OpenClaw Security Risks: Malicious Skills, Exposed Instances and Real Exploits

Latest updates (March 2026): NemoClaw announced, CVE count now 60+, and independent analysis using Censys identified 63,070 live instances alongside new critical disclosures.

OpenClaw is an open-source AI agent framework that lets users install third-party skills from ClawHub to automate tasks on their devices. It is also at the centre of one of the most significant AI security incidents of 2026.

Over 1,184 malicious skills have been identified on ClawHub, while independent audits found roughly one in twelve packages carrying malicious payloads as the registry scaled past 13,700 skills.

The February figure of 135,000 exposed instances was accurate at the time. By late March, analysis using Censys application-layer fingerprinting identified 63,070 live instances. This reduction reflects decreased public exposure, not a fix for OpenClaw’s underlying security model.

For a full breakdown of the exposure trend and methodology, see What Censys’s OpenClaw Count Reveals That February’s Headlines Did Not.

More than 60 CVEs and 60 GHSAs have now been disclosed across multiple waves, including critical vulnerabilities with public proof-of-concept code.

If your organisation has employees running AI agents on corporate devices, this is not just another registry poisoning story. It is the supply chain problem combined with system-level permissions, exposed infrastructure, and stored credentials. As Dr Claire Knight puts it, autonomy without accountability quickly becomes operational risk.

If your organisation has employees running AI agents on corporate devices, this is not just another registry poisoning story. It is the supply chain problem combined with system-level permissions, exposed infrastructure, and stored credentials.

OpenClaw Security Status

OpenClaw has shipped significant security updates since the initial disclosures.

Current Status (April 2026)

• Latest stable version: 2026.4.2
• 60+ CVEs and GHSAs disclosed across multiple waves
• Multiple critical vulnerabilities (including RCE and privilege escalation)
• Active hardening improvements (auth, sandboxing, secrets handling)
• Default configurations still unsafe without manual hardening

For official releases and updates, see the OpenClaw GitHub releases page.

What Recent Updates Have Addressed

Recent OpenClaw releases have focused on:

• Authentication and session hardening (mandatory browser authentication, pairing controls)
• Network security improvements (SSRF protections, origin validation, rate limiting)
• Sandbox and execution controls (shell approval fixes, container escape patches)
• Secrets management (removal of plaintext credential storage)
• Multiple high-severity vulnerabilities patched across March and April releases

For example, CVE-2026-32922 (CVSS 9.9) exposed a privilege escalation flaw that allowed full system access through token scope misuse.

VirusTotal Partnership for Skill Scanning

OpenClaw has partnered with VirusTotal to scan all skills uploaded to ClawHub.

The scanning pipeline works as follows:

• Malicious skills are blocked from download
• Suspicious skills display warning labels
• All active skills are re-scanned daily

VirusTotal has analysed over 3,000 OpenClaw skills to date (VirusTotal, 2026).

This is a meaningful improvement, but not a complete solution. Prompt injection payloads and dynamically loaded content can still evade static analysis.

Endor Labs noted that multiple vulnerabilities remain unresolved or unclear in patch coverage. The core architectural issue remains unchanged: OpenClaw requires broad system permissions, which amplifies the impact of any compromise.

What Security Teams Should do Now

1. Discover and inventory. Run an endpoint query to find OpenClaw installations. Bitdefender recommends using osquery:

SELECT pid, name, path, cmdline FROM processes WHERE name LIKE '%openclaw%';

Treat any discovery as a potential incident requiring investigation.

2. Check for internet exposure immediately. If OpenClaw is running in your environment, verify the network binding. If it is set to 0.0.0.0:18789 (the default on older versions), it is listening on all interfaces including the public internet. Change the binding to 127.0.0.1 at minimum. Better yet, place it behind a firewall or VPN (see note at the end)

3. Update to the latest verison. Multiple rounds of CVEs have been disclosed since January, including privilege escalations and three with public exploit code enabling one-click RCE. The latest version can be found on the github repo. added critical security hardening. This is not a "patch when convenient" situation.

4. Run openclaw security audit --deep. If you installed any skills from ClawHub before mid-February 2026, this command checks for known malicious skill indicators. Snyk's mcp-scan tool provides additional coverage for both MCP servers and Agent Skills.

