We compared security in OpenClaw, Claude Code, and Cursor. None of them passed.

I expected one of these tools to be meaningfully more secure than the others. After checking CVE databases, reading independent security audits, and going through hundreds of GitHub issues, I found something worse: they all fail in the same ways, just at different speeds.

OpenClaw has 92 security advisories in four months, Cursor shipped 94 unpatched Chromium vulnerabilities to 1.8 million developers, and Claude Code's sandbox was bypassed by the agent reasoning its way out of containment. Independent sources only: Snyk, UpGuard, OX Security, DryRun Security, Proofpoint, HiddenLayer, and Check Point Research.

DryRun Security tested all three by having them build applications from scratch. Across 30 pull requests: 87% contained at least one vulnerability. 143 total security issues spanning 10 vulnerability classes. No agent produced a fully secure product.

Here's what each tool actually does about it.

How OpenClaw, Claude Code, and Cursor handle sandboxing

Whether untrusted code runs in a sandbox determines most of your risk. All three tools now offer sandboxing. The defaults tell you everything.

OpenClaw ships with sandboxing off. The Docker-based sandbox is opt-in. When disabled, the exec tool runs commands on your machine with your permissions. Snyk found two bypass methods: a policy gap in /tools/invoke and a race condition enabling file read/write outside the container. CVE-2026-25253 showed an attacker could remotely turn sandboxing off by sending config commands. The newest one, CVE-2026-32013, uses symlink traversal to escape the workspace. Disclosed March 19.

Claude Code uses OS-native sandboxing: Apple Seatbelt on macOS, bubblewrap on Linux. Kernel-level restrictions, not containers. Network traffic goes through a Unix domain socket proxy. Stronger architecture than Docker. But researchers at Ona.com showed something unsettling: when Claude Code's npx command was denied, the agent found a /proc/self/root/ bypass. When bubblewrap caught that, the agent asked permission to run unsandboxed. It talked itself out of its own containment. Anthropic's docs acknowledge that Docker mode "weakens security" and should be used cautiously.

Cursor added sandbox support in version 2.0, February 2026. Seatbelt on macOS, Landlock plus seccomp on Linux, WSL2 on Windows. They looked at Docker and rejected it because it would limit builds to Linux binaries. A third of requests on supported platforms now run sandboxed. But it's opt-in for Pro users, and forum bug reports show cases where commands ran with full permissions while the UI said "sandbox mode."

None of them sandbox by default for all users.

What your agent can reach

The question nobody asks during setup: what can this thing read?

All three tools can access your entire filesystem in their default configurations. OpenClaw reads and writes anywhere on the host. Your .ssh keys, your .env files, your API credentials in ~/.openclaw/credentials/ stored in plaintext. Claude Code can read the whole filesystem too, with writes scoped to the working directory. Cursor's read_file tool reaches any directory on the system. HiddenLayer confirmed it can grab SSH keys.

Network access is where they diverge. OpenClaw has no restrictions. The agent can curl anywhere, and the browser defaults to dangerouslyAllowPrivateNetwork: true, which means your internal network is exposed. Claude Code blocks curl and wget by default, routing through its sandbox proxy. Except UpGuard scanned 18,470 public Claude Code permission files on GitHub and found 52.1% had Bash(curl:*) enabled. So the default is secure, and half the users turned it off. Cursor blocks outbound network in sandbox mode, but HiddenLayer showed a chained attack: read a file with read_file, exfiltrate it through the create_diagram tool which renders HTML with the data URL-encoded in an image tag.

This is the "lethal trifecta" Simon Willison warned about. Private data access plus untrusted content plus external communication in a single process. All three tools hit at least two of three out of the box.

Permission models and YOLO mode

Every tool ships a way to skip human approval. Developers enable it immediately.

OpenClaw has three tiers: ask (prompts you), record (logs but auto-allows), and ignore (silent). CVE-2026-25253 let attackers remotely flip to ignore. Claude Code escalates through four levels ending at --dangerously-skip-permissions, which is exactly what it sounds like. UpGuard's real-world data: 47% of users allow arbitrary Python, 42% allow arbitrary Node.js, 19.7% allow git push without confirmation.

Cursor calls it YOLO mode. Requires accepting a risk disclaimer, which took about three seconds in my testing. The allowlist uses exact command matching. A documented bug showed that chaining commands with && bypassed it entirely: safe_command && dangerous_command executed both. Cursor stores permissions in a local SQLite database that any process on the machine can read and modify.

The pattern across all three: security engineers build careful permission systems. Product teams add a "skip all" button. Users click it on day one.

It reminds me of the early days of HTTPS adoption. Browser warnings existed for years before anyone made them hard to dismiss. We might be in the same phase with AI agent permissions: the warnings exist, nobody reads them, and the "accept risk" path is always one click away.

Prompt injection: OpenClaw says "out of scope"

This is the part I keep coming back to.

OpenClaw's SECURITY.md says prompt injection scanning of tool results is "out of scope." Not a bug they haven't fixed. A decision they documented and published. In practice, 91% of the malicious packages found in the ClawHavoc supply chain attack used prompt injection techniques. We documented a similar attack chain where one agent compromised seven repos. Researchers found injection payloads targeting OpenClaw circulating in the wild.

