The fastest-growing open-source project in GitHub history is also 2026's most significant cybersecurity incident. Here's what happened, why it matters, and how to protect yourself.
It took OpenClaw roughly three weeks to go from viral sensation to multi-vector enterprise threat. [¹] That timeline alone should make anyone building or deploying agentic AI systems sit up and pay very close attention.
OpenClaw is an open-source, self-hosted AI agent framework created by Austrian developer Peter Steinberger. Originally launched as Clawdbot in November 2025, it was renamed "Moltbot" on January 27, 2026, following trademark complaints by Anthropic, and again to "OpenClaw" three days later. [²] By late January 2026, it had crossed 180,000 GitHub stars — outpacing React's entire growth trajectory — and attracted over two million visitors in a single week. On February 14, 2026, Steinberger announced he was joining OpenAI to lead personal agent development, with the project transitioning to an independent, OpenAI-sponsored foundation. [³]
The appeal is straightforward: a persistent, always-on AI assistant that runs locally on your machine, connects through familiar messaging platforms like WhatsApp, Slack, Telegram, and Discord, and can autonomously execute real-world tasks. [⁴] It manages your email. Runs terminal commands. Browses the web. Controls your calendar. It doesn't just observe — it acts on your behalf. [⁵]
And therein lies the problem. For OpenClaw to do what it does, it needs broad system access — your files, your credentials, your APIs, your connected services. [⁶] Every integration you grant it becomes part of the blast radius if the agent is compromised. As one security expert put it, some have already dubbed OpenClaw "the biggest insider threat of 2026." [⁷]
We've spent years learning that package managers and open-source registries can become supply chain attack vectors. Agent skill registries are the next chapter — except the "package" is often a markdown file, and the execution boundary collapses the moment your agent reads it. [⁸]
OpenClaw's capabilities are extended through "skills" — community-built plugins available through ClawHub, its open marketplace. [⁹] Within weeks of OpenClaw going viral, security researchers uncovered a coordinated campaign now tracked as ClawHavoc: as of the most recent comprehensive count, over 1,184 malicious skills have been identified across the ClawHub registry, representing roughly one in five packages in the entire ecosystem. [¹⁰]
The attack pattern is elegant in its simplicity. You install what appears to be a legitimate skill — maybe a Solana wallet tracker, a YouTube summarizer, or a Polymarket trading bot. The documentation looks professional. But tucked inside a "Prerequisites" section is a request to install a fake dependency called openclaw-core, complete with platform-specific installation instructions. [¹¹] On Windows, it's a password-protected ZIP hosted on GitHub that prevents automated scanners from inspecting the contents. On macOS, users are directed to a pastebin service hosting a base64-encoded command that downloads and executes a script from an attacker-controlled domain. [¹²]
The malware delivered? Primarily Atomic Stealer (AMOS), a macOS information stealer that exfiltrates credentials, browser data, and crypto wallets. [¹³] But the campaign extended well beyond a single payload. Researchers found skills embedding reverse shell backdoors directly into otherwise functional code, triggering compromise during normal use. Others quietly exfiltrated OpenClaw bot credentials from configuration files to external webhook services. In one notable case, a skill masquerading as a Polymarket tool opened an interactive shell to the attacker's server, granting full remote control of the victim's system. [¹⁴]
The categories targeted were chosen with surgical precision: cryptocurrency tools (111 skills), YouTube utilities (57 skills), Polymarket bots (34 skills), ClawHub typosquats (29 skills), and — in a particularly dark bit of irony — auto-updaters (28 skills). [¹⁵] Updated scans have even identified fake security-scanning skills among the malicious entries. [¹⁶]
The most chilling example? When Cisco's AI Defense team tested ClawHub's most popular community skill — one that had been gamed to the #1 ranking — they found nine security vulnerabilities, two of them critical. The skill silently exfiltrated data to attacker-controlled servers and used direct prompt injection to bypass safety guidelines. It had been downloaded thousands of times. [¹⁷]
Running in parallel with the supply chain campaign was the disclosure of CVE-2026-25253 (CVSS 8.8), a vulnerability that researchers described as completing in "milliseconds." [¹⁸] The flaw exploited a design weakness in OpenClaw's Control UI: it accepted a gatewayUrl query parameter from the URL without validation and automatically initiated a WebSocket connection to the specified address, transmitting the user's authentication token as part of the handshake. [¹⁹]
The attack chain was devastatingly simple: [²⁰]
