OpenClaw went from 9,000 GitHub stars to over 215,000 in a matter of weeks. It became one of the fastest-growing open-source projects in history, fueled by viral adoption and the promise of a self-hosted AI agent that could manage your email, calendars, and messaging platforms autonomously.

Then the security community got a look at it.

In under a month, OpenClaw has accumulated five security advisories including a one-click RCE, over 1,184 malicious skills on its marketplace, a prompt injection persistence mechanism that turns agents into C2 nodes, and a public warning from the Dutch Data Protection Authority telling people not to use it. Microsoft published an assessment calling it "untrusted code execution with persistent credentials" and said it should not run on any standard workstation.

Here is everything that happened, what it means, and what organizations should take away from it.


What is OpenClaw?

OpenClaw (formerly Clawdbot, originally Moltbot) is an open-source, self-hosted AI agent runtime. It runs as a long-running Node.js service on your machine, connects to various chat platforms (WhatsApp, Discord, Signal, Telegram), and routes messages to LLM backends like Claude, GPT, and DeepSeek to execute real-world tasks autonomously.[1]

The architecture is built around a skills ecosystem. Skills are extensions published to ClawHub, the official marketplace, where anyone with a GitHub account older than one week can upload code. The agent reads SKILL.md files for instructions, HEARTBEAT.md for recurring tasks, and SOUL.md for persistent behavioral directives. All of these files are writable by the agent itself.

On February 14, 2026, the creator announced he would be joining OpenAI and the project would move to an open-source foundation. At that point, the security problems were already well underway.[1]


The critical CVEs

Five security advisories dropped in under a week. Three of them are high-severity command injection and authentication bypass vulnerabilities.

CRITICAL CVE-2026-25253 CVSS 8.8

The OpenClaw Control UI accepted a gatewayUrl parameter from the query string and automatically established a WebSocket connection to it, transmitting the user's authentication token without any confirmation prompt. An attacker could craft a single malicious link that, when clicked, redirected the victim's OpenClaw client to an attacker-controlled WebSocket server. One click: token exfiltration, gateway takeover, remote code execution. Even localhost-bound instances were exploitable via cross-site WebSocket hijacking. Researcher Maor Dayan identified 42,665 exposed instances, with 5,194 actively verified as vulnerable and 93.4% exhibiting authentication bypass conditions.[2][3]
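
The pattern behind that CVE, and the check a control UI should apply instead, as an added example that is not OpenClaw's code. The default gateway address, the allowlist shape and all function names are assumptions made for the example.

```javascript
// Added example, not OpenClaw's code: how a control UI should treat a gateway
// address arriving in the query string, given the CVE-2026-25253 pattern above.
// DEFAULT_GATEWAY, the allowlist shape and all function names are hypothetical.
const DEFAULT_GATEWAY = 'ws://127.0.0.1:18789';
const LOOPBACK_HOSTS = new Set(['127.0.0.1', 'localhost', '[::1]']);

// Vulnerable shape, for contrast: whatever ?gatewayUrl= says is connected to
// immediately, and the token travels with the connection.
function resolveGatewayUnsafe(search, token) {
  const url = new URLSearchParams(search).get('gatewayUrl') || DEFAULT_GATEWAY;
  return { url, token, connect: true };
}

// Hardened: the default or a loopback address connects; an operator-configured
// wss:// origin connects; anything else is shown to the user and never
// auto-connected, so the token never leaves for an origin nobody chose in advance.
function resolveGateway(search, allowlist = []) {
  const raw = new URLSearchParams(search).get('gatewayUrl');
  if (raw === null) return { url: DEFAULT_GATEWAY, connect: true, reason: 'default' };
  let u;
  try { u = new URL(raw); } catch { return { url: null, connect: false, reason: 'unparseable' }; }
  if (u.protocol !== 'ws:' && u.protocol !== 'wss:') {
    return { url: null, connect: false, reason: 'not a websocket url' };
  }
  if (LOOPBACK_HOSTS.has(u.hostname)) return { url: u.origin, connect: true, reason: 'loopback' };
  const allowed = allowlist.some((e) => new URL(e).origin === u.origin);
  if (allowed && u.protocol === 'wss:') return { url: u.origin, connect: true, reason: 'allowlisted' };
  return { url: u.origin, connect: false, reason: allowed ? 'allowlisted but not wss' : 'not allowlisted' };
}

// Gateway side: a page on any site can open a WebSocket to localhost, which is
// the cross-site hijacking case, so the gateway checks Origin before upgrading.
function gatewayAcceptsOrigin(originHeader, allowedOrigins) {
  if (originHeader === undefined) return true;   // no Origin: not a browser page; token auth still applies
  let o;
  try { o = new URL(originHeader).origin; } catch { return false; }  // 'null' and junk are rejected
  return allowedOrigins.includes(o);
}
```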

HIGH CVE-2026-25157

The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host.[4]
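
The string-building shape described for this CVE next to a version that validates and quotes the path before it reaches the remote shell, as an added example that is not OpenClaw's code; the function names and the error-message wording are assumptions.

```javascript
// Added example, not OpenClaw's code: the string-building shape behind
// CVE-2026-25157 beside a version that quotes the path before the remote shell
// sees it. Function names are hypothetical.

// Vulnerable shape: the project path is interpolated raw into the script, so
// when cd fails it is also raw inside the echo, and the remote shell parses it.
function buildRemoteScriptUnsafe(projectPath, command) {
  return `cd ${projectPath} || { echo "cd failed: ${projectPath}"; exit 1; }; ${command}`;
}

// POSIX single quoting: inside '...' nothing is special, so the only character
// to escape is a literal ', written as '\'' (close, escaped quote, reopen).
function shellQuote(value) {
  return `'${String(value).replace(/'/g, `'\\''`)}'`;
}

// Defence in depth: a project path has no business containing shell
// metacharacters or parent-directory segments, so reject those before quoting.
function isSafeProjectPath(projectPath) {
  return /^\/[A-Za-z0-9._\/-]+$/.test(projectPath) && !/(^|\/)\.\.(\/|$)/.test(projectPath);
}

function buildRemoteScript(projectPath, command) {
  if (!isSafeProjectPath(projectPath)) {
    throw new Error('refusing project path: ' + JSON.stringify(projectPath));
  }
  const p = shellQuote(projectPath);
  return `cd ${p} || { echo "cd failed:" ${p}; exit 1; }; ${command}`;
}
```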

HIGH CVE-2026-24763

A command injection in OpenClaw's Docker sandbox execution mechanism. Unsafe handling of the PATH environment variable when constructing shell commands allowed an authenticated user to influence command execution within the container context, leading to unauthorized access or complete container compromise.[5]

All three CVEs were disclosed in rapid succession. Censys tracked exposed instance growth from roughly 1,000 to over 21,000 between January 25 and 31 alone.[3]


ClawHavoc: the supply chain attack that poisoned the marketplace

This is where it gets worse.

Koi Security conducted a comprehensive audit of ClawHub and found 341 malicious skills, with 335 traced to a single coordinated operation they dubbed "ClawHavoc." The findings were published on February 1, 2026. By February 16, the marketplace had grown from 2,857 to over 10,700 skills, and the malicious count had more than doubled to 824. Later reports linked 1,184 malicious packages to 12 publisher accounts.[6][7]

The attack was not subtle, but it was effective. Malicious skills masqueraded as legitimate tools: solana-wallet-tracker, youtube-summarize-pro, cryptocurrency bots, and productivity integrations. Each one had professional documentation with a "Prerequisites" section instructing users to install a fake "openclaw-agent" utility. That utility was malware.[7][8]

The primary payload: Atomic macOS Stealer (AMOS)

AMOS is a commodity infostealer available as malware-as-a-service for roughly $500 to $1,000 per month. It harvests browser credentials, Apple Keychain passwords, data from over 60 cryptocurrency wallets, SSH keys, and files from standard directories. In AI agent environments, it also steals API keys and auth tokens. The Windows variant delivered a VMProtect-packed executable. Secondary techniques included reverse shell backdoors embedded in functional code and credential exfiltration to external webhook services.[8][9]

Trend Micro's analysis of the SKILL.md-based attack chain found that GPT-4o models could be tricked into silently installing the malware or repeatedly prompting users to install a fake "driver." Claude Opus 4.5 successfully identified the deception and refused.[9]

The root cause was structural. ClawHub was open by default with minimal vetting. The only requirement to publish a skill was a GitHub account older than one week. No code review. No security scanning. No approval process. Just upload and distribute.


41.7% of popular skills contain security vulnerabilities

ClawSecure conducted an independent audit of 2,890+ OpenClaw skills from the community-curated "awesome-openclaw-skills" list and the official repository. The results are grim.[10]

Snyk's independent "ToxicSkills" study scanned 3,984 skills from ClawHub and skills.sh. It found prompt injection in 36% of them, 1,467 malicious payloads, and that 91% of the malicious ClawHub skills combined prompt injection with traditional malware techniques.[11]


Prompt injection, persistence, and cognitive rootkits

The vulnerability classes in OpenClaw go beyond traditional software bugs. The architecture's reliance on writable memory files creates attack surfaces that have no equivalent in conventional applications.

HEARTBEAT.md as a C2 channel

OpenClaw's architecture includes a "heartbeat checklist" file that the agent reads at regular intervals, defaulting to every 30 minutes. If a HEARTBEAT.md file exists in the workspace, the system prompt tells the agent to read and execute its contents.[12]

VirusTotal documented the cgallic/wake-up skill, which installs a HEARTBEAT.md file and instructs the agent to process it every 4 hours. The file ensures the agent remains connected to a command-and-control server at mydeadinternet.com, receiving new instructions, uploading data, and checking for updates. The skill also operationalizes propagation through gamified infection metrics, tracking "infections" via API endpoints and functioning like a semantic worm.[12]

Cognitive rootkits

The jeffreyling/devinism skill persists by injecting behavioral directives into SOUL.md and AGENTS.md files, permanently modifying agent decision-making. As VirusTotal put it: "If an attacker can append a single line there, they can influence every future decision the agent makes."[12]

This is a new class of attack. Memory files (SOUL.md, HEARTBEAT.md, AGENTS.md) are all writable by the agent itself. If an attacker tricks the agent into writing malicious instructions into these files, the attack persists across restarts and chat resets, becoming part of the agent's permanent operating system. There is no traditional file integrity monitoring or code signing that applies here because the "code" is natural language.

Reverse shells in plain sight

The noreplyboter/better-polymarket skill establishes an interactive bash reverse shell using /dev/tcp sockets to hardcoded infrastructure at 54.91.154.110:13338, persisting via nohup. No obfuscation. No encoding. Just a raw reverse shell in a published skill.[12]


Enterprise exposure is worse than you think

Token Security found that 22% of its enterprise customers have employees running OpenClaw without IT approval. This is shadow AI with elevated system privileges on corporate endpoints.[13]

Security vendor Noma reported that 53% of its enterprise customers gave OpenClaw privileged access over a single weekend. Bitdefender GravityZone telemetry confirmed OpenClaw deployments on corporate endpoints constituting shadow AI. Over 30,000 internet-exposed instances were identified across 52 countries, many without authentication.[13][14]

The compounding risk: unauthorized deployments are running with elevated privileges, connecting to LLM backends with API keys, accessing email and messaging platforms, and executing skills from a marketplace where 41.7% of entries have security vulnerabilities. And nobody in IT knows it's happening.


Institutional responses

Microsoft: "Not appropriate for standard workstations"

Microsoft published a detailed security blog on February 19, 2026, titled "Running OpenClaw safely: identity, isolation, and runtime risk." The assessment is blunt.[15]

OpenClaw includes limited built-in security controls. The runtime can ingest untrusted text, download and execute skills from external sources, and perform actions using assigned credentials. This shifts the execution boundary from static application code to dynamically supplied content without equivalent controls. Microsoft identified three key risks:[15]

  1. Credentials and accessible data may be exposed or exfiltrated
  2. The agent's persistent state can be modified to follow attacker-supplied instructions over time
  3. The host environment can be compromised if the agent is induced to retrieve and execute malicious code

Microsoft's recommendation: if evaluated at all, deploy only in a fully isolated environment (dedicated VM or separate physical system) with dedicated non-privileged credentials, access only to non-sensitive data, continuous monitoring, and a rebuild plan. OpenClaw should be treated as "untrusted code execution with persistent credentials."[15]

Dutch Data Protection Authority: formal warning

The Autoriteit Persoonsgegevens (AP) issued a formal warning describing AI agents like OpenClaw as potential "Trojan horses" that attackers can exploit. The AP urged individuals and organizations to avoid using OpenClaw on devices containing sensitive or confidential information: financial records, customer data, personal documents. Both users and developers remain responsible for GDPR compliance regardless of whether the AI system is open source.[16]

VirusTotal partnership

OpenClaw partnered with VirusTotal to scan all skills published to ClawHub. Every uploaded skill is hashed using SHA-256 and checked against VirusTotal's threat intelligence database. Unknown hashes trigger deeper inspection via Code Insight. Benign verdicts are auto-approved, suspicious skills receive a warning, and malicious skills are blocked. All active skills are re-scanned daily.[17]

OpenClaw maintainers acknowledged that VirusTotal scanning is "not a silver bullet" and that some cleverly concealed prompt injection payloads may slip through. Version 2026.2.12, released February 13, patched over 40 vulnerabilities including SSRF protections, browser/web tool output sanitization, sandbox isolation improvements, and heartbeat logic hardening. Subsequent releases (v2026.2.14, v2026.2.23) continued addressing discovered issues.[17][18]


What this means for AI agent security

OpenClaw is not an isolated case. It is the first high-profile example of what happens when an AI agent runtime achieves mass adoption without security architecture to match. Every vulnerability class exposed here applies to the broader AI agent ecosystem.

The attack surface is architectural

The core issue is not individual bugs. It is the architecture. An AI agent runtime that can ingest untrusted text, download and execute extensions from external sources, write to its own persistent memory, and perform actions using real credentials is, by definition, an execution environment that needs the same security controls as any other runtime: supply chain verification, code signing, sandboxing, least-privilege access, input validation, output sanitization, and audit logging. OpenClaw launched without most of these.

Supply chain attacks scale differently with AI

Traditional supply chain attacks target package managers and build systems. AI agent supply chain attacks target the agent's decision-making itself. A malicious SKILL.md file does not need to exploit a buffer overflow or inject shellcode. It just needs to convince the agent to do something, and agents are designed to follow instructions. This is a fundamentally different threat model that requires fundamentally different defenses.

Prompt injection is persistence

In traditional security, persistence means writing to the filesystem, registry, or scheduled tasks. In AI agent security, persistence means writing to the agent's memory files. A single successful prompt injection that modifies SOUL.md or HEARTBEAT.md gives the attacker influence over every future decision the agent makes, across restarts, across conversations, indefinitely. There is no antivirus signature for a natural language instruction.

Shadow AI is the new shadow IT

When 22% of enterprise customers have unauthorized OpenClaw instances and 53% granted privileged access over a single weekend, the adoption speed is outpacing every security control. This is shadow IT all over again, except this time the unauthorized tool has credentials, API access, and the ability to execute code autonomously.


What organizations should do right now

  1. Audit for OpenClaw instances. Check corporate endpoints, cloud instances, and network traffic for OpenClaw deployments. Many will be unauthorized.
  2. If running OpenClaw, isolate it immediately. Follow Microsoft's guidance: dedicated VM, non-privileged credentials, no access to sensitive data, continuous monitoring.
  3. Review all installed skills. Use Koi Security's Clawdex scanner or ClawSecure to scan installed skills for known malicious indicators.
  4. Update to the latest version. Version 2026.2.23 or later includes the most recent security patches.
  5. Treat AI agents as attack surfaces. Apply the same security rigor you apply to web applications and APIs: threat modeling, access control reviews, penetration testing, configuration audits.
  6. Establish an AI agent policy. Define which AI tools are approved, what access they can have, and what review process is required before deployment.
  7. Monitor memory files. Implement file integrity monitoring for SOUL.md, HEARTBEAT.md, AGENTS.md, and any other agent-writable configuration files.
  8. Test your AI systems. Prompt injection testing, agent permissions audits, and tool/API reviews are now as necessary as traditional penetration testing.

Bottom line

OpenClaw's security crisis is not a failure of one project. It is a preview of what happens when AI agents ship at startup speed without security architecture to match. The vulnerability classes seen here (supply chain poisoning, prompt injection persistence, credential exposure, shadow adoption) will apply to every AI agent platform that follows.

The organizations that start treating AI agent security with the same rigor as application security will be ahead. The organizations that wait for their own OpenClaw moment will be scrambling.

Sources

  1. OpenClaw Wikipedia page; DigitalOcean, "What is OpenClaw." wikipedia.org
  2. NVD, "CVE-2026-25253." nvd.nist.gov
  3. SOCRadar, "CVE-2026-25253 RCE OpenClaw Auth Token Analysis," February 2026; runZero, "OpenClaw RCE." socradar.io
  4. NVD, "CVE-2026-25157." cvedetails.com
  5. NVD, "CVE-2026-24763." nvd.nist.gov
  6. Koi Security, "ClawHavoc: 341 Malicious Clawdbot Skills Found by the Bot They Were Targeting," February 2026. koi.ai
  7. The Hacker News, "Researchers Find 341 Malicious ClawHub Skills," February 2026; CyberPress, "1,184 Malicious Skills." thehackernews.com
  8. eSecurity Planet, "Hundreds of Malicious Skills Found in OpenClaw's ClawHub," February 2026. esecurityplanet.com
  9. Trend Micro, "Malicious OpenClaw Skills Distribute Atomic macOS Stealer," February 2026. trendmicro.com
  10. eSecurity Planet, "Over 41% of Popular OpenClaw Skills Found to Contain Security Vulnerabilities"; SecurityWeek, "OpenClaw Security Issues Continue." esecurityplanet.com
  11. Snyk, "ToxicSkills: Malicious AI Agent Skills on ClawHub," February 2026. snyk.io
  12. VirusTotal, "From Automation to Infection Part II: Reverse Shells, Semantic Worms, and Cognitive Rootkits," February 2026. blog.virustotal.com
  13. The Biggish, "OpenClaw's Security Flaws Expose Enterprise Risk: 22% of Deployments Unauthorized," February 2026. thebiggish.com
  14. CSO Online, "OpenClaw Integrates VirusTotal as Security Firms Flag Enterprise Risks," February 2026; American Banker, "OpenClaw AI Creates Shadow IT Risks for Banks." csoonline.com
  15. Microsoft Security Blog, "Running OpenClaw Safely: Identity, Isolation, and Runtime Risk," February 19, 2026. microsoft.com
  16. Autoriteit Persoonsgegevens, "AP Warns of Major Security Risks with AI Agents Like OpenClaw," February 2026. autoriteitpersoonsgegevens.nl
  17. OpenClaw Blog, "VirusTotal Partnership"; The Hacker News, "OpenClaw Integrates VirusTotal Scanning," February 2026. thehackernews.com
  18. CyberSecurity News, "OpenClaw 2026.2.12 Released With Fix for 40+ Security Issues," February 2026. cybersecuritynews.com

Deploying AI Agents in Your Organization?

We help organizations assess their AI agent attack surface: permissions audits, prompt injection testing, credential exposure, and supply chain reviews.


Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.