OpenClaw Security Risks: The AI Agent Threat Explained
Updated March 20, 2026: Added ClawHavoc final campaign data (1,184+ malicious skills), six new CVEs from Endor Labs (nine total), Snyk ToxicSkills research, OpenClaw security releases through v2026.2.26, VirusTotal partnership details, and broader AI agent ecosystem context.
OpenClaw is an open-source AI agent framework with over 250,000 GitHub stars that lets users install third-party "skills" from ClawHub to automate tasks on their devices. It is also the subject of one of the most significant AI security incidents of 2026.
Over 1,184 malicious skills have been identified on ClawHub (Antiy CERT, 2026). That is roughly one in five packages in the ecosystem. SecurityScorecard found 135,000 OpenClaw instances exposed to the public internet with insecure defaults (SecurityScorecard, 2026). Nine CVEs have been disclosed across multiple rounds, three with public exploit code enabling one-click remote code execution.

If your organisation has employees running AI agents on corporate devices, and statistically it does, this is not just another registry poisoning story. It is the npm supply chain problem with system-level permissions bolted on.
What Is OpenClaw?
OpenClaw (formerly known as Clawdbot and Moltbot) is an open-source AI agent framework that allows users to install "skills" from ClawHub, a community registry, to extend what the agent can do: manage files, run terminal commands, query APIs, automate workflows. The project crossed 215,000 GitHub stars in February 2026, up from 160,000 just three weeks earlier. OpenAI acqui-hired its creator, Peter Steinberger, in February, signalling that agent orchestration infrastructure is where the next competitive battleground sits.
The design philosophy prioritises capability over containment. OpenClaw agents typically operate with broad system permissions, including terminal access and full disk access, so they can execute tasks on the user's behalf. That permission model is the entire point of the tool. It is also the entire problem.
When a malicious skill gets loaded, it inherits those same system-wide permissions. One bad package gives an attacker the same access the agent itself has.
Is OpenClaw Safe to Use?
OpenClaw is not safe to run in its default configuration. Three architectural decisions create what security researcher Simon Willison calls the "lethal trifecta" for AI agents (Palo Alto Networks, 2026):
It has access to private data. OpenClaw can read files, access browser data, and interact with API keys stored in plaintext configuration files at ~/.clawdbot/.env and ~/.openclaw/credentials/.
It processes untrusted content. Skills installed from ClawHub execute with full system permissions. Snyk's ToxicSkills audit found that 36% of all ClawHub skills contain detectable prompt injection (Snyk, 2026). That untrusted content runs with the same privileges as the agent itself.
It can communicate externally. OpenClaw binds to 0.0.0.0:18789 by default in older versions, meaning it listens on all network interfaces including the public internet. SecurityScorecard identified 135,000 instances exposed this way (SecurityScorecard, 2026).
Any one of these would be a concern. Together, they create a tool that is vulnerable by design unless explicitly hardened.
The risk is not theoretical. Bitdefender's telemetry, drawn from business environments, confirms employees are deploying OpenClaw on corporate devices using single-line install commands with no security review and no SOC visibility (Bitdefender, 2026). Over 53,000 exposed instances have been correlated with prior breach activity.
OpenClaw has shipped significant security updates since these issues were identified (see OpenClaw Security Updates and VirusTotal Partnership below). Running the latest version with proper hardening reduces the risk substantially. But the default out-of-box experience remains dangerous for organisations that do not actively configure it.
OpenClaw Security Risks: From npm to AI Agent Supply Chain
If you have followed the npm supply chain attacks over the past year, the ClawHub attack patterns will look painfully familiar.
Typosquatting is already in play. Bitdefender identified the handle "aslaep123" mimicking the legitimate user "asleep123" to trick users into trusting malicious skills. The Shai-Hulud npm attack used the same technique to compromise over 796 packages in September 2025.
Registry poisoning at scale mirrors the npm ecosystem's struggles. A single ClawHub user, "hightower6eu," uploaded 354 malicious packages in an automated blitz (Bitdefender, 2026). VirusTotal has now analysed over 3,000 OpenClaw skills and found hundreds with malicious characteristics (VirusTotal, 2026).
Social engineering through install instructions follows the ClickFix pattern. The dominant campaign, codenamed ClawHavoc, uses fake error messages and verification requirements to trick users into pasting base64-encoded commands into their terminal. The technique is identical to the clipboard hijacking attacks that have been escalating across the broader threat landscape.
The critical difference is privilege. A compromised npm package runs code in the context of a Node.js process. A compromised OpenClaw skill runs code with whatever permissions the AI agent has been granted. In most deployments, that means terminal access, file system access, and stored API keys for services like OpenAI, Anthropic, and AWS.
The ClawHavoc Campaign: 1,184 Malicious Skills on ClawHub
What started as early reports of a few hundred malicious skills has been confirmed as one of the largest coordinated supply chain attacks targeting AI infrastructure.
Repello AI's threat research team traced 335 malicious skills to a single threat actor operating under a structured campaign, formally naming it ClawHavoc (Repello AI, 2026). Antiy CERT classified the associated malware as Trojan/OpenClaw.PolySkill and confirmed a total of 1,184 illicit skills across ClawHub (Antiy CERT, 2026). The campaign kicked off on January 27, 2026, surged on January 31, and malicious skills under variant package names remain discoverable on ClawHub as of publication.
Bitdefender's research identified four distinct attack campaigns:
ClawHavoc (300+ coordinated skills): Social engineering via fake error messages. Users paste a base64-encoded command that downloads Atomic Stealer (AMOS). Exfiltrates credentials, browser data, and crypto wallets.
AuthTool: Payload stays dormant until the user issues a specific prompt. A skill posing as a Polymarket data tool establishes a persistent reverse shell when triggered by a natural language query.
Hidden Backdoor: Executes during skill installation by displaying a fake "Apple Software Update" message while silently establishing an encrypted tunnel to the attacker's infrastructure.
Credential Exfiltration: Targets OpenClaw's own configuration files at ~/.clawdbot/.env, harvesting plain-text API keys for cloud services and AI platforms.
The AuthTool campaign is particularly concerning for enterprise environments. The malware activates only when the user interacts with the agent naturally. Traditional static analysis of the skill's code would not flag it because the malicious function sits inside an otherwise legitimate script.
What Snyk's ToxicSkills Research Found
Snyk's security researchers completed the first comprehensive security audit of the AI Agent Skills ecosystem, scanning 3,984 skills from ClawHub and skills.sh as of February 5, 2026 (Snyk, 2026).
The numbers are stark. 36% of all ClawHub skills contain detectable prompt injection. Snyk confirmed 1,467 malicious payloads through a combination of automated scanning and human review. Of the confirmed malicious samples, 91% combine prompt injection with traditional malware techniques. That convergence matters because it bypasses both AI safety mechanisms and conventional endpoint security tools that are not designed to catch both simultaneously.
Perhaps most concerning: 2.9% of skills dynamically fetch and execute content from external endpoints at runtime. The published skill appears benign during review, but attackers can modify behaviour at any time by updating the hosted content. The attack logic lives on attacker-controlled infrastructure rather than in the skill code itself.
Snyk released mcp-scan, a free tool for scanning both MCP servers and Agent Skills.
OpenClaw CVEs: Exposed Instances and Nine Vulnerabilities
The malicious skills problem was bad enough. The infrastructure vulnerabilities underneath are worse.
135,000 Exposed OpenClaw Instances
SecurityScorecard's STRIKE threat intelligence team published internet-wide scanning data in early February showing over 135,000 OpenClaw instances exposed to the public internet across 82 countries (SecurityScorecard, 2026). Bitsight independently observed over 30,000 exposed instances between January 27 and February 8, 2026 (Bitsight, 2026).
The root cause is a dangerous default: OpenClaw binds to 0.0.0.0:18789 out of the box, meaning it listens on all network interfaces including the public internet. For a tool with system-wide permissions, that default should be 127.0.0.1 (localhost only). It is not.
STRIKE's data showed over 15,000 instances vulnerable to remote code execution specifically, and more than 53,000 instances correlated with prior breach activity. Separately, Wiz researchers identified a misconfigured Supabase database belonging to Moltbook, the adjacent social network for OpenClaw agents, that exposed 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents (The Hacker News, 2026).
CVE-2026-25253, CVE-2026-25157, and CVE-2026-24763
Three high-severity CVEs disclosed by SecurityScorecard make exposed instances immediately exploitable. All three have public exploit code:
CVE-2026-25253 (CVSS 8.8): One-click remote code execution. An attacker crafts a malicious link that steals the authentication token and grants full control of the AI agent. This works even on instances configured to listen on localhost only because the victim's own browser initiates the connection. Discovered by Mav Levin (depthfirst).
CVE-2026-25157 (CVSS 7.8): SSH command injection in the macOS app via a malicious project path.
CVE-2026-24763 (CVSS 8.8): Docker sandbox escape through PATH manipulation. The sandbox that is supposed to contain the agent's actions can be bypassed entirely.
All three were patched in v2026.1.29 on January 29.
Six Additional CVEs Disclosed in February 2026
On February 18, Endor Labs published details of six additional vulnerabilities across moderate to high severity (Infosecurity Magazine, 2026):
CVE-2026-26322 (CVSS 7.6): Server-Side Request Forgery (SSRF) in OpenClaw's Gateway tool. Enables attackers to use the agent to scan or probe internal networks.
CVE-2026-26319 (CVSS 7.5): Missing Telnyx webhook authentication. Allows unauthenticated access to webhook endpoints.
CVE-2026-26329 (High severity): Path traversal in browser upload functionality.
Three additional vulnerabilities affecting the image tool (SSRF), Urbit authentication (SSRF), and Twilio webhook authentication were also disclosed. Endor Labs noted that traditional static application security testing (SAST) tools designed for web applications cannot identify issues in LLM-to-tool flows, conversation state management, and agent-specific trust boundaries.
Complete OpenClaw CVE Summary
| CVE | Severity | Type | Impact | Fixed In |
|---|---|---|---|---|
| CVE-2026-25253 | 8.8 Critical | One-click RCE | Full agent control via crafted link | v2026.1.29 |
| CVE-2026-24763 | 8.8 Critical | Docker sandbox escape | Container breakout via PATH manipulation | v2026.1.29 |
| CVE-2026-25157 | 7.8 High | Command injection | SSH command injection on macOS | v2026.1.29 |
| CVE-2026-26322 | 7.6 High | SSRF | Internal network scanning via Gateway | v2026.2.12 |
| CVE-2026-26319 | 7.5 High | Auth bypass | Unauthenticated Telnyx webhook access | v2026.2.12 |
| CVE-2026-26329 | High | Path traversal | Browser upload file access | v2026.2.12 |
| GHSA-56f2 | 7.6 High | SSRF | Image tool internal network access | v2026.2.12 |
| GHSA-pg2v | 6.5 Medium | SSRF | Urbit authentication bypass | v2026.2.12 |
| Twilio bypass | 6.5 Medium | Auth bypass | Webhook authentication bypass | v2026.2.12 |
Sources: SecurityScorecard STRIKE Team, Endor Labs (February 2026)
OpenClaw Security Updates and VirusTotal Partnership
OpenClaw has shipped significant security updates since the initial disclosures.
Security Releases
Version 2026.2.12 fixed over 40 vulnerabilities, including mandatory authentication for browser control (previously linked to one-click RCE), strict SSRF deny policies for URL-based requests, and treating all browser and web tool outputs as untrusted data to reduce prompt injection risk.
Version 2026.2.23 added HTTP security headers including HSTS, hardened session management, and critically shifted the browser SSRF policy to "trusted-network" mode by default, requiring explicit configuration for private network access. A new external secrets management workflow (openclaw secrets audit, configure, apply, reload) reduces the risk of plaintext credential storage.
Version 2026.2.26 is the latest release as of March 1, 2026. Onboarding now includes explicit security notices that OpenClaw is "personal-by-default" with a single trusted operator boundary, and that shared or multi-user setups require explicit hardening.
VirusTotal Partnership for Skill Scanning
OpenClaw has partnered with VirusTotal to scan all skills uploaded to ClawHub. Skills are now hashed, checked against VirusTotal's database, and analysed using VirusTotal Code Insight. The scanning pipeline works as follows:
- Malicious skills are blocked from download
- Skills flagged as suspicious display a warning label
- All active skills are re-scanned daily
- VirusTotal has analysed over 3,000 OpenClaw skills to date (VirusTotal, 2026)
OpenClaw's maintainers acknowledged this is not comprehensive. Cleverly concealed prompt injection payloads may still slip through static analysis. The platform has also committed to publishing a full threat model, security roadmap, and formal vulnerability reporting process.
For security teams, the VirusTotal integration and security releases are meaningful progress. But Endor Labs' assessment is worth noting: they disclosed seven vulnerabilities in total and it is unclear whether all have been patched. The fundamental architecture challenge, an agent framework that requires broad system permissions, remains.
Want to go deeper on supply chain security? See our npm vulnerability scanning guide for hands-on detection techniques that apply to agent ecosystems too.
Not Just OpenClaw: Claude Code, MCP, and Broader Agent Risks
This is not an OpenClaw-specific problem. The same week these skills were being weaponised, Check Point Research published critical vulnerabilities in Anthropic's Claude Code (CVE-2025-59536, CVSS 8.7 and CVE-2026-21852, CVSS 5.3) that allowed remote code execution and API key theft through malicious repository configuration files. The attack vector is structurally identical: open a repository containing a poisoned configuration file and malicious commands execute before the user sees a trust prompt.
Snyk's research confirmed that the same malicious skills distributed via ClawHub also target Cursor and other agent platforms that support installable skills. The Agent Skills format is increasingly portable across ecosystems, which means a malicious skill is a distribution mechanism that can travel across any agent framework supporting the same standard.
The Coalition for Secure AI (CoSAI) released a comprehensive MCP Security whitepaper in January 2026 identifying 12 core threat categories and nearly 40 distinct threats specific to Model Context Protocol deployments (CoSAI, 2026). Cisco's State of AI Security 2026 found that while most organisations planned to deploy agentic AI, only 29% reported being prepared to secure those deployments (Cisco, 2026).
1Password's security team published an analysis that nailed the core issue: in agent ecosystems, the line between reading instructions and executing them collapses. "Skills" in the Agent Skills format are essentially markdown files that become installers. A SKILL.md with "prerequisites" that ask users to run terminal commands looks like documentation but functions as a malware delivery path.
Shadow AI: Why OpenClaw Is an Enterprise Security Problem
Bitdefender's telemetry, drawn specifically from business environments, confirms what most security teams suspect: employees are deploying OpenClaw on corporate devices using single-line install commands. No approval process. No security review. No visibility for the SOC.
This is Shadow AI in its most dangerous form. The AI Acceptable Use Policy guide covers why governance matters here, but the short version is this: 63% of organisations that experienced AI-related breaches lacked AI governance policies (IBM, 2025). OpenClaw on a managed endpoint with broad permissions and a malicious skill installed is not a hypothetical risk. Bitdefender is seeing it in production.
What Security Teams Should Do Now
1. Discover and inventory. Run an endpoint query to find OpenClaw installations. Bitdefender recommends using osquery:
```sql
-- osquery: list running processes whose name contains "openclaw"
SELECT pid, name, path, cmdline FROM processes WHERE name LIKE '%openclaw%';
```
Treat any discovery as a potential incident requiring investigation.
2. Check for internet exposure immediately. If OpenClaw is running in your environment, verify the network binding. If it is set to 0.0.0.0:18789 (the default on older versions), it is listening on all interfaces including the public internet. Change the binding to 127.0.0.1 at minimum. Better yet, place it behind a firewall or VPN (see the note at the end).
3. Update to v2026.2.26 or later. Multiple rounds of CVEs have been disclosed since January, including three with public exploit code enabling one-click RCE. Version 2026.2.12 fixed over 40 vulnerabilities. Version 2026.2.23 added critical security hardening. This is not a "patch when convenient" situation.
4. Run openclaw security audit --deep. If you installed any skills from ClawHub before mid-February 2026, this command checks for known malicious skill indicators. Snyk's mcp-scan tool provides additional coverage for both MCP servers and Agent Skills.
5. Update your AI Acceptable Use Policy. If your policy does not explicitly address locally installed AI agent frameworks, it has a gap. OpenClaw is different from browser-based AI tools because it executes code directly on the host operating system. The AI Acceptable Use Policy guide covers the governance fundamentals.
6. Block or monitor ClawHub traffic. Add ClawHub domains to your web proxy monitoring. If outright blocking is too aggressive for your environment, at minimum alert on downloads from the registry so your security team has visibility.
7. Rotate any potentially exposed credentials. If OpenClaw has been running with stored API keys in ~/.clawdbot/.env or ~/.openclaw/credentials/, assume those credentials may be compromised. Rotate API keys for OpenAI, Anthropic, AWS, and any other connected services. OpenClaw's new external secrets management workflow (openclaw secrets audit) can help identify what is exposed.
8. Treat this like any supply chain risk. The same principles that protect your npm dependencies apply here: vet packages before installation, monitor for unexpected network connections, and audit what permissions your tools actually need versus what they request.
9. Brief your teams. The social engineering in these campaigns is effective precisely because users trust their AI assistant. A skill that says "run this command to fix a compatibility issue" feels different from a phishing email, but the outcome is identical. The ClickFix attack pattern uses the same psychological lever.
Audit Network Binding and Origin Validation
If OpenClaw is running in your environment, verify the network binding immediately.
- The 0.0.0.0 Risk: If set to 0.0.0.0:18789 (the pre-patch default), the gateway is listening on all interfaces, including the public internet. Change this to 127.0.0.1 immediately.
- The Localhost Fallacy (CVE-2026-25253): Do not assume 127.0.0.1 is a sandbox. This CVE proved that a malicious website can use a victim's own browser to "hop" onto the local gateway via WebSocket hijacking.
- The True Fix: Binding to localhost is only safe if you also enforce Origin Validation (introduced in v2026.1.29). Ensure ALLOW_ORIGIN is restricted to your specific UI domain and enable Mandatory Pairing Codes to prevent unauthorised browser-to-agent coupling.
Note: For enterprise deployments, loopback binding is a "Level 1" control. True hardening requires placing the agent behind a Zero Trust API Broker or a VPN, ensuring the management port is never reachable by an unauthenticated browser session.
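Steps 1, 2 and 7 of the checklist and the binding audit just described can be scripted so the same check runs on every host. The script below is an added example, not code from the article or the OpenClaw project; it assumes POSIX sh or bash with pgrep and either ss or netstat, and takes the port 18789 and the credential paths from the article. It classifies every listener on the gateway port as loopback or exposed and reports credential stores without printing their contents.

```shell
#!/usr/bin/env bash
# Added example (not from the article or the OpenClaw project): host-side audit
# for steps 1, 2 and 7 and the binding check above. Assumptions: POSIX sh/bash
# with pgrep and either `ss` or `netstat`; port 18789 and the credential paths
# are the ones the article names.

OPENCLAW_PORT=18789

# Step 1: list processes whose full command line mentions openclaw.
find_processes() {
  pgrep -fl openclaw 2>/dev/null || echo "no openclaw process found"
}

# classify_listener LINE -> "exposed", "loopback" or "none".
# LINE is one row of `ss -tlnp` or `netstat -tlnp`; in both tools the
# fourth column is the local address:port.
classify_listener() {
  local local_addr
  local_addr=$(printf '%s\n' "$1" | awk '{print $4}')
  case "$local_addr" in
    *:"$OPENCLAW_PORT") ;;               # gateway port: keep classifying
    *) echo none; return 0 ;;            # some other service: ignore
  esac
  case "$local_addr" in
    127.0.0.1:*|\[::1\]:*|::1:*) echo loopback ;;  # host-only; still enforce origin validation (CVE-2026-25253)
    *) echo exposed ;;                   # 0.0.0.0, :::, * or a NIC address: reachable off-host
  esac
}

# Step 2: read listener rows on stdin, print a verdict for each gateway-port row.
audit_listeners() {
  local line verdict
  while IFS= read -r line; do
    verdict=$(classify_listener "$line")
    [ "$verdict" = none ] && continue
    printf '%-8s %s\n' "$verdict" "$line"
  done
  return 0
}

# Count exposed gateway rows in a listing on stdin (0 is the goal).
count_exposed() {
  audit_listeners | grep -c '^exposed' || true
}

# Step 7: report credential stores passed as arguments without printing
# their contents: count KEY=value lines in a file, or files in a directory.
check_credentials() {
  local p n
  for p in "$@"; do
    if [ -f "$p" ]; then
      n=$(grep -cE '^[A-Za-z_][A-Za-z0-9_]*=' "$p" || true)
      echo "$p: $n key/value line(s) in plaintext; rotate these credentials"
    elif [ -d "$p" ]; then
      n=$(find "$p" -type f | wc -l | tr -d ' ')
      echo "$p: $n file(s); rotate any keys stored here"
    else
      echo "$p: not present"
    fi
  done
}

# Constructed sample `ss -tlnp` rows for the demo; not real telemetry.
SAMPLE_LISTING='LISTEN 0 511 0.0.0.0:18789 0.0.0.0:* users:(("node",pid=4242,fd=19))
LISTEN 0 511 127.0.0.1:18789 0.0.0.0:* users:(("node",pid=4243,fd=19))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=900,fd=7))'

live_listing() {
  if command -v ss >/dev/null 2>&1; then ss -tlnp; else netstat -tlnp 2>/dev/null; fi
}

if [ "${1:-}" = "--live" ]; then
  find_processes
  live_listing | audit_listeners
  check_credentials "$HOME/.clawdbot/.env" "$HOME/.openclaw/credentials"
else
  printf '%s\n' "$SAMPLE_LISTING" | audit_listeners
  echo "exposed gateway listeners in sample: $(printf '%s\n' "$SAMPLE_LISTING" | count_exposed)"
fi
```

Run with --live on a host to audit it; without arguments it runs against the constructed sample, where only the first row should be reported as exposed.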
Frequently Asked Questions
Is OpenClaw dangerous?
OpenClaw poses significant security risks in its default configuration. Over 1,184 malicious skills have been found on ClawHub, 135,000 instances were found exposed to the public internet, and nine CVEs have been disclosed including three with public exploit code enabling remote code execution. With proper hardening and the latest updates (v2026.2.26+), the risk is substantially reduced.
What is ClawHavoc?
ClawHavoc is a coordinated supply chain attack campaign that planted over 1,184 malicious skills across the ClawHub marketplace targeting OpenClaw users. The campaign uses three primary techniques: prompt injection embedded in skill descriptor files, hidden reverse shell scripts, and credential exfiltration from configuration files. Antiy CERT classified the associated malware as Trojan/OpenClaw.PolySkill.
How many OpenClaw instances are exposed to the internet?
SecurityScorecard's STRIKE team identified over 135,000 OpenClaw instances exposed to the public internet as of February 2026, with over 15,000 specifically vulnerable to remote code execution. Bitsight independently observed over 30,000 exposed instances. The root cause is OpenClaw's default binding to 0.0.0.0:18789, which listens on all network interfaces.
How do I check if my OpenClaw instance is exposed?
Run netstat -tlnp | grep 18789 on the host. If the binding shows 0.0.0.0:18789, the instance is listening on all interfaces including the public internet. Change this to 127.0.0.1:18789 immediately.
What version of OpenClaw should I be running?
Version 2026.2.26 is the latest as of March 1, 2026. At minimum, update to 2026.2.12 which fixed over 40 vulnerabilities, or ideally 2026.2.23 which added critical security hardening including HSTS headers, SSRF policy changes, and external secrets management.
What is the lethal trifecta for AI agents?
A framework coined by security researcher Simon Willison describing when an AI agent has access to private data, processes untrusted content, and can communicate externally. Any tool with all three characteristics is vulnerable by design. OpenClaw has all three in its default configuration.
Are the malicious skills still on ClawHub?
As of late February 2026, Repello AI confirmed that ClawHavoc skills remain discoverable on ClawHub under variant package names and that the core campaign infrastructure is still active. Eight malicious skills from Snyk's confirmed dataset were also still publicly available at the time of Snyk's publication. The VirusTotal partnership has blocked many known malicious skills from download.
The Bigger Picture
The OpenClaw security story is one thread in a much larger shift happening right now across AI security. In the same two-week window, Claude Code had critical RCE vulnerabilities through repository config files, over 8,000 MCP servers were found exposed on the public internet, Kali Linux shipped an official MCP integration for AI-assisted pentesting, and the Coalition for Secure AI published its first comprehensive threat model for agent deployments.
The common thread is the trust model that AI agent frameworks create. We are covering the full picture in an upcoming article on securing AI agents, MCP, and what the February 2026 security crisis means for practitioners.
Last updated: March 1, 2026
References and Sources
- Antiy CERT. (2026). ClawHavoc Campaign Analysis. Classification of Trojan/OpenClaw.PolySkill. Confirmed 1,184 malicious skills across ClawHub with three primary attack vectors.
- Bitdefender Labs (Zugec, M.). (2026). Technical Advisory: OpenClaw Exploitation in Enterprise Networks. Analysis of ~400 malicious ClawHub packages across four attack campaigns. Nearly 900 malicious skills identified via AI Skills Checker.
- Koi Security (Yomtov, O.). (2026). ClawHub Malicious Skills Audit. Security audit of 2,857 ClawHub skills identified 341 malicious entries, 335 tied to the ClawHavoc campaign delivering Atomic Stealer.
- Repello AI. (2026). ClawHavoc: Inside the Supply Chain Attack That Targeted 300,000 AI Agent Users. Formal campaign analysis tracing 335 coordinated skills to a single threat actor.
- Snyk. (2026). ToxicSkills: Malicious AI Agent Skills Supply Chain Compromise. Comprehensive audit of 3,984 skills from ClawHub and skills.sh. 36% prompt injection rate. 1,467 malicious payloads confirmed. 91% of malicious samples combine prompt injection with traditional malware.
- VirusTotal. (2026). From Automation to Infection: How OpenClaw AI Agent Skills Are Being Weaponized. Analysis of 3,016+ OpenClaw skills. Single user "hightower6eu" linked to 314+ malicious packages.
- SecurityScorecard STRIKE Team. (2026). Beyond the Hype: Moltbot's Real Risk Is Exposed Infrastructure, Not AI Superintelligence. Internet-wide scanning identified 135,000+ exposed OpenClaw instances across 82 countries, 15,200+ vulnerable to RCE. Three high-severity CVEs with public exploit code. Live tracking at declawed.io.
- Bitsight. (2026). OpenClaw Security: Risks of Exposed AI Agents Explained. Independent observation of 30,000+ exposed instances between January 27 and February 8, 2026. 63% of observed deployments flagged as vulnerable.
- Endor Labs. (2026). Six New OpenClaw Vulnerabilities. Disclosure of CVE-2026-26322 (SSRF, CVSS 7.6), CVE-2026-26319 (webhook auth bypass, CVSS 7.5), CVE-2026-26329 (path traversal), plus three additional vulnerabilities. Published February 18, 2026.
- Check Point Research (Donenfeld, A. & Vanunu, O.). (2026). Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files. CVE-2025-59536 (CVSS 8.7) and CVE-2026-21852 (CVSS 5.3) in Anthropic's Claude Code.
- 1Password. (2026). From Magic to Malware: How OpenClaw's Agent Skills Become an Attack Surface. Analysis of agent skills as markdown-based installers.
- Coalition for Secure AI (CoSAI). (2026). Model Context Protocol (MCP) Security White Paper. 12 core threat categories and nearly 40 distinct threats. Released January 27, 2026.
- Cisco. (2026). State of AI Security 2026. 29% of organisations reported being prepared to secure agentic AI deployments.
- Palo Alto Networks. (2026). OpenClaw threat analysis referencing "lethal trifecta" of AI agent risks: private data access, untrusted content exposure, and external communication capability.
- IBM Security. (2025). Cost of a Data Breach Report 2025. 63% of breached organisations lacked AI governance policies. Shadow AI in 20% of breaches added $670,000 to costs.
- Infosecurity Magazine. (2026). Researchers Reveal Six New OpenClaw Vulnerabilities. Coverage of Endor Labs findings. Published February 27, 2026.
- The Hacker News (Lakshmanan, R.). (2026). OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills. VirusTotal partnership details. Moltbook Supabase database exposure of 1.5M API tokens and 35K email addresses (Wiz research).