OpenClaw Looked Like Magic. Your Security Team Should Be Paying Attention.

In late January 2026, an Austrian developer named Peter Steinberger posted a project he'd hacked together over a weekend. It was a self-hosted AI agent that ran locally on your machine, connected to whatever LLM you pointed it at, and let you interact with it through the messaging apps you were already using: WhatsApp, Telegram, Slack, iMessage, and myriad others. You could tell it to clean up your inbox, book a restaurant, check your calendar, run a script. It remembered everything across sessions. It worked while you slept.

Within 24 hours, it had 20,000 GitHub stars. Within two weeks, it had caused a Mac mini shortage in several US states. And within 90 days, it had accumulated 138 documented CVEs.

That arc, from viral magic to documented security crisis, is worth paying attention to, because OpenClaw isn't really a story about one project. It's a preview of what happens when agentic AI meets the gap between what users want and what security teams are prepared for.

What OpenClaw actually is

OpenClaw (renamed twice from Clawdbot and then Moltbot, after trademark pressure from Anthropic) is an open-source framework for running an AI agent locally. It's not a chatbot. It doesn't just answer questions. It takes actions: reading and writing files, executing shell commands, browsing the web, sending emails, managing calendars, controlling connected services. It does all of this through your existing credentials and OAuth tokens, operating continuously, persisting memory across sessions.

The appeal is obvious. The risk surface is equally obvious, once you think about it for a moment. You're giving an AI system full access to your operating system, your email, your calendar, your cloud storage, and your messaging platforms, and then connecting it to the public internet through those messaging channels. Every message it receives is potential input. Every service it's connected to is potential blast radius.

What actually went wrong

The first major vulnerability, CVE-2026-25253, was disclosed in late January at CVSS 8.8. It allowed a malicious webpage to silently hijack a locally running OpenClaw instance through cross-site WebSocket hijacking — no plugins, no extensions, no user interaction required. Visit the wrong URL and an attacker had full control of your agent, including every credential it held. Security researchers confirmed the attack chain took milliseconds. At the time of disclosure, Censys had identified over 21,000 OpenClaw instances exposed directly to the public internet, most of them running without authentication.

By February, researchers had found over 800 malicious skills distributed through ClawHub, OpenClaw's official skills marketplace. Skills with professional documentation and innocuous names like "solana-wallet-tracker," "email-cleaner," tools that looked like useful utilities, were silently executing code that installed keyloggers on Windows or Atomic Stealer malware on macOS, exfiltrating API keys, browser passwords, and cloud credentials. At its peak, roughly one in five skills in the registry was malicious.

The same week, a social platform built for OpenClaw agents called Moltbook was found to have an unsecured database exposing 1.5 million agent API tokens and 35,000 email addresses.

By March, a misconfigured OpenClaw agent had recursively wiped a production database in what became known simply as "the file deletion incident." By April, the CVE tracker maintained by security researcher Jimmy Graham was logging roughly 2.2 new vulnerabilities per day, with 41% rated High or Critical.

The creator, for what it's worth, is no longer running the project. Steinberger joined OpenAI in February to lead personal agent development, and OpenClaw transitioned to an independent foundation with OpenAI sponsorship. The irony of that is left as an exercise for the reader.

Why this matters beyond OpenClaw specifically

Here's the thing: most of what happened to OpenClaw wasn't really about OpenClaw. The same vulnerabilities exist in any agentic system built with the same assumptions.

The core problem is architectural. Traditional software has a clear boundary between data and instructions. An AI agent doesn't. When OpenClaw reads a webpage, receives a message, or opens a document, any of those inputs can contain instructions that the agent will treat as commands. This is prompt injection, and in an agentic context it isn't a theoretical concern — it's a demonstrated, repeatedly exploited attack vector. The agent reads a malicious email, interprets it as instructions from its owner, and acts on them using whatever credentials it has access to.

Combine that with the fact that OpenClaw, to be useful, requires exactly the permissions an attacker would want: full disk access, terminal execution, OAuth tokens for every connected service, persistent memory that survives across sessions. A compromised agent isn't just a compromised chatbot; it's a compromised identity with keys to everything.

The marketplace problem is also structural, not specific to ClawHub. Any plugin or skills ecosystem that allows community contributions, grows fast, and doesn't have robust vetting is a supply chain attack waiting to happen. We've seen this with browser extensions, npm packages, and VS Code plugins. An AI agent marketplace with lower scrutiny than any of those and broader system access is a more dangerous version of the same problem.

What to do with this if you're a security practitioner

In the near term, three things matter.

• First, inventory. OpenClaw can be found on managed endpoints with an osquery process query. If you find it, treat the discovery as a potential incident, not just a policy violation. Check for internet exposure — any instance binding to 0.0.0.0 on port 18789 rather than 127.0.0.1 is reachable from the network. Check what services it's been granted OAuth access to.
• Second, policy. Your AI acceptable use policy almost certainly doesn't address agentic AI tools yet. It needs to. The difference between "using Claude to draft an email" and "giving an autonomous agent persistent OAuth access to your corporate Google Workspace" is significant enough to warrant different treatment.
• Third, and most importantly: use OpenClaw as the forcing function for a broader conversation about agentic AI governance in your organization. The tools that follow OpenClaw — and there will be many — will present the same fundamental trade-off between capability and blast radius. The security teams that have thought through their position before those tools arrive will be in a much better position than the ones reacting after the fact.

OpenClaw is at 347,000 GitHub stars as of this writing and is actively being deployed in production by organizations that should know better. The security story isn't over. It's just getting started.