12 min read · Guard0 Team

The OpenClaw Security Crisis: Anatomy of the First AI Agent Meltdown

13+ CVEs and counting, 341 malicious skills, and 21,639 exposed instances. Inside the security crisis that changed how we think about AI agent platforms.

Tags: OpenClaw, Threat Intelligence, Vulnerability, AI Agents, Security Crisis

In the fall of 2025, OpenClaw was everything the AI agent community wanted it to be. An open-source framework for deploying customizable AI agents, a thriving skill marketplace, and a developer community of tens of thousands. Enterprise teams were running it on-premise. Startups were building products on top of it. AI hobbyists were publishing skills to the marketplace daily.

By February 2026, 3 critical CVEs had been disclosed against the platform, with more than a dozen following in subsequent weeks. 341 malicious skills had been found in an audit of the marketplace. A scanning campaign called ClawHavoc had identified 21,639 publicly exposed OpenClaw instances reachable from the open internet.

Ninety days. That is how long it took for the most celebrated open-source AI agent framework to become the most studied cautionary tale in the industry.

This is the definitive post-mortem.

  • 13+ CVEs disclosed
  • 341 malicious skills (ClawHavoc)
  • 21,639 exposed instances
* * *

What Is OpenClaw

OpenClaw launched in late 2024 as an open-source project with a straightforward promise: give any developer the ability to spin up a capable, extensible AI agent in under an hour. The core architecture was elegant. A central agent runtime handled orchestration, tool routing, and memory management. A REST API exposed agent capabilities to downstream applications. And a skill system - essentially a plugin architecture - allowed anyone to extend agent behavior by publishing a skill package to the OpenClaw Skill Marketplace.

The marketplace was the killer feature. Within six months of launch, it had accumulated over 4,000 published skills covering everything from calendar management to database query generation to custom integrations with enterprise SaaS tools. Download counts climbed into the millions. Teams that would never have built AI agent infrastructure from scratch were deploying production OpenClaw instances because the skill ecosystem made it feel turnkey.

That skill ecosystem is where the crisis began.

* * *

The CVEs: 3 Critical Vulnerabilities

Three critical CVEs were disclosed against OpenClaw, all patched in version 2026.1.29. Belgium's Centre for Cybersecurity issued a critical vulnerability warning in response. Each vulnerability represented a distinct attack vector against the platform's core architecture.

OpenClaw CVE taxonomy (3 CVEs):

  • CVE-2026-25253 - One-click RCE via token exfiltration (CVSS 8.8)
  • CVE-2026-25157 - macOS command injection in SSH handler (CVSS 7.7)
  • CVE-2026-24763 - Docker sandbox escape via PATH injection (CVSS 8.8)

CVE-2026-25253: One-Click RCE via Token Exfiltration (CVSS 8.8)

The most immediately exploitable vulnerability. An attacker could craft a malicious link or skill interaction that, when triggered by a user, exfiltrated the user's authentication token. With that token in hand, the attacker could execute arbitrary commands on the OpenClaw instance with the victim's privileges. The one-click nature of this bug made it especially dangerous - it required no prior access to the target system, only that the user interact with a crafted payload.

CVE-2026-25157: macOS Command Injection in SSH Handler (CVSS 7.7)

This vulnerability targeted OpenClaw installations running on macOS. A flaw in the SSH handler allowed command injection through specially crafted SSH connection strings. On affected systems, an attacker could inject arbitrary shell commands that would be executed with the privileges of the OpenClaw process. The attack surface was narrower than CVE-2026-25253 - limited to macOS deployments using SSH integrations - but the impact was severe for those affected.

CVE-2026-24763: Docker Sandbox Escape via PATH Injection (CVSS 8.8)

OpenClaw's Docker-based sandbox, intended to isolate skill execution from the host system, could be escaped through PATH environment variable injection. A malicious skill running inside the sandbox could manipulate the PATH to redirect command execution outside the container boundary, achieving arbitrary code execution on the host. This undermined the fundamental security assumption of containerized skill execution.
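The defensive pattern for this class of weakness is that the host-side launcher pins the environment and entrypoint itself instead of accepting them from the skill. The following is an added example written for this post, not OpenClaw's sandbox code; the manifest keys `entrypoint` and `env`, the image name and the policy constants are assumptions.

```python
import posixpath

# Environment keys a skill manifest must never set inside the sandbox: PATH and the
# loader/interpreter hooks that redirect which code runs for a given command name.
FORBIDDEN_ENV_KEYS = frozenset({"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "NODE_OPTIONS"})
TRUSTED_PATH = "/usr/local/bin:/usr/bin:/bin"        # pinned by the launcher, never by the skill
TRUSTED_BIN_PREFIXES = ("/usr/local/bin/", "/usr/bin/", "/bin/")
SANDBOX_IMAGE = "skill-sandbox:example"              # placeholder image name, not an OpenClaw image

class SandboxPolicyError(ValueError):
    """Raised when a skill manifest asks for something the sandbox policy forbids."""

def build_sandbox_env(skill_env):
    """Merge skill-declared variables onto a fixed base; reject PATH and loader overrides."""
    env = {"PATH": TRUSTED_PATH, "HOME": "/sandbox", "LANG": "C.UTF-8"}
    for key, value in skill_env.items():
        if key.upper() in FORBIDDEN_ENV_KEYS:
            raise SandboxPolicyError(f"skill may not set {key}")
        if not key.isidentifier() or "\n" in str(value):
            raise SandboxPolicyError(f"malformed environment entry {key!r}")
        env[key] = str(value)
    return env

def resolve_entrypoint(argv):
    """Allow bare command names (looked up only on TRUSTED_PATH) or absolute trusted binaries."""
    if not argv:
        raise SandboxPolicyError("empty entrypoint")
    exe = argv[0]
    if "/" in exe:
        # "./run.sh", "../x" or "/usr/bin/../../sandbox/x" would make skill-controlled
        # code the entrypoint; normalize first so ".." cannot sneak past the prefix check.
        if posixpath.normpath(exe) != exe or not exe.startswith(TRUSTED_BIN_PREFIXES):
            raise SandboxPolicyError(f"entrypoint {exe!r} is outside the trusted prefixes")
    return list(argv)

def docker_run_argv(skill_dir, manifest):
    """Build the docker run command for one skill: read-only root, no capabilities, fixed env."""
    env = build_sandbox_env(manifest.get("env", {}))
    argv = resolve_entrypoint(manifest.get("entrypoint", []))
    cmd = ["docker", "run", "--rm", "--read-only", "--tmpfs", "/tmp",
           "--cap-drop", "ALL", "--security-opt", "no-new-privileges",
           "--network", "none",                      # widen per skill only where its function needs it
           "--user", "65534:65534",
           "--mount", f"type=bind,src={skill_dir},dst=/sandbox/skill,ro"]
    for key in sorted(env):
        cmd += ["--env", f"{key}={env[key]}"]
    return cmd + [SANDBOX_IMAGE] + argv
```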

The Severity

What made these three CVEs particularly concerning was not the count but the coverage. Together they provided attack paths against the platform's authentication model, its operating system integration layer, and its sandboxing infrastructure. An attacker did not need all three - any one of them was sufficient to compromise an unpatched instance. The combination meant that no layer of OpenClaw's security architecture was unaffected.

* * *

ClawHavoc: The Supply Chain Attack

While individual CVEs were being filed and patched, a more systematic campaign was already underway. Security researchers at two independent firms later named it ClawHavoc.

Researchers audited 2,857 skills on ClawHub and found 341 malicious skill packages - a 12% malware rate. They were not uploaded in a single burst. They trickled in over weeks, blending into the legitimate skill publishing volume. Many of the packages were published from newly created accounts with no prior history. Some were published from accounts that had previously published legitimate, well-reviewed skills - accounts that appeared to have been compromised specifically for this purpose.

341 malicious skills out of 2,857 audited (12% malware rate)

ClawHavoc packages blended with legitimate publishing volume on ClawHub. 335 of the 341 malicious skills used fake prerequisite installs to deploy Atomic Stealer (AMOS). The marketplace had zero automated security scanning.

How the Skills Masqueraded

The ClawHavoc packages were professionally constructed. They delivered real functionality. A skill that claimed to summarize Slack threads actually summarized Slack threads. A skill that claimed to generate SQL queries from natural language actually generated SQL queries. The malicious behavior was secondary, running alongside the legitimate feature set, and designed to be invisible in casual testing.

The naming strategy was deliberate. Packages targeted popular legitimate skills with names that differed by a single character, a hyphen substitution, or a version number prefix. One real malicious skill analyzed by researchers was called "What Would Elon Do?" - packaged as a novelty productivity tool. Administrators browsing the marketplace for a known skill could easily install a ClawHavoc variant without noticing the discrepancy.
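The naming tricks described above (single-character differences, separator substitution, version prefixes) are mechanical enough to catch at ingestion time. The check below is an added example written for this post, not ClawHub or OpenClaw code; the trusted skill names are constructed.

```python
import re

# Constructed catalog of trusted skill names standing in for the marketplace's
# known-good set; the real ClawHub catalog is not reproduced here.
TRUSTED_SKILLS = frozenset({"slack-thread-summarizer", "sql-query-generator", "calendar-manager"})
# Leading version prefixes such as "2-", "v3.1-" or "2.0_" that squatters prepend.
VERSION_PREFIX = re.compile(r"^v?\d+(?:\.\d+)*[-_.]")

def normalize(name):
    """Collapse the tricks described above: case, separator swaps and version prefixes."""
    n = name.strip().lower()
    n = VERSION_PREFIX.sub("", n)            # "v3-calendar-manager" -> "calendar-manager"
    return re.sub(r"[-_.\s]+", "-", n)       # "slack_thread.summarizer" -> "slack-thread-summarizer"

def edit_distance(a, b):
    """Levenshtein distance; package names are short, so the plain O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(submitted, trusted=TRUSTED_SKILLS, max_distance=1):
    """Return (trusted_name, reason) pairs that a submitted skill name collides with."""
    hits = []
    sub_norm = normalize(submitted)
    for t in sorted(trusted):
        if submitted == t:
            continue  # an exact match is an update to the trusted skill; publisher ownership is checked elsewhere
        t_norm = normalize(t)
        if sub_norm == t_norm:
            hits.append((t, "identical after normalization (separator swap or version prefix)"))
        elif edit_distance(sub_norm, t_norm) <= max_distance:
            hits.append((t, f"within edit distance {max_distance} of a trusted skill"))
    return hits

def review_submission(name, publisher_age_days, trusted=TRUSTED_SKILLS):
    """Ingestion decision: block look-alikes from new accounts, hold the rest for manual review."""
    if not typosquat_candidates(name, trusted):
        return "allow"
    return "block" if publisher_age_days < 30 else "manual-review"
```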

Atomic Stealer (AMOS) Deployment

The primary payload across 335 of the 341 ClawHavoc packages was Atomic Stealer (AMOS), deployed through fake prerequisite installs. On installation, the skill would trigger what appeared to be a dependency setup process, but was actually deploying the AMOS infostealer. Once active, AMOS would harvest credentials, browser data, cryptocurrency wallet files, and other sensitive information from the host system.

The deployment mechanism was deliberately designed to appear routine. Users accustomed to skills requiring prerequisite installations would approve the process without scrutiny, making the social engineering layer as important as the technical payload.

The Detection Gap

The OpenClaw marketplace had no automated security scanning at the time ClawHavoc was active. Skill packages were reviewed for functional compliance with the API specification and checked for checksum integrity. There was no static analysis, no behavioral analysis, no reputation system for publishing accounts, and no sandboxed execution environment for pre-publication testing.

The first ClawHavoc packages were identified not by marketplace monitoring but by an endpoint detection system at a financial services company that flagged unusual outbound traffic from an AI agent host. The company's security team reverse-engineered the installed skills, identified the exfiltration payload, and filed a report with the OpenClaw maintainers in late January 2026. By that point, the campaign had been running for over three months.

* * *

21,639 Publicly Exposed Instances

Concurrent with the ClawHavoc supply chain campaign, a scanning operation was systematically cataloging exposed OpenClaw deployments. As of January 31, 2026, researchers had identified 21,639 publicly exposed instances; the exposure stemmed from a combination of OpenClaw's default configuration and its authentication vulnerabilities.

By default, OpenClaw exposes its REST API on port 8765 with no authentication required on the local network interface. The documentation advises administrators to configure authentication before exposing the service externally, but provides no enforcement mechanism and no warning if the service is reachable without authentication.
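The two conditions that matter for a deployment are captured in this paragraph and in the patched release: is the API reachable on a non-loopback interface without authentication, and does the version predate 2026.1.29? The audit function below is an added example written for this post, not OpenClaw's startup wizard or g0's ruleset; the config keys `bind`, `port`, `auth_required` and `version` are assumed, not OpenClaw's real schema.

```python
import ipaddress
import re

PATCHED_VERSION = (2026, 1, 29)     # release that fixed the three CVEs, per the article
DEFAULT_API_PORT = 8765             # OpenClaw's default REST API port, per the article
LOOPBACK_NAMES = frozenset({"localhost", "ip6-localhost"})

def parse_version(version):
    """'2026.1.29' -> (2026, 1, 29); a 'v' prefix and pre-release suffixes such as '-rc1' are ignored."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_loopback(host):
    """True only for loopback names/addresses; 0.0.0.0, :: and LAN or public addresses count as exposed."""
    if host.strip().lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname that is not a known loopback alias: treat as exposed

def assess(config):
    """Return (severity, finding) pairs for a constructed OpenClaw-style config dict.

    Keys used here (bind, port, auth_required, version) are illustrative assumptions,
    not OpenClaw's real configuration schema.
    """
    findings = []
    host = str(config["bind"])
    port = int(config.get("port", DEFAULT_API_PORT))
    auth = bool(config.get("auth_required", False))
    exposed = not is_loopback(host)
    if exposed and not auth:
        findings.append(("critical", f"API listens on {host}:{port} with authentication disabled"))
    elif exposed:
        findings.append(("medium", f"API listens on non-loopback {host}:{port}; verify firewall or security-group rules"))
    elif not auth:
        findings.append(("low", f"authentication disabled on loopback-only {host}:{port}; enable it before any exposure"))
    version = config.get("version")
    if version is not None and parse_version(version) < PATCHED_VERSION:
        # Tuple comparison treats a truncated "2026.1" as older than 2026.1.29, which is the safe default.
        findings.append(("critical", f"version {version} predates 2026.1.29 "
                                     "(CVE-2026-25253, CVE-2026-25157, CVE-2026-24763)"))
    return findings
```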

Using Shodan-style internet scanning targeted at port 8765 with fingerprinting based on OpenClaw's API response headers, researchers - and, separately, threat actors - identified 21,639 OpenClaw instances reachable from the open internet without authentication. Red-teaming firm Dvuln manually verified 8 fully open instances to confirm the severity of the exposure. Separately, over 175,000 unique Ollama LLM hosts were found publicly exposed across 130 countries, illustrating the broader pattern of unsecured AI infrastructure.

Exposed instance attack chain: Internet scan → Fingerprint → No auth? → Auth bypass → Full access

These were not all careless deployments. Some were the result of firewall misconfigurations. Some were intentional decisions by developers who considered their agent non-sensitive and wanted API access from multiple locations. Some were cloud instances where the administrator had assumed the cloud provider's security group rules would restrict access, but had not verified the configuration.

Against instances that required authentication, the disclosed CVEs - particularly CVE-2026-25253's one-click RCE - provided access. Against the majority of the 21,639 that required no authentication at all, access was immediate.

An attacker with full access to an OpenClaw instance, whether through an unauthenticated API or with a stolen token, could direct the agent to execute any installed skill, read the full memory store, enumerate all configured tool integrations and their credentials, and - on instances running vulnerable versions - achieve RCE on the host through the sandbox escape CVE (CVE-2026-24763).

The 21,639 figure represents instances that were directly internet-exposed as of January 31, 2026. The number of instances reachable from within compromised networks, or instances that installed ClawHavoc skills, is unknown. Security firms responding to incidents in the wake of the disclosure have described the actual exposure scope as significantly larger than the internet-scanning data suggests.

* * *

The Community Response

The OpenClaw maintainers responded seriously once the scope became clear. In late January 2026, they published a coordinated disclosure notice acknowledging the CVEs, opened a dedicated security mailing list, and began releasing patches on an accelerated schedule.

The marketplace was locked down on January 31st. New skill submissions were suspended indefinitely. The existing marketplace catalog was taken offline while the team conducted a review. Out of 2,857 audited skills, 341 were identified as malicious and permanently removed, along with all identified ClawHavoc variants.

All three CVEs were patched in version 2026.1.29, which shipped with mandatory authentication enabled by default, a restructured skill sandbox with explicit filesystem and environment isolation, and a marketplace ingestion pipeline that requires static analysis to pass before a skill can be published. A startup configuration wizard was added that surfaces network exposure warnings if the API is configured to listen on a non-loopback interface.

The community response was substantial. Hundreds of contributors submitted patches, security audits, and documentation improvements in the weeks following the disclosure. A new security working group was established with dedicated maintainer capacity. The response demonstrated the genuine strength of the open-source model when a security crisis mobilizes contributor attention.

But the damage was done. Data exfiltrated during the ClawHavoc campaign - agent memory contents, credentials, API keys, conversation logs - was not recoverable. Exposed instances required full forensic investigation to determine the scope of compromise. Enterprises that had deployed OpenClaw in production were spending weeks auditing their exposure.

* * *

Lessons for the Industry

The OpenClaw crisis was not a failure unique to OpenClaw. It was a preview of what happens when software architecture patterns built for low-stakes environments are deployed in high-stakes contexts without the security infrastructure those contexts require. Every lesson here applies to the broader AI agent ecosystem.

Agent marketplaces require security review before publishing.

The app store model works, imperfectly, because major app stores conduct review before publishing. That review is not perfect and not comprehensive, but it raises the cost of malicious publishing significantly. OpenClaw's marketplace had none of this. The path of least resistance for a malicious actor was to publish a functional-looking skill, and 341 malicious skills out of 2,857 audited - a 12% malware rate - showed how thoroughly that path was exploited.

Any platform that allows third-party code to execute inside an AI agent needs pre-publication security review: static analysis, behavioral sandboxing, reputation scoring for publishing accounts, and a rapid takedown process when malicious packages are identified. This is not optional infrastructure. It is baseline security for a software distribution system.

Default-open configurations are existentially dangerous for agents.

An AI agent is not a web server. When an exposed web server is compromised, the attacker gets access to the web application. When an exposed AI agent is compromised, the attacker gets access to every tool the agent is integrated with, every piece of memory the agent has accumulated, and - through the agent's action-taking capabilities - the ability to impersonate the agent to every connected system.

The blast radius of a compromised AI agent is categorically larger than the blast radius of a compromised traditional application. Default-open configurations that might be tolerable for a simple API service are not tolerable for an AI agent. OpenClaw's default port-8765-no-auth configuration made sense for a developer testing locally. It made no sense as the default shipped to production deployments. The distinction was never enforced.

Agent platforms need security scanning from day one.

The OpenClaw CVE cluster happened over a compressed timeline in part because security scrutiny arrived late. When the platform was being built, security was not a primary design constraint. When it achieved significant adoption and became a target, the security debt accumulated over a year of development had to be paid in a matter of weeks under public pressure.

AI agent platforms are infrastructure. They sit beneath applications, handle credentials, accumulate sensitive memory, and take actions on behalf of users. Platforms at this layer need security-first architecture, penetration testing before major releases, and ongoing vulnerability management programs. Retrofitting security onto a widely deployed agent platform is far harder than building it in from the start.

The supply chain of skills, tools, and integrations is the attack surface.

The core OpenClaw runtime was arguably less vulnerable than its ecosystem. The most severe attacks came through the skill marketplace - third-party code executing inside the agent's trust boundary. This is the defining security challenge of the agent ecosystem. Every integration, every plugin, every third-party skill is a potential supply chain attack vector. The question is not whether your agent platform has vulnerabilities, but whether you have the visibility to detect when those vulnerabilities are being exploited.

For a deeper treatment of supply chain risk in the AI agent ecosystem, see AI Agent Supply Chain Security.

* * *

Scanning for OpenClaw Exposure with g0

Guard0's g0 tool now includes OpenClaw-specific scanning rules covering the full CVE set and ClawHavoc detection signatures. If you are running OpenClaw in any environment, running a g0 scan is the fastest way to assess your exposure.

npx @guard0/g0 scan

The OpenClaw ruleset checks for:

  • Unauthenticated API exposure on port 8765 and adjacent ports
  • Version fingerprinting against the affected version range (all versions prior to 2026.1.29)
  • Known ClawHavoc skill package hashes in installed skill directories
  • Sandbox configuration misconfigurations associated with CVE-2026-24763 (Docker sandbox escape)
  • Presence of Atomic Stealer (AMOS) artifacts associated with ClawHavoc payloads
  • SSH handler configuration patterns associated with CVE-2026-25157
  • Marketplace-installed skills flagged in the ClawHavoc disclosure set

Scans run locally and produce a structured report with severity ratings and remediation guidance for each finding. No data leaves your environment.

For details on g0's full capability set and the scanner architecture, see Introducing g0.

* * *

Key Takeaways
  • 3 initial critical CVEs disclosed in January 2026 - CVE-2026-25253 (CVSS 8.8, one-click RCE), CVE-2026-25157 (CVSS 7.7, macOS command injection), CVE-2026-24763 (CVSS 8.8, Docker sandbox escape) - all patched in version 2026.1.29, with 10+ additional CVEs disclosed in the following weeks
  • ClawHavoc campaign: 341 malicious skills found out of 2,857 audited on ClawHub (12% malware rate) - 335 deployed Atomic Stealer (AMOS) via fake prerequisite installs
  • 21,639 publicly exposed OpenClaw instances identified as of January 31, 2026
  • Root causes were structural: no pre-publication security review, default-open API, overprivileged skill execution, no security-first architecture
  • Belgium's Centre for Cybersecurity issued a critical vulnerability warning - the lessons apply to every agent platform with plugins or skill marketplaces
* * *

Scan Your Agents. Now.

If you are running AI agents in production - OpenClaw, any other framework, or custom-built - the OpenClaw crisis is the clearest available signal of what the threat landscape looks like.

Run a g0 scan against your OpenClaw deployments:

github.com/guard0/g0

Talk to us about your agent security posture:

Book a Demo

The 21,639 exposed instances were not all careless. Many were deployed by competent teams who simply had no tooling to tell them they had a problem. That tooling exists now. Use it.
