privacy

OpenClaw: How the Hottest AI Agent Became a Security Nightmare in Three Weeks

135,000+ GitHub stars. Four critical CVEs. 12% of its marketplace poisoned with malware. OpenClaw's rise to fame came with a security crisis that every AI agent user needs to understand.

Golden padlock sitting on top of a computer keyboard

OpenClaw went from zero to 135,000 GitHub stars faster than almost any project in history. The open-source AI agent—capable of executing shell commands, managing files, browsing the web, and controlling your digital life—captured developer imagination with its power and simplicity.

Then it all fell apart.

In the span of three weeks, security researchers uncovered four critical vulnerabilities, documented over 21,000 exposed instances, and discovered that 12% of the entire ClawHub marketplace had been poisoned with malware. The first major AI agent security crisis of 2026 was underway.

The One-Click Takeover: CVE-2026-25253

The most severe vulnerability, CVE-2026-25253, carries a CVSS score of 8.8 and enables complete remote takeover through a single malicious link.

Here’s how the attack works:

  1. A victim visits a webpage containing malicious JavaScript
  2. The script triggers OpenClaw’s Control UI, which blindly trusts a URL parameter called gatewayUrl
  3. OpenClaw automatically connects and sends the user’s authentication token to the attacker’s server
  4. The attacker uses the stolen token to open a direct WebSocket connection to the victim’s local OpenClaw instance—bypassing all firewall and localhost protections
  5. Using the API, the attacker disables security guardrails and forces commands to run on the host machine instead of inside Docker
  6. Full remote code execution achieved

The attack chain takes milliseconds. No user interaction required beyond visiting a single webpage.

By the time public disclosure occurred on February 3, over 40,000 OpenClaw instances had been found exposed on the internet, with 63% assessed as vulnerable to remote exploitation.

Three More Critical Flaws

CVE-2026-25253 wasn’t alone. Three additional high-severity vulnerabilities followed:

CVE-2026-24763 (CVSS 8.8): A command injection flaw in how OpenClaw handles Docker sandbox environment variables. Authenticated attackers can execute arbitrary commands and potentially escape the sandbox isolation that’s supposed to protect the host system.

CVE-2026-27001 (CVSS 8.6): Malicious directories containing Unicode control characters can be injected into agent prompts, enabling prompt injection attacks that hijack agent behavior and break instruction structure. Patched in version 2026.2.15.

ClawJacked: A localhost trust abuse vulnerability exploiting missing rate-limiting on WebSocket connections. Malicious websites can brute-force gateway passwords to take over local OpenClaw instances. Patched in version 2026.2.26.

The minimum safe version is now 2026.2.26 or later. Anything older is vulnerable to at least one of these attacks.

ClawHub: When the Marketplace Becomes the Attack Vector

While the CVEs were being patched, attackers had already moved to a different target: ClawHub, OpenClaw’s official skill marketplace.

Between January 27-29, threat actors uploaded 335 malicious skills to the registry. These weren’t obvious malware—they used professional documentation and innocuous names like “solana-wallet-tracker” to appear legitimate.

Security researchers eventually identified 341 compromised skills out of 2,857 total. That’s roughly 12% of the entire marketplace serving malware.

The malicious skills instructed users to run external code that installed:

  • Keyloggers on Windows systems
  • Atomic Stealer malware on macOS

If you installed any third-party OpenClaw skills between late January and early February 2026, assume compromise and audit your system.

The Moltbook Breach: 1.5 Million API Tokens Exposed

The security failures extended beyond OpenClaw itself. Moltbook, a social network built exclusively for OpenClaw agents, suffered a catastrophic database exposure.

Security researchers found a misconfigured Supabase database with Row Level Security disabled. The REST API exposed every agent’s secret API key, claim tokens, and verification codes. The Supabase URL and publishable key were visible in the website’s client-side JavaScript—anyone with browser developer tools could access the full database.

The result: 35,000 email addresses and 1.5 million agent API tokens left accessible to anyone who looked.

While the Moltbook team fixed the issue within hours of disclosure, the damage window remains unclear. If you connected an OpenClaw agent to Moltbook, rotate all associated API keys immediately.

Why This Matters Beyond OpenClaw

Cisco’s security researchers identified the fundamental problem: AI agents with system-level access create attack surfaces that don’t fit traditional security models.

OpenClaw can run shell commands, read and write files, browse the web, send emails, and manage calendars. This elevated privilege access becomes catastrophic when combined with:

  • Prompt injection via external content: Attackers embed malicious instructions in web pages, emails, or documents that the agent reads
  • Data exfiltration through messaging apps: Integration with WhatsApp and iMessage expands the attack surface
  • Supply chain vulnerabilities: Malicious skills gain popularity through manufactured hype before executing attacks
  • Shadow AI risk: Employees introduce unvetted high-risk agents under productivity pretenses, connecting them to corporate systems without security visibility

OpenClaw’s persistent memory feature makes this worse. The agent retains all accessed data—emails, calendar entries, Slack messages, OAuth tokens—meaning a single compromise can provide lateral access to every integrated service.

What You Should Do

If you’re running OpenClaw:

  1. Update immediately to version 2026.2.26 or later. All prior versions have known critical vulnerabilities.

  2. Audit installed skills. Check every third-party skill against the malicious skill list. When in doubt, remove it.

  3. Rotate credentials. If you ran any vulnerable version, assume credential exposure. Rotate API keys, OAuth tokens, and any secrets the agent could have accessed.

  4. Check Moltbook connection. If you connected to Moltbook at any point, rotate all associated credentials.

  5. Don’t expose to the internet. OpenClaw should never be publicly accessible. Use a VPN or firewall rules to restrict access to local networks only.

If you’re evaluating AI agents:

OpenClaw isn’t uniquely insecure—it’s just the first high-profile case. Every AI agent that can execute commands, access files, or integrate with external services carries similar risks.

Before deploying any AI agent:

  • Run it in an isolated environment without access to production credentials
  • Audit all marketplace extensions before installation
  • Treat agent outputs as untrusted input requiring validation
  • Monitor for unusual behavior like unexpected network connections or file access

Cisco released an open-source Skill Scanner tool that combines static analysis, behavioral inspection, semantic analysis, and VirusTotal checks to identify malicious skills. Use it.

The Broader Lesson

OpenClaw’s security crisis compressed months of lessons into weeks. We learned that:

  • Agentic AI systems create attack surfaces unlike anything in traditional software
  • Speed-to-market pressures lead to predictable security failures
  • Marketplace trust models fail catastrophically when 12% of packages are malware
  • The time between AI agent going viral and attackers targeting it is now measured in days

The Model Context Protocol crossed 97 million installs this month. Enterprise agentic deployments dominated NVIDIA GTC. AI agents are becoming infrastructure.

The security practices need to catch up. OpenClaw showed what happens when they don’t.