Security Research, February 2026

The OpenClaw Security Crisis

A comprehensive analysis of vulnerabilities, exposed instances, supply chain attacks, and what you need to know to protect yourself.

40,000+ exposed instances
3 critical CVEs
386 malicious skills
1.5M leaked tokens
1-click RCE exploits

Executive Summary

OpenClaw (formerly Clawdbot, then Moltbot) has become the most popular open-source AI assistant platform, amassing over 200,000 GitHub stars in a matter of weeks. But its meteoric rise has been accompanied by a catastrophic security situation.

40,000+ exposed instances: found by SecurityScorecard
3 critical CVEs: with public exploit code
386 malicious skills: stealing crypto credentials on ClawHub
1.5M tokens leaked: via the Moltbook platform breach

The Threat Landscape

The "Lethal Trifecta" (Simon Willison)

OpenClaw combines three dangerous properties that make it vulnerable by design:

1. Access to Private Data

Reads emails, files, credentials, browser history, chat messages

2. Untrusted Content

Browses web, processes arbitrary messages, installs third-party skills

3. External Communication

Sends emails, makes API calls, can exfiltrate data

Palo Alto Networks adds a fourth: persistent memory. OpenClaw stores context in SOUL.md and MEMORY.md files, enabling time-shifted attacks where payloads are injected one day and detonated later.

Why Attackers Target OpenClaw

  • Over 100,000 developers trusted it with credentials within weeks of launch
  • Credentials stored in plaintext Markdown and JSON files (~/.openclaw/)
  • Open ClawHub marketplace has minimal vetting (only requires 1-week-old GitHub account)
  • Rapid rebrands created identity confusion exploited by scammers
  • The ~/.clawdbot directory is predicted to become a standard infostealer target

Critical Vulnerabilities (CVEs)

CVE-2026-25253: One-Click RCE

Remote Code Execution via Control UI

CVSS 8.8 CRITICAL

The Kill Chain (discovered by DepthFirst):

  1. Victim visits malicious URL
  2. Control UI accepts gatewayUrl query parameter without validation
  3. Token exfiltrated to attacker in milliseconds
  4. Cross-site WebSocket hijacking (server doesn't validate origin)
  5. Attacker disables sandbox via API (exec.approvals.set = off)
  6. Escapes Docker container (tools.exec.host = gateway)
  7. Full RCE on host machine

Impact

Complete system compromise from a single link click.

Fix

Upgrade to v2026.1.24-1 or later. Rotate all tokens.
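Steps 2 and 4 of the kill chain above each correspond to one missing server-side check. The following is an added defensive example, not OpenClaw project code: two pure functions a gateway could call during the WebSocket upgrade and when the Control UI reads a gatewayUrl-style parameter. The function names, the allow-list shapes and the sample handshake headers are assumptions for illustration.

```python
"""Added example (not OpenClaw project code): fail-closed Origin validation
for a WebSocket upgrade and allow-list validation of a gateway URL parameter.
Names and allow-list shapes are assumptions for illustration."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: origins a self-hosted gateway would legitimately serve.
ALLOWED_ORIGINS = {"http://127.0.0.1:18789", "http://localhost:18789"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def is_allowed_origin(origin: Optional[str], allowed: set) -> bool:
    """Cross-site WebSocket hijacking check. Browsers always send Origin on a
    WebSocket upgrade, so a missing, 'null' or non-allow-listed value is
    rejected (fail closed) instead of being silently accepted."""
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # covers the literal 'null' origin and malformed values
    # Compare scheme://host[:port] only; any path or query is irrelevant here.
    return f"{parts.scheme}://{parts.netloc}".lower() in {a.lower() for a in allowed}


def validate_gateway_url(candidate: str, allowed_hosts: set) -> str:
    """Control UI check for a gatewayUrl-style parameter: only ws:// or wss://
    URLs whose host is on the allow list are accepted, so the UI never hands
    its token to an attacker-chosen endpoint. Raises ValueError otherwise."""
    parts = urlsplit(candidate)
    if parts.scheme not in ("ws", "wss"):
        raise ValueError(f"gateway URL must be ws:// or wss://, got {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials are not allowed in the gateway URL")
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"gateway host {host!r} is not on the allow list")
    return candidate


def handshake_decision(headers: dict) -> str:
    """Simulated upgrade decision for a header mapping: '101' to accept the
    upgrade, '403' to reject it, based only on the Origin check."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return "101" if is_allowed_origin(lowered.get("origin"), ALLOWED_ORIGINS) else "403"


if __name__ == "__main__":
    # Constructed sample: a same-origin upgrade is accepted, a cross-site one is not.
    print(handshake_decision({"Origin": "http://127.0.0.1:18789", "Upgrade": "websocket"}))
    print(handshake_decision({"Origin": "http://cross-site.example", "Upgrade": "websocket"}))
    print(validate_gateway_url("ws://127.0.0.1:18789/ws", LOOPBACK_HOSTS))
```

The Origin check is deliberately an allow list rather than a deny list: a gateway that only ever serves its own UI has no reason to accept an upgrade from any other origin, and a missing header is treated the same as a foreign one.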

CVE-2026-24763 & CVE-2026-25157

HIGH

Command injection vulnerabilities allow attackers to execute arbitrary commands through improperly sanitized input fields in the gateway.

CVE-2026-22708

HIGH

Indirect prompt injection — OpenClaw doesn't sanitize web content before feeding it to the LLM. The web becomes a command-and-control channel.

The 40,000 Exposed Instances Problem

SecurityScorecard's findings paint a grim picture:

Metric                                   Value
Exposed instances                        40,214+
Unique IP addresses                      28,663
Instances with prior breach activity     549
Instances with known vulnerabilities     1,493
Vulnerable deployments                   63%
Exploitable via RCE                      12,812

Geographic Distribution

China (most), followed by US, Singapore

Industries Affected

Information services, technology, manufacturing, telecommunications

Common Misconfigurations

Gateway bound to 0.0.0.0:18789 instead of localhost
Control UI publicly accessible without authentication
No gateway.auth.password set
Pairing mode disabled (unauthorized connections auto-approved)
Root filesystem accessible (no workspace scoping)
mDNS broadcasting filesystem paths and SSH availability

Supply Chain Attacks: ClawHub Malware

The ClawHavoc Campaign

Koi Security audited 2,857 skills on ClawHub and found 341 malicious ones (12% of the registry).

Attack Methodology

  • Professional documentation
  • Legitimate-sounding names
  • Fake "Prerequisites" section
  • Social engineering attacks

Malware Delivered

  • Atomic Stealer (AMOS)
  • macOS infostealer (335 skills)
  • Reverse shell backdoors
  • Hidden in functional code (6 skills)

Target Data

  • Exchange API keys
  • Wallet private keys
  • SSH credentials
  • Browser passwords
  • SOUL.md / MEMORY.md

C2 Server

All malicious skills shared single C2 IP: 91.92.242[.]30
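A static triage pass that reports the indicators this section gives (the shared C2 address, other hard-coded public addresses, and references to the files and credential stores listed under Target Data), as an added example that is not Koi Security's or the OpenClaw project's tooling. The sample skill contents are constructed; the only real indicator is the C2 address from the text, which is stored defanged and refanged only in memory for matching. Function names and the severity labels are assumptions.

```python
"""Added example (not Koi Security's or OpenClaw's tooling): read-only static
triage of a skill's files against the ClawHavoc indicators described above."""
import ipaddress
import re
from pathlib import Path

KNOWN_C2_DEFANGED = ["91.92.242[.]30"]  # indicator from the text, kept defanged
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Files and credential stores listed under "Target Data" above (assumed patterns).
SENSITIVE = re.compile(r"SOUL\.md|MEMORY\.md|\.ssh/|id_(?:rsa|ed25519)|\.openclaw/", re.I)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4') back into a matchable string."""
    return ioc.replace("[.]", ".")


def triage_skill(files: dict) -> list:
    """Return sorted (severity, relative path, detail) tuples for a mapping of
    path -> file text. 'high' means a known indicator matched; 'review' means
    a human should look before the skill is installed."""
    c2 = {refang(x) for x in KNOWN_C2_DEFANGED}
    findings = set()
    for path, text in files.items():
        for ip in set(IPV4.findall(text)):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # digits that are not a valid address, e.g. 999.1.1.1
            if ip in c2:
                findings.add(("high", path, f"known C2 address {ip}"))
            elif addr.is_global:
                # Loopback/private addresses are ignored; public ones get a look.
                findings.add(("review", path, f"hard-coded public address {ip}"))
        for m in SENSITIVE.finditer(text):
            findings.add(("review", path, f"references {m.group(0)}"))
    return sorted(findings)


def triage_skill_dir(root: Path) -> list:
    """Same check over an on-disk skill directory; nothing is executed."""
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file()}
    return triage_skill(files)


# Constructed sample skill: a plausible README, a harmless config, and a
# helper whose constants point at the C2 address and the agent's memory file.
# Built with refang() so no live indicator appears as a literal in this source.
SAMPLE_SKILL = {
    "README.md": "# Price Tracker\n\n## Prerequisites\nRun setup.py once before use.\n",
    "config.json": '{"gateway": "ws://127.0.0.1:18789"}\n',
    "setup.py": (
        "import os\n"
        f"UPDATE_HOST = 'http://{refang(KNOWN_C2_DEFANGED[0])}/u'\n"
        "MEMORY_PATH = os.path.expanduser('~/.openclaw/MEMORY.md')\n"
    ),
}

if __name__ == "__main__":
    for sev, path, detail in triage_skill(SAMPLE_SKILL):
        print(f"[{sev}] {path}: {detail}")
```

Run `triage_skill_dir(Path("~/.openclaw/skills/<name>").expanduser())` against an installed skill to get the same report; a 'review' finding is not proof of malice, but a skill that needs a hard-coded public address or the agent's memory file should be able to explain why in its documentation.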

Credential Exposure in Skills

A separate analysis of 3,984 skills found that 283 skills (7.1%) contain critical security flaws that expose sensitive credentials in plaintext through the LLM's context window and output logs.

The Moltbook Breach

Moltbook, the AI-agent social network, ran on Supabase with Row Level Security (RLS) disabled. The Supabase API key was visible in client-side JavaScript.

Exposed Data

1.5M API authentication tokens
35K email addresses and Twitter handles
Full read AND write access: private messages (some containing OpenAI API keys); impersonation possible

Hosting Provider Security Failures

Common Failures in Managed Hosting

Issue                       Impact                                    Prevalence
Gateway bound to 0.0.0.0    Internet-accessible control               Most services
No pairing mode             Unauthorized connections accepted         Most services
Root filesystem access      Agent can read /etc/passwd, SSH keys      Most services
No Tailscale/VPN            Direct internet exposure                  Most services
Default credentials         Easy takeover                             Common

Security Researcher Commentary

"Security checklist: gateway not public, pairing required, filesystem scoped (no /), and access via Tailscale/SSH tunnel. If a provider can't show you 'nmap clean' + no root mounts in 5 min, don't hand them your API keys."

— @ledger_eth

"The amount of 'services' spinning up OpenClaw by just blindly binding to 0.0.0.0:18789 and leaving the Control UI wide open is terrifying. We're seeing literal 1-click RCEs right now because of this lazy infrastructure."

— @__tazz10__

The Security Checklist

Minimum Requirements (Non-Negotiable)

Gateway localhost-only [Default]: bind to 127.0.0.1, not 0.0.0.0 — but silently falls back to 0.0.0.0 on failure
Pairing mode enabled [Default]: new connections require approval
Filesystem scoped [Not Default]: agent limited to ~/workspace, not /
Gateway authentication [Default]: token auth required (fail-closed if not configured)
Tunnel access only [Not Default]: Tailscale, SSH, or VPN required
Updated to latest version [Varies]: patches CVE-2026-25253 etc.
API spending limits [Not Default]: prevent runaway costs

Additional Hardening

Run in Docker with network restrictions
Disable mDNS broadcasting
Audit all installed skills
Monitor ~/.openclaw/ for changes
Set up alerts for unusual API usage
Rotate tokens regularly

Questions to Ask Hosting Providers

Before signing up with any OpenClaw hosting service:

1. How is the gateway accessed?
   Good answer: Tailscale, SSH tunnel, or VPN only
   Red flag: direct internet exposure
2. Is pairing mode enabled by default?
   Good answer: yes, new connections require approval
   Red flag: no, auto-approved
3. What filesystem scope does the agent have?
   Good answer: dedicated workspace directory only
   Red flag: root (/) access
4. Can I see an nmap scan of my instance?
   Good answer: yes, shows only expected ports
   Red flag: no, or shows unexpected services

Timeline of Security Incidents

Nov 2025: Clawdbot launched by Peter Steinberger
Late Jan 2026: Security researchers find exposed Control UIs via Shodan
Jan 23, 2026: @theonejvo documents hundreds of exposed gateways
Jan 27-29, 2026: ClawHavoc campaign: 341 malicious skills uploaded
Jan ~28, 2026: Rebrand to Moltbot after Anthropic trademark request
Jan 31, 2026: Moltbook database exposure discovered
Feb 1, 2026: CVE-2026-25253 (1-click RCE) disclosed
Feb 9, 2026: SecurityScorecard reports 40,000+ exposed instances

ProClaw Security Advantage

This research underscores why security-first managed hosting is critical. ProClaw addresses every issue identified:

Issue               How ProClaw Solves It
Exposed gateway     Private networking via Cloudflare Tunnel by default
No pairing          Pairing mode enabled, explicit approval required
Root filesystem     Scoped to dedicated workspace directory
No authentication   Strong authentication configured
Malicious skills    Skills audited or disabled by default
Outdated versions   Automatic security updates
No monitoring       Alerts for unusual activity

Our promise: If a provider can't demonstrate secure configuration in 5 minutes, they shouldn't be trusted with your AI agent.

Conclusion

OpenClaw's security situation is dire. The combination of:

  • Viral adoption (200K+ GitHub stars)
  • Minimal security defaults
  • Open marketplace with no vetting
  • Multiple critical CVEs
  • 40,000+ exposed instances

...creates a perfect storm for attackers.

If you're running OpenClaw:

  1. Update immediately to patch known CVEs
  2. Audit your configuration against the checklist above
  3. Rotate all tokens if you suspect exposure
  4. Consider managed hosting with security-first providers

Last updated: February 15, 2026

Ready for Security-First Hosting?

ProClaw handles security hardening so you can focus on building. Every item on the checklist? Already done.