here's what security researchers have documented in recent weeks:
- Exposed instances: Over 40,000 OpenClaw deployments found via Shodan with no authentication, leaking API keys for OpenAI, Anthropic, and other providers. That's direct financial exposure. Someone scrapes the key, runs up thousands in charges overnight.
- ClawHub supply chain: CVE-2026-25253 allows one-click RCE when a user installs a compromised skill or visits a malicious webpage. Bitdefender found 824+ malicious skills on ClawHub (roughly 20% of the registry), many installing the AMOS infostealer.
- Credential leakage: Connected service tokens (Slack, Discord, GitHub) stored in plaintext configs. Chat histories containing sensitive business data accessible without login.
- Network exposure: Agents making outbound requests to third-party APIs, web scrapers, and messaging platforms all route through the host's IP. If that's a home connection or office network, every platform the agent touches now has that address.
Most OpenClaw tutorials skip security entirely. They focus on getting the agent running, connecting tools, building workflows. Security is an afterthought when it's mentioned at all.
Layer 1: VPS Hardening for OpenClaw
Running OpenClaw on a local machine is the worst option from a security standpoint. A VPS provides isolation. If something goes wrong, personal devices and the home network stay untouched.
A VPS alone doesn't solve anything if it's configured poorly, though. OpenClaw VPS security starts with the basics.
Firewall rules should block everything except what's explicitly needed. Restricting inbound traffic to only essential ports is the first line of defense against unauthorized access. On Ubuntu/Debian:
1 # Reset UFW and deny all incoming by default 2 sudo ufw default deny incoming 3 sudo ufw default allow outgoing 4 sudo ufw allow 22/tcp # SSH (change port if possible) 5 sudo ufw allow 443/tcp # HTTPS only - no raw 3000 6 sudo ufw enable
Never expose port 3000 directly. OpenClaw's web interface should sit behind a reverse proxy (Nginx or Caddy) with TLS termination and basic auth at minimum.
Reverse proxy config (Nginx):
1 server { 2 listen 443 ssl; 3 server_name your-agent.example.com; 4
5 ssl_certificate /etc/letsencrypt/live/your-agent.example.com/fullchain.pem; 6 ssl_certificate_key /etc/letsencrypt/live/your-agent.example.com/privkey.pem; 7
8 auth_basic "Restricted"; 9 auth_basic_user_file /etc/nginx/.htpasswd; 10
11 location / { 12 proxy_pass http://127.0.0.1:3000; 13 proxy_set_header Host $host; 14 proxy_set_header X-Real-IP $remote_addr; 15 } 16 }
Environment variable isolation is the next critical step. This is the core of OpenClaw API key leak prevention. Never store keys in .env files that live alongside application code. Docker secrets, HashiCorp Vault, or at minimum a separate file outside the project directory with restricted permissions (chmod 600) - any of these work. For Docker Compose deployments, mount secrets as read-only volumes rather than passing them as build args. Production .env files sitting in version-controlled directories with 644 permissions are more common than they should be.
ClawHub Skill Audit Required
CVE-2026-25253 allows remote code execution through malicious skill packages. Audit skill source code before installation, or restrict ClawHub access entirely on production instances.
Layer 2: Network Isolation With a Mobile Proxy
VPS hardening protects the server. But every outbound request the agent makes - hitting APIs, scraping pages, connecting to messaging platforms - reveals the VPS IP address. That IP is static, traceable, and once it gets flagged or banned on one platform, it's burned across all of them.
Datacenter IPs get flagged constantly. Platform trust scoring for different IP types means an AI agent running through a datacenter IP on a $5 VPS will trigger CAPTCHAs, rate limits, and outright blocks faster than most people expect. Mobile carrier IPs are one of the few reliable ways AI agents bypass CAPTCHA walls on platforms like Google, Meta, and Discord because the IP type itself carries higher trust - carrier-assigned addresses route through CGNAT infrastructure that shares a single IPv4 across hundreds of users, making individual agent traffic harder to isolate and flag.
Network isolation here means routing agent traffic through a dedicated mobile proxy. Real 4G/5G IPs from carrier infrastructure, not datacenter IPs dressed up as residential. For OpenClaw security this matters because the agent's outbound footprint becomes untraceable back to the operator's actual infrastructure. This same pattern is covered in depth in connecting AI agents via MCP and mobile proxies.
| Factor | Raw VPS IP | Datacenter Proxy | Mobile Proxy |
|---|---|---|---|
| Platform trust score | Low | Low-Medium | High |
| CAPTCHA trigger rate | High | High | Low |
| IP reputation | Easily flagged | Often pre-flagged | Clean carrier pool |
| Traceability to operator | Direct | One hop | Carrier-level isolation |
| Cost | Free (included) | $2-5/mo | $15-30/mo |
VoidMob's mobile proxy infrastructure runs on real device SIMs across 4G/5G networks, with dedicated or rotating IPs depending on the use case. For an OpenClaw agent that needs consistent identity on a platform, sticky sessions hold the same IP. For distributed scraping tasks, rotating sessions cycle through the carrier pool. The distinction matters more than it might seem at first - some platforms will flag an account that jumps between IPs within a session, while others care more about the IP type than consistency.
Layer 3: Non-VoIP SMS for Platform Verification
Most AI agents eventually need to connect to messaging platforms. WhatsApp Business API, Telegram bots, Discord integrations. Every one of these requires phone number verification. Figuring out how to get a number for an AI agent that actually passes platform checks is a bigger problem than most developers expect.
