OpenClaw's explosive growth—250K GitHub stars in 60 days—created the largest AI agent supply chain attack surface in history. CVE-2026-25253 enabled one-click RCE on 17,500+ exposed instances. Bitdefender found 824+ malicious skills on ClawHub (20% of the registry), mostly installing the AMOS infostealer. Defense requires isolation-first deployment (never run on your daily driver), allowlist-only skill installation, network segmentation, and treating every OpenClaw instance as untrusted code execution—exactly as Microsoft recommended.
Last week, I got a message from a client's CTO: "We've got three teams running OpenClaw internally. Should we be worried?" My answer was immediate—yes, and here's why I spent the next two hours on a call walking through their exposure.
OpenClaw went from zero to 250,829 GitHub stars in roughly 60 days, surpassing React's decade-long record on March 3, 2026. It's a genuinely impressive piece of software—a local-first, privacy-focused agentic AI framework that automates real tasks across WhatsApp, Telegram, Slack, Discord, and 20+ other platforms. Peter Steinberger, the Austrian developer behind it, got hired by OpenAI within weeks of launch. Sam Altman called him "a genius with a lot of amazing ideas about the future of very smart agents."
But that meteoric growth created the largest AI agent supply chain attack surface we've ever seen. And the security community's findings have been devastating.
CVE-2026-25253: One-Click Remote Code Execution
The first major crack appeared on January 26, 2026, when researcher Mav Levin publicly disclosed CVE-2026-25253—a one-click remote code execution vulnerability with a CVSS score of 8.8.
The attack was elegant in its simplicity. OpenClaw's Gateway Control UI accepts a gatewayUrl parameter from the query string and automatically establishes a WebSocket connection to it—without prompting the user. An attacker crafts a malicious URL, tricks a victim into clicking it, and the browser silently sends the victim's authentication token to the attacker's server. Full remote code execution follows.
The exposure was staggering:
Independent researchers verified that 93.4% of exposed instances had authentication bypass vulnerabilities. And CVE-2026-25253 wasn't alone—512 total vulnerabilities have been discovered across the platform, with 8 rated critical or severe, including remote command execution (CVE-2026-25157), command injection (CVE-2026-24763), SSRF, Discord privilege escalation, and webhook path traversal.
A patch landed on January 30 in version 2026.1.29. But given the project's viral adoption speed, thousands of instances were already deployed and unpatched.
| Source | Exposed Instances | Date |
|---|---|---|
| Hunt.io | 17,500+ | January 2026 |
| Bitsight | 30,000+ | Jan–Feb 2026 |
| SecurityScorecard STRIKE | 42,900 across 82 countries | February 2026 |
| Censys growth tracking | 1,000 → 21,000+ | January 25–31 alone |
ClawHub: When 20% of Your Plugin Registry Is Malware
If the RCE vulnerability was the crack in the foundation, ClawHub—OpenClaw's community skill registry—was the open door.
Koi Security conducted the first systematic audit and found 341 malicious skills out of 2,857 on the registry. Of those, 335 traced back to a single coordinated campaign they named ClawHavoc. The operation was industrial in scale: one threat actor, "hightower6eu," uploaded 354 malicious packages. Another, "sakaen736jih," submitted 199 skills—one every few minutes, clearly automated.
Every ClawHavoc skill used the same playbook: fake prerequisite installations that silently deployed Atomic macOS Stealer (AMOS), a known infostealer that harvests passwords, browser cookies, crypto wallets, and macOS Keychain data. A Windows variant packed with VMProtect included RAT capabilities.
As the registry grew, so did the problem. By mid-February, ClawHub had expanded to 10,700+ skills, and Bitdefender identified 824+ malicious entries—roughly 20% of the entire registry. Their breakdown of malicious skill categories:
Snyk's separate analysis found an additional 283 skills (7.1%) leaking credentials in plaintext. And a breach of the associated Moltbook platform exposed 35,000 email addresses and 1.5 million agent tokens.
This isn't a theoretical risk. If your team installed an OpenClaw skill from ClawHub without reviewing its source code, there's a meaningful probability it compromised your environment.
| Category | Percentage |
|---|---|
| Crypto-focused (wallet drainers, fake trading tools) | 54% |
| Social media targeting (credential harvesting) | 24% |
| Maintenance/updater tools (persistent access) | 17% |
| Productivity tool impersonation | 5% |
The Industry Response: From Managed Services to Government Bans
The security fallout triggered a rapid cascade of institutional responses.
AWS launched Managed OpenClaw on Lightsail—a one-click blueprint pre-configured with Amazon Bedrock (defaulting to Claude Sonnet 4.6) and automated IAM role creation. It's a direct acknowledgment that self-hosted OpenClaw deployments were too dangerous for most teams to configure securely.
Microsoft published explicit security guidance on February 19, 2026, with a blog post titled "Running OpenClaw Safely: Identity, Isolation, and Runtime Risk." Their key statement was unambiguous: OpenClaw "should be treated as untrusted code execution with persistent credentials" and is "not appropriate to run on a standard personal or enterprise workstation." They recommended full isolation—dedicated VM, non-privileged credentials, access only to non-sensitive data.
Government and corporate restrictions followed:
At Particula Tech, we've been advising clients on securing AI systems handling sensitive data for years. What makes the OpenClaw situation uniquely dangerous is the combination of three factors: explosive adoption velocity, a community registry with no meaningful vetting, and an agent architecture designed to take autonomous actions across critical infrastructure.
