OpenClaw 보안 이슈 정리: Moltbook 노출·악성 스킬·안전 운영 체크리스트

Introduction

TL;DR: OpenClaw is an open-source AI agent designed to run on a personal machine and execute real actions via chat-based commands. Reported incidents around Moltbook key exposure, malicious “skills,” and a published advisory show that agentic utility and agentic risk scale together. Use sandboxing, least privilege, secret hygiene, and tight input/tool controls before you grant it real accounts.

Why it matters: “Agents” aren’t just chat—they’re delegated execution. Delegated execution without governance is a security incident waiting to happen.

OpenClaw definition, scope, and the common misconception

Definition

OpenClaw is an open-source AI agent that runs on a user-controlled machine and is positioned as a chat-driven personal assistant that can take actions across everyday apps and tools. (GitHub)

Scope (what it is / isn’t)

It is about execution (email, calendar, commands, workflows). (IBM)
It isn’t “safe by default” if you expose its UI to the internet or install untrusted skills. (The Hacker News)

Misconception

“Open source means secure.” In agent systems, the core risks are still permissions, secrets, untrusted inputs, and supply-chain artifacts. (OWASP)

Why it matters: The value proposition (do things) is the risk multiplier (can do things).

Architecture at a glance: Gateway, channels, tools/skills, sandboxing

Docs emphasize a secure baseline: local binding, token auth, DM pairing, and sandboxing (Docker) with per-agent/per-session isolation and workspace access controls. (OpenClaw docs)

Why it matters: Security is mostly “where you put the boundaries” (input → tools → execution), not a single setting.

Security incidents cross-check: Moltbook exposure, malicious skills, and advisories

Moltbook exposure

Reports tied to security research describe exposed credentials/API keys and user emails; some coverage also raised the risk of controlling agents via exposed backend access. (1Password)

Malicious skills / registry supply chain

Coverage describes malicious skills distributed via a skill registry and warns that “installing a skill” can be equivalent to executing untrusted code in an agent environment. (Tom’s Hardware)

Advisory: don’t expose the UI publicly

The published advisory and guidance stress that the web interface is intended for local use and should not be exposed to the public internet; keep versions patched. (The Hacker News)

Why it matters: Incidents aren’t edge cases—they’re predictable failure modes of agentic systems.

Practical checklist: pre-flight and operations

Pre-flight

Run in a dedicated environment first; avoid “primary PC + primary accounts.”
Bind locally, enforce token auth, and keep channel input policies strict. (OpenClaw docs)
Enable sandboxing and tighten tool allow/deny; use read-only profiles where possible. (Molt Documentation)
Treat skills as supply chain: verify provenance and review behavior. (Tom’s Hardware)
Track advisories and patch. (The Hacker News)

Operations

Rotate secrets, mask logs, and monitor tool/skill installs and abnormal action spikes. (OpenClaw docs)

Why it matters: This is what turns a viral demo into something you can trust in daily life.

Alternatives (quick compare)

AutoGPT (automation platform) (GitHub)
OpenHands (coding agents) (GitHub)
Open Interpreter (local code execution) (GitHub)
LangGraph (controllable agent runtime) (langchain.com)

Why it matters: Choose “assistant product” vs “agent framework” deliberately, or you’ll inherit the wrong risk profile.

Conclusion

OpenClaw’s breakthrough is execution—not conversation. (IBM)
Moltbook exposure and malicious skills show the agent ecosystem is already dealing with classic security problems (secrets, supply chain, exposure surfaces). (1Password)
If you haven’t implemented sandboxing + least privilege + secret hygiene + input/tool controls, you’re not “early”—you’re exposed. (OpenClaw docs)

Summary

Execution is the core value and the core risk.
Treat skills as supply chain artifacts.
Don’t expose local-first UIs to the internet; patch aggressively.
Use sandboxing, least privilege, and strict tool/input policies.

Recommended Hashtags

#openclaw #aiagent #llmsecurity #promptinjection #secretsmanagement #supplychainsecurity #docker #devsecops #sandboxing #moltbook

References

(OpenClaw (GitHub Repo), 2026-02-03)[https://github.com/openclaw/openclaw]
(Security - OpenClaw, 2026-02-03)[https://docs.openclaw.ai/gateway/security]
(CVE-2026-25253, 2026-02-03)[https://nvd.nist.gov/vuln/detail/CVE-2026-25253]
(OWASP Top 10 for LLM Applications, 2026-02-03)[https://owasp.org/www-project-top-10-for-large-language-model-applications/]
(It’s incredible. It’s terrifying. It’s OpenClaw., 2026-02-02)[https://1password.com/blog/its-openclaw]
(Exposed Moltbook Database Let Anyone Take Control of Any AI Agent on the Site, 2026-02-02)[https://www.404media.co/exposed-moltbook-database-let-anyone-take-control-of-any-ai-agent-on-the-site/]
(Viral AI personal assistant seen as step change – but experts warn of risks, 2026-02-02)[https://www.theguardian.com/technology/2026/feb/02/openclaw-viral-ai-agent-personal-assistant-artificial-intelligence]
(OpenClaw’s AI assistants are now building their own social network, 2026-01-30)[https://techcrunch.com/2026/01/30/openclaws-ai-assistants-are-now-building-their-own-social-network/]
(Exposed Moltbook database revealed secrets, 2026-02-02)[https://www.reuters.com/world/us/exposed-database-ai-agent-social-media-site-revealed-secrets-researchers-say-2026-02-02/]
(The strange new social network for AI agents had a huge security hole, 2026-02-01)[https://www.theverge.com/ai-artificial-intelligence]
(OpenClaw: The viral “space lobster” agent testing limits, 2026-01-29)[https://www.ibm.com/think/news/clawdbot-ai-agent-testing-limits-vertical-integration]
(Malicious OpenClaw ‘skill’ targets crypto users on ClawHub, 2026-02-02)[https://www.tomshardware.com/software/security-software/malicious-openclaw-skill-targets-crypto-users-on-clawhub]
(Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users, 2026-02-02)[https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html]
(Molt Documentation - Sandboxing, 2026-02-03)[https://docs.molt.bot/gateway/sandboxing]
(LangGraph, 2026-02-03)[https://www.langchain.com/langgraph]
(AutoGPT, 2026-02-03)[https://github.com/Significant-Gravitas/AutoGPT]
(OpenHands, 2026-02-03)[https://github.com/OpenHands/OpenHands]
(Open Interpreter, 2026-02-03)[https://github.com/openinterpreter/open-interpreter]

Introduction#

OpenClaw definition, scope, and the common misconception#

Definition#

Scope (what it is / isn’t)#

Misconception#

Architecture at a glance: Gateway, channels, tools/skills, sandboxing#

Security incidents cross-check: Moltbook exposure, malicious skills, and advisories#

Moltbook exposure#

Malicious skills / registry supply chain#

Advisory: don’t expose the UI publicly#

Practical checklist: pre-flight and operations#

Pre-flight#

Operations#

Alternatives (quick compare)#

Conclusion#

Summary#

Recommended Hashtags#

References#