TL;DR / Summary:
In the first three months of 2026, OpenClaw went from a one-person side project to the fastest-growing open-source repository in GitHub history — and then, simultaneously, the most heavily scrutinised AI security incident of the year. By the time security firm Koi Security named the attack campaign against its plugin marketplace "ClawHavoc" in February, the tool already had more than 100,000 stars. By the time CERT-Bund issued a formal advisory in March with a vulnerability score of 9.9 out of 10, the project had passed 346,000 stars and was still climbing. The numbers tell a story that the AI industry has been slow to reckon with: the faster an agentic AI tool spreads, the faster its attack surface grows.
This article covers what OpenClaw is, how it was attacked, what the vulnerabilities mean technically, and what the crisis tells us about the structural risks of open-source AI agents — in one place, from the first malicious skill in January 2026 to the patches still being issued in April.
Ready to break it down? Here's what's covered:
- What is OpenClaw and why it spread so fast
- The attack begins: malicious skills flood the marketplace
- How the vulnerabilities work: a cascade of critical flaws
- The full OpenClaw incident timeline
- Scale of exposure: 135,000 instances across 82 countries
- How developers and the industry have responded
- What the OpenClaw crisis means for the future of AI agent security
- Conclusion
- Frequently asked questions
What is OpenClaw and why it spread so fast
OpenClaw is an open-source personal AI agent created by Austrian developer Peter Steinberger. Unlike a chatbot that answers questions, OpenClaw acts. It can execute shell commands, read and write files on your machine, browse the web, send emails, manage your calendar, and interact with messaging platforms including WhatsApp, Slack, Telegram, Discord, and iMessage. Users deploy it locally; it connects to large language models such as Claude or GPT-4 to handle reasoning, while OpenClaw itself handles execution.
Steinberger first published the tool in November 2025 under the name Clawdbot. It went viral in early January 2026, gaining 20,000 GitHub stars in a single day. A trademark dispute with Anthropic forced two renames — to "Moltbot" on January 27, then to "OpenClaw" three days later — but the attention never faded. Within weeks it was being described as the fastest-growing open-source project GitHub had ever recorded.
The appeal was obvious. OpenClaw put genuinely powerful automation in the hands of individuals — a trend that AI-native platforms like Ruh AI are also pursuing, though with enterprise safety and accountability built into the design from the start. You could ask OpenClaw to monitor your inbox, summarise documents, draft replies, and send them — without writing a single line of code. Steinberger himself explained the philosophy bluntly: "What you have to know about OpenClaw is, like, it couldn't have come from those big companies. Those companies would have worried too much about what could go wrong instead of just, like — I wanted to just show people I've been into the future."
That philosophy — ship fast, show the future, worry about safety later — is precisely what made OpenClaw a target.
The attack begins: malicious skills flood the marketplace
OpenClaw's power is extended through "skills" — plugin-style packages that users install to add capabilities. The skills are published and shared through ClawHub, an open marketplace similar in concept to browser extension stores or package registries. Like those platforms, ClawHub had no verified screening for new submissions at launch.
The first malicious skill appeared on ClawHub on January 27, 2026 — the same day Steinberger was navigating the first trademark rename. The campaign surged four days later on January 31, and by February 1, Koi Security had formally named it "ClawHavoc."
The attack method was straightforward and effective. Threat actors uploaded skills with professional documentation and plausible-sounding names — "solana-wallet-tracker," productivity tools, utility scripts. When users installed these skills, they were presented with fake prerequisite instructions — directions to run an external script that would "set up dependencies." Those scripts installed one of two payloads:
- On Windows: a keylogger designed to capture API keys, credentials, and session tokens.
- On macOS: Atomic macOS Stealer (AMOS), a well-documented infostealer capable of harvesting browser credentials, keychain passwords, cryptocurrency wallet data, SSH keys, and files from common user directories.
Researchers at The Hacker News confirmed 341 malicious skills out of 2,857 in ClawHub — approximately 12% of the entire registry. Updated scans later reported more than 800 malicious skills, approaching 20% of the marketplace. A separate wave identified 1,184 malicious skills in what researchers documented as a continuation of the ClawHavoc campaign.
Moltbook — a social network built by a third party specifically for OpenClaw agent-to-agent communication — compounded the exposure further. Researchers found Moltbook's database was publicly accessible without authentication, exposing 35,000 email addresses and 1.5 million agent API tokens in plaintext.
How the vulnerabilities work: a cascade of critical flaws
While the marketplace campaign was underway, independent security researchers were separately mapping OpenClaw's core attack surface. What they found was not one vulnerability but a structural pattern: OpenClaw was built to execute, not to defend.
Between March 18 and March 21, 2026, nine CVEs were publicly disclosed in four days. One scored 9.9 on the CVSS 3.1 scale, the highest possible rating for a practical exploit. Six were classified high severity, two medium. Below are the most significant:
CVE-2026-25253 (CVSS 8.8) — Cross-site WebSocket hijacking
OpenClaw's web-based Control UI trusted URL parameters without validation. An attacker who could get a user to click a single malicious link could hijack the agent's WebSocket session. Researchers confirmed the attack chain completes in milliseconds. Critically, the vulnerability worked even against instances configured to listen only on localhost — a setting many users assumed would protect them.
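To make the localhost point concrete, here is an added example (not OpenClaw's code) of a WebSocket upgrade check in the weak shape the page describes, beside a hardened one that checks the browser-supplied Origin header. The exact URL parameter OpenClaw trusted is not on the page, so the weak version assumes a hypothetical `client=control-ui` query parameter and an assumed port of 18789.

```python
"""WebSocket upgrade checks: one that trusts a URL parameter, one that
checks Origin. Added example, not OpenClaw's code; the 'client' parameter,
the port and the header names are assumptions.
"""
import hmac
from urllib.parse import parse_qs, urlsplit

# Origins the local Control UI is legitimately served from (assumed port).
# Listening on 127.0.0.1 does not make this check unnecessary: a page on
# any site can open ws://127.0.0.1:18789/ from the victim's own browser,
# so the connection arrives *from* localhost while the page driving it
# does not. Only the Origin header, which the browser sets and the page
# cannot forge, tells the two apart.
ALLOWED_ORIGINS = {"http://127.0.0.1:18789", "http://localhost:18789"}


def weak_accept(request_target: str, headers: dict) -> bool:
    """Treats a query parameter as proof the request came from the UI.
    Whoever crafts the link controls the query, and Origin is never read."""
    query = parse_qs(urlsplit(request_target).query)
    return query.get("client") == ["control-ui"]


def hardened_accept(request_target: str, headers: dict, session_token: str) -> bool:
    """Accepts only an allowlisted Origin plus a session token sent in a
    header (not in the URL, where it would leak through links and logs)."""
    origin = headers.get("Origin")
    if origin is None:
        return False  # non-browser clients are treated as untrusted here
    # Exact match, not startswith()/regex: "http://localhost:18789.evil.example"
    # must not pass.
    if origin not in ALLOWED_ORIGINS:
        return False
    presented = headers.get("X-Session-Token")
    return presented is not None and hmac.compare_digest(presented, session_token)


# Constructed sample handshakes, as the server would see them.
SESSION_TOKEN = "constructed-session-token"

# A page on another site opening the local socket: the browser fills in
# Origin with that site, which is exactly the signal the weak check ignores.
CROSS_SITE = ("/ws?client=control-ui",
              {"Host": "127.0.0.1:18789", "Origin": "https://other-site.example"})

# The genuine Control UI page performing the same upgrade.
LOCAL_UI = ("/ws",
            {"Host": "127.0.0.1:18789", "Origin": "http://127.0.0.1:18789",
             "X-Session-Token": SESSION_TOKEN})


def demo() -> dict:
    """Returns each check's verdict on both constructed handshakes."""
    return {
        "weak_cross_site": weak_accept(*CROSS_SITE),
        "hardened_cross_site": hardened_accept(*CROSS_SITE, SESSION_TOKEN),
        "hardened_local_ui": hardened_accept(*LOCAL_UI, SESSION_TOKEN),
    }


if __name__ == "__main__":
    print(demo())
```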
CVE-2026-22179 — macOS command substitution bypass
On macOS, embedding command substitution syntax (such as $(...) or backticks) inside double-quoted strings caused OpenClaw to bypass its own command allowlist and execute arbitrary code. The command allowlist — the mechanism meant to restrict what the agent could run — was rendered effectively inert.
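The failure pattern here is an allowlist that decides from the program name and then hands the whole string to a shell, which expands $(...) before the allowed program ever runs. The following added example (not OpenClaw's code; the real allowlist implementation is not on the page) shows that weak check beside a hardened planner that keeps quoted substitution syntax out and never invokes a shell at all.

```python
"""Command allowlist: first-word check versus argv planning without a shell.
Added example, not OpenClaw's code; ALLOWED_PROGRAMS is a constructed list.
"""
import shlex
import subprocess
from typing import List, Optional

ALLOWED_PROGRAMS = {"ls", "echo", "cat", "date"}

# Syntax a POSIX shell expands before running the command, including
# inside double quotes. shlex keeps it as literal text, so a word-level
# check sees nothing wrong while the shell still runs the inner command.
SUBSTITUTION_MARKERS = ("$(", "`", "${", "<(", ">(")


def weak_is_allowed(command_line: str) -> bool:
    """Decides from the first word only. A caller that then runs the
    string via 'sh -c' lets the shell expand "$(...)" inside the quotes."""
    words = shlex.split(command_line)
    return bool(words) and words[0] in ALLOWED_PROGRAMS


def hardened_plan(command_line: str) -> Optional[List[str]]:
    """Returns an argv list for subprocess.run(shell=False), or None if the
    command must be refused. Layer 1: refuse substitution syntax in any
    word, quoted or not. Layer 2 (in run_hardened): no shell, so whatever
    text remains is passed to the program as data, never expanded."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return None  # unbalanced quotes: refuse rather than guess
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    if any(marker in word for word in argv for marker in SUBSTITUTION_MARKERS):
        return None
    return argv


def run_hardened(command_line: str) -> Optional[str]:
    """Executes an allowed command with argv semantics (no shell)."""
    argv = hardened_plan(command_line)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Constructed input: an allowed program with a substitution in quotes.
    sample = 'echo "$(whoami)"'
    print("weak check accepts:", weak_is_allowed(sample))   # True
    print("hardened plan:", hardened_plan(sample))           # None (refused)
    print("hardened run:", run_hardened("echo hello"))       # hello
```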
CVE-2026-32922 (CVSS 9.9) — Privilege escalation
Any attacker who had pairing access to an OpenClaw instance could silently escalate to full administrator control. The vulnerability was published March 29 and applies to all versions before 2026.3.28.
CVE-2026-29607 and CVE-2026-28460 — Command approval bypass
OpenClaw includes a confirmation step for high-risk actions. These two CVEs, disclosed on the same day, allowed attackers to bypass that approval mechanism entirely, enabling unsanctioned command execution without user confirmation.
Sandbox escape
A separate flaw allowed OpenClaw child processes to escape sandbox confinement. When an agent spawned a child process, it failed to inherit sandbox restrictions, giving a compromised sandboxed agent the ability to achieve arbitrary code execution, data access, and denial of service.
CERT-Bund, Germany's federal cybersecurity authority, issued formal advisory WID-SEC-2026-0856 on March 24, 2026, confirming that exploitation could allow remote attackers to "execute arbitrary code, gain administrator privileges, manipulate data, bypass security measures, disclose confidential information, or cause denial-of-service conditions." For a broader look at how these AI security risks are evolving across the industry, Ruh AI's analysis of emerging AI risks tracks developments like this as they unfold.
The full OpenClaw incident timeline
What follows is a chronological account of the OpenClaw crisis from launch to the most recent disclosures:
- November 2025 — OpenClaw (as Clawdbot) launches on GitHub.
- Early January 2026 — Goes viral; 20,000 GitHub stars in 24 hours.
- January 27, 2026 — Renamed Moltbot (trademark dispute with Anthropic). First malicious ClawHub skill published.
- January 30, 2026 — Renamed OpenClaw.
- January 31, 2026 — Malicious skills surge across ClawHub.
- February 1, 2026 — Koi Security names the campaign "ClawHavoc."
- February 2026 — Endor Labs discloses six vulnerabilities: SSRF (CVE-2026-26322), webhook authentication bypass (CVE-2026-26319), and path traversal flaws.
- February 12, 2026 — Fortune publishes a major feature on security experts alarmed by OpenClaw's permissions model.
- February 14, 2026 — Steinberger announces joining OpenAI. Non-profit foundation announced to steward the OpenClaw project.
- March 18–21, 2026 — Nine CVEs publicly disclosed in four days; highest score is 9.9.
- March 20, 2026 — CVE-2026-22179 (macOS command substitution bypass) published.
- March 24, 2026 — CERT-Bund issues advisory WID-SEC-2026-0856.
- March 26, 2026 — OpenClawd ships verified skill screening for ClawHub.
- March 29, 2026 — CVE-2026-32922 (privilege escalation, CVSS 9.9) published.
- March 31, 2026 — SSRF vulnerability affecting versions ≤2026.3.28 disclosed.
- March 2026 — Chinese authorities restrict state-run enterprises and government agencies from running OpenClaw on office computers.
- Early April 2026 — OpenClaw reaches 346,000 GitHub stars. New CVEs continue to emerge.
Scale of exposure: 135,000 instances across 82 countries
Understanding why the OpenClaw crisis matters at an industry level requires understanding how widely the tool had been deployed before the vulnerabilities were widely known.
Censys, a network intelligence platform, identified 21,639 OpenClaw instances publicly accessible on the open internet. Bitsight's analysis widened that number to more than 30,000. Independent security researcher Maor Dayan identified 42,665 exposed instances, of which 5,194 were actively verified as vulnerable. SecurityScorecard's STRIKE team estimated 135,000+ instances across 82 countries — a figure that has been widely cited across the industry.
Of those, more than 15,000 were directly vulnerable to remote code execution via CVE-2026-25253 at the time of disclosure.
Geographically, the United States held the largest share of deployments initially. China subsequently surpassed the US by approximately 14,000 deployments, with a significant proportion running on Alibaba Cloud infrastructure. It was this concentration that prompted Chinese authorities to issue their restriction on state enterprise use.
The enterprise risk profile is particularly acute. When an OpenClaw instance is connected to corporate SaaS applications — Slack, Google Workspace, or similar — a compromised agent can access not just its local files but also Slack messages, calendar entries, cloud-stored documents, email threads, and the OAuth tokens that grant access to all of those services. As CrowdStrike noted in a security assessment of OpenClaw, traditional security tooling is largely blind to this: "Endpoint security sees processes running but cannot interpret agent behavior; network tools see API calls but cannot distinguish legitimate automation from compromise."
This is precisely why enterprise AI tools — including AI-powered sales automation tools built with compliance and security in mind — take a different architectural approach, scoping agent permissions tightly to the task rather than granting broad system access.
A February 2026 report from the Cloud Security Alliance added important industry context: while 40% of organisations already have AI agents in production, only 18% are highly confident that their identity and access management systems can handle agentic workloads. In the same survey, 73% of CISOs described themselves as "very or critically concerned" about AI agent risks. OpenClaw had arrived in enterprise environments faster than enterprise security had adapted.
How developers and the industry have responded
The response to OpenClaw's crisis has moved on multiple fronts — patches, marketplace reform, government action, and industry-level rethinking.
Patches from the OpenClaw project
The project's patch cadence has been described as often same-day or next-day for individual CVEs. OpenClaw v2026.2.12 fixed more than 40 vulnerabilities. Version v2026.3.11 addressed the WebSocket and browser origin validation flaw that enabled cross-site WebSocket hijacking. The project now states that users must be running version 2026.3.12 or later to be protected from every 2026 CVE.
ClawHub marketplace reform
OpenClawd, the operator of ClawHub, shipped verified skill screening on March 26, 2026 — roughly eight weeks after the ClawHavoc campaign began. The project has also published an RFC proposing native agent identity and trust verification for sensitive actions including skill installation, payment execution, and inter-agent communication.
Government responses
CERT-Bund's formal advisory WID-SEC-2026-0856 is the highest-profile government-level response. Chinese authorities went further, restricting state enterprises from using OpenClaw on office computers due to data exfiltration risks.
The creator's transition
Peter Steinberger announced on February 14 that he was joining OpenAI, stating: "I'm joining OpenAI to work on bringing agents to everyone." A non-profit foundation was announced for ongoing stewardship of the project. Steinberger himself acknowledged the tension, later criticising GitHub's vulnerability reporting infrastructure as "a mess" and describing it as drowning in "AI-generated slop that takes me hours to sift through" — an indication of the scale of security research activity the project has attracted.
What the OpenClaw crisis means for the future of AI agent security
The OpenClaw incident is not primarily a story about one developer's security oversights. It is a preview of a structural challenge that the entire AI agent ecosystem will have to navigate.
The core problem is that autonomous AI agents operate differently from the tools security frameworks were designed to protect. An agent that can browse, read files, call APIs, send messages, write code, trigger webhooks, and act across multiple steps with minimal supervision does not behave like a traditional application. It behaves like a user — one with legitimate credentials, legitimate access, and actions that look intentional whether they are or not. When such an agent is compromised — through a malicious skill, a prompt injection attack, or a software vulnerability — the attacker inherits all of that access: files, emails, cloud services, OAuth tokens enabling lateral movement across an organisation's entire SaaS stack.
The same dynamic applies to AI sales agents like Sarah, which operate in customer-facing and CRM contexts where data sensitivity is high. The OpenClaw crisis makes clear why agents designed for enterprise use need permission scoping, trust verification, and audit trails built in by design — not bolted on after the fact.
The OpenClaw crisis demonstrated three specific failure modes that security architects will need to address in any agentic deployment:
Open marketplaces without trust verification create a reliable supply chain vector. ClawHub's poisoning followed the same pattern as malicious packages in npm, PyPI, and browser extension stores. The difference is that an agent that installs a malicious skill does not just execute code on one machine — it can propagate that compromise across every system it has been granted access to. Trust-on-install is not a workable model for agents with broad permissions.
Broad system permissions without segmentation turn every vulnerability into a catastrophic one. CVE-2026-25253 is a WebSocket hijacking bug — not inherently devastating in a sandboxed context. In OpenClaw's default configuration, where the agent has access to local files, credentials, and connected SaaS accounts, the same vulnerability enables full account takeover.
AI-specific attack vectors — particularly prompt injection — are not covered by standard CVE frameworks. The nine CVEs disclosed for OpenClaw are code-level vulnerabilities, addressable by patches. Prompt injection — embedding instructions in an email or document that the agent then executes — is harder to categorise and harder to patch. The security community is still developing frameworks to handle both.
The path forward, as outlined by security experts across CrowdStrike, ReversingLabs, and Sophos, involves: identity scoping (strict least-privilege access for agents), supply-chain verification for any marketplace or plugin ecosystem, high-risk action approval gates, egress control to limit external data transmission, secret isolation, robust telemetry, and repeated adversarial testing.
The Cloud Security Alliance's February 2026 findings — that only 18% of organisations are confident in their IAM systems' ability to handle agents — suggest the industry has significant ground to cover before any of this is standard practice.
OpenClaw's security crisis is in one sense specific to a single project. But the vulnerabilities it exposed — in marketplaces, in permissions models, in the assumptions baked into agentic design — apply to every AI agent being built today. The question the crisis raises is not whether the next OpenClaw-scale incident will happen, but whether the frameworks to handle it will exist when it does.
Conclusion
OpenClaw arrived faster than security could follow. Within weeks of going viral, it had been installed on 135,000+ publicly accessible servers across 82 countries, had a marketplace compromised with malicious plugins delivering credential-stealing malware, and was accumulating CVEs at the rate of nine in four days — including a CVSS 9.9 privilege escalation that gave any attacker with pairing access full administrator control.
The patches are real. The response from the project, from CERT-Bund, and from the broader security research community has been substantive. But the underlying conditions — open agent marketplaces without trust verification, agentic systems with broad permissions and minimal segmentation, enterprise deployments outpacing enterprise security readiness — remain as true for every other AI agent project in development as they were for OpenClaw.
The fastest-growing open-source project in GitHub history became the year's first major AI security crisis not because of unusual carelessness, but because the agentic AI ecosystem as a whole has not yet established the safety norms that match its ambitions.
Frequently asked questions
What is OpenClaw and what makes it different from a regular AI chatbot?
Ans: OpenClaw is an open-source autonomous AI agent that executes actions on your behalf — it runs shell commands, reads and writes files, browses the web, sends emails, and manages calendars. This separates it fundamentally from chatbots like ChatGPT, which only generate text within a conversation window. OpenClaw uses large language models for reasoning but then acts on the results directly on your local machine or connected SaaS accounts. That execution capability is what made it so compelling — and what makes its security vulnerabilities so consequential compared to a standard AI assistant.
How did attackers compromise OpenClaw's ClawHub plugin marketplace?
Ans: The ClawHavoc campaign exploited ClawHub's absence of submission screening at launch. Attackers uploaded skills — OpenClaw's plugin-style packages — with professional documentation and plausible names such as "solana-wallet-tracker." Once a user installed one, fake prerequisite instructions prompted them to run an external setup script. That script silently delivered either a keylogger on Windows or Atomic macOS Stealer (AMOS) on macOS, harvesting passwords, API keys, cryptocurrency wallet data, and OAuth tokens. Researchers confirmed 341 malicious skills — about 12% of the entire registry — before OpenClawd implemented verified screening in late March 2026, roughly eight weeks after the campaign began.
How many OpenClaw instances are exposed to the public internet?
Ans: Estimates vary by source and measurement window. Censys identified 21,639 publicly accessible instances; Bitsight reported more than 30,000; SecurityScorecard's STRIKE team put the figure at 135,000+ instances across 82 countries. Of those, more than 15,000 were directly vulnerable to remote code execution via CVE-2026-25253 at the time of initial disclosure. China overtook the United States as the country with the highest number of active deployments, with approximately 14,000 more instances — a concentration that contributed to Chinese authorities restricting government and state enterprise use.
Is OpenClaw safe to use in 2026?
Ans: OpenClaw can be used more safely if you are running version 2026.3.12 or later, which addresses every CVE disclosed in 2026. However, "safe" depends heavily on how you deploy it. Instances left publicly accessible, connected to corporate SaaS accounts without permission scoping, or using unverified ClawHub skills remain at risk even after patching — because not all attack surfaces are fixed by software updates alone. The project's own developer acknowledged that security requires architectural decisions, not just patches. For enterprise deployments, security experts recommend strict least-privilege access, secret isolation, egress control, and high-risk action approval gates as baseline requirements before putting any version of OpenClaw into a sensitive environment.
What is a prompt injection attack and why can't it be patched like a normal vulnerability?
Ans: A prompt injection attack embeds instructions inside content an AI agent is expected to read — an email, a document, or a web page — causing the agent to execute those instructions as if they came from the legitimate user. For an agent like OpenClaw, which reads emails and browses the web as part of normal operation, a malicious sender could craft a message that instructs the agent to forward files, exfiltrate credentials, or delete data without the user ever seeing it happen. Unlike CVE-class software vulnerabilities, prompt injection cannot be fully resolved with a software patch — it is a fundamental challenge of building agents that process untrusted input and then act on it, and the security community is still developing the frameworks to handle it systematically.
Why did China restrict OpenClaw for government and enterprise use?
Ans: Chinese authorities restricted state-run enterprises and government agencies from running OpenClaw on office computers in March 2026, citing data exfiltration risks. The concern was grounded in real exposure: China had become the world's largest OpenClaw deployment area, with approximately 14,000 more instances than the United States, many running on Alibaba Cloud infrastructure. An autonomous agent with broad file access, network access, and credential access running inside sensitive government or enterprise environments represented an unacceptable risk given the severity of the vulnerabilities disclosed — particularly the CVSS 9.9 privilege escalation (CVE-2026-32922) and the one-click remote code execution flaw (CVE-2026-25253).