The Unlocked Door: Ryan Eade on What OpenClaw Users Need to Secure Right Now cover art

The Unlocked Door: Ryan Eade on What OpenClaw Users Need to Secure Right Now

The Unlocked Door: Ryan Eade on What OpenClaw Users Need to Secure Right Now

Listen for free

View show details

Ryan Eade, Chief Product and Technology Officer at PtEverywhere, gave this talk at the June 10th TweenerClaw meetup, and it covers something most practitioners skip: how to actually keep your OpenClaw instance secure. Ryan walks through the three main ways OpenClaw instances get compromised: an open port that older versions left fully exposed, third-party skills that can carry malicious code (36% of early store listings had prompt injection), and prompt injection delivered through external content like X posts or README files. He also covers the upgrade windows that matter most; the March 12th and April 5th releases each contained critical security patches, and what to do right now: curl port 18789 on your OpenClaw and see if you get a response back. The practical framework Ryan closes with is worth listening to by itself. He calls it "staff not software" with the idea that every access decision for your OpenClaw should mirror how you'd onboard a new employee: scoped API keys with minimum permissions, a purpose-built email account, one-time credit cards for purchasing tasks, and human approval gates before any destructive action runs. If you've been meaning to lock down your setup but kept putting it off, Ryan gives you everything you need to do it in under 20 minutes.

Timestamps
00:00 Intro bumper

00:16 Sponsor recognition

01:22 Scot's intro

01:56 Introducing Ryan Eade

02:05 Ryan's topic: cybersecurity for OpenClaw

02:50 Ryan Eade

03:28 "Nobody starts with security"

04:10 Why OpenClaw isn't just a chatbot

05:26 The threat landscape

06:09 Early OpenClaw exposure stats

06:40 Threat 1: The open port

07:28 Docker's dirty secret: it bypasses your local firewall

08:07 Fix: bind to localhost and use Tailscale

09:19 What Tailscale is and why it works

09:26 Threat 2: Third-party skills

10:18 How to vet skills: pull the GitHub and read the code

10:58 Threat 3: Prompt injection from the web

11:39 How prompt injection poisons an OpenClaw session

11:47 Real examples

12:51 The full attack chain: README → backdoor → breach

13:52 System prompts vs. session instructions

14:17 The upgrade reality

15:37 Critical release windows: January, March 12, April 5

16:21 "Staff, not software"

16:44 One-time credit cards for purchasing tasks

17:19 Keep your personal email separate

17:57 Least-privilege API keys

19:10 Build in approval gates

19:52 Summary: vet skills, keep it on a leash, have a no-no plan

20:16 The port 18789 check

20:32 Closing remarks


-----


Where to Find Ryan Eade
LinkedIn: https://www.linkedin.com/in/ryaneade/
PtEverywhere: https://www.pteverywhere.com/

Where to Find Scot Wingo:
LinkedIn: https://www.linkedin.com/in/thescotwingo/
Tweener Times: https://www.tweenertimes.com/
X: https://x.com/scotwingo

---

This episode of Triangle Tweener Talks is hosted by Scot Wingo, presented and produced by NC Tweener Fund, with creative assets and design support from Walk West.

We couldn’t share posts like this without our amazing sponsors:

Platinum:
NC IDEA: https://ncidea.org

Gold Sponsors:
- Balentine: https://www.balentine.com/triangle-entrepreneurs
- EisnerAmpner: https://www.eisneramper.com
- Robinson Bradshaw: https://www.robinsonbradshaw.com

Silver Sponsors:
- Automated Consulting Group: https://automated.co
- Bank of America: https://business.bofa.com/en-us/content/technology-industry-group.html


------
Triangle Tweener Talks is sponsored by:

  • Atomic Object: https://atomicobject.com/
adbl_web_anon_alc_button_suppression_t1
No reviews yet