In just three months, an open-source AI agent called OpenClaw became one of the fastest-growing software projects in GitHub history — surpassing React’s star count and triggering a Mac mini shortage in several U.S. stores. It also triggered 2026’s first major AI security crisis.

The agent — which connects to WhatsApp, Telegram, Slack, Discord, and iMessage, then autonomously manages your email, calendar, files, and shell commands on your behalf — has been found riddled with vulnerabilities. A security audit conducted while the project was still called Clawdbot identified 512 vulnerabilities total, eight classified as critical. Since then, dozens more have been disclosed, patched, and in some cases, actively exploited.

Background: Three Names, One Runaway Project

OpenClaw began life as Clawdbot, an open-source autonomous AI agent created by developer Peter Steinberger. It shot to viral fame in late January 2026 after amassing over 20,000 GitHub stars in a single day. Anthropic objected to the name’s similarity to Claude, prompting a swift rebrand to Moltbot. A trademark dispute days later produced the current name: OpenClaw. Its mascot — a space lobster named Molty — explains why the developer community refers to deploying it as “raising lobsters.”

Unlike traditional AI chatbots that merely answer questions, OpenClaw is fully autonomous. It executes shell commands, reads and writes files, browses the web, sends emails, manages calendars, and takes actions across a user’s digital life — all triggered by a casual message sent over WhatsApp or Telegram. It also stores persistent memory, retaining long-term context, preferences, and history across sessions. This is what makes it so capable, and what makes a compromise so devastating.

The Vulnerability Cascade

The most recent and severe flaw, codenamed ClawJacked by researchers at Oasis Security, illustrates how deep the problem runs. The vulnerability requires no installed extension, no marketplace plugin — just the bare OpenClaw gateway running as documented. A developer visits an attacker-controlled webpage; malicious JavaScript silently opens a WebSocket connection to OpenClaw’s localhost gateway. Because the gateway automatically trusts local connections and silently approves new device registrations from localhost, the attacker’s site gains full control of the agent — in milliseconds.

The issue: OpenClaw binds by default to 0.0.0.0:18789, listening on all network interfaces including the public internet, not 127.0.0.1 (localhost only) as security would demand. For a tool with system-wide permissions, that default has real-world consequences. SecurityScorecard’s STRIKE team found over 135,000 OpenClaw instances exposed to the public internet across 82 countries. More than 15,000 of those were directly vulnerable to remote code execution.

• CVE-2026-25253Authentication token theft (gateway)CVSS 8.8
• CVE-2026-24763Command injectionHIGH
• CVE-2026-25157Command injection variantHIGH
• CVE-2026-25475Prompt injection via messagingHIGH
• CVE-2026-26322SSRF in Gateway toolCVSS 7.6
• CVE-2026-26319Missing webhook authentication (Telnyx)CVSS 7.5
• CVE-2026-26329Path traversal in browser uploadHIGH
• ClawJackedWebSocket localhost hijack (patched v2026.2.25)CRITICAL

The Malicious Skills Crisis

Parallel to the infrastructure vulnerabilities, OpenClaw’s plugin marketplace — ClawHub — became a vector for malware distribution at scale. Researchers at Koi Security found that out of 10,700 skills listed, more than 820 were malicious, up sharply from 324 found just weeks earlier. The attack is elegantly simple: malicious skills use professional documentation and innocuous names like “solana-wallet-tracker” to appear legitimate, then silently execute code that installs keyloggers on Windows or Atomic Stealer malware on macOS.

Cisco’s security blog ran a live experiment, pointing OpenClaw at a skill called “What Would Elon Do?” and scanning it with their open-source Skill Scanner tool. The result: nine security findings, including two critical severity issues. The skill was functionally malware — it issued a curl command sending user data to an external server without notification, bypassing traditional data loss prevention entirely.

Making matters worse, one malicious skill had been artificially inflated to rank as the #1 most popular skill in the repository. On February 7, OpenClaw announced a partnership with VirusTotal to scan skills on ClawHub. Over 3,016 samples were analyzed and identified malicious skills removed — however, researchers noted that copies of the malicious skills remained accessible via OpenClaw’s GitHub repository through historical backup mechanisms.

The Enterprise Shadow-AI Problem

Beyond individual developers, OpenClaw has been quietly installed across corporate environments. Employees connect personal AI tools to corporate Slack workspaces, Google Workspace accounts, and internal systems — often without security team awareness. Traditional security tooling is largely blind to this: endpoint security sees processes running but cannot interpret agent behavior; network tools see API calls but cannot distinguish legitimate automation from compromise; identity systems see OAuth grants but do not flag AI agent connections as unusual.

When such an agent is compromised — through a malicious skill, prompt injection, or vulnerability exploit — attackers inherit all of that access, including OAuth tokens that enable lateral movement through the organization. Trend Micro researchers described this as “shadow AI with elevated privileges.”

Timeline of Key Events

• Jan 25, 2026Clawdbot goes viral. 20,000 GitHub stars in 24 hours. Mac mini shortage in U.S.
• Late JanResearcher @fmdz387 finds ~1,000 OpenClaw instances online with zero authentication. Researcher Jamieson O’Reilly gains access to Anthropic API keys, Telegram tokens, and full command execution on exposed instances.
• Late JanKaspersky security audit identifies 512 vulnerabilities, 8 critical. Rebrand to Moltbot, then OpenClaw.
• Jan 29, 2026OpenClaw patches CVE-2026-25253 (CVSS 8.8) before public disclosure in v2026.1.29.
• Early FebSecurityScorecard finds 135,000+ publicly exposed instances across 82 countries; 15,000+ vulnerable to RCE.
• Feb 7OpenClaw partners with VirusTotal to audit ClawHub; malicious skills removed from marketplace.
• Feb 12v2026.2.12 patches 40+ vulnerabilities including mandatory browser authentication, SSRF deny policies.
• Feb 18Endor Labs publishes six more CVEs (moderate to high). Cisco publishes live exploitation of malicious skill.
• Feb 25Oasis Security discloses ClawJacked flaw. OpenClaw patches within 24 hours in v2026.2.25.
• Mar 1, 2026v2026.2.26 released — latest stable version as of press time.

Protecting Yourself and Your Organization

Security researchers across Cisco, Trend Micro, Jamf, and Bitsight are unanimous: the risks are real and manageable, but require deliberate action. The most critical immediate steps are to update to v2026.2.26, restrict OpenClaw to bind to 127.0.0.1 only, enable mandatory authentication, and audit every skill installed from ClawHub. For enterprise security teams, scanning for unauthorized OpenClaw instances via MDM tools or network traffic analysis is advised before any employee integration reaches corporate SaaS systems.

The deeper issue, as Trend Micro notes, is not unique to OpenClaw — it is intrinsic to the agentic AI paradigm itself. Any system that reasons, decides, and acts on your behalf with broad access creates a new attack surface that traditional security tooling was not designed to observe. The challenge going forward is developing security models that match the autonomy of the tools they protect.

OpenClaw’s development team has responded quickly — patching ClawJacked in under 24 hours after disclosure, shipping over 40 vulnerability fixes in a single release, and partnering with VirusTotal to address the marketplace supply chain problem. But with over 135,000 exposed instances and a user base that grew faster than any security culture could accompany, the gap between adoption and safety remains dangerously wide.