Security Advisory · 35+ CVEs in OpenClaw

Your OpenClaw has zero compliance. We fix that. Free.

135,000+ OpenClaw instances are running without audit logs, access controls, or PII protection. LogionOS Shield adds enterprise-grade compliance in one command. Self-hardened. Zero dependencies. Open source. Free forever.

135K+ Exposed Instances
35+ Known CVEs
1.5M API Tokens Leaked
1,184 Malicious Skills
2/100 ZeroLeaks Score

From 2/100 to 95+. Benchmarked.

Shield's protection is measured against industry-standard security benchmarks. No marketing claims — just numbers.

95/100: ZeroLeaks LeakBench prompt extraction resistance score (OpenClaw without Shield: 2/100)
9/10: OWASP Agentic Top 10 (ASI01-ASI10) vulnerability coverage (agent hijack, tool misuse, supply chain...)
10/10: Japan AISI Safety, all 10 AI safety evaluation perspectives (security, privacy, robustness, fairness...)

Score comparison: OpenClaw naked 2, with Shield 95+.

Every message. Every tool call. Covered.

Shield intercepts at four critical lifecycle points in the OpenClaw gateway — before and after every AI interaction.

Inbound Guard (request.pre)

Scans user messages for PII, credentials, and prompt injection before they reach the AI.

Prompt Guard (prompt.pre)

Detects ClawJacked attack signatures and malicious context injection in system prompts.

Tool Guard (tool.pre / tool.post)

Controls which tools the agent can use and scans arguments for dangerous operations.

Outbound Guard (message.pre)

Filters AI responses for data leaks and automatically adds regulatory disclaimers.

What Shield protects against

Comprehensive coverage of OpenClaw's known vulnerabilities and compliance gaps

Fully Covered

No Audit Logs

Tamper-evident SHA-256 hash chain audit trail. Every compliance decision is recorded with full context, exportable as JSON/CSV. Compatible with SOC 2 and ISO 27001 evidence requirements.

Fully Covered

Prompt Injection (ClawJacked)

Dedicated Prompt Guard with 8+ ClawJacked attack signatures, control character detection, and context file injection scanning.

CVE-2026-25253, CVE-2026-27001
Fully Covered

PII & Credential Exposure

12+ PII patterns detected in real-time: SSN, credit cards, API keys, JWT tokens, AWS credentials, private keys, passwords, My Number (JP), and more.

Fully Covered

No Access Controls

Tool Guard enforces allowlist/denylist policies per tool, scans arguments for destructive operations (rm -rf, DROP TABLE, SQL injection), and blocks unauthorized actions.

Fully Covered

Data Leaks via AI Responses

Outbound Guard scans every AI response for PII before delivery. Detects leaked credentials, personal data, and adds regulatory disclaimers for medical/legal/financial topics.

Fully Covered

No Emergency Controls

Kill Switch instantly blocks all AI interactions across all channels. Switchable enforcement modes: Monitor → Enforce → Strict, with per-guard toggle controls.

Mitigated

Malicious Skills (ClawHavoc)

Tool Guard pre/post scanning detects dangerous operations from malicious skills at runtime. Combined with denylist policies, prevents most skill-based attacks.

1,184+ malicious skills
Mitigated

Dangerous Tool Execution

Blocks shell execution, filesystem deletion, and SQL injection patterns in tool arguments. Detects cloud metadata access and pipe-based download attacks.

CVE-2026-28363, CVE-2026-24763

This already happened. Shield stops it.

Real security breaches and crypto theft cases involving OpenClaw and AI agents. Each one preventable by Shield.

Crypto Theft

Owockibot: AI Agent Leaks Wallet Keys to GitHub

2026 · Gitcoin Creators
An autonomous AI agent given a crypto treasury published its wallet private keys to a public GitHub repo within 5 days, exposing $2,100+ in funds. The bot denied having done so when asked.
Impact: Wallet private keys exposed publicly. Funds at risk of immediate theft.
Shield Prevention
Outbound Guard detects HEX_SECRET_64 and WIF_KEY patterns in all AI outputs. Seed phrase and private key content is blocked before it reaches any external tool or message channel.
Data Breach

OpenClaw Infostealer: 135K Instances Exposed

February 2026 · SecurityScorecard / Hudson Rock
Vidar infostealer malware targeted OpenClaw config files, stealing gateway tokens, API keys, and agent behavioral rules from 135,000+ exposed instances across 82 countries. 12,800 instances exploitable via RCE.
Impact: 1.5M API tokens leaked. Anthropic keys, Telegram tokens, Slack credentials exposed.
Shield Prevention
Inbound Guard blocks credential access patterns. Tool Guard denies file reads targeting device.json, soul.md, keystore files. Audit trail records all access attempts with SHA-256 hash chain.
Agent Takeover

ClawJacked: One Click, Full Agent Control

February 2026 · CVE-2026-25253 (CVSS 8.8)
Visiting a malicious website silently hijacks local OpenClaw agents via WebSocket. No rate limiting on password brute-force, auto-approved localhost device registration. Attacker gets full admin access to execute arbitrary commands.
Impact: 42,000+ exposed instances. 91% prompt injection success rate. Full RCE on victim machines.
Shield Prevention
Prompt Guard detects ClawJacked attack signatures and control character injection. Dashboard rate-limited at 120 req/min. CSRF tokens required for all state changes. Kill Switch instantly blocks all agent activity.
Crypto Theft

Email Prompt Injection: SSH Key Stolen in 5 Minutes

January 2026 · Clawdbot Security Audit
Researcher sent a malicious email with hidden prompt injection instructions to a Gmail account monitored by Clawdbot. The AI agent processed unsanitized email bodies as trusted prompts, executing arbitrary commands. A private SSH key was exfiltrated in just 5 minutes.
Impact: Private keys, credentials, and config files exfiltrated via crafted emails.
Shield Prevention
Inbound Guard scans all incoming messages including email content for prompt injection patterns. Tool Guard blocks access to .ssh, .env, keystore files. Outbound Guard redacts any private key patterns before they leave the system.
Supply Chain

MCP Tool Poisoning: 60%+ Attack Success Rate

2025-2026 · Invariant Labs / MCPTox
Malicious instructions hidden in MCP tool descriptions are invisible to users but visible to AI models. When an agent loads a poisoned MCP server, it silently follows embedded instructions — stealing SSH keys, WhatsApp history, credentials, and more. Refusal rate below 3%.
Impact: 60-73% attack success rate across major LLMs. Even capable models like o1-mini are more vulnerable.
Shield Prevention
Tool Guard scans all tool arguments and results for credential patterns. Blocklist denies access to sensitive file paths. Outbound Guard catches any exfiltrated data before it leaves. Audit trail creates evidence chain for forensics.
Credential Leak

$82K API Bill: AI Tool Leaks Gemini Key

March 2026 · The Register
A developer's Gemini API key was stolen via an AI coding tool that auto-loaded .env files. Within 48 hours, attackers ran up an $82,314 charge — a 46,000% increase from normal $180/month usage. Google required the developer to pay.
Impact: $82,314 unauthorized charges. 2,863 live Google API keys found exposed in the wild.
Shield Prevention
PII Scanner detects API_KEY, JWT, and AWS_KEY patterns in real-time. Tool Guard blocks reads to .env and credential files. Inbound and Outbound Guards prevent key material from entering or leaving agent context.
Wallet Drain

402bridge: 227 Wallets Drained, $17K USDC Stolen

October 2025 · Protos
Private keys were leaked after smart contract deployment. Attackers compromised 227 user wallets and a dozen team wallets, draining $17,000 in USDC within 28 minutes.
Impact: $17,000 USDC stolen in 28 minutes. 227+ wallets compromised.
Shield Prevention
Crypto Guard detects ETH/BTC/SOL addresses, seed phrases, WIF keys, and hex secrets. Tool Guard blocks wallet_send, token_approve, and bridge_transfer operations. Any fund transfer command triggers immediate BLOCK + alert.

Full visibility. Zero extra setup.

Shield ships with an embedded web dashboard — no separate deployment needed. Real-time monitoring at localhost:18789/logionos/

LogionOS Shield Dashboard
Total Checks: 1,247 · Blocked: 18 · Flagged: 43 · Compliance Rate: 95.1%

14:32:01  BLOCK  inbound   prompt_injection:clawjacked  1.2ms
14:31:58  PASS   inbound                                0.8ms
14:31:45  WARN   outbound  pii_detected:EMAIL           1.5ms
14:31:30  FLAG   tool      high_risk_tool:shell_exec    0.9ms

Who protects the protector?

A security tool that can be compromised is worse than no security at all. Shield is hardened against 6 categories of self-targeted attacks.

Hardened Request Flow
User Input → Watchdog Check → Unicode Normalize → Truncate 50K → Local Scan → TLS + No Redirect → Remote API → Hash Chain Audit
TLS Enforcement

In enforce/strict mode, Shield refuses to connect to non-HTTPS API endpoints. Prevents MITM attacks on the compliance decision channel.
(requireTls() · redirect: error)

CSRF + CSP Protection

Dashboard uses strict Content Security Policy, per-session CSRF tokens, X-Frame-Options: DENY, and constant-time token comparison.
(CSP · X-CSRF-Token · DENY)

Fail-Closed Watchdog

If Shield crashes or becomes unresponsive, a watchdog automatically blocks all requests. No silent fail-open: your data stays protected.
(heartbeat 10s · timeout 30s)

Anti-Evasion Normalization

NFKC Unicode normalization and zero-width character stripping before every scan. Prevents homoglyph and invisible-character bypass attacks.
(NFKC · \u200B strip)

ReDoS Protection

Input truncated at 50K characters. Regex iterations capped at 500 per pattern. Crafted payloads cannot cause catastrophic backtracking.
(MAX_SCAN 50K · iter < 500)
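As an added example covering both the normalization and the ReDoS items above (not Shield's code; the zero-width code point list, the detector regexes and the sample inputs are constructed here from the page's description), this bounded scanner applies the truncate, NFKC, strip, then scan sequence:

```javascript
// Added example, not LogionOS Shield's own implementation. The caps below are
// taken from the page's description; the patterns and inputs are constructed.
const MAX_SCAN = 50000; // truncate before scanning (page: "Truncate 50K")
const MAX_ITER = 500;   // cap matches per pattern (page: "iter < 500")

// Zero-width / invisible code points that NFKC leaves untouched and that must
// not survive into the scan (constructed list, not Shield's).
const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g;

function normalizeForScan(input) {
  // Truncate first so normalisation itself is bounded, then NFKC so that
  // fullwidth and other compatibility forms collapse to their ASCII equivalents.
  return String(input).slice(0, MAX_SCAN).normalize("NFKC").replace(ZERO_WIDTH, "");
}

// Constructed detector patterns modelled on the PII classes the page lists.
// They avoid nested quantifiers; MAX_SCAN bounds the worst-case input size
// and MAX_ITER bounds the number of matches collected per pattern.
const PATTERNS = {
  EMAIL: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
  SSN: /\b\d{3}-\d{2}-\d{4}\b/g,
  AWS_KEY: /\bAKIA[0-9A-Z]{16}\b/g,
};

// Returns [{ type, value }] findings over the normalised, truncated text.
function scan(input) {
  const text = normalizeForScan(input);
  const findings = [];
  for (const [name, re] of Object.entries(PATTERNS)) {
    re.lastIndex = 0;
    let iter = 0;
    let m;
    while (iter < MAX_ITER && (m = re.exec(text)) !== null) {
      findings.push({ type: name, value: m[0] });
      iter++;
      if (m[0].length === 0) re.lastIndex++; // guard against zero-length loops
    }
  }
  return findings;
}
```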
SSRF & API Pinning

API endpoint validated at startup. Cloud metadata endpoints blocked. Path locked to /v1/*. Redirects rejected. No open-redirect exploitation.
(169.254.x block · /v1/* only)

Rate Limiting

Dashboard API endpoints rate-limited to 120 req/min per IP. Prevents brute-force attacks and denial-of-service on the management interface.
(120/min/IP)

Self-Integrity Hashing

Shield computes a SHA-256 hash of its own critical modules at startup. Any tampering is detected and logged to the audit trail.
(SHA-256 · computeModuleHash())

Zero Dependencies

Shield uses only Node.js built-in modules (crypto, fs, path). Zero npm dependencies means zero supply chain attack surface.
(0 deps · node:crypto only)

Install in 60 seconds

One command. No configuration files to edit. No separate services to deploy.

# Install the plugin
$ openclaw plugins install @logionos/openclaw-shield

# Restart gateway
$ openclaw restart

# Open dashboard
$ open http://localhost:18789/logionos/

1. Install: one npm command, auto-registers with the gateway
2. Restart: Shield activates and hooks into all lifecycle events
3. Monitor: open the dashboard; Shield starts in safe Monitor mode

Free. Open Source. No catch.

Shield's core protection runs entirely local — PII scanning, blocklist matching, tool access control, and audit logging work without any external API. Connect to LogionOS Cloud for advanced regulation matching and AI-powered intent analysis.

Local Checks: Free forever · <2ms
Dashboard: Free · Embedded
Audit Trail: Free · Hash chain
Cloud Deep Check: 1K/mo free · Regulation AI

Stop running OpenClaw naked.

Every message without Shield is a compliance risk. Install now, monitor first, enforce when ready.