Introduction

As of February 19, 2026, OpenClaw version 2026.2.17 has patched all known CVEs from the January security crisis. If you're running an older version, stop and upgrade. The vulnerabilities fixed in this release were severe: one-click remote code execution, Docker sandbox bypass, SSRF in the Gateway, unauthenticated webhooks, and path traversal in file uploads. The January CVEs made headlines; 2026.2.17 is the response.

This release isn't just patches. It also changes defaults: authentication is now required. The auth-none mode that many early adopters used for quick local testing has been deprecated. New installations can't use it. Existing configs will show a warning. The next major version will remove it entirely. The Foundation is drawing a line: OpenClaw must be secure by default.

The January security crisis — driven by the 135,000 exposed instances and the CVE disclosures — forced a fundamental rethink of OpenClaw's security posture. The Foundation could have patched the vulnerabilities and moved on. Instead, it used the crisis to implement security-by-default. Auth-none is deprecated. Encrypted credential storage is the default. The Docker sandbox is enforced. The message: OpenClaw will no longer ship in an insecure configuration. Users who want to run without auth must explicitly override the defaults — and they'll get warnings. The ecosystem is maturing. Security is non-negotiable.

Patches

Every CVE from the January disclosure is addressed:

  • CVE-2026-25253: Token isolation; no browser context leakage between sessions. Previously, tokens could bleed across users in certain configurations.
  • CVE-2026-24763: Docker namespace isolation fixed. The sandbox for shell execution could be bypassed; now it can't.
  • CVE-2026-26322: SSRF validation in the Gateway. Malicious URLs could trigger outbound requests to internal services.
  • CVE-2026-26319: Webhook authentication (Telnyx, WhatsApp, etc.). Unauthenticated webhooks could be spoofed.
  • CVE-2026-26329: Path traversal in file upload. Attackers could write files outside intended directories.

See the full CVE write-up for technical details. The short version: if you were exposed, you're not anymore — as long as you upgrade.

Each CVE had real-world impact. CVE-2026-25253 allowed session token leakage — an attacker could potentially access another user's browser context. CVE-2026-24763 allowed escape from the Docker sandbox — shell execution could affect the host. CVE-2026-26322 enabled SSRF — internal services could be probed or attacked. CVE-2026-26319 allowed webhook spoofing — attackers could inject messages into channels. CVE-2026-26329 allowed path traversal — arbitrary file writes. In combination with exposed instances, these were catastrophic. The patches close every vector. Upgrading eliminates the exposure.

Default Changes

Auth required by default. New installations cannot use auth-none. Existing auth-none configs will show a deprecation warning; the mode will be removed in the next major version. Encrypted credential storage is now the default. The Docker sandbox is enabled for shell execution — Skills that run shell commands are isolated. These changes may require config updates. If you've been running with auth-none for local testing, you'll need to add proper authentication before upgrading.

The default changes reflect a security-first philosophy. Previously, OpenClaw optimized for ease of setup. "Get running in 5 minutes" meant skipping auth for local use. The 135K exposed instances proved that "local" often meant "cloud VPS with public IP." The new defaults assume the worst: assume your deployment might be exposed, and secure it by default. Auth is required. Credentials are encrypted. Shell execution is sandboxed. If you need to relax these for a specific use case, you can — but you have to explicitly do it. The burden of proof has shifted from "opt-in to security" to "opt-out of security." Most users should never opt out.

Upgrade

For npm installs: npm update openclaw. For Docker: docker pull openclaw/openclaw:2026.2.17. Test in staging first. Review your config for auth changes. Run SecureClaw post-upgrade to verify your setup. If you're on 2026.2.16 or earlier, treat this as urgent. The CVEs were actively exploited in the wild.

Breaking Changes

Auth-none deprecation is the main one. If your config has auth: none, you'll see a warning. Plan to migrate to token-based or API-key auth before the next major version. The Foundation has published migration guides. Most users can switch in under an hour. The alternative — staying on an unpatched version — isn't an option.
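A pre-upgrade check covering the two points above (being on 2026.2.16 or earlier, and a config that still relies on auth: none), written as an added example rather than anything shipped by OpenClaw or the Foundation; the config object shape ({ auth: "none" }) and the idea that a missing auth key counts as auth-none are assumptions, not documented behaviour.

```javascript
// Added example, not OpenClaw's own code. Flags installs that predate the
// patched baseline and configs that still depend on the deprecated
// auth-none mode. The config shape below is an assumption drawn from the
// "auth: none" key mentioned in the release notes.
const PATCHED_VERSION = "2026.2.17";

// Parse a dotted calendar version such as "2026.2.17" into three integers.
function parseVersion(v) {
  const parts = String(v).trim().split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Compare two versions component by component: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return a list of findings; an empty list means the install is already on
// the patched baseline and does not rely on auth-none.
function preUpgradeFindings(installedVersion, config) {
  const findings = [];
  if (compareVersions(installedVersion, PATCHED_VERSION) < 0) {
    findings.push(
      `URGENT: ${installedVersion} predates ${PATCHED_VERSION}; ` +
        "upgrade to pick up the January CVE fixes"
    );
  }
  // Assumption: an absent auth key is treated like auth: none and flagged.
  const auth = config && config.auth;
  if (auth === undefined || auth === null || String(auth).toLowerCase() === "none") {
    findings.push(
      "auth-none is deprecated and rejected on new installs; " +
        "switch to token-based or API-key auth before the next major version"
    );
  }
  return findings;
}

// Constructed sample: an older install still using auth-none.
console.log(preUpgradeFindings("2026.2.16", { auth: "none" }));
```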

Wrapping Up

2026.2.17 is the secure baseline. Upgrade now. This release represents the Foundation's commitment to security by default. The January CVEs were a wake-up call. The deprecation of auth-none, the mandatory authentication, the sandbox improvements — they're the response. If you're on 2026.2.16 or earlier, treat the upgrade as urgent. The vulnerabilities were actively exploited. Don't wait. See OpenClaw security and CVEs for the full picture. Run SecureClaw after upgrading to verify your configuration.