The Unlocked Door: Ryan Eade on What OpenClaw Users Need to Secure Right Now
Ryan Eade, CPTO at PtEverywhere, covers the three ways your OpenClaw instance can be compromised: open ports, untrusted skills, and prompt injection. And exactly how to close each one.
At the June 10th TweenerClaw meetup in Research Triangle Park, Ryan Eade gave a focused, practitioner-level talk on something most of us avoid: securing our OpenClaw instances. Rather than covering what to build with OpenClaw (everyone already has a list), Ryan walked through the three main attack vectors he's seen in the wild and the concrete steps to close each one. Short, tight, and actionable, this one's worth your time if you have OpenClaw running anywhere.
We couldn’t bring you 100% original founder-to-founder content like this without the support of our awesome-sauce sponsors:
Loving our content? It wouldn’t be possible without our amazing sponsors and our paid subscribers, so THANK YOU!
Featured Platinum Sponsor
Featured Gold Sponsor
Featured Silver Sponsor
And special thanks to our friends at Walk West for partnering with us to produce this pod!
Summary
Ryan Eade is the Chief Product & Technology Officer at PtEverywhere and a regular in the Triangle's OpenClaw community. At the June TweenerClaw meetup, he gave a candid talk on the security gaps he's encountered and had to fix while running OpenClaw in production. The talk covers three threat vectors: leaving your instance exposed on an open port, installing unvetted third-party skills (36% of early skills carried prompt injection), and prompt injection delivered through external content like X posts and README files. Ryan closes with a practical defense framework built around one memorable mental model, to treat OpenClaw like staff, not software, with specific guidance on API key hygiene, one-time credit cards, separate email accounts, upgrade cadence, and why your system prompts matter more than your session instructions.
Stick around for the highlights below. 👇
Highlights
The false comfort of “local only”: Most people assume that running OpenClaw on a home network means security isn’t a concern. Ryan’s first point is that this is wrong. OpenClaw enables remote code execution and likely has access to your API keys, personal files, and credentials, regardless of where it’s hosted.
Check port 18789 immediately: Run
curlagainst your OpenClaw instance on port 18789. If you get a response, you’re running a very old version with full unauthenticated access to your machine. This is the most urgent security check to perform.Know the critical upgrade windows: Versions from late January exposed port 18789 with unauthenticated remote code execution. Versions before the March 12 release contained a gateway key bypass vulnerability. The April 5 release introduced a large batch of security fixes. If you’re running a version older than April, you should assume you’re exposed and upgrade.
Docker doesn’t automatically make you safer: Running OpenClaw in Docker can bypass your local machine’s firewall protections. What feels like an extra security layer may actually increase your exposure.
Treat every third-party skill as untrusted: At one point, 36% of early OpenClaw skills contained prompt injection. Although submissions are now scanned, Ryan recommends always pulling the GitHub repository, reviewing the code yourself, and treating every third-party skill as untrusted until you’ve verified it.
Prompt injection from the web is a real attack vector: If OpenClaw reads content from X, email, GitHub, or other external sources, any of that content can inject instructions into your agent. GitHub README files are a known vector. A typical attack chain is: hidden instructions embedded in a README → the agent writes a local file → that file creates a backdoor → the attacker gains persistent access → you only notice when your API bill spikes.
Session instructions can disappear mid-run: As the context window fills up, OpenClaw compresses conversation history, and session-level instructions can silently be dropped. Put critical security guardrails in the system prompt, not session instructions, since system prompts persist.
Think of AI agents as staff, not software: Ryan’s mental model is to give agents only the access they need. Just as you wouldn’t hand a new employee your personal credit card, don’t give OpenClaw unrestricted access. Use dedicated email accounts, scoped API keys with minimum permissions, and one-time-use or limited virtual credit cards for purchasing tasks.
Build human approval gates into risky actions: Require explicit confirmation before destructive operations like deleting files, sending emails, or modifying data. Ryan routes these actions into dedicated Slack channels where OpenClaw proposes the action and waits for a human “yes” before proceeding. This extra approval layer has caught the most mistakes.
Expect every upgrade to break something and upgrade anyway: Ryan says every OpenClaw upgrade has required a couple of hours of cleanup. He budgets for that maintenance because the alternative is running software with known vulnerabilities on a machine that holds API keys, credentials, and sensitive data.
Security's not the fun part, but Ryan makes a pretty convincing case that it's the part that keeps everything else running. Go check that port, and enjoy the talk.
Visit Tweener Talks to listen for all audio podcast players
We have a video version on YouTube (make sure to subscribe!)
📌 What’s Next
Subscribe to NC Tweener Talks for more conversations with North Carolina founders, operators, and builders shaping the future of the ecosystem. Paid subscribers help us keep creating more episodes, events, and founder-focused content across the state.