Using a personal number is an obvious privacy problem. VoIP numbers - the cheap ones from Twilio, Google Voice, TextNow - get rejected by most platforms outright. WhatsApp blocks VoIP registrations aggressively. Telegram flags them. Discord's detection has gotten significantly better over the past year. Carrier lookup APIs can identify line type in real time, which is exactly what these platforms use to screen registrations before an OTP is ever sent.
So what actually works for AI agent verification? Non-VoIP numbers from real SIM cards. These register as standard mobile numbers on carrier networks, pass platform verification checks, and don't tie back to a personal identity. The platforms can't distinguish them from a regular consumer line because, at the carrier level, they aren't different. For a deeper look at how this detection works, see how platforms detect virtual phone numbers.
VoidMob provides non-VoIP numbers sourced from physical SIM infrastructure. No KYC, crypto payments accepted, instant activation. For OpenClaw deployments specifically, this means the agent can verify on WhatsApp or Telegram without the operator exposing their personal phone number and without fighting VoIP detection blocks.
Non-VoIP vs VoIP for Platform Verification
VoIP numbers face 60-80% rejection rates on platforms with active fraud detection, including WhatsApp, Telegram, and increasingly Discord. Non-VoIP numbers from real SIM cards pass consistently because carriers register them identically to consumer mobile lines.
Tying It Together: MCP Proxy Integration
Model Context Protocol allows external tools to connect programmatically, so the agent can request resources, receive responses, and act on them without human intervention. This is the architecture behind OpenClaw MCP server integration - and it's what makes the three security layers work as a single automated system rather than three separate manual steps.
VoidMob's MCP server handles both proxy assignment and SMS verification through a single integration. The flow is straightforward:
- Agent needs to verify on WhatsApp, so it requests a non-VoIP number via MCP.
- MCP server provisions the number and returns it to the agent.
- Agent submits the number to WhatsApp, OTP is sent.
- MCP server receives the OTP, passes it back to the agent.
- Simultaneously, a matched mobile proxy is assigned for that platform's traffic.
No manual copying of verification codes. No switching between dashboards. The entire verification and network isolation process runs inside the agent's workflow, which is really the whole point of building with autonomous agents in the first place. For teams running multiple agents across platforms, the approach in MCP-first proxy orchestration shows how this scales further.
"Every security firm published the warning. Nobody published the fix. OpenClaw security requires infrastructure changes - not just awareness."
Common Issues and Quick Fixes
Agent Keeps Getting CAPTCHAs on Target Platforms
Check your IP first with VoidMob's IP address checker to confirm it shows as mobile carrier, not datacenter. Almost always a proxy issue. Datacenter IPs trigger verification loops. Switching to a mobile proxy with sticky sessions typically resolves it - AI agents hit CAPTCHA challenges at dramatically lower rates on carrier IPs.
OTP Never Arrives During Verification
First thing to check: is the number actually non-VoIP? VoIP numbers get silently dropped by WhatsApp and Telegram's SMS gateways. Also worth verifying the number hasn't been recently recycled.
API Keys Still Showing in Logs
OpenClaw's default logging level captures request headers, which is a problem most people don't realize until someone points it out. Set LOG_LEVEL=error in production and pipe logs through a filter that redacts patterns matching API key formats.
ClawHub Skill Installed Something Unexpected
Isolate immediately. If running in Docker, stop the container - don't restart it. Audit the skill's source, check for outbound connections in network logs, rotate all credentials. This is one of those situations where speed matters more than diagnosis.
FAQ
1Is OpenClaw safe to use in production?
With proper hardening, yes. The defaults are not production-ready though. VPS isolation, reverse proxy, auth layers, and OpenClaw API key leak prevention through proper environment variable management are all necessary before exposing any instance to the internet.
2Why can't a regular VPN replace a mobile proxy for OpenClaw security?
VPN IPs come from datacenter ranges and get flagged just as fast. Mobile proxies use real carrier IPs that platforms trust at a fundamentally different level. VPNs also don't provide per-session IP rotation, which matters for agents running multiple concurrent tasks.
3Do non-VoIP numbers work for WhatsApp Business API verification?
Yes. WhatsApp requires a number capable of receiving SMS, and non-VoIP numbers from real SIM infrastructure pass this check consistently. VoIP numbers face high rejection rates on platforms with fraud detection.
4Can the MCP integration handle multiple platform verifications simultaneously?
VoidMob's MCP server supports concurrent requests. An agent can verify on Telegram and Discord in parallel, each receiving a separate number and matched proxy.
5What's the minimum VPS spec for running OpenClaw securely?
2 vCPUs, 4GB RAM, 40GB SSD handles most single-agent deployments. Add resources for multiple agents or heavy skill workloads. The security layers (Nginx, firewall) add negligible overhead.
Start Hardening Your OpenClaw Setup
OpenClaw security isn't a single fix. It's three layers working together: VPS hardening stops unauthorized access and credential leakage, mobile proxies isolate agent traffic from real infrastructure, and non-VoIP SMS verification keeps personal numbers out of platform registrations. MCP integration connects all three programmatically so the agent handles it autonomously.
The OpenClaw team has acknowledged these issues and is working on improved defaults for future releases. Until then, the infrastructure described above is the difference between a deployment that leaks credentials on day one and one that actually holds up in production.
Mobile Proxies and Non-VoIP Numbers for OpenClaw
VoidMob unifies SMS verification, 4G/5G mobile proxies, and global eSIMs in a single dashboard - with MCP server integration for autonomous agent workflows.