OpenClaw Agent Security Crisis: What to Know in 2026
OpenClaw Agent Security: review AI agent security risks, malicious skills, MCP exposure, governance controls, and safer deployment patterns for 2026.
This updated guide reframes OpenClaw Agent Security Crisis: What to Know in 2026 around practical search intent: what readers need to compare, choose, install, secure, or operationalize in 2026. It focuses on decision criteria, workflow fit, and the trade-offs that matter once an AI agent, skill, marketplace, or automation moves from curiosity to daily use.
The article also broadens the semantic coverage around SKILL.md, AI agent skills, agent instructions. That gives readers a clearer path from high-level research to implementation planning, while keeping the content useful for teams evaluating AI agent skill design.
Quick Answer
A useful skill is narrow, repeatable, and explicit about inputs, tools, constraints, and success criteria, so the agent can act consistently instead of guessing.
OpenClaw: 2026’s First Major AI Agent Security Crisis, Explained
OpenClaw: 2026’s First Major AI Agent Security Crisis, Explained
- 60% of MD5 Password Hashes Can Be Cracked in Under an Hour with a Single GPU
- Dirty Frag: Root Access on Every Major Linux Distribution — No Patch, No Warning
- Ubuntu 26.04 LTS (Resolute Raccoon): The Most Ambitious Ubuntu LTS in a Decade
- Proton Mail: Data Transferred to FBI Again!
- How Close Are Quantum Computers to Breaking RSA-2048?
- How to Prevent Ransomware Infection Risks?
- What is the best alternative to Microsoft Office?
OpenClaw: 2026’s First Major AI Agent Security Crisis, Explained
The viral open-source AI assistant that conquered GitHub has also introduced a new category of security risk — one that is difficult to detect, easy to deploy misconfigured, and severe in consequence.
If you are running any version of OpenClaw prior to v2026.2.25, you are vulnerable to the ClawJacked remote takeover flaw (CVE severity 8.8). Patch immediately. Run openclaw update
or download from the official GitHub repository.
In just three months, an open-source AI agent called OpenClaw became one of the fastest-growing software projects in GitHub history — surpassing React’s star count and triggering a Mac mini shortage in several U.S. stores. It also triggered 2026’s first major AI security crisis.
The agent — which connects to WhatsApp, Telegram, Slack, Discord, and iMessage, then autonomously manages your email, calendar, files, and shell commands on your behalf — has been found riddled with vulnerabilities. A security audit conducted while the project was still called Clawdbot identified 512 vulnerabilities total, eight classified as critical. Since then, dozens more have been disclosed, patched, and in some cases, actively exploited.
Background: Three Names, One Runaway Project
OpenClaw began life as Clawdbot, an open-source autonomous AI agent created by developer Peter Steinberger. It shot to viral fame in late January 2026 after amassing over 20,000 GitHub stars in a single day. Anthropic objected to the name’s similarity to Claude, prompting a swift rebrand to Moltbot. A trademark dispute days later produced the current name: OpenClaw. Its mascot — a space lobster named Molty — explains why the developer community refers to deploying it as “raising lobsters.”
Unlike traditional AI chatbots that merely answer questions, OpenClaw is fully autonomous. It executes shell commands, reads and writes files, browses the web, sends emails, manages calendars, and takes actions across a user’s digital life — all triggered by a casual message sent over WhatsApp or Telegram. It also stores persistent memory, retaining long-term context, preferences, and history across sessions. This is what makes it so capable, and what makes a compromise so devastating.
What OpenClaw Can Access
- Slack messages and files
- Email (read & send)
- Calendar entries
- Cloud-stored documents
- OAuth tokens (lateral movement risk)
- Shell / terminal commands
- Browser control
- Persistent memory across sessions
The Vulnerability Cascade
The most recent and severe flaw, codenamed ClawJacked by researchers at Oasis Security, illustrates how deep the problem runs. The vulnerability requires no installed extension, no marketplace plugin — just the bare OpenClaw gateway running as documented. A developer visits an attacker-controlled webpage; malicious JavaScript silently opens a WebSocket connection to OpenClaw’s localhost gateway. Because the gateway automatically trusts local connections and silently approves new device registrations from localhost, the attacker’s site gains full control of the agent — in milliseconds.
The issue: OpenClaw binds by default to 0.0.0.0:18789
, listening on all network interfaces including the public internet, not 127.0.0.1
(localhost only) as security would demand. For a tool with system-wide permissions, that default has real-world consequences. SecurityScorecard’s STRIKE team found over 135,000 OpenClaw instances exposed to the public internet across 82 countries. More than 15,000 of those were directly vulnerable to remote code execution.
- CVE-2026-25253Authentication token theft (gateway)CVSS 8.8
- CVE-2026-24763Command injectionHIGH
- CVE-2026-25157Command injection variantHIGH
- CVE-2026-25475Prompt injection via messagingHIGH
- CVE-2026-26322SSRF in Gateway toolCVSS 7.6
- CVE-2026-26319Missing webhook authentication (Telnyx)CVSS 7.5
- CVE-2026-26329Path traversal in browser uploadHIGH
- ClawJackedWebSocket localhost hijack (patched v2026.2.25)CRITICAL
“Security researchers confirmed the attack chain takes milliseconds after a victim visits a single malicious webpage.”