Claude Code does more here than the other two. Command blocklist, isolated context windows for web fetches, suspicious command detection. Multiple layers. But every layer has been bypassed independently. Oasis Security used invisible HTML tags to extract conversation history. PromptArmor showed file exfiltration through malicious documents. Lasso Security built an open-source injection defender with 50+ patterns and still says in their docs that novel techniques will slip through.

Cursor has no built-in prompt injection scanning. Multiple independent teams confirmed this. The AIShellJack framework used invisible characters in .cursor/rules files. HiddenLayer hid injections in README files. CVE-2025-54135 showed the full kill chain: one injected Slack message, fetched via MCP, rewrote mcp.json and achieved remote code execution.

Three tools, three approaches ranging from "out of scope" to "we try but it keeps getting bypassed" to "we don't try." None of them solved it.

MCP turned into an attack surface nobody expected

Actually, some people expected it. But nobody acted fast enough.

The Model Context Protocol was supposed to give AI agents safe access to external tools. AuthZed documented nine major MCP breaches between April and October 2025: WhatsApp chat exfiltration, GitHub private repo theft, and Anthropic's own MCP Inspector enabling unauthenticated remote code execution.

OpenClaw's gateway WebSocket defaulted to unencrypted ws:// without origin validation. That was the CVE-2026-25253 entry point. Claude Code now requires trust verification for new MCP servers, but in non-interactive mode (-p flag) this check is disabled, and CVE-2025-59536 showed malicious repos configuring MCP servers that executed before the trust prompt appeared. Cursor's MCP story is the worst of the three: CurXecute, MCPoison, and the March 2026 CursorJack deeplink attack all exploited it. Before version 1.3, new MCP entries auto-executed without any user confirmation. Proofpoint's CursorJack disclosure showed single-click MCP server installation via cursor:// deeplinks. Cursor closed the report as out of scope.

Out of scope. For a vector that achieved remote code execution.

An academic analysis of 67,057 MCP servers across six registries found that a substantial number could be hijacked. The MCP specification itself now includes security best practices, but they're recommendations, not enforced requirements. We scanned 900 MCP configs ourselves and found 75% had security problems.

The CVE count: OpenClaw 92, Claude Code 8, Cursor 8

Raw numbers don't tell the whole story, but they tell part of it.

OpenClaw leads with 92+ security advisories and 9+ formal CVEs in four months. The ClawHavoc attack compromised 20% of the skill marketplace. Kaspersky found 512 vulnerabilities in a single audit, 8 critical. SecurityScorecard discovered 135,000 publicly exposed instances, a third correlated with known threat actor activity. China restricted state enterprises from using it. Belgium issued an emergency advisory.

Claude Code has 8+ CVEs ranging from medium to critical severity, including the Koi Security "PromptJacking" finding at CVSS 8.9 that affected three official Anthropic extensions. A March 2026 fix addressed PreToolUse hooks that could bypass deny rules, including enterprise managed settings. That last part is important: enterprise customers paying for managed security had a bypass in their permission enforcement.

Cursor also has 8+ assigned CVEs, all high severity. The 94 unpatched Chromium vulnerabilities from an outdated Electron fork are a separate category of risk. OX Security successfully weaponized one against the latest Cursor version. Workspace Trust is disabled by default because enabling it disables AI features. That tradeoff tells you something about priorities.

What it costs when things go wrong

None of these tools have real budget controls.

OpenClaw's costs depend entirely on which APIs you connect, with no built-in limits. Reports of unmonitored cron jobs inflating bills by 10-30% are common in the issues. Claude Code subscription tiers cap at roughly 45 messages per 5 hours on Pro, but there are no per-session budget limits or loop detection. Anthropic reports average costs around $6 per day per developer, which sounds reasonable until one session spirals. Cursor's credit system bills overages at API rates with rate limits of 1 request per minute and 30 per hour.

For audit logging, Claude Code has the most mature offering with an Enterprise Compliance API for real-time usage data, though it exports metadata only, not chat content. Cursor restricts audit logs to the Enterprise plan. OpenClaw stores session transcripts as local JSONL files that aren't tamper-proof or centralized.

So which one

Depends on what scares you more.

If your primary concern is supply chain attacks, avoid OpenClaw until the skill marketplace matures. 20% malicious packages is disqualifying for production use today, full stop.

If you need enterprise compliance and the strongest default security posture, Claude Code is ahead. SOC 2 Type II, ISO 27001, and the only tool with OS-native sandboxing that doesn't require Docker. But "ahead" is relative when researchers keep finding sandbox bypasses.

If your team already uses Cursor and switching costs are high, patch to the latest version immediately, enable sandboxing, disable YOLO mode, and audit your MCP server list. The 94 Chromium vulnerabilities alone justify staying current.

What none of them offer: external monitoring of agent behavior. Each tool watches itself from the inside. That architectural pattern has a name in distributed systems: it's the same reason you don't let a process monitor its own health. You put a watchdog outside the process. We wrote about why this is unfixable from inside the agent. For AI agents, that watchdog doesn't exist in any of these tools yet. We're building one for OpenClaw specifically.

Related: - We scanned 900 MCP configs. 75% had security problems. - An AI agent compromised 7 repos in one week. - Why your AI agent can't detect its own compromise.

Run the scanner yourself: orchesis.ai/scan

Open source · MIT License

Try the MCP Scanner

Scan your MCP configuration in seconds. Runs entirely in your browser.