Multiple scanning teams identified over 30,000 exposed OpenClaw instances publicly accessible on the internet, many running without authentication. [²¹] Misconfigured instances were found leaking API keys, OAuth tokens, and plaintext credentials. [²²] That same week, Moltbook — a social network built exclusively for OpenClaw agents — was found to have an unsecured database exposing 35,000 email addresses and 1.5 million agent API tokens. [²³]
Making matters worse, versions of the RedLine and Lumma infostealers have already been updated to include OpenClaw file paths in their credential-harvesting routines. [²⁴] The agent's persistent memory means any data it accesses remains available across sessions, compounding the exposure. [²⁵]
A separate vulnerability — a log poisoning flaw — allowed attackers to write malicious content to log files via WebSocket requests. Since the agent reads its own logs to troubleshoot certain tasks, this created a vector for indirect prompt injection that could manipulate the agent's reasoning and guide it to reveal sensitive context or misuse connected integrations. [²⁶]
Traditional software supply chain attacks compromise a library that runs in a sandboxed or limited context. Agent supply chain attacks are fundamentally different because the compromised component inherits the agent's entire permission set — terminal access, file system access, credential stores, connected APIs, and often persistent memory that captures how you think and what you're working on. [²⁷]
Microsoft's security team stated it bluntly: OpenClaw should be treated as "untrusted code execution with persistent credentials." It is not appropriate to run on a standard personal or enterprise workstation. [²⁸]
The implications extend far beyond OpenClaw itself. The Agent Skills format — a SKILL.md file plus optional scripts — is becoming a portable standard across agent ecosystems. A malicious skill isn't just an OpenClaw problem; it's a distribution mechanism that can travel across any platform supporting the same format, including coding agents like Claude Code and Cursor. [²⁹]
Snyk's ToxicSkills research confirmed the breadth of the problem: their audit of 3,984 skills found that 36% were vulnerable to prompt injection, and they confirmed 76 malicious payloads designed for credential theft, backdoor installation, and data exfiltration. [³⁰] Separately, a security analysis found that roughly 7.1% of ClawHub skills expose sensitive credentials in plaintext through the LLM's context window and output logs. [³¹]
If you're running OpenClaw — or any autonomous AI agent — here's how to reduce your exposure.
OpenClaw version 2026.2.26 patches the ClawJacked vulnerability and several command injection bugs. If you're on an older version, you are actively exposed.[³²] Treat agent framework updates with the same urgency as critical OS security patches. [³³]
openclaw update
openclaw --version # confirm 2026.2.26+
Microsoft Defender's recommendation is unambiguous: do not run OpenClaw on a standard personal or enterprise workstation. Deploy it only in a fully isolated environment — a dedicated virtual machine, container, or separate physical system. The agent should use dedicated, non-privileged credentials and access only non-sensitive data.
If you must evaluate it, treat the host as expendable and rebuildable.
ClawHub has no mandatory security review and no permission scope enforcement. The burden of vetting falls entirely on you. [³⁴]
Before installing any skill:
mcp-scan or the community-built validator-agent skill to check for known malicious patterns before installation. [³⁵]Authentication is disabled by default in OpenClaw. Enable it immediately. Ensure the gateway is not exposed to the public internet. If it is, assume it has already been compromised.
Every service you grant OpenClaw access to is compromised if OpenClaw is compromised. [³⁷] Audit what credentials and capabilities each instance has been granted and revoke anything that isn't actively needed.
AI agents authenticate, hold credentials, and take autonomous actions. They need to be governed with the same rigor as human user accounts and service accounts.
This means:
If your agent processes external content — emails, web pages, Slack messages, PDFs — any of that content can contain hidden instructions. [³⁸] An attacker can embed prompt injections in an email that, when processed by your agent, causes it to exfiltrate data or execute commands.
This isn't hypothetical. Researchers demonstrated an indirect prompt injection embedded in a web page that, when summarized by OpenClaw, caused the agent to append attacker-controlled instructions to its own workspace files and silently await further commands from an external server.
If you've been running OpenClaw with skills installed from ClawHub, especially anything crypto-related, assume compromise and investigate:
/tmp or AppData folders.OpenClaw isn't an anomaly — it's a preview. Microsoft's Copilot, Anthropic's Claude, OpenAI's agents, and a growing constellation of enterprise platforms are all moving toward autonomous agents that take action on behalf of users. [³⁹] The question isn't whether this evolution will continue. It's whether we'll have the governance frameworks, security standards, and collective discipline to make it survivable.