Why Agent Security Is Fundamentally Different
Traditional software vulnerabilities are serious but bounded. A compromised npm package might exfiltrate environment variables. A malicious browser extension might steal cookies. But a compromised AI agent skill? It inherits the agent's full permission surface—and modern agents are designed to act autonomously across email, messaging, file systems, APIs, and cloud infrastructure.
This is the lesson we keep reinforcing with clients who are building role-based access control for AI applications: the blast radius of a compromised agent is fundamentally larger than a compromised library. An agent doesn't just have access to data—it has the ability to act on that data, send messages, modify files, and execute code.
OpenClaw's architecture amplifies this risk because it's designed for cross-platform automation. A single compromised skill can:
The sandbox escape research is particularly concerning. Academic analysis found that sandbox defenses against malicious skills have only a 17% average defense rate across all AI backends. Even Claude—one of the more robust models—defended against only 33% of sandbox escape attempts.
Defense Patterns That Actually Work
If you're running OpenClaw (or any autonomous agent framework), here's the defense-in-depth architecture we recommend to clients. These patterns apply broadly—we used similar approaches when helping clients protect against prompt injection attacks and during AI penetration testing engagements.
# Deploy OpenClaw in a dedicated, ephemeral container docker run -d \ --name openclaw-isolated \ --network openclaw-net \ --memory 2g \ --cpus 1.5 \ --read-only \ --tmpfs /tmp:size=500m \ --security-opt no-new-privileges \ -e OPENCLAW_GATEWAY_AUTH=true \ -e OPENCLAW_ALLOWED_SKILLS="core-only" \ openclaw/openclaw:2026.3.latest
# Example: restrict OpenClaw's outbound network access # Only allow connections to approved API endpoints iptables -A OUTPUT -p tcp -d api.openai.com --dport 443 -j ACCEPT iptables -A OUTPUT -p tcp -d api.anthropic.com --dport 443 -j ACCEPT iptables -A OUTPUT -p tcp -d your-internal-api.com --dport 443 -j ACCEPT iptables -A OUTPUT -p tcp --dport 443 -j DROP # Block all other HTTPS iptables -A OUTPUT -p tcp --dport 80 -j DROP # Block all HTTP
1. Isolation-First Deployment
Never run an autonomous agent on your daily-driver machine or a standard workstation. Full stop. Key constraints:
- Read-only filesystem with tmpfs for runtime data
- Memory and CPU limits to contain resource abuse
- No privilege escalation via security options
- Dedicated network isolated from your internal systems
2. Skill Allowlisting and Vetting
OpenClaw now integrates VirusTotal scanning for ClawHub skills, but automated scanning catches only known signatures. For production deployments:
- Allowlist mode only: Block all skills by default, explicitly approve each one
- Manual code review: Check every skill for
exec,execSync,child_process, environment variable harvesting, and network requests to unknown endpoints - Pin skill versions: Never auto-update skills without re-reviewing the diff
- Monitor runtime behavior: Log all system calls and network connections from skill processes
3. Network Segmentation
This prevents malicious skills from phoning home to attacker-controlled servers. Legitimate agent operations should go through a controlled proxy with request logging.
4. Credential Isolation
Never give an agent your primary credentials for any service. Create dedicated, scoped service accounts:
- Messaging platforms: Bot accounts with minimal permissions (no admin, no channel management)
- Cloud services: IAM roles with explicit deny rules for destructive operations
- Databases: Read-only connections unless writes are specifically required for the use case
- API keys: Scoped to the minimum required endpoints, with rate limits and spend caps
5. Monitoring and Circuit Breakers
Implement runtime monitoring that can kill agent processes when anomalous behavior is detected: The Cloud Security Alliance's MAESTRO threat model—published February 20, 2026—provides a comprehensive 7-layer framework for this. It's the most thorough treatment of agent security architecture I've seen to date.
- Unusual outbound connections: Any connection to an IP or domain not on the allowlist
- File system access outside workspace: Reads or writes to paths outside the designated workspace root
- Credential access patterns: Any attempt to read
.envfiles, keychains, or browser storage - Rate anomalies: Sudden spikes in API calls, message sends, or file operations
What This Means for the AI Agent Ecosystem
OpenClaw's security crisis isn't an indictment of the project itself—it's a preview of what happens when agent frameworks achieve mass adoption before security infrastructure catches up. The same attack patterns will appear in every popular agent ecosystem. ClawHub is today's target; tomorrow it could be any agent marketplace.
The fundamental problem is that AI agent security requires a different mental model than traditional application security. When we audit AI systems for clients, the attack surface isn't just the code—it's the agent's reasoning, its tool access, its permission boundaries, and every third-party integration in its skill graph.
Three things need to happen industry-wide:
The Bottom Line
OpenClaw is a remarkable piece of software that grew faster than its security posture could keep up. If you're using it—or any agent framework—the defense patterns above aren't optional. Treat every agent deployment as untrusted code execution until you've proven otherwise.
If your organization is deploying autonomous AI agents and needs help building the security architecture to do it safely, reach out to our team. We've been through enough AI penetration testing engagements to know exactly where agent deployments break—and how to make sure yours doesn't.
Frequently Asked Questions
Quick answers to common questions about this topic
CVE-2026-25253 is a critical one-click remote code execution vulnerability (CVSS 8.8) discovered in OpenClaw before version 2026.1.29. An attacker tricks a victim into clicking a malicious URL that redirects to the OpenClaw Gateway Control UI with a manipulated gatewayUrl parameter. The browser silently sends the victim's authentication token to the attacker's server, enabling full remote code execution. Over 17,500 internet-exposed instances were vulnerable before the patch.
