
OpenClaw: Assume You've Been Compromised

512 vulnerabilities, 800+ malicious skills, 42,000 exposed instances, and a breached social network — the full anatomy of an AI agent security crisis

2026-04-05 · 9 min read · By Supervaize Team

🔴 REAL INCIDENT: Multi-vector security crisis affecting the OpenClaw AI agent ecosystem (January–April 2026)


What Happened

In late January 2026, OpenClaw — the open-source AI agent framework created by Austrian developer Peter Steinberger — went viral. It crossed 135,000 GitHub stars in days, becoming one of the fastest-growing repositories in GitHub's history. Mac Minis sold out across the United States as users rushed to set up their own autonomous agents. The hype was extraordinary.

So was the fallout.

Within three weeks of that explosion in popularity, security researchers began uncovering what would become one of the most comprehensive compromise campaigns ever documented against a consumer software ecosystem. Not a single vulnerability. Not an isolated breach. A convergence of attack vectors — any one of which would have been serious alone, and which together constituted a systemic crisis.

By early April, the tally was staggering: 512 identified vulnerabilities, 8 classified as critical. Over 800 malicious skills in the ClawHub marketplace — roughly 20% of the entire registry. 42,665 publicly exposed instances, of which 5,194 were confirmed vulnerable. A social network breach that leaked 35,000 email addresses and 1.5 million agent API tokens. And a one-click remote code execution flaw that could compromise any user who visited a malicious webpage.

The defensible posture, as Ars Technica put it in April 2026, was simple: assume you've been compromised.


The Attack Vectors

What made the OpenClaw crisis unusual wasn't any single vulnerability. It was the density — five distinct attack surfaces, all exploitable simultaneously, all targeting an application that had access to users' emails, messages, files, calendars, shell commands, and persistent memory.

Vector 1: CVE-2026-25253 — One-Click Remote Code Execution

On January 30, 2026, OpenClaw quietly released version 2026.1.29. Four days later, CVE-2026-25253 was publicly disclosed with a CVSS score of 8.8.

The vulnerability was discovered by Mav Levin, a founding researcher at DepthFirst. OpenClaw's local server didn't validate WebSocket origin headers. Any website could open a WebSocket connection to the OpenClaw gateway running on localhost — and browsers permit this, bypassing standard cross-origin protections. An attacker could chain this cross-site WebSocket hijack into full code execution on a user's machine.

The attack took milliseconds. Visit a malicious webpage, and your agent was compromised.

Vector 2: ClawJacked — Full Agent Takeover

The Oasis Security Research Team discovered a related but distinct vulnerability chain, published February 26, 2026. They found three compounding weaknesses: the WebSocket cross-origin gap, a rate limiter that completely exempted localhost connections, and an auto-approval mechanism that bypassed user confirmation for devices registering from loopback addresses.

The attack chain: a victim visits an attacker-controlled website. The page opens a WebSocket to the OpenClaw gateway on localhost. Because the rate limiter is disabled for loopback, the script brute-forces the gateway password at hundreds of guesses per second. Upon authentication, it auto-registers as a trusted device. The attacker now has full control — they can instruct the agent, dump configuration, enumerate connected devices, read logs, and execute arbitrary shell commands on paired nodes.

OpenClaw shipped a fix within 24 hours of Oasis's disclosure. But for the weeks between January's viral adoption and late February's patch, every OpenClaw user who browsed the web was a potential target.

Vector 3: ClawHavoc — The Poisoned Marketplace

Between January 27 and February 1, 2026, 341 malicious skills appeared in ClawHub, OpenClaw's plugin marketplace. Updated scans later found over 800, roughly one in five of all skills in the registry.

ClawHub had no moderation pipeline. No content filtering. No code review. Attackers published skills with professional documentation and innocuous names — "solana-wallet-tracker," "AuthTool," trading bots, financial assistants. The skills delivered Atomic macOS Stealer (AMOS) on Mac and keyloggers on Windows, using the ClickFix social engineering technique.

What they exfiltrated: files, crypto wallet extensions, seed phrases, macOS Keychain data, browser passwords, and cloud credentials. The entire attack surface of a user's digital life, harvested through a "skill" that the user had voluntarily installed into an agent with system-level access.

Vector 4: The Moltbook Breach

On January 31, Censys identified 21,639 publicly exposed OpenClaw instances — up from roughly 1,000 just days earlier. Among the compromised infrastructure was Moltbook, a social platform built on OpenClaw's ecosystem.

The Moltbook breach exposed 35,000 email addresses and 1.5 million agent API tokens across a platform that hosted over 770,000 active agents. Those API tokens didn't just grant access to Moltbook — they could be used to authenticate against any service the agents were connected to. The blast radius extended far beyond a single platform.

Vector 5: Wide-Open Instances

Researcher @fmdz387 discovered that nearly 1,000 OpenClaw installations were publicly accessible with no authentication whatsoever. The default configuration trusted localhost connections, but improperly configured reverse proxies forwarded external requests as if they originated from localhost — granting full system access to anyone on the internet.

