OpenClaw, the viral open-source AI agent with 191,000+ GitHub stars, is facing the most significant security crisis in the AI agent ecosystem to date. As of March 2026, researchers have confirmed over 820 malicious skills on ClawHub (approximately 20% of the entire registry), multiple critical CVEs including a one-click RCE vulnerability, and more than 135,000 instances exposed to the public internet. This analysis, written by a cybersecurity professional with over 20 years of experience, breaks down every major threat vector and provides practical guidance for protection.
The Crisis by the Numbers
The scale of the OpenClaw security crisis becomes clear when you look at the data compiled from multiple independent research teams. These aren't theoretical risks: they are confirmed, documented attacks happening right now.
The research comes from some of the most respected names in cybersecurity. Koi Security discovered the initial ClawHavoc campaign. Kaspersky documented 512 vulnerabilities in their initial audit. Microsoft published deployment guidance. Cisco called OpenClaw "an absolute nightmare" from a security perspective. SecurityScorecard and Bitsight independently confirmed the scale of exposed instances worldwide.
For context, OpenClaw went from launch (November 2025) to 191,000+ GitHub stars in roughly three months, making it one of the fastest-growing open source projects in history. That speed of adoption far outpaced the security maturity of the platform.
The Malicious Skills Epidemic
The most immediate threat to OpenClaw users isn't a bug in the core platform; it's the skills ecosystem. Skills are plugins that extend OpenClaw's capabilities, and anyone can upload one to ClawHub.
The ClawHavoc Campaign
In late January 2026, Koi Security researcher Oren Yomtov audited all 2,857 skills on ClawHub and found 341 malicious entries, with 335 traced to a single coordinated campaign: ClawHavoc. The skills were disguised as high-demand productivity tools and distributed the Atomic macOS Stealer (AMOS), which exfiltrates files, crypto wallets, Keychain data, browser passwords, and cloud credentials.
The Scale Has Grown
Since Yomtov's discovery, the registry grew from 2,857 to over 10,700 skills. Malicious entries rose to over 820, roughly 20% of the ecosystem. Bitdefender places the figure at approximately 900. Antiy CERT reports even higher at 1,184.
The attack patterns mirror npm and PyPI supply chain attacks: typosquatting (handles like "aslaep123" mimicking "asleep123"), manufactured popularity metrics, and gamed reviews.
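One defender-side check for the typosquatting pattern described above, as an added example (not ClawHub or OpenClaw code): it compares a skill's publisher handle against a constructed allowlist of vetted handles using edit distance with adjacent transpositions, after folding look-alike characters such as "1" for "l". Only "asleep123" comes from the article; the other allowlist entries are placeholders.

```python
"""Typosquat check for ClawHub publisher handles (added example, not
ClawHub/OpenClaw code). Flags near-misses such as "aslaep123" vs "asleep123"."""

# Constructed allowlist of handles a team has already vetted. "asleep123" is the
# handle from the article; the other two are placeholders.
TRUSTED_HANDLES = {"asleep123", "openclaw-core", "example-vendor"}

# Characters commonly substituted to look alike in handles.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalize(handle: str) -> str:
    """Lower-case and fold look-alike characters before comparing."""
    return handle.lower().translate(_HOMOGLYPHS)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transpositions, so "aselep" is one edit from "asleep"."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_handle(handle: str, trusted=TRUSTED_HANDLES, max_distance: int = 2):
    """Return ("trusted", handle) on an exact match, ("suspicious", closest)
    when the handle is within max_distance of a trusted one, else ("unknown", None)."""
    if handle in trusted:
        return "trusted", handle
    norm = normalize(handle)
    best = None
    for t in trusted:
        dist = osa_distance(norm, normalize(t))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, t)
    return ("suspicious", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    for h in ("aslaep123", "as1eep123", "asleep123", "some-new-publisher"):
        print(h, "->", check_handle(h))
```

A "suspicious" result is a reason to stop and compare the publisher page by hand, not proof of malice; legitimate handles can also collide at distance 1 or 2.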
What Does a Malicious Skill Look Like?
Cisco demonstrated three attack vectors using a skill called "What Would Elon Do?": AI agents becoming covert data-leak channels bypassing traditional DLP, models becoming execution orchestrators, and manufactured popularity inflating malicious skills to the top of the registry.
Critical Vulnerabilities Explained
Nine CVEs have been disclosed since January 2026. The most critical:
CVE-2026-25253 (CVSS 8.8): One-Click RCE
The most dangerous vulnerability discovered. If the agent visits an attacker-controlled website, the authentication token is leaked via cross-site WebSocket hijacking. The attacker gains full administrative control. Patched in version 2026.1.29.
CVE-2026-24763: Docker Sandbox Bypass
Even after the initial RCE fix, the Docker sandbox could still be bypassed. Fixed in version 2026.1.30.
CVE-2026-25157: Command Injection
Combined with default insecure configuration (no auth, binding to all interfaces), this created a trivially exploitable attack chain. Fixed in version 2026.1.30.
Endor Labs disclosed six additional vulnerabilities in February 2026, including SSRF (CVE-2026-26322, CVSS 7.6), webhook auth bypass (CVE-2026-26319, CVSS 7.5), and path traversal.
135,000 Exposed Instances
SecurityScorecard found over 135,000 OpenClaw instances exposed to the public internet across 82 countries. The root cause: OpenClaw binds to 0.0.0.0:18789 by default, listening on all network interfaces including the public internet.
Over 15,000 instances were vulnerable to RCE specifically, and more than 53,000 correlated with prior breach activity. The US, China, and Singapore had the highest concentrations.
Who Is Affected?
This isn't just a hobbyist problem. Bitdefender confirms employees are deploying OpenClaw on corporate devices with no security review. The Dutch DPA warned organizations not to deploy it in systems handling sensitive data.
You should be concerned if you:
- Installed OpenClaw with default settings and connected messaging apps
- Installed ClawHub skills without reviewing source code
- Work at an organization where employees deployed OpenClaw without IT approval
- Are a macOS user (primary AMOS target)
- Run any version older than 2026.2.25
How to Protect Yourself
Essential Hardening Checklist
- Update immediately to version 2026.2.25 or later
- Enable authentication (disabled by default)
- Bind to localhost only: change the listen address from 0.0.0.0 to 127.0.0.1
- Audit every skill before installation, including its VirusTotal report
- Run in an isolated environment: a dedicated VM, not your workstation
- Use dedicated credentials, never your primary accounts
- Disable unused plugins to minimize attack surface
- Monitor outbound connections and watch for data exfiltration
- Review skills periodically: safe today does not mean safe tomorrow
- Consider pre-audited skills from sources with security review
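A quick way to verify the "bind to localhost" item above, and to spot the default 0.0.0.0:18789 exposure described in the exposed-instances section, as an added example that is not OpenClaw's own tooling: it parses `ss -ltn` style output (a constructed sample here) and reports whether port 18789 is bound to a wildcard or other reachable address instead of loopback.

```python
"""Listening-socket check for OpenClaw's default port 18789 (added example,
not OpenClaw tooling). Parses `ss -ltn` output and reports whether the port
is bound to a network-reachable address or to loopback only."""

OPENCLAW_PORT = 18789  # default gateway port named in the article
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample in the column layout of `ss -ltn` (not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    0.0.0.0:18789        0.0.0.0:*
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*
LISTEN  0       511     [::]:18789           [::]:*
LISTEN  0       128     127.0.0.1:18789      0.0.0.0:*
"""


def parse_listeners(ss_text: str):
    """Yield (local_address, port) for each LISTEN row; the header is skipped."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 brackets intact: "[::]:18789" -> ("[::]", "18789")
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield addr, int(port)


def classify_bindings(ss_text: str, port: int = OPENCLAW_PORT) -> dict:
    """Split the addresses bound to `port` into 'exposed' and 'local' lists."""
    result = {"exposed": [], "local": []}
    for addr, p in parse_listeners(ss_text):
        if p != port:
            continue
        # A specific non-loopback IP is still reachable, so only loopback counts as local.
        key = "local" if addr in LOOPBACK_ADDRS else "exposed"
        result[key].append(addr)
    return result


if __name__ == "__main__":
    # On a live Linux host, feed in subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    findings = classify_bindings(SAMPLE_SS_OUTPUT)
    print("exposed on 18789:", findings["exposed"] or "none", "| loopback:", findings["local"])
```

Any address in the "exposed" list means the gateway answers on a network interface; with authentication also left at its default, that is the configuration the 135,000-instance finding describes.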
The Case for Security-Audited Skills
The fundamental problem: there's no trust layer between skill creation and installation. ClawHub accepts uploads from anyone, VirusTotal scanning helps but misses sophisticated attacks, and users are left to review code themselves.
This is why I created OpenClaw Skills Packs. As a cybersecurity professional with over 20 years of experience, I review every skill pack before publishing. The collection includes 25 packs covering OSINT, cybersecurity, marketing, business operations, and more, with 169 rules and 24 agents.
Each skill is reviewed for:
- Prompt injection vectors and manipulation attempts
- Unauthorized data exfiltration or outbound communications
- Excessive permission requests beyond stated functionality
- Hidden functionality or obfuscated patterns
- Dependency chain risks and supply chain integrity
- Alignment with OWASP Agentic AI security categories
Learn more about the review methodology: Our Security Audit Process.
Frequently Asked Questions
Is OpenClaw safe to use in 2026?
It can be used safely but requires significant hardening. Default configuration is insecure. Update to 2026.2.25+, enable authentication, bind to localhost, and vet every skill.
How many malicious skills are on ClawHub?
Over 820 confirmed out of 10,700+ total (roughly 20%). ClawHavoc alone accounted for 335. Antiy CERT reports up to 1,184.
What is the ClawHavoc campaign?
A coordinated supply-chain attack: 335 malicious skills distributing the AMOS infostealer, disguised as productivity tools. Discovered by Koi Security.
Where can I find security-audited OpenClaw skills?
OpenClaw Skills Packs offers 25 pre-audited packs with 169 rules and 24 agents, reviewed by a cybersecurity professional with 20+ years of experience.
What is CVE-2026-25253?
Critical vulnerability (CVSS 8.8) enabling one-click RCE via cross-site WebSocket hijacking. Patched in version 2026.1.29, but many instances remain unpatched.
Last updated: March 3, 2026. This article is updated as new information becomes available.
