In January 2026, a security researcher at Cisco Talos published a report that should have been front-page news but instead circulated quietly through InfoSec Slack channels and a handful of specialized newsletters. The finding: multiple community-contributed ClawdBot skills -- plugins that extend the open-source AI agent's capabilities -- contained code that exfiltrated user data to external endpoints. Not hypothetically. Not in a proof of concept. In production, in skills that had been downloaded and installed by thousands of users who believed they were adding calendar management, code formatting, and document summarization capabilities to their AI agent.
The skills worked exactly as advertised. They also did something else.
This is the story of ClawdBot's security architecture, why 145,000 GitHub stars do not equal a security audit, and what enterprises should do about it. If you have been following our coverage of AI tool risks in enterprise environments, you will recognize some of the themes from our earlier analysis of ClawdBot, OpenClaw, and Molt in production settings. This post goes deeper on ClawdBot specifically, because the open-source AI agent model presents a category of risk that is distinct from -- and in some ways more serious than -- the risks posed by commercial AI tools.
The Attack Surface: 430,000 Lines of Unaudited Code
ClawdBot's codebase, including the core agent framework and the OpenClaw plugin ecosystem, comprises approximately 430,000 lines of code contributed by over 2,800 individual developers. The project has accumulated 145,000+ GitHub stars, making it one of the most popular open-source AI projects in history. It has been forked over 18,000 times. The community is vibrant, enthusiastic, and prolific.
It is also, from a security perspective, largely unaudited.
Open-source software has a well-documented security paradox: the theory is that many eyes make all bugs shallow (Linus's Law), but the reality is that most contributors are focused on functionality, not security. A 2025 study by the Linux Foundation and the Open Source Security Foundation (OpenSSF) found that only 2.4% of commits to the top 500 open-source projects include any security-relevant review, and that number drops to 0.8% for plugin and extension ecosystems where the barrier to contribution is lowest.
ClawdBot's plugin ecosystem -- the skills marketplace -- is precisely the kind of extension ecosystem where security review is most sparse and most critical. The core framework is maintained by a relatively small group of experienced developers who do conduct code reviews. The skills, however, are contributed by anyone. There is no formal security audit process for skill submissions. There is no code signing. There is no sandbox. There is no vetting beyond basic functionality testing, and even that is inconsistent.
What a ClawdBot Skill Can Do
To understand the risk, you need to understand what a ClawdBot skill is, architecturally. A skill is executable code that runs with the same permissions as the ClawdBot process itself. When you install a skill, you are granting it:
Unrestricted filesystem access. A skill can read and write any file that the ClawdBot process owner can access. On most developer workstations, that means the user's home directory, including SSH keys, cloud credentials, browser profiles, password manager databases, and every document, spreadsheet, and configuration file on the machine.
Unrestricted shell access. A skill can execute arbitrary shell commands. It can install software, modify system configurations, open network connections, and run background processes. There is no capability restriction, no permission prompt, no sandboxing layer between the skill and the operating system.
Access to all API keys and credentials. ClawdBot stores API keys and configuration data in plaintext markdown and JSON files. Any skill -- and any process running on the machine -- can read these files. There is no encrypted secrets vault, no hardware security module integration, no separation between skill-specific credentials and system-wide credentials.
Network access. A skill can make arbitrary HTTP requests to any endpoint. It can POST data to external servers, download additional payloads, establish persistent connections, and exfiltrate data over any protocol the host machine supports.
Cross-skill data access. There is no isolation between skills. A skill installed to manage your calendar can read the configuration and data of the skill that manages your database connections. A skill that formats code can access the conversation history that another skill has been processing. Every skill operates in the same process space with the same permissions.
This is not a bug. It is the architecture. ClawdBot was designed for maximum extensibility and minimum friction. That design philosophy has driven its extraordinary adoption. It has also created an attack surface that would make any enterprise security team deeply uncomfortable.
Cisco Talos: What They Found
In late 2025 and early 2026, Cisco Talos conducted a systematic review of the 200 most-installed ClawdBot skills. Their findings, published in a technical advisory in January 2026, documented several categories of security concern.
Data Exfiltration in Community Skills
Cisco identified 14 skills that contained code paths for sending user data to external endpoints unrelated to the skill's stated functionality. The mechanisms varied:
-
Three skills included analytics endpoints that transmitted conversation excerpts, user queries, and response content to third-party data collection services. The data was sent as telemetry, labeled as anonymous usage metrics, but included sufficient context to reconstruct user conversations.
-
Two skills contained obfuscated code that, upon specific trigger conditions (such as detecting certain keywords in user queries), would POST the full contents of the ClawdBot configuration directory -- including all API keys -- to an external endpoint. One of these skills had been installed by over 8,000 users.