5. Update your AI Acceptable Use Policy. If your policy does not explicitly address locally installed AI agent frameworks, it has a gap. OpenClaw is different from browser-based AI tools because it executes code directly on the host operating system. The AI Acceptable Use Policy guide covers the governance fundamentals.

6. Block or monitor ClawHub traffic. Add ClawHub domains to your web proxy monitoring. If outright blocking is too aggressive for your environment, at minimum alert on downloads from the registry so your security team has visibility.

7. Rotate any potentially exposed credentials. If OpenClaw has been running with stored API keys in ~/.clawdbot/.env or ~/.openclaw/credentials/, assume those credentials may be compromised. Rotate API keys for OpenAI, Anthropic, AWS, and any other connected services. OpenClaw's new external secrets management workflow (openclaw secrets audit) can help identify what is exposed.

8. Treat this like any supply chain risk. The same principles that protect your npm dependencies apply here: vet packages before installation, monitor for unexpected network connections, and audit what permissions your tools actually need versus what they request.

9. Brief your teams. The social engineering in these campaigns is effective precisely because users trust their AI assistant. A skill that says "run this command to fix a compatibility issue" feels different from a phishing email, but the outcome is identical. The ClickFix attack pattern uses the same psychological lever.

Audit Network Binding and Origin Validation

If OpenClaw is running in your environment, verify the network binding immediately.

• The 0.0.0.0 Risk: If set to 0.0.0.0:18789 (the pre-patch default), the gateway is listening on all interfaces, including the public internet. Change this to 127.0.0.1 immediately.
• The Localhost Fallacy (CVE-2026-25253): Do not assume 127.0.0.1 is a sandbox. This CVE proved that a malicious website can use a victim’s own browser to "hop" onto the local gateway via WebSocket hijacking.
• The True Fix: Binding to localhost is only safe if you also enforce Origin Validation (introduced in v2026.1.29). Ensure ALLOW_ORIGIN is restricted to your specific UI domain and enable Mandatory Pairing Codes to prevent unauthorised browser-to-agent coupling.

Note: For enterprise deployments, loopback binding is a "Level 1" control. True hardening requires placing the agent behind a Zero Trust API Broker or a VPN, ensuring the management port is never reachable by an unauthenticated browser session.

What is OpenClaw?

OpenClaw (formerly known as Clawdbot and Moltbot) is an open-source AI agent framework that allows users to install "skills" from ClawHub, a community registry, to extend what the agent can do: manage files, run terminal commands, query APIs, automate workflows. The project crossed 250,000 GitHub stars within weeks of launch and has since reached 347,000. OpenAI acqui-hired its creator, Peter Steinberger, in February while the project transitioned to an independent foundation.

The design philosophy prioritises capability over containment. OpenClaw agents typically operate with broad system permissions, including terminal access and full disk access, so they can execute tasks on the user's behalf. That permission model is the entire point of the tool. It is also the entire problem.

When a malicious skill gets loaded, it inherits those same system-wide permissions. One bad package gives an attacker the same access the agent itself has.

Is OpenClaw Safe to Use?

OpenClaw is not safe to run in its default configuration. Three architectural decisions create what security researcher Simon Willison calls the "lethal trifecta" for AI agents (Palo Alto Networks, 2026):

It has access to private data. OpenClaw can read files, access browser data, and interact with API keys stored in plaintext configuration files at ~/.clawdbot/.env and ~/.openclaw/credentials/.

It processes untrusted content. Skills installed from ClawHub execute with full system permissions. Snyk's ToxicSkills audit found that 36% of all ClawHub skills contain detectable prompt injection (Snyk, 2026). That untrusted content runs with the same privileges as the agent itself.

It can communicate externally. OpenClaw binds to 0.0.0.0:18789 by default in older versions, meaning it listens on all network interfaces including the public internet. SecurityScorecard identified 135,000 instances exposed this way (SecurityScorecard, 2026).

Any one of these would be a concern. Together, they create a tool that is vulnerable by design unless explicitly hardened.

The risk is not theoretical. Bitdefender's telemetry, drawn from business environments, confirms employees are deploying OpenClaw on corporate devices using single-line install commands with no security review and no SOC visibility (Bitdefender, 2026). Over 53,000 exposed instances have been correlated with prior breach activity.

NVIDIA acknowledged the structural problem directly at GTC 2026 by announcing NemoClaw, an enterprise security layer for OpenClaw. It addresses sandboxing, policy enforcement, and network egress control at the infrastructure level. It is in early preview and not production-ready, but its existence confirms what security researchers have argued since January: patching individual CVEs does not fix the underlying trust model.

