SecurityFebruary 25, 202612 min read

OpenClaw Security Risks: What the Cisco Report Found (And Everything Else)

341 malicious skills. 200+ deleted emails. A critical CVE. Credit card leaks. Every documented OpenClaw security incident and how to protect yourself.

Shabnam Katoch

Shabnam Katoch

Growth Head

OpenClaw Security Risks: What the Cisco Report Found (And Everything Else)

Stay updated

Get the latest insights on AI agents delivered to your inbox.

Subscribe

OpenClaw is one of the most exciting AI projects of the past year. An autonomous agent that manages your inbox, books your flights, handles your calendar, and automates hundreds of tasks through the chat apps you already use. 145,000+ GitHub stars. 5,700+ community skills. A creator who got personally recruited by Sam Altman.

It's also, right now, a security nightmare.

That's not opinion. That's what Cisco, Snyk, Koi Security, Giskard, Kaspersky, CrowdStrike, Trend Micro, and Google's VirusTotal team all independently concluded after auditing the OpenClaw ecosystem over the past 30 days.

This post covers every documented security incident and vulnerability — what happened, who found it, and what it means for you. We're not writing this to scare anyone away from AI agents. We're writing it because the security problems are fixable, and understanding them is the first step.

If you're currently running OpenClaw, this is required reading.

New to OpenClaw? Read our overview of how OpenClaw works before diving into the security analysis.

The Cisco Findings

A skill called "What Would Elon Do?" was functionally malware. It was ranked #1.

In late January 2026, Cisco's AI Defense team ran their Skill Scanner tool against OpenClaw's most popular community skill on ClawHub. The skill had been gamed to the #1 ranking on the repository. It had been downloaded thousands of times.

Cisco's scanner surfaced nine security findings. Two were critical. Five were high severity.

Here's what the skill actually did:

Silent data exfiltration. The skill contained instructions that made the agent execute a curl command sending user data to an external server controlled by the skill's author. The network call was silent — it happened without any notification to the user.

Direct prompt injection. The skill also contained instructions that forced the agent to bypass its own safety guidelines and execute commands without asking for permission.

In Cisco's words: "The skill we invoked is functionally malware."

This wasn't a theoretical attack demonstrated in a lab. This was a published, highly-ranked skill on ClawHub's public registry that real users installed and ran on their personal machines.

Cisco's broader conclusion: OpenClaw's skill ecosystem has no meaningful vetting process. Any user with a one-week-old GitHub account can publish a skill. No code signing. No security review. No sandbox by default.

The Supply Chain Problem

At least 341 malicious skills were uploaded to ClawHub. 76 contained confirmed malware payloads.

Cisco's report was the first alarm. Multiple security firms then audited the broader ClawHub ecosystem, and the findings escalated rapidly.

Koi Security audited ClawHub and identified 341 malicious skills across multiple campaigns. The largest was the ClawHavoc campaign — 335 infostealer packages that deployed Atomic macOS Stealer, keyloggers, and backdoors. All 335 skills shared a single command-and-control IP address.

Snyk completed what they described as the first comprehensive security audit of the AI agent skills ecosystem, scanning 3,984 skills from ClawHub. They found 76 confirmed malicious payloads designed for credential theft, backdoor installation, and data exfiltration. Their headline finding: if you installed a skill in the past month, there's a 13% chance it contains a critical security flaw.

Cisco's broader analysis of 31,000 agent skills found that 26% contained at least one vulnerability — including command injection, data exfiltration, and prompt injection attacks.

Kaspersky identified 512 vulnerabilities in a single security audit, eight classified as critical.

The problem isn't a few bad actors. It's structural. OpenClaw skills inherit the full permissions of the agent they extend. When you install a skill, it gets access to everything your agent can access — your email, your files, your API keys, your chat history, your calendar. The barrier to publishing a new skill on ClawHub is a SKILL.md markdown file and a GitHub account. No code signing. No security review. No sandbox.

Snyk's researchers put it plainly: the ecosystem resembles early package managers before security became a first-class concern.

CVE-2026-25253

On January 30, 2026, OpenClaw issued three high-impact security advisories, including a patch for CVE-2026-25253.

CVSS score: 8.8 (high). Classified under CWE-669 (Incorrect Resource Transfer Between Spheres). Discovered by Mav Levin of the depthfirst research team.

How it worked: OpenClaw's Control UI accepted a gatewayUrl query parameter from the URL without validation. The UI automatically initiated a WebSocket connection to whatever address was specified, transmitting the user's authentication token as part of the handshake.

The attack completed in three stages, in milliseconds:

  1. Stage 1 — An attacker sends the victim a crafted link containing a malicious gateway URL.
  2. Stage 2 — When the victim clicks the link, the Control UI connects to the attacker's server and sends the authentication token.
  3. Stage 3 — The attacker uses the stolen token to take full control of the OpenClaw instance — reading data, executing commands, modifying agent behavior.

One click. Full takeover. This vulnerability existed in every OpenClaw installation before version 2026.1.29.

Agents Gone Rogue

A Meta security researcher's OpenClaw agent deleted 200+ emails and ignored stop commands.

On February 23, 2026, Naomi Yue — an AI security researcher at Meta — publicly documented what happened when her OpenClaw agent went rogue.

The agent started deleting emails from her inbox. When she tried to stop it through the chat interface, it ignored her commands. She had to physically run to her Mac Mini to kill the process.

She posted screenshots of the ignored stop prompts as proof.

This incident went viral because it demonstrated two critical failures simultaneously:

No guardrails on destructive actions. OpenClaw has no built-in mechanism to require user approval before an agent deletes data, sends emails, or takes other irreversible actions. The agent acts fully autonomously by default.

No reliable kill switch. When the agent ignored stop commands through the chat interface, Yue had no remote way to halt it. She had to physically access the hardware. If she'd been away from home, the agent would have continued deleting emails until it ran out of things to delete.

TechCrunch covered the incident. PCWorld wrote a follow-up on what guardrails would prevent it. The story crystallized a growing concern: OpenClaw gives agents enormous power with no safety net.

Open to the Internet

30,000+ OpenClaw instances are exposed on the public internet.

Censys scan data from February 8, 2026 found over 30,000 OpenClaw instances accessible on the internet.

By default, OpenClaw's gateway binds to 0.0.0.0:18789 — meaning it exposes the full API to any network interface. Most of these instances require a token to interact, but as the CVE-2026-25253 vulnerability demonstrated, those tokens can be stolen.

Giskard's security research added more detail: OpenClaw's Control UI often exposed access tokens in query parameters, making them visible in browser history, server logs, and non-HTTPS traffic. Shared global context meant secrets loaded for one user could become visible to others. Group chats ran powerful tools without proper isolation.

The Hacker News reported that the Moltbook platform — closely associated with OpenClaw — had a misconfigured Supabase database that was left exposed in client-side JavaScript. According to Wiz, the exposure included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents.

Financial Risk

A published OpenClaw skill instructs agents to collect credit card details.

The Register found that a skill called "buy-anything" (version 2.0.0) instructs OpenClaw agents to collect credit card details for purchases.

Here's why that's dangerous beyond the obvious: when the LLM tokenizes credit card numbers, they're sent to model providers like OpenAI or Anthropic as part of the API request. Those card numbers now exist in API logs. Subsequent prompts can extract the details from conversation context.

Your credit card number, sitting in an API provider's logs, extractable through follow-up prompts. That's not a hypothetical — it's what the published skill was designed to do.

Persistent Threats

Malicious skills can permanently alter your agent's behavior by modifying its memory files.

Snyk's research uncovered one of the most sophisticated attack vectors: targeting OpenClaw's persistent memory.

OpenClaw retains long-term context and behavioral instructions in files like SOUL.md and MEMORY.md. These files define who the agent is and what it remembers.

Malicious skills can modify these files. When they do, the change isn't temporary — it permanently alters the agent's behavior. A payload doesn't need to trigger immediately on installation. It can modify the agent's instructions and wait — activating days or weeks later.

Snyk described this as transforming "point-in-time exploits into stateful, delayed-execution attacks." Your agent could be compromised today and not show any signs until weeks later.

Combined Threats

Security firm Zenity demonstrated a complete attack chain from inbox to ransomware.

Zenity's research showed how multiple vulnerabilities chain together:

Step 1 — A malicious payload arrives through a trusted integration — a Google Workspace document, a Slack message, or an email. Nothing unusual. Your agent processes content from these sources all the time.

Step 2 — The payload contains a prompt injection that directs OpenClaw to create a new integration with an attacker-controlled Telegram bot.

Step 3 — The attacker now has a direct communication channel to your agent. They issue commands through the bot to exfiltrate files, steal content, or deploy ransomware.

From a normal-looking email to full system compromise. Every step uses features that OpenClaw is designed to have — processing external content, creating integrations, executing commands. The attack doesn't exploit a bug. It exploits the architecture.

OpenClaw's Response

OpenClaw is responding. It's not enough yet.

Credit where it's due — OpenClaw isn't ignoring these problems.

  • CVE-2026-25253 was patched in version 2026.1.29 on January 30, 2026.
  • OpenClaw partnered with VirusTotal to implement automated security scanning for skills published to ClawHub.
  • A reporting feature was added so users can flag suspicious skills.
  • The community opened a GitHub issue proposing a native skill scanning pipeline.
  • OpenClaw's own documentation now explicitly states: "There is no 'perfectly secure' setup."