On February 17, 2026, NIST launched the AI Agent Standards Initiative through its Center for AI Standards and Innovation (CAISI), aiming to foster industry-led technical standards and protocols that build public trust in AI agents while ensuring they can function securely and interoperate across the digital ecosystem.[⁴⁰] The initiative includes a Request for Information on AI Agent Security and a concept paper on AI Agent Identity and Authorization. [⁴¹]
Singapore's Infocomm Media Development Authority (IMDA) moved even earlier, launching the Model AI Governance Framework for Agentic AI at the World Economic Forum on January 22, 2026 — the world's first governance framework specifically designed for autonomous AI agents. It provides guidance across four dimensions: assessing and bounding risks, making humans meaningfully accountable, implementing technical controls, and enabling end-user responsibility. [⁴²]
China's Ministry of Industry and Information Technology issued a security alert on February 5, 2026, warning that improper deployment of OpenClaw could expose systems to cyberattacks and data leaks, and urging organizations to conduct thorough audits of public network exposure and implement robust authentication and access controls. [⁴³] As recently as today, China's CNCERT/CC issued an additional advisory highlighting prompt injection and misoperation risks specific to OpenClaw. [⁴⁴]
Mastercard is building a framework for agentic commerce designed to ensure agents can safely transact on behalf of users, noting that the danger of autonomous agents being commandeered to redirect and steal money is a real threat that must be addressed through widely recognized and globally harmonized AI security standards. [⁴⁵]
These are necessary efforts. But the OpenClaw crisis has demonstrated with uncomfortable clarity that the gap between what agents can do and what we know how to secure remains dangerously wide. As SOCRadar's CISO Ensar Seker observed, the risk isn't the agent itself — it's exposing autonomous tooling to public networks without hardened identity, access control, and execution boundaries.
For those of us building in this space — especially those of us working on domain-specific languages, governance frameworks, and security architectures for AI systems — the message is clear: the attack surface has fundamentally changed, and our security models need to change with it.
[1] Conscia, "The OpenClaw security crisis," February 2026. https://conscia.com/blog/the-openclaw-security-crisis/
[2] Wikipedia, "OpenClaw," updated March 2026. https://en.wikipedia.org/wiki/OpenClaw
[3] TechCrunch, "OpenClaw creator Peter Steinberger joins OpenAI," February 15, 2026. https://techcrunch.com/2026/02/15/openclaw-creator-peter-steinberger-joins-openai/ — See also Steinberger's personal announcement: https://steipete.me/posts/2026/openclaw
[4] Reco.ai, "OpenClaw: The AI Agent Security Crisis Unfolding Right Now," March 2026. https://www.reco.ai/blog/openclaw-the-ai-agent-security-crisis-unfolding-right-now
[5] Bitsight, "OpenClaw Security: Risks of Exposed AI Agents Explained," February 2026. https://www.bitsight.com/blog/openclaw-ai-security-risks-exposed-instances
[6] Mastercard, "OpenClaw and the urgent need for AI security standards," March 2026. https://www.mastercard.com/us/en/news-and-trends/stories/2026/openclaw-ai-security-standards.html
[7] Kaspersky, "Key OpenClaw risks, Clawdbot, Moltbot," February 2026. https://www.kaspersky.com/blog/moltbot-enterprise-risk-management/55317/
[8] 1Password, "From magic to malware: How OpenClaw's agent skills become an attack surface," February 2, 2026. https://1password.com/blog/from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface
[9] Dark Reading, "Critical OpenClaw Vulnerability Exposes AI Agent Risks," March 2026. https://www.darkreading.com/application-security/critical-openclaw-vulnerability-ai-agent-risks
[10] CyberDesserts, "OpenClaw Security Risks: Malicious Skills, Exposed Instances," updated March 1, 2026. https://blog.cyberdesserts.com/openclaw-malicious-skills-security/ — Antiy CERT confirmed 1,184 illicit skills as reported in this comprehensive analysis.
[11] Koi Security, "ClawHavoc: 341 Malicious Clawed Skills Found by the Bot They Were Targeting," February 2026. https://www.koi.ai/blog/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting
[12] Snyk, "How a Malicious Google Skill on ClawHub Tricks Users Into Installing Malware," February 2026. https://snyk.io/blog/clawhub-malicious-google-skill-openclaw-malware/
[13] Conscia [1]; see also Trend Micro findings reported in The Hacker News, "ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket," March 2026. https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html
[14] eSecurity Planet, "Hundreds of Malicious Skills Found in OpenClaw's ClawHub," February 3, 2026. https://www.esecurityplanet.com/threats/hundreds-of-malicious-skills-found-in-openclaws-clawhub/
[15] Koi Security [11]. Updated category data from the February 16 scan update in the same report.
[16] Koi Security [11], February 16, 2026 update noting approximately 25 new attack categories including fake security-scanning skills.
[17] AuthMind, "OpenClaw's 230 Malicious Skills: What Agentic AI Supply Chains Teach Us," February 2026. https://www.authmind.com/blogs/openclaw-malicious-skills-agentic-ai-supply-chain — Citing Cisco AI Defense team findings.