OpenClaw has shipped significant security updates since these issues were identified (see OpenClaw Security Updates and VirusTotal Partnership below). Running the latest version with proper hardening reduces the risk substantially. But the default out-of-box experience remains dangerous for organisations that do not actively configure it.

OpenClaw CVEs: Exposed Instances and Active Vulnerabilities

The malicious skills problem was bad enough. The infrastructure vulnerabilities underneath are worse.

SecurityScorecard's STRIKE team found over 135,000 OpenClaw instances exposed to the public internet across 82 countries in early February, with 15,000 specifically vulnerable to remote code execution and 53,000 correlated with prior breach activity (SecurityScorecard, 2026). Bitsight independently confirmed over 30,000 exposed instances across the same window (Bitsight, 2026). The root cause is a dangerous default: OpenClaw binds to 0.0.0.0:18789 out of the box, listening on all network interfaces rather than localhost only.

Separately, Wiz researchers identified a misconfigured Supabase database belonging to Moltbook, the adjacent social network for OpenClaw agents, that exposed 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents (The Hacker News, 2026).

More than 60 CVEs and 60 GHSAs have been disclosed across multiple rounds. Endor Labs noted that traditional SAST tools cannot identify issues in LLM-to-tool flows, conversation state management, and agent-specific trust boundaries meaning standard application security testing will miss entire categories of risk in agent deployments. The table below covers named and high-severity entries.

A Shodan banner-match query against OpenClaw's primary ports on 26 March 2026 returned 61 indexed results. Banner matching finds hosts that actively self-identify in their service response, so this figure understates true exposure, it is a floor, not a count.

The map below shows the geographic distribution of indexed instances across that query. For a current exposure picture using Censys application-layer fingerprinting, including a full methodology breakdown and the geographic breakdown by cloud provider, see What Censys's OpenClaw Count Reveals That February's Headlines Did Not.

Complete OpenClaw CVE Summary

← Scroll to see full table

Sources: SecurityScorecard STRIKE Team, Endor Labs, BitNinja Security, ARMO Security, GitHub Advisory Database (February–March 2026). 60+ CVEs and 60+ GHSAs disclosed to date. Table covers named and high-severity entries only.

How OpenClaw Turns Supply Chain Risk Into System Risk

If you have followed the npm supply chain attacks over the past year, the ClawHub attack patterns will look painfully familiar.

Typosquatting is already in play. Bitdefender identified the handle "aslaep123" mimicking the legitimate user "asleep123" to trick users into trusting malicious skills. The Shai-Hulud npm attack used the same technique to compromise over 796 packages in September 2025.

Registry poisoning at scale mirrors the npm ecosystem's struggles. A single ClawHub user, "hightower6eu," uploaded 354 malicious packages in an automated blitz (Bitdefender, 2026). VirusTotal has now analysed over 3,000 OpenClaw skills and found hundreds with malicious characteristics (VirusTotal, 2026).

Social engineering through install instructions follows the ClickFix pattern. The dominant campaign, codenamed ClawHavoc, uses fake error messages and verification requirements to trick users into pasting base64-encoded commands into their terminal. The technique is identical to the clipboard hijacking attacks that have been escalating across the broader threat landscape.

The critical difference is privilege. A compromised npm package runs code in the context of a Node.js process. A compromised OpenClaw skill runs code with whatever permissions the AI agent has been granted. In most deployments, that means terminal access, file system access, and stored API keys for services like OpenAI, Anthropic, and AWS.

Counterfeit installers targeting search results. A threat actor campaign documented in March 2026 operates at a different point in the kill chain entirely: before the user installs a single skill. Malicious installation packages mimicking the official OpenClaw setup process have been published to open-source code repositories and promoted through AI-powered search results. A user searching for "install OpenClaw" or "Clawdbot download" may land on a result pointing to the fake repository. The counterfeit installer delivers a malware packer that disables firewall protections and routes network traffic through compromised systems (OpenClawd AI, 2026).

The researcher who first documented the campaign noted that the initial victim was a technical professional, not a casual user. That observation is consistent with the broader pattern across npm supply chain attacks: the install step feels safe because it follows familiar conventions.

