Openclaw Community Digest

OpenClaw security crisis — patches, supply-chain exploit, phishing, CVEs, hardening, China guidance & Anthropic blocks

Key Questions

What security issues affect OpenClaw and have patches been released?

OpenClaw faces ClawJacked supply-chain exploits, RCEs like CVE-2026-25253 (patched in v4.1) and CVE-2026-32042 (unpatched), phishing, and NemoClaw flaws. v4.1 introduces guardrails and cron lists for improved stability and hardening. Guides from Tailscale, HostGator, RSAC, Jentic, ClawSecure, TCAI, Kaspersky, CNCERT, and NSFOCUS recommend secure setups and migrations.

Why did Anthropic block OpenClaw access via Claude subscriptions?

Anthropic cut off Claude subscription access to OpenClaw on April 4, introducing extra fees for Claude Code usage and pushing users toward the pay-as-you-go API. This affects heavy users who power OpenClaw with Claude models. Users are advised to explore local or hosted workarounds.

Is Nvidia's NemoClaw a safe alternative to OpenClaw?

Tests on Nvidia's NemoClaw reveal it still has the same persistent security problems as OpenClaw. ClawHub audits confirm Hitem3D is safe, but NemoClaw flaws remain. Users should follow ClawHub audits and security guides for safer options.

What changes does OpenClaw v4.1 introduce for AI agents?

OpenClaw 4.1 changes how AI agents work with new guardrails, cron lists, and stability improvements amid ongoing security crises. It patches some CVEs like CVE-2026-25253 but leaves others unpatched. This version aims to address RCEs and exploits while enhancing overall control.

How can users monitor and control OpenClaw token consumption?

Set alerts that fire when the token consumption growth rate exceeds N tokens/min, using a query such as sum(rate(openclaw_tokens[10m])). This helps confirm that OpenClaw stays under control. Tools from DEV Community provide queries for tracking usage.
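A Prometheus alerting rule built around that query, as an added example (it is not from the digest or any of its sources). The metric name openclaw_tokens comes from the text above; that it is a monotonically increasing counter, the budget of 5000 tokens/min, and the rule names are assumptions. rate() returns tokens per second, so the value is multiplied by 60 to match a threshold expressed in tokens/min.

```yaml
# Added example: Prometheus alerting rules for OpenClaw token consumption.
# Assumption: openclaw_tokens is a counter exported by the OpenClaw instance.
groups:
  - name: openclaw-token-budget
    rules:
      # Recording rule: tokens consumed per minute, averaged over a 10m window.
      # rate() is per-second, so multiply by 60 to get tokens/min.
      - record: openclaw:tokens_per_minute:rate10m
        expr: sum(rate(openclaw_tokens[10m])) * 60

      # Absolute budget: fires when the sustained rate stays above N
      # (placeholder N = 5000 tokens/min) for 5 minutes, ignoring short bursts.
      - alert: OpenClawTokenBurnHigh
        expr: openclaw:tokens_per_minute:rate10m > 5000
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: 'OpenClaw token consumption above budget'
          description: 'Consuming {{ printf "%.0f" $value }} tokens/min (budget 5000/min); check for runaway agent loops or unexpected callers.'

      # Relative spike: fires when the current rate is more than 3x the
      # average of the previous hour, which catches a sudden growth in usage
      # even while it is still under the absolute budget.
      - alert: OpenClawTokenBurnSpike
        expr: >
          openclaw:tokens_per_minute:rate10m
            > 3 * avg_over_time(openclaw:tokens_per_minute:rate10m[1h] offset 1h)
        for: 10m
        labels:
          severity: info
        annotations:
          summary: 'OpenClaw token consumption spiked above its 1h baseline'
```

The relative rule only makes sense once the recording rule has at least two hours of history, so expect it to stay silent on a freshly deployed instance.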

Summary: v4.1 brings guardrails, cron lists and stability fixes amid ClawJacked and RCEs (CVE-2026-25253 patched; CVE-2026-32042 unpatched). Anthropic cut off Claude subscription access on Apr 4 and added extra fees for Claude Code, pushing users to local or hosted workarounds. ClawHub audits (Hitem3D safe); NemoClaw flaws. Guides from Tailscale and HostGator; coverage from RSAC, Jentic, ClawSecure, TCAI, Kaspersky, CNCERT and NSFOCUS; secure setup and migration guides.

Sources (4)
Updated Apr 8, 2026