OpenClaw, the open-source AI agent built by Austrian developer Peter Steinberger, hit 157,000 GitHub stars and 2 million weekly visitors in early February 2026. It also had a CVSS 8.8 remote code execution vulnerability, 341 malicious skills in its marketplace, and 24,478 internet-exposed instances discoverable via Shodan. CrowdStrike published a dedicated advisory. Belgium’s national cybersecurity center issued a warning. Bitdefender’s top recommendation: “Do not run OpenClaw on a company device.”
This is not a hypothetical scenario from a threat modeling workshop. OpenClaw is a live case study for every AI agent governance and security concern that security teams have been theorizing about for the past two years.
What OpenClaw Actually Is (and Why It Spread So Fast)
OpenClaw is a free, open-source AI agent that runs locally on your machine and executes real-world tasks: sending emails, browsing the web, managing calendars, handling files, interacting with online services. Users talk to it through WhatsApp, Telegram, Discord, Signal, or Slack. The agent connects to external LLMs (Claude, GPT, DeepSeek) for reasoning and uses over 100 preconfigured “AgentSkills” that can be extended via ClawHub, a community marketplace.
The project has a fascinating origin story. Steinberger is a Vienna University of Technology alumnus who previously built PSPDFKit (now Nutrient), a PDF SDK whose tools powered apps used by nearly 1 billion people. After raising $116 million from Insight Partners and selling the company, he “retired” and started building what became OpenClaw as a hobby project. He wrote the first prototype in an hour.
The scale of one-person output is striking: 6,600 commits in January 2026 alone, running 5-10 AI agents simultaneously on different features. As Steinberger himself put it: “I ship code I don’t read.” That sentence encapsulates both the promise and the problem.
The Naming Saga and Anthropic’s Trademark Complaint
The project cycled through four names in two months. It started as “WhatsApp Relay,” became “Clawdbot” (a wordplay on Claude), got hit with a trademark complaint from Anthropic, pivoted to “Moltbot” (a Discord brainstorm referencing lobster molting), and finally settled on “OpenClaw” on January 30, 2026.
The rapid renaming matters for security teams: detection rules written for “clawdbot” process names miss “openclaw” instances, and config directories changed from .clawdbot to .openclaw. CrowdStrike’s removal content pack explicitly checks for all historical names across Windows, macOS, and Linux.
The Security Breakdown: CVEs, Malware, and Exposed Infrastructure
Three overlapping security failures happened simultaneously, each serious on its own, devastating in combination.
CVE-2026-25253: One Click to Full Machine Access
Security researcher Mav Levin at depthfirst discovered a remote code execution vulnerability scoring 8.8 on the CVSS scale. The attack chain is straightforward:
- Victim clicks a crafted link
- Client-side JavaScript steals the auth token (OpenClaw didn’t validate WebSocket origin headers)
- Attacker connects via WebSocket using the stolen token with
operator.adminandoperator.approvalsscopes - Attacker disables user confirmation (
exec.approvals.setto “off”) - Attacker escapes the Docker container (
tools.exec.hostto “gateway”) - Full remote code execution on the host machine
Steinberger described the impact himself: “Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim’s local gateway, modify config and invoke privileged actions, achieving 1-click RCE.” A patch shipped in version 2026.1.29, but anyone running an older build remained exposed.
ClawHavoc: 341 Malicious Skills in the Marketplace
Koi Security used an OpenClaw bot named “Alex” to audit the entire ClawHub marketplace. Out of 2,857 skills audited, 341 were malicious, that is 11.9% of the entire marketplace. 335 of them traced back to the same campaign, dubbed “ClawHavoc.”
The primary payload was Atomic Stealer (AMOS), a commodity macOS stealer sold as malware-as-a-service for $500-1,000/month. It steals Keychain credentials, browser data, crypto wallets, Telegram sessions, SSH keys, and files from Desktop and Documents folders. One user alone (Hightower6eu) uploaded 354 malicious packages. Another (Sakaen736jih) submitted skills “every few minutes” via automation.
The attack categories were creative: 100+ posed as cryptocurrency tools (Solana wallets, Phantom wallet utilities), 57 as YouTube utilities, 51 as finance/social media tools. Typosquatting variants of “clawhub” itself appeared (“cllawhub”, “clawhubb”).
Separately, Snyk found that 283 skills (7.1% of approximately 4,000) expose sensitive credentials by instructing AI agents to pass API keys, passwords, and credit card numbers through the LLM’s context window in plaintext.
24,478 Internet-Exposed Instances
Cyera Research Labs ran a Shodan scan and found 24,478 internet-connected OpenClaw servers. 15.31% (3,746 instances) were exposed via mDNS services. Geographic concentration: 65% in the US, China, and Singapore.
CrowdStrike confirmed a growing number of instances accessible over unencrypted HTTP. They also found a wallet-draining prompt injection embedded in a Moltbook social post, real evidence of active exploitation in the wild.
The Moltbook Breach: 1.5 Million API Tokens Exposed
Moltbook, a social network built exclusively for OpenClaw agents (“Reddit for bots”), launched January 28, 2026. Within days it had 1.5 million registered agents behind approximately 17,000 human accounts, an 88:1 bot-to-human ratio.
Cloud security firm Wiz discovered a catastrophic misconfiguration: a Supabase API key was hardcoded in client-side JavaScript, and the platform lacked Row Level Security policies. That publicly exposed key granted full read/write access to every table. Researchers gained full database access in under 3 minutes.