The ClawHavoc Campaign: 1,184 Malicious Skills on ClawHub

What started as early reports of a few hundred malicious skills has been confirmed as one of the largest coordinated supply chain attacks targeting AI infrastructure.

Repello AI's threat research team traced 335 malicious skills to a single threat actor operating under a structured campaign, formally naming it ClawHavoc (Repello AI, 2026). Antiy CERT classified the associated malware as Trojan/OpenClaw.PolySkill and confirmed a total of 1,184 illicit skills across ClawHub (Antiy CERT, 2026). The campaign kicked off on January 27, 2026, surged on January 31, and malicious skills under variant package names remain discoverable on ClawHub as of publication.

Bitdefender's research identified four distinct attack campaigns:

ClawHavoc (300+ coordinated skills): Social engineering via fake error messages. Users paste a base64-encoded command that downloads Atomic Stealer (AMOS). Exfiltrates credentials, browser data, and crypto wallets.

AuthTool: Payload stays dormant until the user issues a specific prompt. A skill posing as a Polymarket data tool establishes a persistent reverse shell when triggered by a natural language query.

Hidden Backdoor: Executes during skill installation by displaying a fake "Apple Software Update" message while silently establishing an encrypted tunnel to the attacker's infrastructure.

Credential Exfiltration: Targets OpenClaw's own configuration files at ~/.clawdbot/.env, harvesting plain-text API keys for cloud services and AI platforms.

The AuthTool campaign is particularly concerning for enterprise environments. The malware activates only when the user interacts with the agent naturally. Traditional static analysis of the skill's code would not flag it because the malicious function sits inside an otherwise legitimate script.

What Snyk's ToxicSkills Research Found

Snyk's security researchers completed the first comprehensive security audit of the AI Agent Skills ecosystem, scanning 3,984 skills from ClawHub and skills.sh as of February 5, 2026 (Snyk, 2026).

The numbers are stark. 36% of all ClawHub skills contain detectable prompt injection. Snyk confirmed 1,467 malicious payloads through a combination of automated scanning and human review. Of the confirmed malicious samples, 91% combine prompt injection with traditional malware techniques. That convergence matters because it bypasses both AI safety mechanisms and conventional endpoint security tools that are not designed to catch both simultaneously.

Perhaps most concerning: 2.9% of skills dynamically fetch and execute content from external endpoints at runtime. The published skill appears benign during review, but attackers can modify behaviour at any time by updating the hosted content. The attack logic lives on attacker-controlled infrastructure rather than in the skill code itself.

Snyk released mcp-scan, a free tool for scanning both MCP servers and Agent Skills.

OpenClaw in the Enterprise: What NemoClaw Solves

On 16 March 2026, NVIDIA announced NemoClaw at GTC 2026. Jensen Huang described OpenClaw as "the operating system for personal AI" and positioned NemoClaw as the missing infrastructure layer that makes it enterprise-viable. That framing matters for security practitioners because it signals the industry has accepted that OpenClaw's security model is structurally broken, not just poorly patched.

NemoClaw installs onto OpenClaw in a single command. The core component is OpenShell, a sandboxed runtime that confines agent actions inside declarative policy. Agents start with zero permissions and request access explicitly. Network egress is blocked by default, with unapproved outbound connections surfaced for human approval. Credentials are injected as environment variables at runtime rather than stored in plaintext config files. That last point alone addresses one of the three lethal trifecta risks identified at the start of this article.

The enterprise partner list is significant: Cisco, CrowdStrike, Google, and Microsoft Security are all building OpenShell compatibility into their tooling. CrowdStrike has already released a Secure-by-Design AI Blueprint embedding Falcon into OpenShell. That is not a sandbox proof-of-concept. It is an indication that agent-aware endpoint detection is being treated as a near-term requirement.

What NemoClaw does not solve is equally important. As of the March 2026 early preview, it provides no multi-tenant governance, no PII detection, no content safety guardrails, no compliance audit trails, and no cost attribution. It addresses the foundation. The governance layer remains an organisational challenge that no platform resolves on its own.

For security teams assessing OpenClaw deployments today, NemoClaw is worth monitoring but not yet a production recommendation. The structural argument is that AI agent security belongs at the infrastructure layer, not at the application layer is a good start.

