The OpenClaw Security Crisis: Anatomy of the First AI Agent Meltdown
35 CVEs, 1,184 malicious skills, and 135,000 exposed instances. Inside the security crisis that changed how we think about AI agent platforms.

In the fall of 2025, OpenClaw was everything the AI agent community wanted it to be. An open-source framework for deploying customizable AI agents, a thriving skill marketplace, and a developer community of tens of thousands. Enterprise teams were running it on-premise. Startups were building products on top of it. AI hobbyists were publishing skills to the marketplace daily.
By February 2026, 35 CVEs had been disclosed against the platform. Over 1,100 malicious skills had infiltrated the marketplace and executed on live deployments. A scanning campaign called ClawJacked had identified more than 135,000 exposed OpenClaw instances reachable from the open internet.
Ninety days. That is how long it took for the most celebrated open-source AI agent framework to become the most studied cautionary tale in the industry.
This is the definitive post-mortem.
What Is OpenClaw
OpenClaw launched in late 2024 as an open-source project with a straightforward promise: give any developer the ability to spin up a capable, extensible AI agent in under an hour. The core architecture was elegant. A central agent runtime handled orchestration, tool routing, and memory management. A REST API exposed agent capabilities to downstream applications. And a skill system -- essentially a plugin architecture -- allowed anyone to extend agent behavior by publishing a skill package to the OpenClaw Skill Marketplace.
The marketplace was the killer feature. Within six months of launch, it had accumulated over 4,000 published skills covering everything from calendar management to database query generation to custom integrations with enterprise SaaS tools. Download counts climbed into the millions. Teams that would never have built AI agent infrastructure from scratch were deploying production OpenClaw instances because the skill ecosystem made it feel turnkey.
That skill ecosystem is where the crisis began.
The CVE Timeline: 35 Vulnerabilities in 90 Days
The first CVE was filed in November 2025 by a security researcher at a mid-sized consulting firm. It was a moderate-severity authentication issue in the OpenClaw web dashboard -- the kind of bug that gets patched quietly and noted in a changelog. Nobody paid close attention.
By December, the trickle had become a flood.
Remote Code Execution (Critical)
The most severe vulnerabilities in the OpenClaw disclosure set were a cluster of RCE bugs in the skill execution sandbox. Skills in OpenClaw run inside a sandboxed subprocess, but five separate CVEs -- CVE-2025-51103, CVE-2025-51204, CVE-2025-51389, CVE-2026-50012, and CVE-2026-50019 -- demonstrated that the sandbox was misconfigured in ways that allowed skill code to escape containment and execute arbitrary commands on the host system. Three of these were rated CVSS 9.8 or above.
The root cause was consistent across all five: the sandboxed subprocess inherited environment variables and filesystem mounts from the parent process without restriction. A skill that knew what it was looking for could read credentials, write to arbitrary paths, and in some configurations spawn new processes with host-level privileges.
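The inheritance problem described above is a launch-time decision, so the fix is visible in a few lines. This is an added example, not OpenClaw's sandbox code: the allowlist, the skill name variable and the probe script are constructed for illustration, and the child is a Python one-liner that reports which environment variables it can see.

```python
import json
import os
import subprocess
import sys
import tempfile

# Variables a skill is allowed to see (constructed allowlist, not an OpenClaw setting).
SKILL_ENV_ALLOWLIST = ("PATH", "LANG", "OPENCLAW_SKILL_NAME")

# Stand-in for a skill: report the names of every variable visible to the child.
PROBE = "import os, json; print(json.dumps(sorted(os.environ)))"


def run_skill_inherit(skill_name):
    """Weak launch: the child inherits the parent's entire environment."""
    out = subprocess.run([sys.executable, "-c", PROBE], capture_output=True,
                         text=True, check=True,
                         env={**os.environ, "OPENCLAW_SKILL_NAME": skill_name})
    return json.loads(out.stdout)


def run_skill_isolated(skill_name):
    """Hardened launch: explicit allowlisted env, scratch working directory,
    and no inherited file descriptors beyond stdio."""
    child_env = {k: os.environ[k] for k in SKILL_ENV_ALLOWLIST if k in os.environ}
    child_env["OPENCLAW_SKILL_NAME"] = skill_name
    with tempfile.TemporaryDirectory() as scratch:
        out = subprocess.run([sys.executable, "-c", PROBE], capture_output=True,
                             text=True, check=True, env=child_env, cwd=scratch,
                             close_fds=True)
    return json.loads(out.stdout)


def leaked_secrets(visible_env):
    """Variable names that look like credentials and should never reach a skill."""
    markers = ("SECRET", "TOKEN", "PASSWORD", "KEY")
    return sorted(v for v in visible_env
                  if any(m in v.upper() for m in markers) and v not in SKILL_ENV_ALLOWLIST)


def demo_env_leak():
    """Plant a constructed secret in the parent and check which launch exposes it."""
    os.environ["AWS_SECRET_ACCESS_KEY"] = "constructed-sample-secret"
    inherit = run_skill_inherit("demo-skill")
    isolated = run_skill_isolated("demo-skill")
    return ("AWS_SECRET_ACCESS_KEY" in inherit, "AWS_SECRET_ACCESS_KEY" in isolated)


if __name__ == "__main__":
    print("secret visible (inherit, isolated):", demo_env_leak())
```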
Authentication Bypass
Seven CVEs targeted the OpenClaw API authentication layer. The most significant, CVE-2025-51445, allowed an unauthenticated attacker to generate valid session tokens by exploiting a timing vulnerability in the HMAC verification routine. Two additional bugs -- CVE-2026-50033 and CVE-2026-50041 -- targeted the OAuth integration flow, allowing token replay attacks that persisted even after a user revoked credentials.
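A timing leak in signature comparison has a standard fix. As an added example (not OpenClaw's code; the token format and SERVER_KEY are constructed for illustration), here is a verifier written the way the CVE-2025-51445 description suggests, beside a constant-time version:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key; a real deployment loads this from a secrets store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def issue_token(user, ttl=3600, now=None):
    now = int(time.time()) if now is None else now
    body = json.dumps({"sub": user, "exp": now + ttl}, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(_sign(body))


def _split(token):
    try:
        body_b64, sig_b64 = token.split(".", 1)
        return _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None, None


def verify_token_leaky(token, now=None):
    """Vulnerable shape: '!=' on bytes stops at the first mismatching byte, so
    response time depends on how much of the signature is already correct."""
    body, sig = _split(token)
    if body is None or sig != _sign(body):
        return None
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    return claims if claims["exp"] > now else None


def verify_token(token, now=None):
    """Hardened: fixed-time comparison; the body is parsed only after the
    signature has been accepted."""
    body, sig = _split(token)
    if body is None or not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    return claims if claims["exp"] > now else None
```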
A particularly damaging bypass, CVE-2026-50077, affected installations using OpenClaw's built-in LDAP integration. A malformed bind request could cause the authentication check to return success for any username with a blank password, regardless of directory state. This was a textbook authentication logic flaw, but in an AI agent platform it meant an attacker could authenticate as any user and direct the agent to execute tasks with that user's permissions.
Skill Marketplace Injection
Six CVEs addressed the skill marketplace ingestion pipeline. When an administrator installed a skill from the marketplace, OpenClaw would fetch the skill package, verify a SHA-256 checksum, and extract it into the skills directory. The checksum verification was the only integrity check.
CVE-2025-51612 demonstrated that the extraction process was vulnerable to a path traversal attack embedded in the skill archive. A malicious skill package could write files to arbitrary locations outside the skills directory, including the OpenClaw configuration directory and, on some deployments, the system cron directory.
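The traversal class of bug is caught by checking where each archive member would land before extracting anything. This is an added example, not OpenClaw's ingestion code; the skills directory path and the archive contents are constructed, and `build_archive` exists only to produce test input.

```python
import io
import os
import tarfile


class UnsafeSkillArchive(ValueError):
    pass


def _inside(base, target):
    base, target = os.path.realpath(base), os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def check_skill_archive(archive_bytes, skills_dir):
    """Return the member names if every entry resolves inside skills_dir.
    Raises UnsafeSkillArchive on '..' traversal, absolute paths, links that
    point outside the tree, and device or fifo entries."""
    names = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            dest = os.path.join(skills_dir, m.name)
            if os.path.isabs(m.name) or not _inside(skills_dir, dest):
                raise UnsafeSkillArchive(f"{m.name!r} escapes {skills_dir}")
            if m.issym() or m.islnk():
                # hard links are relative to the archive root, symlinks to their own directory
                link_base = skills_dir if m.islnk() else os.path.dirname(dest)
                target = os.path.join(link_base, m.linkname)
                if os.path.isabs(m.linkname) or not _inside(skills_dir, target):
                    raise UnsafeSkillArchive(f"link {m.name!r} -> {m.linkname!r} escapes")
            elif not (m.isfile() or m.isdir()):
                raise UnsafeSkillArchive(f"{m.name!r}: only files, dirs and links allowed")
            names.append(m.name)
    return names


def archive_is_safe(archive_bytes, skills_dir):
    try:
        check_skill_archive(archive_bytes, skills_dir)
        return True
    except UnsafeSkillArchive:
        return False


def build_archive(entries):
    """Constructed test helper: entries is a list of (member name, bytes)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```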
CVE-2026-50088 and CVE-2026-50091 targeted the skill metadata parser. Skill packages include a manifest file with metadata fields -- name, description, version, required permissions. Both CVEs showed that unsanitized content in these fields could be injected into OpenClaw's internal SQLite database, with one variant achieving SQL injection that allowed exfiltration of the agent's stored conversation history and tool credentials.
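The manifest injection comes down to how the metadata reaches SQLite. As an added example (not OpenClaw's code; the schema, the hostile manifest and the stored credential are constructed), here is the string-splicing pattern the CVEs describe next to a version that validates the name and binds every field:

```python
import json
import re
import sqlite3

SCHEMA = """
CREATE TABLE skills (name TEXT PRIMARY KEY, version TEXT, description TEXT, permissions TEXT);
CREATE TABLE tool_credentials (tool TEXT, secret TEXT);
"""

# Constructed manifest of the kind the two CVEs describe: a free-text field
# that carries SQL. The description closes the INSERT and appends a statement.
HOSTILE_MANIFEST = {
    "name": "calendar-sync-v2",
    "version": "1.0.0",
    "description": "Sync calendars', 'x'); DELETE FROM tool_credentials; --",
    "permissions": ["calendar.read"],
}

NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,63}$")


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO tool_credentials VALUES ('slack', 'constructed-secret')")
    return db


def register_skill_unsafe(db, manifest):
    """The pattern the CVEs describe: manifest fields spliced into SQL text.
    executescript() runs every statement in the string, injected ones included."""
    sql = "INSERT INTO skills VALUES ('%s', '%s', '%s', '%s')" % (
        manifest["name"], manifest["version"], manifest["description"],
        json.dumps(manifest["permissions"]))
    db.executescript(sql)


def register_skill(db, manifest):
    """Hardened: the name is validated against a strict pattern and every
    field is bound as a parameter, so text is stored verbatim, never parsed."""
    if not NAME_RE.match(manifest["name"]):
        raise ValueError(f"invalid skill name {manifest['name']!r}")
    db.execute("INSERT INTO skills VALUES (?, ?, ?, ?)",
               (manifest["name"], manifest["version"], manifest["description"],
                json.dumps(manifest["permissions"])))
    db.commit()


def credential_count(db):
    return db.execute("SELECT COUNT(*) FROM tool_credentials").fetchone()[0]


def stored_description(db, name):
    row = db.execute("SELECT description FROM skills WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None
```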
Data Exfiltration Vectors
A set of four CVEs described how an attacker with skill execution access could systematically exfiltrate data from the agent's memory and connected tool integrations. OpenClaw maintains an agent memory store -- a structured log of past conversations, retrieved documents, and tool outputs -- that skills can read by design. The intention is to allow skills to build on prior context. The implementation created a channel through which a malicious skill could read the full memory store and transmit it to an external endpoint.
CVE-2026-50102 showed that the memory access control model had no concept of skill isolation. All installed skills shared the same read access to agent memory. A skill positioned as a benign utility could silently harvest every conversation the agent had ever had, including credentials passed through the agent in plaintext.
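Skill isolation in a memory store is a scoping rule, not a large subsystem. The following is an added example rather than OpenClaw's implementation: the namespaces, the `SkillGrant` shape and the sample entries are constructed, and it contrasts the flat read described above with a model where a skill sees a namespace only if its manifest was granted it, sees its own writes otherwise, and never sees credentials.

```python
from dataclasses import dataclass, field


@dataclass
class MemoryEntry:
    namespace: str   # "conversation", "tool:slack", "credentials", ...
    author: str      # skill name, or "core" for the runtime itself
    text: str


@dataclass
class SkillGrant:
    """Read scopes declared in a skill's manifest and approved at install time."""
    name: str
    read_namespaces: set = field(default_factory=set)


class MemoryStore:
    NEVER_SHARED = {"credentials"}   # brokered by the runtime, never read by skills

    def __init__(self):
        self._entries = []
        self.audit = []              # (skill, namespace, decision) for detection pipelines

    def write(self, namespace, author, text):
        self._entries.append(MemoryEntry(namespace, author, text))

    def read_unscoped(self):
        """The flat model CVE-2026-50102 describes: any skill sees every entry."""
        return [e.text for e in self._entries]

    def read_for(self, grant, namespace):
        """Scoped model: granted namespaces are visible in full, anything else
        only as far as this skill wrote it, and credentials never."""
        if namespace in self.NEVER_SHARED:
            self.audit.append((grant.name, namespace, "denied"))
            return []
        if namespace in grant.read_namespaces:
            self.audit.append((grant.name, namespace, "granted"))
            return [e.text for e in self._entries if e.namespace == namespace]
        self.audit.append((grant.name, namespace, "own-only"))
        return [e.text for e in self._entries
                if e.namespace == namespace and e.author == grant.name]


def build_sample_store():
    """Constructed contents standing in for a real agent's memory."""
    store = MemoryStore()
    store.write("conversation", "core", "user: rotate the prod database password tonight")
    store.write("credentials", "core", "slack_token=constructed-xoxb-secret")
    store.write("tool:slack", "slack-summarizer", "#ops thread summary: deploy at 18:00")
    store.write("tool:slack", "calendar-sync-v2", "wrote reminder to #ops")
    return store
```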
Privilege Escalation
The remaining CVEs addressed privilege escalation within the OpenClaw permission model. OpenClaw supports a role system for multi-user deployments, with administrator, operator, and viewer roles that carry different capability sets. CVE-2025-51801 and CVE-2026-50144 both demonstrated paths by which a user with viewer-level access could escalate to operator or administrator through a combination of API parameter manipulation and a missing server-side authorization check.
The Acceleration
What is striking about the timeline is the pace. The first CVE was filed in November 2025. By mid-December there were eight. January 2026 saw fourteen more. The final thirteen came in a compressed six-week window through February. Once the security community identified OpenClaw as a research target, the disclosure rate compounded.
This is a known pattern. Vulnerability discovery is not random. It clusters. When a codebase becomes a target, researchers share techniques, build on each other's findings, and the CVE count can spike faster than any team can ship patches. OpenClaw experienced this at a pace that overwhelmed its maintainer group.
ClawHavoc: The Supply Chain Attack
While individual CVEs were being filed and patched, a more systematic campaign was already underway. Security researchers at two independent firms later named it ClawHavoc.
Between October 2025 and January 2026, 1,184 malicious skill packages were published to the OpenClaw Skill Marketplace. They were not uploaded in a single burst. They trickled in over weeks, averaging roughly ten to fifteen new packages per day, blending into the legitimate skill publishing volume. Many of the packages were published from newly created accounts with no prior history. Some were published from accounts that had previously published legitimate, well-reviewed skills -- accounts that appeared to have been compromised specifically for this purpose.
ClawHavoc packages trickled in at 10-15 per day, blending with legitimate publishing volume. Many were published from compromised accounts with prior legitimate skills. The marketplace had zero automated security scanning.
How the Skills Masqueraded
The ClawHavoc packages were professionally constructed. They delivered real functionality. A skill that claimed to summarize Slack threads actually summarized Slack threads. A skill that claimed to generate SQL queries from natural language actually generated SQL queries. The malicious behavior was secondary, running alongside the legitimate feature set, and designed to be invisible in casual testing.
The naming strategy was deliberate. Packages targeted popular legitimate skills with names that differed by a single character, a hyphen substitution, or a version number prefix. "productivity-suite-pro" instead of "productivity-suite." "calendar-sync-v2" instead of "calendar-sync." Administrators browsing the marketplace for a known skill could easily install a ClawHavoc variant without noticing the discrepancy.
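A marketplace can screen for exactly this naming strategy at submission time. This is an added example, not a marketplace feature OpenClaw shipped: the known-skill list is constructed, suffix stripping covers the patterns quoted above (`-pro`, `-v2`, plain version numbers) and hyphen/underscore substitution, and an edit distance of one catches single-character changes.

```python
import re

# Constructed catalogue of established skills to protect.
KNOWN_SKILLS = {"productivity-suite", "calendar-sync", "slack-summarizer"}

# Marketing or version suffixes that make a lookalike read as an upgrade.
SUFFIX_RE = re.compile(r"(?:-(?:pro|plus|v\d+|\d+(?:\.\d+)*))+$")


def canonical(name):
    """'Calendar-Sync-v2' -> 'calendarsync': lowercase, drop suffixes and separators."""
    base = SUFFIX_RE.sub("", name.lower())
    return re.sub(r"[-_.]", "", base)


def edit_distance(a, b):
    """Levenshtein distance, plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate, known=KNOWN_SKILLS, max_distance=1):
    """Return the established skill a new name imitates, or None if it is
    genuinely distinct. An exact existing name is not a lookalike."""
    if candidate in known:
        return None
    c = canonical(candidate)
    for k in known:
        kc = canonical(k)
        if c == kc or edit_distance(c, kc) <= max_distance:
            return k
    return None
```

A submission whose name resolves to a known skill should be held for manual review rather than rejected outright, since the same check also catches legitimate forks.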
Embedded Data Exfiltration
The primary payload across the majority of ClawHavoc packages was data exfiltration. On installation and on each invocation, the skill would read from the OpenClaw memory store, collect environment variables, scan for credential files in known locations (including .env files, AWS credential files, and SSH keys in the agent host's home directory), and POST the collected data to a rotating set of exfiltration endpoints hosted on cloud infrastructure in multiple regions.
The exfiltration was slow and deliberate. Not a single large burst that might trigger rate limiting or anomaly detection, but a steady stream of small payloads transmitted on a jittered schedule. Several variants transmitted only during low-traffic hours, using the agent's own calendar integration to identify when the deployment was likely unmonitored.
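The behaviour described in the last two paragraphs (small POSTs, rotating destinations, jittered timing, quiet hours) is detectable from ordinary egress logs. This is an added example, not part of the original post or of any product: the log format and every line in it are constructed, and the thresholds are starting points to tune, not published signatures.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
                     r"dst=(?P<dst>\S+) method=(?P<method>\S+) bytes_out=(?P<bytes>\d+)")

# Constructed egress log. agent-01 shows the pattern the post describes: small
# POSTs, jittered gaps, several destinations, all between midnight and 06:00.
# agent-02 is ordinary daytime traffic to a single API endpoint.
SAMPLE_LOG = """\
2026-01-14T01:02:11Z host=agent-01 proc=openclaw-skill dst=198.51.100.7 method=POST bytes_out=2210
2026-01-14T01:19:48Z host=agent-01 proc=openclaw-skill dst=203.0.113.40 method=POST bytes_out=1875
2026-01-14T01:31:05Z host=agent-01 proc=openclaw-skill dst=198.51.100.7 method=POST bytes_out=2044
2026-01-14T02:04:52Z host=agent-01 proc=openclaw-skill dst=192.0.2.130 method=POST bytes_out=1990
2026-01-14T02:27:19Z host=agent-01 proc=openclaw-skill dst=203.0.113.40 method=POST bytes_out=2310
2026-01-14T02:41:33Z host=agent-01 proc=openclaw-skill dst=192.0.2.130 method=POST bytes_out=2105
2026-01-14T09:15:00Z host=agent-02 proc=openclaw-skill dst=192.0.2.10 method=POST bytes_out=640
2026-01-14T09:45:00Z host=agent-02 proc=openclaw-skill dst=192.0.2.10 method=POST bytes_out=655
2026-01-14T10:15:00Z host=agent-02 proc=openclaw-skill dst=192.0.2.10 method=POST bytes_out=610
2026-01-14T10:45:00Z host=agent-02 proc=openclaw-skill dst=192.0.2.10 method=POST bytes_out=700
2026-01-14T11:15:00Z host=agent-02 proc=openclaw-skill dst=192.0.2.10 method=POST bytes_out=630
"""


def parse_events(log):
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(),
                           "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "bytes": int(m["bytes"])})
    return events


def beacon_profile(events, max_bytes=8192, quiet_hours=range(0, 6)):
    """Summarise one host's small outbound POSTs; None if too few to judge."""
    posts = sorted((e for e in events if e["method"] == "POST" and e["bytes"] <= max_bytes),
                   key=lambda e: e["ts"])
    if len(posts) < 5:
        return None
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(posts, posts[1:])]
    return {
        "posts": len(posts),
        "distinct_dst": len({e["dst"] for e in posts}),
        "quiet_hour_share": sum(e["ts"].hour in quiet_hours for e in posts) / len(posts),
        "gap_jitter": statistics.pstdev(gaps) / statistics.mean(gaps),  # 0 = perfectly regular
    }


def flag_hosts(log, min_dst=3, min_quiet_share=0.8):
    """Hosts whose small-POST profile matches the slow, rotating, off-hours pattern."""
    by_host = defaultdict(list)
    for e in parse_events(log):
        by_host[e["host"]].append(e)
    flagged = {}
    for host, events in by_host.items():
        p = beacon_profile(events)
        if p and p["distinct_dst"] >= min_dst and p["quiet_hour_share"] >= min_quiet_share:
            flagged[host] = p
    return flagged
```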
Cryptomining Secondaries
Roughly 180 of the 1,184 ClawHavoc packages included a secondary payload: a cryptocurrency miner bundled as a compiled binary, extracted during skill installation and executed as a background process. The mining processes were configured to consume CPU resources only up to a configurable ceiling -- defaulting to 30% -- to avoid performance degradation that would prompt investigation.
Several ClawHavoc packages used the path traversal vulnerability (CVE-2025-51612) to install the miner binary outside the OpenClaw directory tree, ensuring it would survive skill uninstallation.
The Detection Gap
The OpenClaw marketplace had no automated security scanning at the time ClawHavoc was active. Skill packages were reviewed for functional compliance with the API specification and checked for checksum integrity. There was no static analysis, no behavioral analysis, no reputation system for publishing accounts, and no sandboxed execution environment for pre-publication testing.
The first ClawHavoc packages were identified not by marketplace monitoring but by an endpoint detection system at a financial services company that flagged unusual outbound traffic from an AI agent host. The company's security team reverse-engineered the installed skills, identified the exfiltration payload, and filed a report with the OpenClaw maintainers in late January 2026. By that point, the campaign had been running for over three months.
ClawJacked: 135,000 Exposed Instances
Concurrent with the ClawHavoc supply chain campaign, a scanning operation was systematically cataloging exposed OpenClaw deployments. The technique, which the security community named ClawJacked, exploited a combination of OpenClaw's default configuration and its authentication vulnerabilities.
By default, OpenClaw exposes its REST API on port 8765 with no authentication required on the local network interface. The documentation advises administrators to configure authentication before exposing the service externally, but provides no enforcement mechanism and no warning if the service is reachable without authentication.
Using Shodan-style internet scanning targeted at port 8765 with fingerprinting based on OpenClaw's API response headers, researchers -- and, separately, threat actors -- identified over 135,000 OpenClaw instances reachable from the open internet without authentication.
These were not all careless deployments. Some were the result of firewall misconfigurations. Some were intentional decisions by developers who considered their agent non-sensitive and wanted API access from multiple locations. Some were cloud instances where the administrator had assumed the cloud provider's security group rules would restrict access, but had not verified the configuration.
Against instances that required authentication, the authentication bypass CVEs -- particularly CVE-2025-51445 -- provided access. Against the majority of the 135,000 that required no authentication at all, access was immediate.
Once on an OpenClaw instance, whether through an authentication bypass or because no authentication was required at all, an attacker could direct the agent to execute any installed skill, read the full memory store, enumerate all configured tool integrations and their credentials, and -- on instances running vulnerable versions -- achieve RCE on the host through the sandbox escape CVEs.
The 135,000 figure represents instances that were directly internet-exposed. The number of instances reachable from within compromised networks, or instances that installed ClawHavoc skills, is unknown. Security firms responding to incidents in the wake of the disclosure have described the actual exposure scope as significantly larger than the internet-scanning data suggests.
The Community Response
The OpenClaw maintainers responded seriously once the scope became clear. In late January 2026, they published a coordinated disclosure notice acknowledging the CVEs, opened a dedicated security mailing list, and began releasing patches on an accelerated schedule.
The marketplace was locked down on January 31st. New skill submissions were suspended indefinitely. The existing marketplace catalog was taken offline while the team conducted a manual review of all 4,000-plus published packages. By mid-February, the marketplace had returned in a reduced form with roughly 2,800 packages that had passed review. The remaining packages, including all identified ClawHavoc variants, were permanently removed.
A new release -- OpenClaw 2.1 -- shipped in February with mandatory authentication enabled by default, a restructured skill sandbox with explicit filesystem and environment isolation, and a marketplace ingestion pipeline that requires static analysis to pass before a skill can be published. The authentication bypass CVEs were patched. The sandbox RCE bugs were patched. A startup configuration wizard was added that surfaces network exposure warnings if the API is configured to listen on a non-loopback interface.
The community response was substantial. Hundreds of contributors submitted patches, security audits, and documentation improvements in the weeks following the disclosure. A new security working group was established with dedicated maintainer capacity. The response demonstrated the genuine strength of the open-source model when a security crisis mobilizes contributor attention.
But the damage was done. Data exfiltrated during the ClawHavoc campaign -- agent memory contents, credentials, API keys, conversation logs -- was not recoverable. Instances that had been accessed through ClawJacked required full forensic investigation to determine the scope of compromise. Enterprises that had deployed OpenClaw in production were spending weeks auditing their exposure.
Lessons for the Industry
The OpenClaw crisis was not a failure unique to OpenClaw. It was a preview of what happens when software architecture patterns built for low-stakes environments are deployed in high-stakes contexts without the security infrastructure those contexts require. Every lesson here applies to the broader AI agent ecosystem.
Agent marketplaces require security review before publishing.
The app store model works, imperfectly, because major app stores conduct review before publishing. That review is not perfect and not comprehensive, but it raises the cost of malicious publishing significantly. OpenClaw's marketplace had none of this. The path of least resistance for a malicious actor was to publish a functional-looking skill, and the 1,184 ClawHavoc packages took exactly that path.
Any platform that allows third-party code to execute inside an AI agent needs pre-publication security review: static analysis, behavioral sandboxing, reputation scoring for publishing accounts, and a rapid takedown process when malicious packages are identified. This is not optional infrastructure. It is baseline security for a software distribution system.
Default-open configurations are existentially dangerous for agents.
An AI agent is not a web server. When an exposed web server is compromised, the attacker gets access to the web application. When an exposed AI agent is compromised, the attacker gets access to every tool the agent is integrated with, every piece of memory the agent has accumulated, and -- through the agent's action-taking capabilities -- the ability to impersonate the agent to every connected system.
The blast radius of a compromised AI agent is categorically larger than the blast radius of a compromised traditional application. Default-open configurations that might be tolerable for a simple API service are not tolerable for an AI agent. OpenClaw's default port-8765-no-auth configuration made sense for a developer testing locally. It made no sense as the default shipped to production deployments. The distinction was never enforced.
Agent platforms need security scanning from day one.
The OpenClaw CVE cluster happened over a compressed timeline in part because security scrutiny arrived late. When the platform was being built, security was not a primary design constraint. When it achieved significant adoption and became a target, the security debt accumulated over a year of development had to be paid in a matter of weeks under public pressure.
AI agent platforms are infrastructure. They sit beneath applications, handle credentials, accumulate sensitive memory, and take actions on behalf of users. Platforms at this layer need security-first architecture, penetration testing before major releases, and ongoing vulnerability management programs. Retrofitting security onto a widely deployed agent platform is far harder than building it in from the start.
The supply chain of skills, tools, and integrations is the attack surface.
The core OpenClaw runtime was arguably less vulnerable than its ecosystem. The most severe attacks came through the skill marketplace -- third-party code executing inside the agent's trust boundary. This is the defining security challenge of the agent ecosystem. Every integration, every plugin, every third-party skill is a potential supply chain attack vector. The question is not whether your agent platform has vulnerabilities, but whether you have the visibility to detect when those vulnerabilities are being exploited.
For a deeper treatment of supply chain risk in the AI agent ecosystem, see AI Agent Supply Chain Security.
Scanning for OpenClaw Exposure with g0
Guard0's g0 tool now includes OpenClaw-specific scanning rules covering the full CVE set and ClawHavoc detection signatures. If you are running OpenClaw in any environment, running a g0 scan is the fastest way to assess your exposure.
npx @guard0/g0 scan
The OpenClaw ruleset checks for:
- Unauthenticated API exposure on port 8765 and adjacent ports
- Version fingerprinting against the affected version range (all versions prior to 2.1.0)
- Known ClawHavoc skill package hashes in installed skill directories
- Sandbox configuration misconfigurations associated with the RCE CVEs
- Presence of cryptominer binaries associated with ClawHavoc secondary payloads
- LDAP authentication configuration patterns associated with CVE-2026-50077
- Marketplace-installed skills flagged in the ClawHavoc disclosure set
Scans run locally and produce a structured report with severity ratings and remediation guidance for each finding. No data leaves your environment.
For details on g0's full capability set and the scanner architecture, see Introducing g0.
- 35 CVEs disclosed in 90 days covering RCE, authentication bypass, marketplace injection, data exfiltration, and privilege escalation
- ClawHavoc uploaded 1,184 malicious skills over 3 months before detection -- skills delivered real functionality alongside malicious payloads
- 135,000+ OpenClaw instances were exposed to the open internet without authentication
- Root causes were structural: no pre-publication security review, default-open API, overprivileged skill execution, no security-first architecture
- OpenClaw 2.1 addressed known CVEs -- but the lessons apply to every agent platform with plugins or skill marketplaces
Scan Your Agents. Now.
If you are running AI agents in production -- OpenClaw, any other framework, or custom-built -- the OpenClaw crisis is the clearest available signal of what the threat landscape looks like.
Run a g0 scan against your OpenClaw deployments, or talk to us about your agent security posture.
The 135,000 exposed instances were not all careless. Many were deployed by competent teams who simply had no tooling to tell them they had a problem. That tooling exists now. Use it.