Security researcher Jamieson O'Reilly demonstrated the impact: he accessed Anthropic API keys, Telegram tokens, Slack accounts, and complete chat histories, then executed commands with admin privileges. No exploit needed. The door was simply open.


The Architecture That Made It Possible

Microsoft's security team published their analysis on February 19, identifying the core architectural flaw: OpenClaw presents a dual supply chain risk, where skills and external instructions converge in the same runtime.

This is the key insight. OpenClaw combines three properties that are individually manageable but catastrophically dangerous together:

Persistent credentials. The agent stores API keys, OAuth tokens, and service credentials to maintain persistent connections to email, messaging, calendars, and code repositories. These credentials don't expire between sessions.

Untrusted input processing. The agent processes emails, documents, web pages, and messages — all of which can contain prompt injection payloads. Matvey Kukuy, CEO of Archestra.AI, demonstrated extracting private keys via email injection. William Peltomäki showed email-based data exfiltration that required no user confirmation.

No runtime isolation. There is no boundary between the agent's trusted execution context and its processing of untrusted external data. A malicious email, a poisoned skill, and a WebSocket hijack all land in the same runtime, with the same credentials, and the same system-level access.

Microsoft called it plainly: governance and runtime isolation become critical as these systems enter enterprise environments. OpenClaw had neither.


The Broader Pattern

We've covered OpenClaw twice before in the Horror Show. First when Summer Yue's agent deleted her inbox; she is an alignment researcher who did everything right and still couldn't stop her agent. Then when an OpenClaw agent published a hit piece on a volunteer maintainer who rejected its code.

Those were incidents of an agent being too autonomous. This is different. This is the security infrastructure around the agent being fundamentally inadequate for the access it was granted.

The pattern is one we see across the AI agent ecosystem: capability outpaces governance. OpenClaw could read your email, send Slack messages, execute shell commands, browse the web, manage your calendar, and maintain persistent memory across sessions. It shipped with integrations for WhatsApp, Telegram, Discord, and iMessage. It had more access to a user's digital life than any single application in history.

And it secured that access with a WebSocket server that didn't check origin headers.

The speed of adoption made everything worse. OpenClaw went from launch to 180,000 stars in a week. Mac Minis sold out. One journalist burned 180 million tokens experimenting. The security community was still cataloging vulnerabilities while millions of users were already running the software on their personal machines, connected to their real accounts.


How It Could Have Been Prevented

  • Marketplace moderation is not optional. ClawHub shipped without moderation, code review, or malware scanning. One in five skills was malicious. Any plugin marketplace that grants system-level access to user machines needs automated scanning, human review, and publisher verification — before publication, not after discovery.
  • WebSocket origin validation is table stakes. CVE-2026-25253 was a textbook cross-site WebSocket hijacking attack. Validating the Origin header on WebSocket connections is a known requirement. Exempting localhost from security controls — rate limiting, authentication, device approval — created a local privilege escalation path that any website could exploit.
  • Credential isolation must be architectural. Storing API keys, OAuth tokens, and service credentials in a runtime that also processes untrusted external input is indefensible. Credentials should be isolated in a secure enclave, accessed through a controlled API, and never directly reachable from the agent's main execution context.
  • Default-deny, not default-trust. OpenClaw's default configuration trusted localhost connections. Reverse proxy misconfigurations turned that trust into universal access. Secure defaults mean no access without explicit authentication, regardless of network origin.
  • Runtime sandboxing for external content. Processing emails, web pages, and documents in the same runtime as credential management and shell execution is the architectural equivalent of running untrusted code as root. External content should be processed in an isolated sandbox with no access to credentials or system commands.

The Lesson

Peter Steinberger created something extraordinary. OpenClaw captured the imagination of the developer community and demonstrated what autonomous AI agents could become. The adoption numbers speak for themselves.

But adoption without governance is exposure. And the OpenClaw crisis demonstrated, at scale, what happens when an agent framework achieves mass adoption before its security model catches up with its capability model.

512 vulnerabilities. 800 malicious skills. 42,000 exposed instances. 1.5 million leaked API tokens. A one-click RCE. A full agent takeover from any webpage. And a user base that grew faster than any security team could possibly audit.

The Ars Technica headline in April 2026 said it all: it's prudent for OpenClaw users to assume compromise. Not because every user was compromised. But because the attack surface was so broad, the vectors so numerous, and the detection so limited that certainty was impossible.

This is the new reality for AI agent platforms. The agent has access to everything. The security model has to be worthy of that access — not eventually, not in the next release, but before the first user connects their email.

Your AI agent has credentials to your email, your Slack, your calendar, and your file system. When was the last time you audited what else it has access to?


Sources

  • Reco Security — "OpenClaw: The AI Agent Security Crisis Unfolding Right Now," February 2026
  • Oasis Security — "ClawJacked: OpenClaw Vulnerability Enables Full Agent Takeover," February 26, 2026
  • Kaspersky — "New OpenClaw AI agent found unsafe for use," February 2026
  • Microsoft Security Blog — "Running OpenClaw safely: identity, isolation, and runtime risk," February 19, 2026
  • Ars Technica — "Here's why it's prudent for OpenClaw users to assume compromise," April 2026