What was exposed: 1.5 million API authentication tokens, 35,000 email addresses, thousands of private messages (some containing plaintext OpenAI API keys), and 29,631 early-access signup emails. CPO Magazine reported the full scope of the leak. Moltbook patched within hours of disclosure, but anyone who scraped the data during the exposure window had everything.
What This Means for Enterprise Security Teams
OpenClaw is not just another vulnerable open-source tool. It is the first real-world stress test of enterprise AI agent security at scale, and the results are grim.
Shadow AI Is Already Here
Trend Micro research found that one in five organizations deployed OpenClaw without IT approval. An IBM/Censuswide study from late 2025 puts the broader shadow AI figure at 80% of employees at organizations with 500+ employees using AI tools not sanctioned by their employer.
Detection is non-trivial. Lasso Security documented the indicators: config directories (.openclaw, .clawdbot, .clawhub), local gateway ports TCP 18789 and 18793, specific process signatures. CrowdStrike’s Falcon platform uses DNS monitoring for openclaw.ai requests, package inventory scans via Homebrew/NPM, and external attack surface management to find publicly exposed instances.
The Skills Supply Chain Is Unvetted
Cisco’s analysis released an open-source Skill Scanner that performs static analysis, behavioral analysis, LLM-assisted semantic inspection, and VirusTotal integration. Their finding: a skill called “What Would Elon Do?” ranked #1 in the repository despite containing nine security findings including two critical command injection vulnerabilities.
OpenClaw’s own documentation acknowledges: “There is no ‘perfectly secure’ setup.” That’s honest. It’s also a red flag for any organization running it on machines with access to corporate resources.
Cyera’s audit of 1,937 ClawHub skills found 336 requesting Google Workspace access, 170 requesting Microsoft 365 access, 127+ requesting raw secrets instead of OAuth, and 179 downloading unsigned binaries. Unlike ChatGPT Agent, OpenClaw does not enforce mandatory human-in-the-loop approval for sensitive actions including financial transactions.
Prompt Injection Creates Persistent C2 Channels
Zenity research demonstrated that a malicious document containing a prompt injection payload could direct OpenClaw to establish a Telegram bot integration, granting attackers persistent command-and-control access for data exfiltration, ransomware deployment, and lateral movement. The attack surface includes any data source the agent consumes: emails, calendar invites, shared documents, chat messages.
How to Respond: Practical Steps
CrowdStrike’s removal content pack for Falcon for IT covers the full detection and removal lifecycle. But the broader response should include:
Inventory first. Scan for .openclaw, .clawdbot, and .clawhub config directories. Check for openclaw.ai DNS queries. Monitor TCP ports 18789 and 18793. Use Bitdefender’s Osquery rule: SELECT pid, name, path, cmdline FROM processes WHERE name LIKE '%openclaw%'.
Block the marketplace. Add ClawHub domains to your web filter. Unsigned skills from community marketplaces should be treated like unsigned npm packages from an unknown registry: not allowed on corporate machines.
Update your AI agent policy. If you don’t have one, OpenClaw is the reason to write it. Gravitee’s 2026 survey found that only 14.4% of organizations have full security and IT approval for all AI agents going live. That number needs to be higher.
Audit skills before deployment. Cisco’s open-source Skill Scanner is a starting point. Any skill requesting Google Workspace, Microsoft 365, or raw API credentials should go through manual security review.
OpenClaw itself is not malicious. It’s an impressive piece of engineering from a skilled developer. The security problems stem from the speed of adoption outrunning the speed of security review, which is exactly the pattern that played out with Docker containers, Kubernetes deployments, and npm packages before it. The difference is that AI agents don’t just store data or run code. They act autonomously, and they act fast.
Frequently Asked Questions
What is OpenClaw and why is it a security risk?
OpenClaw is a free, open-source AI agent with 157,000+ GitHub stars that runs locally and executes real-world tasks like sending emails, browsing the web, and managing files. It became a security risk because of a CVSS 8.8 remote code execution vulnerability (CVE-2026-25253), 341 malicious skills discovered in its ClawHub marketplace, and 24,478 internet-exposed instances found via Shodan scans.
What is the ClawHavoc malware campaign?
ClawHavoc is a malware campaign that planted 341 malicious skills (11.9% of the marketplace) in OpenClaw’s ClawHub skills marketplace. The primary payload was Atomic Stealer (AMOS), a macOS stealer that exfiltrates Keychain credentials, browser data, crypto wallets, and SSH keys. One attacker uploaded 354 malicious packages alone.
How do I detect OpenClaw on corporate devices?
Look for config directories (.openclaw, .clawdbot, .clawhub), monitor TCP ports 18789 and 18793, check for openclaw.ai DNS queries, and scan for process names containing “openclaw”. CrowdStrike offers a dedicated detection and removal content pack for Falcon for IT. Bitdefender provides an Osquery rule for process detection.
What was the Moltbook data breach?
Moltbook, a social network for OpenClaw AI agents, exposed 1.5 million API authentication tokens, 35,000 email addresses, and thousands of private messages due to a hardcoded Supabase API key in client-side JavaScript and missing Row Level Security policies. Security firm Wiz gained full database access in under 3 minutes.
Who created OpenClaw?
Peter Steinberger, an Austrian developer and Vienna University of Technology alumnus, created OpenClaw as a hobby project after selling his previous company PSPDFKit (now Nutrient) following a $116 million funding round from Insight Partners. He built the first prototype in an hour and made 6,600 commits in January 2026 alone.