Security Architecture

The cute little lobster.
And the big one hiding behind it.

OpenClaw's mascot is a friendly red lobster. The community loves it. What they don't talk about is what's underneath — a skeletal updater that can pump malware directly into your agents.

Problem 1
The Lobster Mothership
OpenClaw's mascot is literally a lobster. The project started as "Clawdbot" — a pun on Anthropic's Claude — got trademark-sued, became "Moltbot" (lobsters molt), then landed on "OpenClaw." In China, installing OpenClaw is called "raising a red lobster."

But here's what people don't talk about: "Lobster" is also the name of OpenClaw's actual workflow shell — a typed, local-first macro engine that powers its automation pipelines. When a new capability emerges, someone has to write a new Lobster workflow, upload it to GitHub, and hope 100,000 people install it before the ClawHavoc attackers do.

They already did — 20% of the ClawHub marketplace was malware.

The mothership feeds the agents, and the mothership is poisoned.
Chatsey has no lobster. No community dependency. No marketplace to poison. Skills are curated, reviewed, and deployed through the Tool Forge — not uploaded by anonymous accounts.
Problem 2
The Gateway Umbilical Cord
Every single OpenClaw agent — every Telegram bot, every Discord assistant, every WhatsApp integration — routes ALL communication through a local WebSocket gateway server that must be running 24/7 on someone's machine. This is openclaw gateway at localhost:18789.
User message → Telegram → OpenClaw Gateway (your machine) → LLM → Response Must be running. Always. If it dies, everything dies. If it's compromised, everything is compromised.
Kill the gateway = kill every agent simultaneously. Power outage, Mac sleep, npm crash — all agents go dark.

Compromise the gateway = own everything. ClawX hijacked the gateway and owned every connected agent in one move. CVE-2026-25253 exploited the WebSocket endpoint directly — one malicious webpage, full admin control.

40,000+ gateways exposed to the public internet because users needed remote access. Cisco called it "a cybersecurity disaster."

The big lobster: OpenClaw installs a macOS LaunchAgent (ai.openclaw.gateway.plist) that auto-launches at login and a watchdog script that restarts it if it dies. You literally cannot turn it off without a full system purge. This is the skeletal updater — the persistent backdoor that can push payloads straight into your agents.
Chatsey runs on serverless Edge Functions — globally distributed, zero single point of failure, no gateway process, no umbilical cord. Kill a laptop, lose nothing.
Chatsey's Architecture
Security by design, not by policy.
No gateway process to hijack. Agents run on Supabase Edge Functions — serverless, globally distributed.

No community marketplace to poison. All tools are curated, versioned, and deployed through the Tool Forge — generated, audited, and indexed. No external uploads. No unvetted code.

Tamper-evident identity. Every agent's identity includes a SHA-256 hash of its core constraints. Tampering is detected and the agent refuses to start.

No plaintext credentials. All API keys and tokens managed through Supabase Vault — encrypted at rest, never exposed in config files.

Every action logged. Immutable audit trail. Every tool call, every decision, every external action — logged with full reasoning before execution.
The Numbers

OpenClaw's 2026 security record.

Every finding on this page is sourced from NIST NVD, major security vendors, or published incident reports. No speculation.

CVE-2026-25253
8.8
CVSS HIGH · Gateway Token Theft
Unauthenticated remote attacker steals auth token via query string WebSocket hijack. One click → full RCE. 30,000+ compromised instances.
CVE-2026-25157
9.1
CVSS CRITICAL · DM Data Exfil
Open DM configuration broadcasts agent memory to unauthenticated WebSocket clients. Complete data exfiltration with zero user interaction.
CVE-2026-24763
7.5
CVSS HIGH · Prompt Injection
Unvalidated tool parameters allow injection through crafted user input. Marketplace skills executed with full local system permissions.
ClawX / ClawHavoc
341+
Malicious Marketplace Skills
Active organized campaign uploading malware-laced skills. China's state banks banned OpenClaw. 40,000+ exposed deployments (Cisco).
Side by Side

The full comparison.

OpenClaw — 2026 Record
CVE-2026-25253 · CVSS 8.8 · Gateway token theft → RCE
CVE-2026-25157 · CVSS 9.1 · Open DM data exfiltration
CVE-2026-24763 · CVSS 7.5 · Prompt injection via tools
341+ malicious marketplace skills (ClawX/ClawHavoc)
40,000+ exposed deployments (Cisco research)
Banned by China's state banking sector
localhost:18789 WebSocket — persistent attack surface
LaunchAgent persistence — can't stop without system purge
Chatsey — 2026
0 CVEs — no gateway, no attack surface
Supabase Row Level Security — DB engine enforced
SHA-256 tamper-evident identity
Curated Tool Forge — every tool reviewed
AUDIT agent on every action
Serverless Edge Functions — no local process
Immutable audit log — every action, forever
HIPAA/SOC 2 ready architecture
Research & Sources

Every claim is sourced.

OpenClaw CVEs
↗ CVE-2026-25253 · CVSS 8.8 · NIST NVD ↗ CVE-2026-25253 Analysis — Tenable ↗ CVE-2026-25253 Deep Dive — Wiz ↗ CVE-2026-25253 — SentinelOne Labs
Incident Reports
↗ 40,000+ Exposed Instances — runZero / Cisco ↗ ClawX / ClawHavoc 341+ Skills — Kaspersky ↗ China State Banks Ban OpenClaw — SCMP
Chatsey Architecture
↗ Security Architecture — Zero CVE Design ↗ Identity Engine™ Specification ↗ War Room Multi-Agent Architecture

Ready for agents that
don't compromise your security?

Set up your first Chatsey agent in 5 minutes — no gateway, no Docker, no terminal.

Set Up Your Agent →