-
Four skills implemented legitimate functionality but also quietly scanned the host filesystem for common credential file patterns (
.env,credentials.json, AWS credential files, SSH private keys) and transmitted file paths and partial contents during the skill's initialization sequence. -
Five skills had been abandoned by their original developers and subsequently updated by new maintainers who introduced data collection code that was not present in the original versions. This is a classic supply chain attack vector: acquire a trusted project, then modify it.
The combined installation count of the 14 flagged skills exceeded 47,000 installations. Not all installations were active, and not all active installations triggered the exfiltration code paths. But the exposure was real, and Cisco assessed the risk as "high" for any organization that had deployed ClawdBot with community skills in an environment with access to production credentials or sensitive data.
Supply Chain Risk: 5,700+ Unvetted Skills
Beyond the specific skills flagged for active data exfiltration, Cisco's broader assessment painted a concerning picture of the overall skill ecosystem. As of January 2026, the ClawdBot skill registry contained 5,700+ skills contributed by 3,100+ developers. Cisco's analysis found:
- 68% of skills had not received a code update in over six months, suggesting they were unmaintained
- 23% of skills contained dependencies with known CVEs that had not been patched
- 41% of skills made network requests to endpoints outside the skill developer's own infrastructure (third-party APIs, analytics services, CDNs)
- 12% of skills included minified or obfuscated code segments that were difficult to audit visually
The skill registry has no mechanism for reporting security concerns, no process for revoking compromised skills, and no way to notify users who have installed a skill that has been identified as malicious. When Cisco reported their findings to the ClawdBot maintainers, the response was to remove the flagged skills from the registry. Users who had already installed those skills received no notification.
The Plaintext Credentials Problem
The data exfiltration findings are alarming, but they depend on installing a malicious skill. The plaintext credentials problem is arguably more fundamental because it affects every ClawdBot installation, regardless of which skills are installed.
ClawdBot stores its configuration in a directory structure of markdown and JSON files. This includes:
- API keys for every connected service (OpenAI, Anthropic, Google, custom endpoints)
- OAuth tokens for integrated platforms
- Database connection strings, often including passwords
- Webhook URLs with embedded authentication tokens
- Custom environment variables that users configure for their workflows
All of this is stored in plaintext. There is no encryption at rest. There is no access control beyond filesystem permissions. There is no integration with platform-native secret managers (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, 1Password). There is no mechanism to rotate credentials automatically or to detect when credentials have been accessed by an unauthorized process.
The practical implication is stark: any process running on the same machine as ClawdBot, with the same user permissions, can read every credential that ClawdBot has been configured with. This includes not only malicious skills but also any other compromised software, any malware, any unauthorized remote access tool, and any coworker with access to the machine.
For an individual developer running ClawdBot on a personal laptop, the risk is real but bounded. For an enterprise that has deployed ClawdBot across a development team -- with shared machines, shared credentials, and API keys that access production systems -- the risk is a credential management nightmare.
A 2025 GitGuardian report found that the average enterprise developer has access to 12.7 distinct API keys and credentials through their development environment. When those credentials are stored in plaintext in a known, predictable directory structure, accessible to any process on the machine, the blast radius of a single compromise extends far beyond ClawdBot itself.
Real-World Risk Scenarios
The abstract risks become concrete when you walk through specific scenarios that enterprise security teams should be modeling.
Scenario 1: The Productivity Skill That Phones Home
A team lead installs a well-reviewed ClawdBot skill that integrates with Google Calendar and Slack. The skill works beautifully -- it summarizes upcoming meetings, drafts agenda items, and sends reminders. It also, on every invocation, sends the meeting titles, attendee lists, and meeting descriptions to an analytics endpoint operated by a company in a jurisdiction with no data protection agreements with the organization's home country.
The meeting titles alone -- "Q3 Acquisition Target Review," "Pre-IPO Legal Strategy," "Board Compensation Committee" -- constitute material non-public information. The attendee lists reveal organizational structure, reporting relationships, and strategic priorities. None of this data was intended to leave the organization's perimeter. All of it left through a tool that the team lead installed because it had 4.5 stars and 2,000 downloads.
Scenario 2: The Reverse Proxy Nobody Noticed
A developer installs a skill that provides enhanced terminal capabilities within ClawdBot. The skill includes a feature that "optimizes network performance for API calls." In reality, the optimization involves installing a lightweight reverse proxy that routes certain outbound connections through an intermediate server. The proxy is configured to log API request headers, which include Bearer tokens and API keys for every external service the developer's machine communicates with.
The proxy runs as a background process that persists after ClawdBot is shut down. It does not appear in the skill's visible process list. It communicates over standard HTTPS, so it does not trigger network anomaly detection. It operates for three months before a security engineer notices an unfamiliar process during a routine endpoint audit.
