Developers in your organization have already started using OpenClaw at home. Censys observed the number of publicly exposed deployments of this open-source AI agent jump from around 1,000 instances to over 21,000 within a week. Bitdefender's GravityZone telemetry confirms the concern on the corporate side: employees are installing OpenClaw on work machines with one-line install commands, handing an autonomous agent a shell, file-system access, and OAuth tokens for services such as Slack, Gmail, and SharePoint.
Two critical vulnerabilities, CVE-2026-25253 and CVE-2026-25157, have been identified in OpenClaw; they allow attackers to steal authentication tokens and execute arbitrary commands through the macOS SSH handler. Separately, a security analysis of skills published on the ClawHub marketplace found that 7.1% of the registry contained critical flaws that expose sensitive credentials, so a skill should be inspected for embedded secrets before it is installed.
The risk extends beyond OpenClaw itself to Moltbook, a social network built on OpenClaw infrastructure, which left its Supabase database publicly accessible and exposed API authentication tokens, email addresses, and plaintext OpenAI API keys. In response, Cloudflare has introduced Moltworker, a framework that runs OpenClaw in ephemeral containers with encrypted storage behind Zero Trust authentication, intended for evaluating the agent without putting real systems at risk.
Running OpenClaw in a Cloudflare Sandbox separates the agent's logic from the environment it executes in. The sandbox does not stop prompt injection itself; what it does is confine the consequences, so that a hijacked agent or a malicious skill can only reach a disposable container and the test credentials inside it rather than a developer's workstation and its real tokens. Moltworker's architecture has four layers: a Cloudflare Worker that fronts the agent, a sandboxed container running Ubuntu with Node.js where the agent executes, R2 object storage for encrypted persistence across container restarts, and Cloudflare Access for Zero Trust authentication in front of the whole thing.
Setting up an evaluation instance with Moltworker involves configuring storage and billing, generating the required tokens, deploying the agent, enabling Zero Trust authentication, and connecting a test messaging channel. The cost of running such an instance is modest, and it gives you a place to exercise the agent's capabilities without exposing real data or production credentials.
Organizations are advised to run a 30-day stress test on throwaway identities before widening access, focusing on three areas: how the agent handles credentials, how it behaves under adversarial input, and whether the sandbox boundary actually holds. An evaluation of this kind does not guarantee a safe deployment, but it makes the failure modes of a vulnerable agent visible before they can turn into a breach of real accounts.
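As an added illustration of what the three evaluation areas above look like in practice, and of the kind of check that would have caught the credential exposure in ClawHub skills mentioned earlier, here is a small offline test harness. It is example code written for this page, not code from OpenClaw, Moltworker, or any vendor. The skill bundle, the workspace path `/srv/openclaw/workspace`, and the egress allowlist are all constructed for the demonstration; the token prefix patterns are the publicly documented ones for each service and are a starting list rather than a complete one.

```python
"""
Offline checks for an OpenClaw-style agent sandbox (constructed example).
  1. credential handling: flag plaintext secrets shipped inside a skill bundle
  2. filesystem boundary: every path the agent touches must resolve inside the workspace
  3. network boundary: outbound URLs must match an allowlist; internal ranges are refused
"""
import ipaddress
import os
import re
import tempfile
from urllib.parse import urlparse

# Publicly documented prefix formats for common tokens; a starting list, not a complete one.
SECRET_PATTERNS = {
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "slack_token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed skill bundle: one file hardcodes a Slack token, run.sh correctly reads from env.
SAMPLE_SKILL = {
    "SKILL.md": "# Summarise Slack threads\nReads a channel and posts a digest.\n",
    "config.json": '{"slack_token": "xoxb-000000000000-111111111111-AbCdEfGhIjKlMnOpQrStUvWx"}',
    "run.sh": "#!/bin/sh\nexport OPENAI_API_KEY=$OPENAI_API_KEY\nnode index.js\n",
}

def find_secrets(text):
    """Return (kind, match) for every credential-like string in text."""
    return [(kind, m.group(0)) for kind, pat in SECRET_PATTERNS.items() for m in pat.finditer(text)]

def scan_skill_files(files):
    """files: {filename: contents}. Returns only the files that contain findings."""
    return {name: hits for name, body in files.items() if (hits := find_secrets(body))}

def path_is_contained(requested, workspace):
    """True if `requested` (relative or absolute) resolves inside `workspace`.
    realpath follows symlinks and collapses '..', so a link planted inside the
    workspace that points at /etc or $HOME is caught; a string-prefix check is not."""
    ws = os.path.realpath(workspace)
    target = os.path.realpath(os.path.join(ws, requested))
    try:
        return os.path.commonpath([ws, target]) == ws
    except ValueError:  # paths on different drives (Windows)
        return False

def symlink_escape_is_caught():
    """Plant a symlink inside a temporary workspace that points outside it and show
    that the naive prefix check passes while path_is_contained rejects the read."""
    with tempfile.TemporaryDirectory() as tmp:
        ws, outside = os.path.join(tmp, "workspace"), os.path.join(tmp, "outside")
        os.makedirs(ws)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(ws, "notes"))  # what a malicious skill might do
        naive = os.path.normpath(os.path.join(ws, "notes/secret.txt")).startswith(ws)
        strict = path_is_contained("notes/secret.txt", ws)
        return naive and not strict

ALLOWED_HOSTS = {"api.openai.com", "slack.com"}  # constructed allowlist for the test tenant

BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16",  # link-local, includes the cloud metadata endpoint 169.254.169.254
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal_address(ip_text):
    """For use at connect time, after DNS resolution, to defeat rebinding to internal IPs."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in BLOCKED_NETS)

def egress_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Allow only https to an allowlisted hostname. Raw IP literals never match, which
    also refuses the metadata endpoint; userinfo tricks (https://slack.com@evil/) fail
    because urlparse().hostname returns the real host."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return host in allowed_hosts

def evaluate_agent_run(skill_files, tool_paths, outbound_urls, workspace):
    """One evaluation pass: each value lists the items that FAILED its check."""
    return {
        "credential_findings": scan_skill_files(skill_files),
        "path_escapes": [p for p in tool_paths if not path_is_contained(p, workspace)],
        "blocked_urls": [u for u in outbound_urls if not egress_allowed(u)],
    }

if __name__ == "__main__":
    report = evaluate_agent_run(
        SAMPLE_SKILL,
        ["notes/todo.md", "../../etc/passwd", "/root/.ssh/id_ed25519"],
        ["https://api.openai.com/v1/chat/completions",
         "http://169.254.169.254/latest/meta-data/",
         "https://slack.com@attacker.example/"],
        "/srv/openclaw/workspace",  # assumed workspace path
    )
    for key, value in report.items():
        print(f"{key}: {value}")
    print("symlink escape caught:", symlink_escape_is_caught())
```

The path and egress helpers are meant to sit in front of the agent's file and HTTP tools, so that every tool call is checked against the workspace root and the allowlist before it runs; the connect-time `is_internal_address` check is the part an offline harness cannot exercise and must be wired into the real HTTP client. The secret scan is the pre-install gate: a skill that reads tokens from the environment passes, one that ships a token in its files does not.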