BULWARKAI BLOG

Security insights for OpenClaw.

Hardening guides, threat analysis, and tool comparisons from a Platform Security Architect with 20+ years in the industry.

openclaw-security-dashboard v1.5: One Command, Full Coverage
v1.5 adds built-in audit integration, credential flow mapping, SSRF detection, sandbox scoring, accept risk, capability drift, network policy generation, and a tamper-evident audit trail.
Read →
You Ran openclaw security audit. Here’s the Other 40%.
The built-in audit has 78 config checks. It doesn’t scan skills against 1,184+ malicious IOCs, verify identity files, audit MCP servers, or detect persistence. Here’s what covers the rest.
Read →
Your OpenClaw API Keys Are Leaking — Here Are 5 Levels of Fix
7% of ClawHub skills expose credentials through the LLM context window. Plaintext config is just level 0. Here’s the full hierarchy of API key protection.
Read →
Meta Banned OpenClaw. Korean Tech Giants Followed. Here’s Why Your Company Should Care.
Meta, Kakao, Naver, and Karrot Market banned OpenClaw from corporate networks. Google restricted paying subscribers who used it. Here’s why — and what it means if your employees are already running it.
Read →
China’s Government Warned About OpenClaw — Here’s What They Found and Why It Matters
China’s MIIT issued a formal security alert about OpenClaw — while Chinese cloud providers were actively selling hosting packages for it. The full story, what they found, and what it means for global deployments.
Read →
When 3 Governments, Gartner, and Big Tech All Warn About the Same AI Tool
Belgium, China, and South Korea issued formal security warnings. Gartner called it “insecure by default.” Meta banned it. Here’s what they found — and what it means for your deployment.
Read →
ClawJacked: How a Browser Tab Can Hijack Your OpenClaw Agent — And What to Do About It
CVE-2026-25253 allows any website to silently hijack your OpenClaw agent via WebSocket brute-force. How it works, what to do, and why patching alone isn’t enough.
Read →
ClawShield vs BulwarkAI — Runtime Protection vs. Security Hardening
ClawShield is a runtime security proxy. BulwarkAI is a security assessment service. How they compare, when to use each, and why the answer is probably both.
Read →
The 40% Gap: What OpenClaw's Built-In Security Audit Misses
The built-in audit covers about 60% of your attack surface. Here are the 6 categories it misses — with specific commands to check each gap.
Read →
BulwarkAI vs SecureClaw vs Free Scanners: Which OpenClaw Security Tool Do You Need?
Honest comparison of OpenClaw security tools — what each does well, what each misses, and which fits your situation.
Read →
OpenClaw Security Hardening Checklist (2026)
10 essential security checks for your OpenClaw deployment. Commands included. The top 10 from the full 40-point audit.
Read →
Is OpenClaw Safe for Business? What Non-Technical Owners Need to Know
OpenClaw is powerful, but not safe by default. Here's what business owners need to know about the risks — and what to do about them.
Read →
ClawHavoc Campaign Analysis: How 1,184 Malicious Skills Passed ClawHub Review
Technical analysis of the largest supply chain attack in the OpenClaw ecosystem — attack architecture, detection gaps, and IOC samples.
Read →
Why "Just Run OpenClaw in Docker" Isn't a Security Strategy
Docker is a useful layer but not a security strategy. Here's what it protects, what it doesn't, and the 5 other layers you need.
Read →
OpenClaw MCP Server Security: The Attack Vector Nobody Is Talking About
MCP servers are the most underaudited component in OpenClaw deployments. How attackers exploit them and how to lock yours down.
Read →
OpenClaw Security for Agencies: How to Protect Client Deployments (and Charge for It)
If you're deploying OpenClaw for clients, you're inheriting their security liability. Turn hardening into a billable service.
Read →
The OpenClaw Threat Landscape in 2026: CVEs, Campaigns, and What's Next
Every known vulnerability, attack campaign, and security advisory in one place. The reference guide for defenders and journalists.
Read →
I Ran Every Free OpenClaw Security Tool. Here's What Each One Found.
Side-by-side comparison: built-in audit, SecureClaw, Aikido.dev, and BulwarkAI scripts on the same deployment. Fair comparison with honest tradeoffs.
Read →