Beyond OpenClaw: Claude Code, MCP and Broader Agent Risks

This is not an OpenClaw-specific problem. The same week these skills were being weaponised, Check Point Research published critical vulnerabilities in Anthropic's Claude Code (CVE-2025-59536, CVSS 8.7 and CVE-2026-21852, CVSS 5.3) that allowed remote code execution and API key theft through malicious repository configuration files. The attack vector is structurally identical: open a repository containing a poisoned configuration file and malicious commands execute before the user sees a trust prompt.

Snyk's research confirmed that the same malicious skills distributed via ClawHub also target Cursor and other agent platforms that support installable skills. The Agent Skills format is increasingly portable across ecosystems, which means a malicious skill is a distribution mechanism that can travel across any agent framework supporting the same standard.

The Coalition for Secure AI (CoSAI) released a comprehensive MCP Security whitepaper in January 2026 identifying 12 core threat categories and nearly 40 distinct threats specific to Model Context Protocol deployments (CoSAI, 2026). Cisco's State of AI Security 2026 found that while most organisations planned to deploy agentic AI, only 29% reported being prepared to secure those deployments (Cisco, 2026).

1Password's security team published an analysis that nailed the core issue: in agent ecosystems, the line between reading instructions and executing them collapses. "Skills" in the Agent Skills format are essentially markdown files that become installers. A SKILL.md with "prerequisites" that ask users to run terminal commands looks like documentation but functions as a malware delivery path.

OpenClaw and the Enterprise Shadow AI Risk

Bitdefender's telemetry, drawn specifically from business environments, confirms what security teams already suspect: employees are deploying OpenClaw on corporate devices using single-line install commands with no approval process, no security review, and no SOC visibility. IBM's Cost of a Data Breach Report 2025 found that Shadow AI featured in 20% of breaches and added an average of $670,000 to breach costs. OpenClaw represents Shadow AI at its most dangerous: not a browser tab, but an autonomous agent executing code on the host OS with stored credentials.

This is Shadow AI in its most dangerous form. The AI Acceptable Use Policy guide covers why governance matters and would be a viable first step in educating users.

The Bigger Picture

The OpenClaw security story is one part of a broader shift across AI security that is accelerating rapidly. In the same two-week window, Claude Code had critical RCE vulnerabilities through repository config files, over 8,000 MCP servers were found exposed on the public internet, Kali Linux shipped an official MCP integration for AI-assisted pentesting, and the Coalition for Secure AI published its first comprehensive threat model for agent deployments.

The common thread is the trust model that AI agent frameworks create. We covered the full picture in a follow up article on securing AI agents and MCP. This space is evolving quickly, and new attack patterns are emerging just as fast.

Cybersecurity Career Guide 2026, Free 58-Page PDF

A free 58-page cybersecurity career guide covering the AI effect on your career, four role tracks, lab builds and the skills AI cannot replace.

CyberDessertsShakel Ahmed

AI agent security is evolving weekly. Subscribers get notified when new threats emerge, plus practical security content covering tools, frameworks, and hands-on techniques. No sales pitches, no fluff.

Frequently Asked Questions

Is OpenClaw dangerous?

OpenClaw poses significant security risks in its default configuration. Over 1,184 malicious skills have been identified on ClawHub, and more than 60 CVEs and 60 GHSAs have been disclosed. Early 2026 scans found over 135,000 instances exposed to the public internet. While exposure has decreased over time, the underlying security risks remain. With proper hardening and up-to-date versions, risk can be reduced but not eliminated.

What is ClawHavoc?

ClawHavoc is a coordinated supply chain attack campaign that planted over 1,184 malicious skills across the ClawHub marketplace targeting OpenClaw users. The campaign combines prompt injection, hidden reverse shells, and credential exfiltration from configuration files. Antiy CERT classified the malware as Trojan/OpenClaw.PolySkill.

How many OpenClaw instances are exposed to the internet?

Exposure varies by timeframe and methodology. SecurityScorecard identified over 135,000 exposed instances in February 2026, while later independent analysis using Censys identified 63,070 live instances in late March. The reduction reflects decreased public exposure, not a resolution of underlying security issues.

How do I check if my OpenClaw instance is exposed?

Run netstat -tlnp | grep 18789 on the host. If the binding shows 0.0.0.0:18789, the instance is listening on all interfaces, including the public internet. Change this to 127.0.0.1:18789 and restrict access behind a firewall or VPN.

What version of OpenClaw should I be running?

Run the latest stable version (currently 2026.4.2 as of April 2026). Multiple critical vulnerabilities have been patched across recent releases. Running outdated versions should be treated as exposed attack surface, not a low-priority update.

