OpenClaw’s foundation-backed team published a detailed security roadmap on May 15 covering five areas: filesystem boundaries, network egress, plugin marketplace trust, command approval UX, and static analysis regression testing. The post, authored by Jesse Merhi, arrives after months of escalating incidents, including over 150,000 vulnerable instances identified by researchers, password-harvesting plugins on the ClawHub marketplace, and Gartner classifying OpenClaw as an “unacceptable cybersecurity risk.”
The roadmap is notable less for the individual fixes and more for what it concedes openly: OpenClaw cannot and will not promise risk-free operation.
Filesystem: fs-safe Library and SQLite Migration
The first measure targets path traversal and boundary-crossing bugs. A new shared library called fs-safe consolidates root-bounded filesystem patterns so that core code, plugins, and adjacent services all apply the same write restrictions. Writes inside a plugin’s designated workspace succeed; attempts to traverse outside it via symlinks, absolute paths, or archive entries whose names climb out of the extraction directory fail.
The team is explicit about what fs-safe is not: “It is not a sandbox,” the blog post states. A plugin with shell execution permissions can still do anything the shell allows. fs-safe only catches boundary-crossing bugs in filesystem code.
Alongside fs-safe, OpenClaw is migrating runtime state (sessions, transcripts, scheduler state, plugin state) into SQLite, eliminating whole categories of filesystem calls from the runtime path.
Network: Proxyline Replaces URL Validation
The second pillar addresses SSRF attacks, which are harder to prevent in agent runtimes than in traditional web services because model-influenced URL fetches are normal product behavior, not edge cases.
OpenClaw’s previous approach validated URLs before fetching them. The problem is that DNS is resolved twice, once at validation and once at fetch, and an attacker-controlled hostname can answer the first lookup with a public IP and the second with an internal metadata endpoint, so the request leaves for a destination that was never checked (DNS rebinding). Blockchain News called the replacement “a significant leap forward from traditional URL validation methods, which are prone to DNS exploits.”
The replacement is Proxyline, a process-global routing layer that sends all Node.js network traffic through a configured proxy. The proxy enforces connect-time policy: blocking metadata addresses, private IP ranges, and loopback canaries. Organizations running their own managed proxy can route OpenClaw through it for full observability of outbound connections.
Acknowledged limitations: raw sockets, native modules, and child processes not launched by OpenClaw can bypass a Node-level guardrail, so anyone who needs a hard boundary still has to enforce egress at the host or network layer as well.
ClawHub: Trust Tiers for the Plugin Marketplace
ClawHub, OpenClaw’s plugin marketplace, has faced the sharpest criticism. VirusTotal identified numerous plugins that harvested passwords, according to Trending Topics reporting.
The new system assigns trust classifications to specific package versions: clean, suspicious, held, quarantined, revoked, or malicious. Releases marked malicious or quarantined cannot be installed through the ClawHub path at all. The pipeline combines ClawScan, VirusTotal, static analysis, metadata checks, source provenance, and manual moderation.
Plugins sourced from GitHub, private registries, or direct file transfers remain installable. “OpenClaw should not pretend users do not own their own machines,” the blog post states. Higher trust tiers (official packages, verified publishers) are planned but not yet shipped.
Command Approvals: Parsing Over Prompting
OpenClaw’s confirmation dialogs have suffered from prompt fatigue: users click through security prompts or enable “YOLO mode” to keep working, rendering the prompts meaningless.
The fix focuses on parsing accuracy over prompt volume. The shell approval path now evaluates inner command chains for common shell -c wrappers. A policy that understands rm but cannot see inside bash -c "rm -rf ~/something" is “not a policy users should trust,” per the blog post. Tree-sitter powers the command highlighter to surface what OpenClaw detected inside wrapper payloads.
For OpenAI users, Auto Review replaces manual approval at the sandbox boundary with a separate reviewer agent.
Static Analysis: 148 OpenGrep Rules Derived from Past Advisories
After each GitHub Security Advisory patch, the team converts the bug pattern into an OpenGrep rule. The current rulepack contains 148 rules, each tied to a specific advisory, report, or review finding. The rules run on PR diffs, with full scans available manually. CodeQL runs alongside for deeper semantic coverage.
The team emphasizes precision over volume: “A noisy rule is worse than no rule, because it teaches the team to ignore the channel.”
The Concession That Matters
The roadmap’s most significant line is its closing one. “We are not going to promise risk-free agents. Anyone promising that is selling something, or has not shipped enough yet.”
For enterprise buyers evaluating agent deployments, the five-point plan represents a shift from crisis response to structured security engineering. Whether fs-safe, Proxyline, and ClawHub trust tiers move the needle fast enough to reverse Gartner’s risk classification and restore adoption momentum is the open question heading into Q3.