Originally reported by Sam Bent
TL;DR
OpenClaw faces criticism for weak security practices, including 160+ advisories in one year and the exclusion of key attack vectors from its threat model. The company lacks a bug bounty program despite the high volume of discovered vulnerabilities.
While no immediate exploit is described, the combination of 160+ security advisories in one year and exclusion of primary attack vectors from the security model indicates significant systemic security issues that could impact enterprise deployments.
Security researcher Sam Bent has published a scathing analysis of OpenClaw's security posture, highlighting what he characterizes as "security theater" that ultimately benefits law enforcement rather than protecting users.
According to Bent's research, OpenClaw has accumulated over 160 security advisories within the past year alone. This exceptionally high volume of security disclosures suggests either a reactive approach to vulnerability management or fundamental architectural security issues.
The frequency of these advisories (averaging more than three per week) indicates potential systemic problems in the development lifecycle rather than isolated security incidents.
Bent's analysis identifies a critical flaw in OpenClaw's security approach: the exclusion of what he terms "the primary attack vector" from their security model. While the specific attack vector is not detailed in the available information, this exclusion represents a significant blind spot in threat modeling.
Security models that fail to account for primary attack vectors leave organizations vulnerable to the most likely forms of compromise, potentially rendering other security measures ineffective.
Despite the high volume of discovered vulnerabilities, OpenClaw operates without a formal bug bounty program. This absence is particularly notable given the apparent frequency of security issues requiring disclosure.
Bug bounty programs serve as force multipliers for security teams, providing external validation of security measures and creating economic incentives for responsible disclosure rather than exploitation.
Bent frames these security deficiencies as inadvertently beneficial to law enforcement, suggesting that the weak security posture may facilitate surveillance or investigative activities. This characterization aligns with broader concerns about whether security weaknesses in commercial software are sometimes preserved to enable government access.
Organizations evaluating OpenClaw for enterprise deployment should consider: