OpenClaw Has 200,000+ GitHub Stars and a Massive Security Problem
One in eight skills on OpenClaw's marketplace will steal your data. That's not a theoretical risk assessment or a projected attack surface. It's what Koi Security researcher Oren Yomtov found when he audited all 2,857 skills on ClawHub: 341 were actively malicious, with 335 belonging to a single coordinated campaign called ClawHavoc.
OpenClaw, the open-source AI agent that's racked up over 200,000 GitHub stars, connects to your email, your files, your browser, and your terminal. It runs shell commands on your behalf. It remembers everything across sessions. And right now, every major cybersecurity firm is sounding alarms about it.
If you or anyone on your team has installed it, you need to understand what's actually happening.
The Attack Surface Is Enormous
The core problem isn't a single bug. It's a design philosophy that prioritizes capability over containment. OpenClaw runs locally with expansive file system, terminal, and often root-level privileges. Its own documentation admits: "There is no 'perfectly secure' setup." Security features are optional, not defaults.
Here's what that looks like in practice:
The marketplace is poisoned. The ClawHavoc campaign planted 335 malicious skills disguised as cryptocurrency wallets, YouTube utilities, and Google Workspace integrations. Each skill instructed users to install fake prerequisites that delivered Atomic Stealer (AMOS), a macOS infostealer that harvests API keys, wallet private keys, SSH credentials, and browser passwords. All 335 skills shared command-and-control infrastructure at a single IP address. On Windows, users downloaded a trojanized "openclaw-agent.zip" from GitHub; macOS users received obfuscated shell commands via glot.io. Cisco's independent testing of another skill, "What Would Elon Do?", found two critical and five high-severity security issues, including a curl command that silently exfiltrated data to an external server.
Thousands of instances are wide open. Censys researcher Silas Cutler tracked exposed OpenClaw instances growing from roughly 1,000 to 21,639 in under a week during late January 2026. By February, BitSight counted over 30,000. Security researcher Maor Dayan independently identified 42,665 exposed instances, with 93.4% of the 5,194 actively verified ones exhibiting authentication bypass. OpenClaw listens on TCP port 18789 by default, intended for local use only, but users are exposing it directly to the internet instead of using the recommended SSH or Cloudflare tunnels. The largest concentrations are in the United States, China, and Singapore, with at least 30% running on Alibaba Cloud.
A single stolen token is the keys to your digital life. Hudson Rock researchers discovered an infostealer (likely a Vidar variant) specifically targeting three OpenClaw configuration files: openclaw.json (containing gateway tokens and email addresses), device.json (cryptographic keys), and soul.md (the agent's behavioral guidelines). Stolen gateway tokens let attackers connect remotely to victims' OpenClaw instances or impersonate them in authenticated API requests. As Hudson Rock put it, this represents "the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI agents."
The Formal Audit Was Brutal
When the Argus Security Platform ran a formal audit on January 25, 2026, it found 512 vulnerabilities, eight of them critical, spanning authentication, secrets management, dependencies, and application security. OAuth credentials were stored in plaintext JSON files without encryption.
The most severe individual vulnerability, CVE-2026-25253 (CVSS 8.8), was discovered by Mav Levin of DepthFirst. It enabled one-click remote code execution through a cross-site WebSocket hijacking attack. Clicking a malicious link while OpenClaw was running was enough for an attacker to execute arbitrary commands on your machine. The team patched it in version 2026.1.29, published January 31, but that's one fix among hundreds of issues.
Six GitHub Security Advisories dropped in just three weeks.
The Moltbook Disaster
Then there's Moltbook, the "social network for AI agents" created by Octane AI CEO Matt Schlicht. It launched January 28, 2026 and went viral immediately. Wiz researchers found its Supabase database was completely misconfigured: no authentication controls, no Row Level Security. Anyone who knew where to look had full read and write access.
The exposed data: 35,000 email addresses and 1.5 million API authentication tokens. Wiz disclosed the issue and the Moltbook team secured it within hours, but the damage window was open from launch. The exposed database also revealed that Moltbook's 1.5 million "registered agents" were controlled by just 17,000 human owners, an 88:1 ratio.
CrowdStrike found a wallet-drain prompt injection payload embedded in a public Moltbook post, targeting any AI agent that read it. That's indirect prompt injection in the wild, not in a research paper.
The Broader Pattern
This isn't just an OpenClaw story. Gravitee's State of AI Agent Security 2026 report, surveying over 900 executives and practitioners, found that 81% of teams are past the planning phase with AI agents, but only 14.4% report their agents going live with full security or IT approval. Meanwhile, 88% of organizations confirmed or suspected security incidents related to AI agents this year.
OpenClaw is the canary. It happens to be the most visible case because it's open-source, wildly popular, and its security failures are public. But every AI agent that gets email access, file system permissions, and API credentials carries identical structural risks. Closed-source agents with the same permission model just haven't been audited as publicly.
What to Do Right Now
If you're running OpenClaw or managing a team where someone might be:
1. Find every instance. Search your network for anything listening on TCP 18789. Check for processes named openclaw, clawdbot, or moltbot. CrowdStrike published a Falcon for IT content pack specifically for enterprise-wide detection.
2. Revoke and rotate tokens immediately. Any API keys, OAuth tokens, or credentials that OpenClaw has accessed should be considered potentially compromised. This includes email tokens, cloud provider keys, and any service integrations.
3. Audit installed skills. Check every skill against Koi Security's ClawHavoc indicators. OpenClaw has since integrated VirusTotal scanning for uploaded skills, but anything installed before that integration needs manual review. Look for skills that request installation of "prerequisites" or contain curl commands to external servers.
4. Never expose the port. If you need remote access, use SSH tunnels or Cloudflare Tunnels. Direct internet exposure is the single biggest risk amplifier.
5. Patch to the latest version. Version 2026.2.17 includes Anthropic model support and security fixes. CVE-2026-25253 was patched in 2026.1.29, but newer versions address additional issues.
6. Apply least-privilege principles. Don't run OpenClaw as root. Restrict file system access to specific directories. Limit which shell commands it can execute. Treat it like any other application with network access and system permissions, because that's exactly what it is.
The Real Lesson
The instinct with AI agents is to give them maximum access so they can be maximally useful. It's worth noting: Peter Steinberger, OpenClaw's creator, joined OpenAI in February 2026 to lead personal agent development, with OpenClaw transitioning to an independent open-source foundation — a significant structural change that may affect how security governance evolves. OpenClaw's crisis shows where that instinct leads. The 512 vulnerabilities, the poisoned marketplace, the exposed instances, and the infostealers targeting config files all stem from the same root cause: an agent with broad permissions and insufficient guardrails.
This applies to every agent framework, not just OpenClaw. Before granting any AI agent access to your email, files, or APIs, ask a simple question: if this agent were compromised, what could an attacker do with these permissions? If the answer makes you uncomfortable, reduce the permissions until it doesn't.
Sources: CrowdStrike, Cisco, The Hacker News (infostealer), The Hacker News (ClawHavoc), Censys, BitSight, Wiz (Moltbook), Gravitee, CyberSecurity News
