Edit: Default binding was to 0.0.0.0, and if you were not aware of this and assumed your router was keeping you safe, you probably should not be using OpenClaw. In fact, some services may still default to 0.0.0.0: https://github.com/openclaw/openclaw/issues/5263
Since pretty much the beginning it wasn't, and the documentation explicitly warned not to make it public by exposing it to the internet. It included information on how to properly forward the gateway port to your machine without opening it up to the internet.
It’s possible, and maybe even trivial, to hit a malicious website that tries to connect to the OpenClaw port on your local machine.
A malicious web page runs JavaScript that makes a fetch() or XMLHttpRequest to http://localhost:CLAWPORT — your browser executes that from your machine, so it bypasses your router/firewall entirely. If OpenClaw is listening on localhost with no auth, the browser just connects to it. Same-origin policy doesn’t save you because the request originates from your own machine.
https://github.com/openclaw/openclaw/commit/5643a934799dc523...