[18] Reco.ai [4], reporting that security researchers confirmed the attack chain completes in "milliseconds."
[19] Conscia [1], detailing CVE-2026-25253 (CWE-669, CVSS 8.8) and the gatewayUrl parameter exploitation.
[20] Oasis Security, "ClawJacked: OpenClaw Vulnerability Enables Full Agent Takeover," March 2026. https://www.oasis.security/blog/openclaw-vulnerability
[21] Bitsight [5] (30,000+ instances); see also Conscia [1] citing Censys, Bitsight, and Hunt.io scanning data.
[22] Reco.ai [4], noting misconfigured instances leaking API keys, OAuth tokens, and plaintext credentials.
[23] Reco.ai [4], reporting the Moltbook unsecured database exposure.
[24] Kaspersky [7], detailing default configuration weaknesses including disabled authentication, Guest Mode risks, mDNS leakage, and plaintext credential storage. See also note regarding RedLine and Lumma infostealers targeting OpenClaw file paths.
[25] Reco.ai [4], noting that the agent's persistent memory means accessed data remains available across sessions.
[26] The Hacker News [13], reporting on the log poisoning vulnerability (patched in v2026.2.13) and the Eye Security analysis of indirect prompt injection through agent log reading.
[27] 1Password [8]; see also AuthMind [17] on the distinction between traditional package compromise and agent skill compromise with autonomous execution capability.
[28] Microsoft Security Blog, "Running OpenClaw safely: identity, isolation, and runtime risk," February 19, 2026. https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/
[29] 1Password [8], noting the portability of the Agent Skills format including SKILL.md; Snyk ToxicSkills [30] confirming the cross-ecosystem risk.
[30] Snyk, "ToxicSkills Study of Agent Skills Supply Chain Compromise," February 5, 2026. https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/
[31] The Hacker News, "OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills," February 2026. https://thehackernews.com/2026/02/openclaw-integrates-virustotal-scanning.html — Reporting on the indirect prompt injection via HEARTBEAT.md, the 7.1% credential exposure finding, and the Ensar Seker quote.
[32] DEV Community (up2itnow), "71 Malicious Skills Found on ClawHub. Here's How to Protect Your Agent," March 2026. https://dev.to/up2itnow0822/71-malicious-skills-found-on-clawhub-heres-how-to-protect-your-agent-509g
[33] Oasis Security [20], providing update, audit, and governance recommendations.
[34] DEV Community [32], noting the absence of mandatory security review on ClawHub.
[35] Snyk [12], recommending mcp-scan for scanning SKILL.md files; DEV Community [32] on the validator-agent skill.
[36] Snyk [12], reporting ClawHub's new controls: one-week account age requirement, community reporting, and automatic hiding of skills with 3+ reports.
[37] Bitsight [5], detailing the cascading compromise risk across connected services including mailboxes, GitHub repositories, and smart home devices.
[38] Mastercard [6], describing prompt injection as a "uniquely problematic and increasingly common AI security threat" for agentic systems.
[39] AuthMind [17], noting the broader industry trajectory toward autonomous agents across Microsoft, Anthropic, OpenAI, and enterprise platforms.
[40] NIST, "Announcing the AI Agent Standards Initiative for Interoperable and Secure Innovation," February 17, 2026. https://www.nist.gov/news-events/news/2026/02/announcing-ai-agent-standards-initiative-interoperable-and-secure
[41] NIST CAISI, "AI Agent Standards Initiative," updated February 18, 2026. https://www.nist.gov/caisi/ai-agent-standards-initiative — See also Federal Register RFI (NIST-2025-0035): https://www.federalregister.gov/documents/2026/01/08/2026-00206/request-for-information-regarding-security-considerations-for-artificial-intelligence-agents
[42] Singapore IMDA, "Singapore Launches New Model AI Governance Framework for Agentic AI," January 22, 2026. https://www.imda.gov.sg/resources/press-releases-factsheets-and-speeches/press-releases/2026/new-model-ai-governance-framework-for-agentic-ai
[43] Reuters, "China warns of security risks linked to OpenClaw open-source AI agent," February 5, 2026. https://www.investing.com/news/economy-news/china-warns-of-security-risks-linked-to-openclaw-opensource-ai-agent-4486808
[44] CGTN, "China's internet emergency center issues OpenClaw security alert," March 10, 2026. https://news.cgtn.com/news/2026-03-10/China-s-internet-emergency-center-issues-OpenClaw-security-alert-1Lp96HIJQyY/p.html
[45] Mastercard [6], describing the framework for agentic commerce and the need for globally harmonized AI security standards.
