OpenClaw is powerful because it can read, route, and act across real tools and channels. That is also why it carries real risk. The official security docs explicitly warn about prompt injection from untrusted content and about unsafe open messaging policies.
The biggest risks
- prompt injection from content the agent reads
- open DM or overly broad channel policies
- third-party skills and plugins you did not inspect
- credentials or secrets handled carelessly
What the official docs warn about
OpenClaw’s security and skills docs caution that even if only you can message the bot directly, prompt injection can still arrive through fetched pages, docs, logs, attachments, and other untrusted content. They also say to treat third-party skills as untrusted code.
The safest posture
- start with allowlists
- use mention requirements in group contexts
- inspect skills before enabling them
- keep secrets out of prompts and logs
- automate gradually
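As an added example (not OpenClaw's own code or configuration), here is a minimal inbound-message gate in Python that applies the allowlist, mention-requirement and secrets-out-of-logs items above. The policy fields, message shape, bot handle and secret patterns are assumptions for illustration; default is deny.

```python
# Added example, not OpenClaw's own code or config: a default-deny gate for
# inbound messages plus a redaction step for anything written to logs/prompts.
# Policy fields, message shape and secret patterns are assumptions.
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    dm_allowlist: set = field(default_factory=set)     # senders allowed to DM the agent
    group_allowlist: set = field(default_factory=set)  # group channels the agent may act in
    bot_handle: str = "@openclaw"                      # explicit mention required in groups


@dataclass
class Message:
    sender: str
    channel: str
    is_group: bool
    text: str


# Constructed patterns: key=value style secrets and common token prefixes.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(?:api[_-]?key|token|password|secret)\s*[:=]\s*\S+"),
    re.compile(r"\b(?:sk|ghp|xoxb)[_-][A-Za-z0-9_-]{8,}"),
]


def redact(text: str) -> str:
    """Replace secret-looking values before text reaches a log line or a prompt."""
    for pat in SECRET_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text


def should_act(msg: Message, policy: Policy) -> tuple[bool, str]:
    """Return (act, reason). Anything not explicitly allowlisted is refused."""
    if msg.is_group:
        if msg.channel not in policy.group_allowlist:
            return False, "group not allowlisted"
        if policy.bot_handle.lower() not in msg.text.lower():
            return False, "no explicit mention in group context"
        return True, "allowlisted group with mention"
    if msg.sender not in policy.dm_allowlist:
        return False, "sender not on DM allowlist"
    return True, "allowlisted DM"


def audit_line(msg: Message, decision: tuple[bool, str]) -> str:
    """Log entry with the decision and the redacted message text only."""
    act, reason = decision
    return f"{msg.channel} {msg.sender} act={act} reason={reason!r} text={redact(msg.text)!r}"
```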
Tools that help
The docs include `openclaw doctor` and `openclaw security audit --deep` style checks as part of operational hygiene.
Useful next reads
Read "How to self-host OpenClaw and keep control of your data" and "How to use OpenClaw without turning your workflow into chaos".
Quick FAQ
Are third-party skills safe by default?
No. The official docs explicitly say to treat them as untrusted.
Can prompt injection still happen if only I use the agent?
Yes. Untrusted content can still enter through what the agent reads.