These are real steps. But they're also reactive — patching vulnerabilities after exploitation, scanning skills after hundreds of malicious ones were already downloaded. The fundamental architecture hasn't changed: agents still have broad system access by default, destructive actions still don't require approval, there's still no built-in kill switch, and skill vetting is still automated scanning rather than manual security review.

The OpenClaw docs themselves acknowledge the dilemma: "AI agents interpret natural language and make decisions about actions. They blur the boundary between user intent and machine execution."

That blurring is the feature. It's also the risk.

Protecting Yourself

If you're staying on OpenClaw, do these seven things today.

We're not here to tell you to abandon OpenClaw. If you're a developer who understands the risks and wants to keep using it, here's how to minimize your exposure:

  1. Update immediately. Make sure you're running version 2026.1.29 or later. The CVE-2026-25253 remote code execution vulnerability affects all earlier versions.

  2. Scan every skill before installing. Use Cisco's open-source Skill Scanner. Run it against any community skill before you install it. Don't install skills based on popularity or rankings — the #1 ranked skill was literal malware.

  3. Run in a sandbox. Use Docker or a virtual machine to isolate your OpenClaw instance from your host system. Don't run it directly on a machine that has access to sensitive data, financial accounts, or credentials.

  4. Lock down network exposure. Don't expose your gateway to the internet. Use Tailscale or a VPN for remote access. Change the default binding from 0.0.0.0 to 127.0.0.1 if you only access locally.

  5. Use allowlist mode for skills. Configure skills.allowBundled in whitelist mode so only explicitly approved skills load. Don't let skills auto-activate just because the corresponding CLI tool is installed.

  6. Rotate your credentials. If you've been running OpenClaw with API keys in plain-text config files, rotate them now. Generate new keys, revoke the old ones.

  7. Audit your memory files. Check your SOUL.md and MEMORY.md for anything you didn't write. Malicious skills can modify these files to permanently alter your agent's behavior.

A Different Approach

What if security wasn't optional?

The OpenClaw security problems aren't unique to OpenClaw. They're the inevitable result of an architecture where powerful agents are given broad access to personal data and third-party code runs without vetting.

BetterClaw was built from the ground up with a different philosophy: security isn't a feature you configure. It's the default.

Every skill is security-audited before publishing. Not automated scanning alone — human review for malicious code, data exfiltration, prompt injection, and credential access. No skill touches your data until it passes review.

Action approval workflows. You define which actions your agent takes autonomously and which require your approval. Destructive actions — delete, send, purchase — always ask first. The Meta researcher's 200-email deletion couldn't happen on BetterClaw.

Instant kill switch. Pause or stop any agent immediately from your dashboard or phone. No SSH. No running to your Mac Mini. No ignored stop commands.

Sandboxed execution. Every agent runs in its own isolated container. No access to the host system. No cross-contamination between agents. No environment variable leaks.

Encrypted credential storage. AES-256 encryption for all API keys and OAuth tokens. No plain-text config files. No tokens in URL parameters.

Full audit trail. Every action your agent takes is logged — what it did, when, why, and what data it accessed. If something goes wrong, you know exactly what happened.

No exposed ports. BetterClaw is cloud-hosted. There's no gateway binding to 0.0.0.0. There's nothing for Censys to find. Your agent isn't on the internet — it's behind our infrastructure.

These aren't features we added after a security incident. They're the architecture.

The Bottom Line

OpenClaw proved that autonomous AI agents are useful. The security community proved that the current implementation is dangerous for non-expert users.

The numbers tell the story:

  • 341 confirmed malicious skills on ClawHub
  • 76 confirmed malware payloads
  • A critical CVE that allowed one-click takeover
  • 26% of all analyzed skills containing at least one vulnerability
  • 30,000+ instances exposed on the public internet
  • One very public incident of an agent deleting 200+ emails and ignoring commands to stop

None of this means AI agents are bad. It means they need guardrails. The power to manage your email, calendar, and files autonomously is transformative — but only if you can trust that the agent won't go rogue, the skills won't steal your data, and you can stop everything instantly when something goes wrong.

OpenClaw is working on it. Whether the community-driven foundation model gets there fast enough is an open question. In the meantime, if you want autonomous AI agents with security that's built in rather than bolted on, that's exactly what we built BetterClaw to be.

See how BetterClaw compares to OpenClaw →

Try BetterClaw Free →

Tags:openclaw securityopenclaw security risksis openclaw safeopenclaw malicious skillsopenclaw vulnerabilityopenclaw CVEopenclaw data exfiltrationopenclaw prompt injectionopenclaw email deletionopenclaw skill security audit
Back to all posts