Scenario 3: Cross-Skill Configuration Leakage
An organization's data team installs a ClawdBot skill for database query optimization. The marketing team installs a separate skill for content generation. Both skills are legitimate, well-intentioned, and free of malicious code. However, because there is no isolation between skills, the content generation skill's logging function inadvertently captures the database skill's configuration data -- including the connection string to the production analytics database -- in its debug output. That debug output is written to a log file that is accessible to all users on the shared development server.
No one intended for the production database credentials to be logged. No malicious actor was involved. The architecture simply does not prevent cross-skill information leakage, and the inevitable result is credential exposure through normal operation.
Scenario 4: The Abandoned Skill Takeover
A widely-used ClawdBot skill for Jira integration is abandoned by its original developer, who has moved on to a different project. Eight months later, a new contributor offers to maintain the skill. The offer is accepted -- the project needs maintainers, and the new contributor's initial commits are helpful bug fixes and feature improvements. Three months after gaining commit access, the new maintainer adds a telemetry module that uploads Jira ticket titles, descriptions, and assignee information to an external server. The update is pushed to all users who have automatic skill updates enabled.
This is not a hypothetical attack pattern. It has been documented repeatedly in the npm, PyPI, and RubyGems ecosystems. The open-source skill model is vulnerable to exactly the same supply chain attacks that have plagued every other open-source extension ecosystem.
The Sandboxing Gap
The most fundamental security gap in ClawdBot's architecture is the absence of sandboxing. In a sandboxed architecture, plugins execute in an isolated environment with restricted access to the host system. They can interact with the host only through well-defined APIs that enforce permission boundaries. A sandboxed plugin cannot read arbitrary files, execute arbitrary commands, or make arbitrary network connections unless the sandbox policy explicitly permits it.
ClawdBot has no sandbox. Skills execute in the main process with full host access.
This is not merely a missing feature. It is an architectural decision that permeates the entire skill ecosystem. Because skills have always had full access, they have been written to depend on full access. A significant portion of the existing 5,700+ skills would break if sandboxing were introduced, because they rely on direct filesystem access, shell execution, or unrestricted network calls for their core functionality.
Retrofitting sandboxing onto an ecosystem that was built without it is one of the hardest problems in software engineering. It is the reason that browser extension sandboxing took years to implement and caused significant breaking changes. It is the reason that mobile app permission models are imperfect despite a decade of iteration. And it is the reason that expecting ClawdBot's community to solve this problem organically -- without a funded, coordinated security engineering effort -- is unrealistic.
Comparison to enterprise platforms: managed AI agent platforms like Swfte execute agent logic and integrations in sandboxed containers with explicit capability grants. Each integration runs in its own isolated environment with access only to the specific APIs and data sources it has been configured to use. Credentials are stored in an encrypted secrets vault, never in plaintext, and are injected into the sandbox at runtime without being exposed to the integration code. Network egress is restricted by policy, and all access is logged to an immutable audit trail.
The difference is not cosmetic. It is the difference between an architecture that assumes trust and one that enforces it.
What Enterprises Should Do
The recommendations depend on where your organization stands with ClawdBot today.
If You Are Already Using ClawdBot
1. Audit every installed skill immediately. Generate a list of all skills installed across your organization. Cross-reference against the Cisco Talos advisory. Remove any skill that appears on the flagged list. For remaining skills, review the source code of each one -- or have your security team review it -- with specific attention to network calls, filesystem access patterns, and any obfuscated code.
2. Rotate all API keys and credentials. Assume that every credential stored in ClawdBot's configuration has been exposed. Rotate every API key, OAuth token, database password, and webhook secret that has been configured in any ClawdBot instance. This is not optional. If you have been running ClawdBot with community skills and plaintext credentials, you should treat this as a potential credential compromise and respond accordingly.
3. Run ClawdBot in a sandboxed container. Deploy ClawdBot inside a Docker container or VM with restricted filesystem mounts, restricted network egress, and no access to production credentials or systems. Mount only the specific directories that ClawdBot needs, and use environment variables or a secrets manager to inject credentials at runtime rather than storing them in ClawdBot's configuration directory.
4. Implement network egress rules. Configure your firewall or network policy to restrict ClawdBot's outbound network access to only the endpoints it needs to communicate with: your AI model provider's API, your integrated services, and nothing else. Block all other outbound connections. This will break skills that phone home to undocumented endpoints -- which is exactly the point.
5. Disable automatic skill updates. Pin skill versions and review all updates manually before deploying them. This prevents supply chain attacks through compromised skill updates.
If You Are Evaluating AI Agents
If your organization is evaluating AI agent platforms and ClawdBot is on the shortlist, the security considerations should be weighted heavily in your decision.