What is the “lethal trifecta” for AI agents?

A concept describing when an AI agent has access to private data, processes untrusted content, and can communicate externally. Any system with all three characteristics is vulnerable by design. OpenClaw meets all three conditions in its default configuration.

Are malicious skills still present on ClawHub?

Yes. Research has confirmed that malicious skills remain discoverable under variant names, even after takedowns. While the VirusTotal integration blocks many known threats, prompt injection and dynamically loaded payloads can still evade detection.

Last updated: April 4, 2026

References and Sources

1. Antiy CERT. (2026). ClawHavoc Campaign Analysis. Classification of Trojan/OpenClaw.PolySkill. Confirmed 1,184 malicious skills across ClawHub with three primary attack vectors.
2. Bitdefender Labs (Zugec, M.). (2026). Technical Advisory: OpenClaw Exploitation in Enterprise Networks. Analysis of ~400 malicious ClawHub packages across four attack campaigns. Nearly 900 malicious skills identified via AI Skills Checker.
3. Koi Security (Yomtov, O.). (2026). ClawHub Malicious Skills Audit. Security audit of 2,857 ClawHub skills identified 341 malicious entries, 335 tied to the ClawHavoc campaign delivering Atomic Stealer.
4. Repello AI. (2026). ClawHavoc: Inside the Supply Chain Attack That Targeted 300,000 AI Agent Users. Formal campaign analysis tracing 335 coordinated skills to a single threat actor.
5. Snyk. (2026). ToxicSkills: Malicious AI Agent Skills Supply Chain Compromise. Comprehensive audit of 3,984 skills from ClawHub and skills.sh. 36% prompt injection rate. 1,467 malicious payloads confirmed. 91% of malicious samples combine prompt injection with traditional malware.
6. VirusTotal. (2026). From Automation to Infection: How OpenClaw AI Agent Skills Are Being Weaponized. Analysis of 3,016+ OpenClaw skills. Single user "hightower6eu" linked to 314+ malicious packages.
7. SecurityScorecard STRIKE Team. (2026). Beyond the Hype: Moltbot's Real Risk Is Exposed Infrastructure, Not AI Superintelligence. Internet-wide scanning identified 135,000+ exposed OpenClaw instances across 82 countries, 15,200+ vulnerable to RCE. Three high-severity CVEs with public exploit code. Live tracking at declawed.io.
8. Bitsight. (2026). OpenClaw Security: Risks of Exposed AI Agents Explained. Independent observation of 30,000+ exposed instances between January 27 and February 8, 2026. 63% of observed deployments flagged as vulnerable.
9. Endor Labs. (2026). Six New OpenClaw Vulnerabilities. Disclosure of CVE-2026-26322 (SSRF, CVSS 7.6), CVE-2026-26319 (webhook auth bypass, CVSS 7.5), CVE-2026-26329 (path traversal), plus three additional vulnerabilities. Published February 18, 2026.
10. Check Point Research (Donenfeld, A. & Vanunu, O.). (2026). Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files. CVE-2025-59536 (CVSS 8.7) and CVE-2026-21852 (CVSS 5.3) in Anthropic's Claude Code.
11. 1Password. (2026). From Magic to Malware: How OpenClaw's Agent Skills Become an Attack Surface. Analysis of agent skills as markdown-based installers.
12. Coalition for Secure AI (CoSAI). (2026). Model Context Protocol (MCP) Security White Paper. 12 core threat categories and nearly 40 distinct threats. Released January 27, 2026.
13. Cisco. (2026). State of AI Security 2026. 29% of organisations reported being prepared to secure agentic AI deployments.
14. Palo Alto Networks. (2026). OpenClaw threat analysis referencing "lethal trifecta" of AI agent risks: private data access, untrusted content exposure, and external communication capability.
15. IBM Security. (2025). Cost of a Data Breach Report 2025. 63% of breached organisations lacked AI governance policies. Shadow AI in 20% of breaches added $670,000 to costs.
16. Infosecurity Magazine. (2026). Researchers Reveal Six New OpenClaw Vulnerabilities. Coverage of Endor Labs findings. Published February 27, 2026.
17. The Hacker News (Lakshmanan, R.). (2026). OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills. VirusTotal partnership details. Moltbook Supabase database exposure of 1.5M API tokens and 35K email addresses (Wiz research).