— Oasis Security, February 2026## The Malicious Skills Crisis
Parallel to the infrastructure vulnerabilities, OpenClaw’s plugin marketplace — ClawHub — became a vector for malware distribution at scale. Researchers at Koi Security found that out of 10,700 skills listed, more than 820 were malicious, up sharply from 324 found just weeks earlier. The attack is elegantly simple: malicious skills use professional documentation and innocuous names like “solana-wallet-tracker” to appear legitimate, then silently execute code that installs keyloggers on Windows or Atomic Stealer malware on macOS.
Cisco’s security blog ran a live experiment, pointing OpenClaw at a skill called “What Would Elon Do?” and scanning it with their open-source Skill Scanner tool. The result: nine security findings, including two critical severity issues. The skill was functionally malware — it issued a curl
command sending user data to an external server without notification, bypassing traditional data loss prevention entirely.
Making matters worse, one malicious skill had been artificially inflated to rank as the #1 most popular skill in the repository. On February 7, OpenClaw announced a partnership with VirusTotal to scan skills on ClawHub. Over 3,016 samples were analyzed and identified malicious skills removed — however, researchers noted that copies of the malicious skills remained accessible via OpenClaw’s GitHub repository through historical backup mechanisms.
The Enterprise Shadow-AI Problem
Beyond individual developers, OpenClaw has been quietly installed across corporate environments. Employees connect personal AI tools to corporate Slack workspaces, Google Workspace accounts, and internal systems — often without security team awareness. Traditional security tooling is largely blind to this: endpoint security sees processes running but cannot interpret agent behavior; network tools see API calls but cannot distinguish legitimate automation from compromise; identity systems see OAuth grants but do not flag AI agent connections as unusual.
When such an agent is compromised — through a malicious skill, prompt injection, or vulnerability exploit — attackers inherit all of that access, including OAuth tokens that enable lateral movement through the organization. Trend Micro researchers described this as “shadow AI with elevated privileges.”
Timeline of Key Events
- Jan 25, 2026Clawdbot goes viral. 20,000 GitHub stars in 24 hours. Mac mini shortage in U.S.
- Late JanResearcher @fmdz387 finds ~1,000 OpenClaw instances online with zero authentication. Researcher Jamieson O’Reilly gains access to Anthropic API keys, Telegram tokens, and full command execution on exposed instances.
- Late JanKaspersky security audit identifies 512 vulnerabilities, 8 critical. Rebrand to Moltbot, then OpenClaw.
- Jan 29, 2026OpenClaw patches CVE-2026-25253(CVSS 8.8) before public disclosure in v2026.1.29. - Early FebSecurityScorecard finds 135,000+ publicly exposed instances across 82 countries; 15,000+ vulnerable to RCE.
- Feb 7OpenClaw partners with VirusTotal to audit ClawHub; malicious skills removed from marketplace.
- Feb 12v2026.2.12 patches 40+ vulnerabilities including mandatory browser authentication, SSRF deny policies.
- Feb 18Endor Labs publishes six more CVEs (moderate to high). Cisco publishes live exploitation of malicious skill.
- Feb 25Oasis Security discloses ClawJackedflaw. OpenClaw patches within 24 hours in v2026.2.25. - Mar 1, 2026v2026.2.26 released — latest stable version as of press time.
Latest stable release: v2026.2.26 (March 1, 2026)
Includes: ClawJacked fix, hardened session management, HTTP security headers (HSTS), browser SSRF policy set to “trusted-network” mode by default, new
openclaw secrets audit
workflow to detect plaintext credential storage. Users on any earlier version should update immediately.
Protecting Yourself and Your Organization
Security researchers across Cisco, Trend Micro, Jamf, and Bitsight are unanimous: the risks are real and manageable, but require deliberate action. The most critical immediate steps are to update to v2026.2.26, restrict OpenClaw to bind to 127.0.0.1
only, enable mandatory authentication, and audit every skill installed from ClawHub. For enterprise security teams, scanning for unauthorized OpenClaw instances via MDM tools or network traffic analysis is advised before any employee integration reaches corporate SaaS systems.
The deeper issue, as Trend Micro notes, is not unique to OpenClaw — it is intrinsic to the agentic AI paradigm itself. Any system that reasons, decides, and acts on your behalf with broad access creates a new attack surface that traditional security tooling was not designed to observe. The challenge going forward is developing security models that match the autonomy of the tools they protect.
“The real challenge is being able to develop a clear understanding of both capabilities and risks, and to make deliberate, informed choices about what agentic systems are allowed to do.”
— Trend Micro Research, February 6, 2026OpenClaw’s development team has responded quickly — patching ClawJacked in under 24 hours after disclosure, shipping over 40 vulnerability fixes in a single release, and partnering with VirusTotal to address the marketplace supply chain problem. But with over 135,000 exposed instances and a user base that grew faster than any security culture could accompany, the gap between adoption and safety remains dangerously wide.
Related Reading
Deploy a production-tested AI skill in 3 minutes
Browse the OpenClaw marketplace for AI Personas & Skills, or create an account and start free — no code required.
More Posts
MCP vs Skills for AI Agents: Connection vs Usage
MCP vs Skills for AI: compare MCP servers, agent tools, security trade-offs, governance patterns, and implementation choices for production AI teams in 2026.
AI tools for IT support ticket triage
AI tools for IT support: compare ticket triage, routing, customer support automation, implementation patterns, and buyer criteria for service teams in 2026.
32 Best OpenClaw Skills for 2026: Ranked by Category
Best OpenClaw Skills for :: learn how OpenClaw skills work, what to install, security risks to check, and how teams can use Skill.md workflows in 2026.