Evaluate managed platforms with built-in security. Platforms like Swfte are designed from the ground up with enterprise security requirements: SOC 2 Type II certification, sandboxed execution environments, encrypted secrets management, role-based access control, comprehensive audit logging, and 24/7 security monitoring. These are not features bolted onto an existing architecture -- they are foundational design decisions that shape every layer of the platform.
Consider Swfte's Dedicated Cloud for workloads that require the highest level of isolation. Dedicated Cloud provides single-tenant infrastructure where your AI agents, data, and logs run in a completely isolated environment. No shared resources, no multi-tenant risk, no ambiguity about data residency or access control.
Try before you commit. Start a free trial to evaluate how a managed platform handles the security concerns that ClawdBot leaves to the user. Deploy an agent, connect an integration, and examine the security controls, audit logs, and permission model firsthand.
Regardless of Your Current Platform
Establish an AI agent security policy. Your organization almost certainly has policies for SaaS procurement, open-source software usage, and data classification. It should also have a policy specifically for AI agents that covers: what data AI agents can access, where agent-processed data can be stored and transmitted, what security review is required before deploying an agent or installing a plugin, who is responsible for monitoring agent behavior in production, and how credential management is handled for agent integrations.
Require security review for all agent deployments. No AI agent should be deployed in a production or production-adjacent environment without a security review that covers the attack surface areas discussed in this post: credential storage, plugin/skill vetting, sandboxing, network access, and data exfiltration risk.
Monitor agent behavior in production. Deploy network monitoring, endpoint detection, and log analysis to detect anomalous behavior by AI agents. Look for unexpected outbound connections, unusual filesystem access patterns, and data flows that do not match the agent's stated functionality.
The Open-Source Dilemma
None of this is an argument against open-source software. Open-source infrastructure runs the internet. Open-source tools power the majority of enterprise software development. The Linux kernel, PostgreSQL, Kubernetes, and thousands of other open-source projects have demonstrated that community-developed software can achieve extraordinary levels of quality, reliability, and security.
But those projects achieved security through sustained, funded investment in security engineering, security review processes, and security infrastructure. The Linux kernel has a dedicated security team. PostgreSQL has a security policy, a CVE process, and a track record of rapid response to vulnerability reports. Kubernetes has security audits funded by the Cloud Native Computing Foundation.
ClawdBot, as of early 2026, does not have a dedicated security team, a formal security audit process, a CVE response protocol, or a funded security engineering effort. The project's security depends on the same community volunteers who are also building features, fixing bugs, writing documentation, and managing the community itself. That is not a criticism of the contributors -- it is a statement about the structural challenge of securing a 430,000-line codebase with a 5,700-plugin ecosystem using volunteer effort alone.
Enterprise adoption changes the calculus. When ClawdBot was a tool for individual developers experimenting with AI agents, the security model -- trust the user, trust the skills, store everything in plaintext -- was acceptable. When ClawdBot is deployed across engineering teams at companies that handle customer data, financial information, healthcare records, or classified material, that security model is no longer adequate.
The community knows this. There are open issues, proposals, and discussions about sandboxing, credential encryption, skill vetting, and security audit processes. Progress is being made. But the gap between where ClawdBot's security is today and where it needs to be for enterprise deployment is significant, and closing it will require either substantial funding or a fundamental architectural redesign -- or both.
The Bottom Line
ClawdBot is a remarkable piece of software. The vision of an open-source, extensible AI agent that anyone can run, modify, and extend is genuinely compelling. The community that has built it is talented and motivated. The 145,000 GitHub stars are earned.
But stars are not a security audit. Community enthusiasm is not a substitute for sandboxing. And the fact that a tool is popular does not mean it is safe to deploy in an environment where a credential leak could trigger a breach notification, a regulatory investigation, or a front-page headline.
The core finding from Cisco Talos is not that ClawdBot is malicious. It is that ClawdBot's architecture makes it trivially easy for malicious actors to exploit the trust that users place in the ecosystem. The lack of sandboxing, the plaintext credential storage, the absence of skill vetting, and the unrestricted host access are not bugs to be fixed in a patch. They are architectural characteristics that require architectural solutions.
Enterprises that need AI agent capabilities today have a choice: invest the significant engineering effort required to secure ClawdBot for enterprise deployment (sandboxed containers, network egress rules, credential rotation, skill auditing, continuous monitoring), or adopt a platform that was built with enterprise security as a design constraint from the beginning.
Both paths lead to AI agents in production. Only one of them starts with security as a given rather than an afterthought.
For more on AI security risks in enterprise environments, see our analysis of ClawdBot, OpenClaw, and Molt in production and our comprehensive guide to AI security and compliance.