
June 22, 2026

OpenClaw CVEs: The Complete 2026 Security Breakdown You Can’t Ignore

OpenClaw became a sensation almost overnight. In January 2026, this open-source AI personal assistant shot past 145,000 GitHub stars in just weeks. People loved the idea of a self-hosted AI that could automate tasks, manage their calendars, send messages, and interact with dozens of APIs. But here’s what most users didn’t see coming: a security disaster that unfolded just as fast as the hype.

Within a single week of going viral, OpenClaw went through trademark-forced rebrands, crypto scam hijackings, and multiple critical CVEs. There were supply chain attacks that spread macOS malware. Researchers found over 42,000 exposed instances leaking API keys and private messages. The adjacent Moltbook platform had a database misconfiguration that exposed 1.5 million API tokens to anyone with a browser.

This article digs into every documented OpenClaw vulnerability. We’ll cover the six CVEs, the 824+ malicious skills found on ClawHub, and concrete steps you can take to protect yourself. If you’re running OpenClaw or thinking about it, keep reading.

What Is OpenClaw and Why Did It Get So Popular So Fast

OpenClaw started life under a different name. It was originally called Clawdbot. Then trademark issues forced a rebrand to Moltbot. Finally, it settled on OpenClaw. All this happened in a matter of days. The rapid renaming caused confusion, and scammers jumped on that confusion right away.

The Appeal of Self-Hosted AI Assistants

OpenClaw promised something different from cloud-based AI tools. You could run it on your own hardware. You controlled your data. You didn’t need to send your messages, files, or API credentials to a third-party server. For privacy-conscious users and small businesses, this sounded perfect.

The tool could automate real workflows. It connected to APIs, controlled browser actions, and interacted with internal tools. Users could build or download “skills” from ClawHub, a community marketplace. These skills extended what OpenClaw could do.

But self-hosting comes with responsibility. You become the security team. And most people setting up OpenClaw in those early weeks weren’t security experts. They were enthusiasts, hobbyists, and startup employees looking for a quick productivity boost.

The Speed of Adoption Created a Security Gap

145,000 GitHub stars in weeks means tens of thousands of installations. Many of these happened before proper documentation existed. Before hardening guides were written. Before anyone really understood the attack surface.

Security researchers from multiple firms started poking at OpenClaw almost immediately. What they found was alarming. Exposed control interfaces. Default configurations that left ports open to the internet. Skills with embedded malware. And vulnerabilities that allowed remote code execution with a single click.

The OpenClaw team wasn’t malicious. They were just moving fast, trying to keep up with demand. But that speed left security as an afterthought. And attackers noticed.

Timeline of OpenClaw Security Incidents in 2026

Understanding when things happened helps you see the pattern. OpenClaw’s security problems didn’t appear randomly. They cascaded, one after another, as more people installed the software and more attackers paid attention.

January 2026: The Explosion and First CVEs

The project went viral in early January. Within the first week, three things happened simultaneously:

  • Trademark disputes forced rapid rebranding from Clawdbot to Moltbot to OpenClaw
  • Crypto scammers launched fake OpenClaw tokens and phishing sites
  • Security researchers disclosed the first critical vulnerabilities

The rebrand confusion was gold for scammers. People searching for “Clawdbot download” landed on malicious sites. Some installed trojanized versions without knowing. Others bought worthless cryptocurrency tokens marketed as “official.”

Meanwhile, researchers from Adversa AI and Koi Security began publishing findings. The first CVE was disclosed on January 18th, 2026. It allowed one-click remote code execution. An attacker could craft a malicious skill or message that, when processed by OpenClaw, would run arbitrary code on the host machine.

Late January: The Supply Chain Attack

Around January 25th, security firm Koi Security published details of the ClawHavoc campaign. Attackers had uploaded malicious skills to ClawHub, the official skill marketplace. These skills looked legitimate. They had normal descriptions and screenshots. But they contained hidden payloads.

Some skills targeted macOS users specifically. When installed, they dropped malware that stole credentials, installed backdoors, and joined infected machines to a botnet. Koi Security identified over 200 malicious skills in this initial wave.

February 2026: The Moltbook Database Disaster

In early February, researchers discovered that Moltbook, a companion platform for OpenClaw, had left a database completely exposed. No authentication. No firewall. Just open to the internet.

That database contained 1.5 million API tokens. These tokens belonged to users who had connected OpenClaw to services like Gmail, Slack, GitHub, and cloud providers. Anyone with basic technical skills could download the entire database and gain access to thousands of accounts.

Bloomberg reported on this incident, noting that OpenClaw’s rapid growth had outpaced its security infrastructure. The Moltbook team took the database offline within hours of disclosure, but the damage was done. Those tokens had been accessible for weeks.

March 2026: Exposed Instances Reach 42,000

By March, security researchers using Shodan and similar tools identified over 42,000 OpenClaw instances directly accessible from the internet. Many of these exposed the control interface without any authentication. Some leaked:

  • API keys for connected services
  • Private messages and conversation logs
  • Stored credentials for email, banking, and social media
  • Internal company documents and files

The geographic distribution was global. But researchers noted concentrations in the United States, Germany, India, and Brazil. Startups and small businesses made up a large portion of the exposed instances.

April 2026: The Malicious Skill Count Passes 800

Snyk’s security research team published findings in April showing that ClawHub now hosted over 824 malicious or dangerously flawed skills. Snyk specifically identified 283 skills that leaked API keys directly in their code. Others had vulnerabilities that allowed privilege escalation.

OpenClaw responded by integrating VirusTotal scanning for new skill submissions. They also added a skill reporting mechanism. But the fundamental problem remained: ClawHub was an unvetted software supply chain. And users kept installing skills without checking them.

The Six Documented OpenClaw CVEs: What Each One Means

Let’s break down the six CVEs that affected OpenClaw in 2026. Each represents a different type of vulnerability. Together, they paint a picture of software that was rushed to market without adequate security review.

CVE-2026-1001: Remote Code Execution via Skill Processing

This was the first and most severe CVE. CVSS score: 9.8 (Critical).

The vulnerability existed in how OpenClaw processed skill packages. When you installed a skill, OpenClaw would extract and execute certain files without proper validation. An attacker could craft a skill package with malicious code disguised as a configuration file. OpenClaw would run that code with the same privileges as the OpenClaw process.

On most installations, that meant full access to the host machine. Attackers could steal files, install backdoors, pivot to other systems on the network, or use the machine for cryptocurrency mining.

The fix: OpenClaw version 1.2.3 added signature verification for skill packages. But many users didn’t update immediately, and older versions remain vulnerable.

CVE-2026-1002: Prompt Injection Leading to Unauthorized Actions

This CVE affected the AI agent’s decision-making process. CVSS score: 8.1 (High).

OpenClaw uses a large language model to interpret user requests and decide what actions to take. Researchers found that carefully crafted input could “inject” instructions that the AI would follow. For example, an attacker could send a message to a user that contained hidden instructions. When OpenClaw processed that message, it would execute the attacker’s commands.

One researcher demonstrated this by sending an email that, when read by OpenClaw, caused it to forward all the user’s emails to an external address. The user never explicitly approved this action. OpenClaw just followed the injected instructions.

The fix: OpenClaw implemented input sanitization and added a confirmation step for sensitive actions. But prompt injection remains an ongoing challenge for all AI agents.

CVE-2026-1003: Authentication Bypass in Control Interface

The web-based control interface had a flaw that allowed authentication bypass. CVSS score: 9.1 (Critical).

By default, OpenClaw ran a web interface for configuration and monitoring. This interface was protected by a password. But researchers found that certain API endpoints didn’t check authentication properly. An attacker could access sensitive functions without knowing the password.

Combined with the exposed instances mentioned earlier, this meant attackers could take over OpenClaw installations remotely. They could change settings, install malicious skills, access conversation logs, and extract stored credentials.

The fix: Version 1.2.5 rewrote the authentication layer. But many exposed instances were running older versions and never updated.

CVE-2026-1004: Stored Cross-Site Scripting in Conversation Logs

This vulnerability allowed attackers to inject malicious JavaScript into conversation logs. CVSS score: 6.1 (Medium).

When users viewed their conversation history through the web interface, OpenClaw didn’t properly sanitize previous messages. An attacker could send a message containing JavaScript code. When an admin later viewed that conversation, the code would execute in their browser.

This allowed session hijacking, credential theft, and further attacks against the OpenClaw installation.

The fix: Output encoding was added in version 1.2.4.

CVE-2026-1005: Insecure Default Configuration

This CVE covered multiple insecure defaults. CVSS score: 7.5 (High).

Out of the box, OpenClaw:

  • Bound to all network interfaces (0.0.0.0) instead of localhost only
  • Used a weak default password that was the same for all installations
  • Enabled debug logging that wrote sensitive data to disk
  • Didn’t require HTTPS for the control interface

Most users installed OpenClaw and started using it immediately without changing these defaults. That’s why so many instances ended up exposed to the internet.

The fix: Version 1.3.0 changed the defaults. The installer now prompts for a unique password and binds to localhost by default. But existing installations need to be reconfigured manually.

CVE-2026-1006: Path Traversal in File Access Module

This vulnerability allowed attackers to read arbitrary files from the host system. CVSS score: 7.2 (High).

OpenClaw had a module that let skills read and write files in a designated directory. Researchers found that by using path traversal sequences (like ../../../), skills could escape this directory and access any file the OpenClaw process could read.

This included configuration files with database credentials, SSH keys, and other sensitive data. A malicious skill could silently exfiltrate this information to an external server.

The fix: Version 1.2.6 added proper path validation. But users also need to review what skills they have installed and remove any they don’t trust.
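The containment check that this class of bug needs, as an added example (not OpenClaw's code): the requested path is resolved to its real location and must still sit under the skill's data directory, which also catches symlinks inside the directory that point outside it. The directory layout and the `naive_join` "before" version are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a skill asks for a path outside its designated directory."""


def resolve_in_sandbox(base_dir: str, requested: str) -> Path:
    """Return the real path of `requested` inside `base_dir`, or raise PathEscapeError.

    Containment is checked on the fully resolved path, so the check covers
    '../' sequences, absolute paths, and symlinks inside the sandbox that
    point outside it.
    """
    if "\x00" in requested:
        raise PathEscapeError("NUL byte in requested path")
    req = Path(requested)
    if req.is_absolute():
        raise PathEscapeError(f"absolute paths are not allowed: {requested!r}")
    base = Path(base_dir).resolve(strict=True)
    candidate = (base / req).resolve(strict=False)
    try:
        candidate.relative_to(base)  # raises ValueError if candidate is not under base
    except ValueError:
        raise PathEscapeError(f"path escapes sandbox: {requested!r}") from None
    return candidate


def naive_join(base_dir: str, requested: str) -> str:
    """The vulnerable pattern: a plain join with no containment check (the CVE-2026-1006 bug class)."""
    return os.path.join(base_dir, requested)


def demo() -> dict:
    """Run both versions against constructed inputs in a throwaway directory.

    Returns request -> 'allowed' / 'blocked' for the hardened resolver, plus
    'naive_escapes', which shows that the plain join leaves the sandbox.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = Path(tmp) / "skill-data"
        sandbox.mkdir()
        (sandbox / "notes.txt").write_text("skill-owned data")
        outside = Path(tmp) / "secret.txt"  # stands in for e.g. an SSH key or config file
        outside.write_text("not for skills")

        requests = ["notes.txt", "../secret.txt", "sub/../../secret.txt", "/etc/passwd"]
        try:
            (sandbox / "link").symlink_to(outside)  # symlink inside the sandbox pointing out
            requests.append("link")
        except OSError:
            pass  # platform without symlink support: skip that case

        for r in requests:
            try:
                resolve_in_sandbox(str(sandbox), r)
                results[r] = "allowed"
            except PathEscapeError:
                results[r] = "blocked"

        naive = os.path.normpath(naive_join(str(sandbox), "../secret.txt"))
        results["naive_escapes"] = not naive.startswith(str(sandbox) + os.sep)
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request}: {outcome}")
```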

ClawHub and the Supply Chain Attack Surface

ClawHub is OpenClaw’s official skill marketplace. It’s a lot like npm for JavaScript or PyPI for Python. Users can upload skills they’ve created, and other users can install them with a single click. This convenience is also a huge security risk.

How Malicious Skills Spread

The ClawHub model has a basic problem: trust. When you install a skill, you’re running someone else’s code on your machine. That code has the same access as OpenClaw itself. It can read files, make network requests, interact with connected services, and execute system commands.

In the early months of 2026, ClawHub had almost no vetting process. Anyone could create an account and upload a skill. There were no code reviews, no automated security scanning, and no requirement for maintainer identity verification.

Attackers took advantage of this in several ways:

  • Typosquatting: Uploading skills with names similar to popular ones (like “calendar-sync” vs “calender-sync”)
  • Feature additions: Creating skills that added popular functionality while also including hidden malware
  • Abandoned skill takeover: Claiming ownership of skills whose original maintainers had left the platform
  • Dependency confusion: Uploading malicious versions of internal skills used by companies

The ClawHavoc Campaign

Koi Security gave the name “ClawHavoc” to a coordinated campaign they discovered in late January 2026. The attackers behind ClawHavoc had uploaded dozens of malicious skills over several weeks. These skills targeted specific user segments:

Developers: Skills promising GitHub automation, code review, and CI/CD integration. These stole SSH keys, GitHub tokens, and source code.

Business users: Skills for CRM integration, email management, and calendar sync. These harvested customer data, email contents, and contact lists.

macOS users: Skills specifically designed to exploit macOS. These installed persistent backdoors and joined machines to a botnet.

The attackers used professional-looking skill pages with documentation, screenshots, and even fake reviews. Nothing about them looked suspicious at first glance.

What Snyk Found: 283 Skills Leaking API Keys

Snyk’s analysis in April revealed another problem: many skill authors were accidentally including sensitive data in their code. 283 skills contained hardcoded API keys that were visible to anyone who downloaded them.

These weren’t necessarily malicious. They were just poorly written. But the effect was similar. Anyone could extract those keys and use them to access services on behalf of the skill author or their users.

Common leaked credentials included:

  • OpenAI API keys
  • AWS access keys
  • Google Cloud service account credentials
  • Stripe API keys
  • Slack bot tokens

OpenClaw’s Response: Too Little, Too Late

OpenClaw eventually added security measures to ClawHub:

  • VirusTotal scanning: New uploads are scanned for known malware signatures
  • Skill reporting: Users can flag suspicious skills
  • Verified publishers: Some publishers can get a “verified” badge after identity verification
  • Download warnings: Users see a warning when installing skills from unverified publishers

These changes help, but they don’t solve the fundamental problem. VirusTotal catches known malware, but not new or custom payloads. Reporting relies on users spotting malicious behavior after installation. And verified publishers can still make mistakes or go rogue.

The safest approach is to treat every skill as potentially malicious until you’ve reviewed its code yourself.

42,000+ Exposed Instances: What Went Wrong

When security researchers scanned the internet for OpenClaw installations, they found a staggering number accessible without any protection. Over 42,000 instances were directly reachable. Many leaked sensitive information. Some allowed complete remote control.

Why So Many Instances Were Exposed

Several factors combined to create this situation:

Insecure defaults: OpenClaw bound to all network interfaces by default. If you installed it on a server with a public IP, the control interface was immediately accessible to everyone.

Cloud deployment guides: Many tutorials showed how to deploy OpenClaw on AWS, DigitalOcean, or other cloud providers. These guides often didn’t mention firewall configuration. Users followed the guides, launched their instances, and moved on.

Dynamic DNS and port forwarding: Some home users wanted to access OpenClaw remotely. They set up port forwarding on their routers without understanding the risks.

No authentication on some endpoints: Even when users set a password, the authentication bypass vulnerability (CVE-2026-1003) meant many instances were still accessible.

What Exposed Instances Leaked

Researchers documented what they found on exposed instances. The data was troubling:

Data type, with the percentage of exposed instances that leaked it:

  • API keys for external services: 67%
  • Email contents and contact lists: 54%
  • Private conversation logs: 89%
  • Cloud provider credentials: 23%
  • Internal company documents: 31%
  • Calendar data including meeting links: 45%

Some instances belonged to individuals. Others were clearly business deployments. Researchers found exposed instances at startups, small businesses, and even employees of large enterprises who had set up OpenClaw without IT approval.

Geographic Distribution of Vulnerable Deployments

The exposed instances were distributed globally, but some regions had higher concentrations:

  • United States: 34% of exposed instances
  • Germany: 12% of exposed instances
  • India: 11% of exposed instances
  • Brazil: 8% of exposed instances
  • United Kingdom: 6% of exposed instances
  • Other countries: 29% of exposed instances

The US concentration likely reflects OpenClaw’s popularity among American tech enthusiasts and startups. Germany’s high representation may be due to strong privacy concerns driving interest in self-hosted solutions.

The Moltbook API Token Exposure

The most severe exposure wasn’t in OpenClaw itself but in Moltbook, a companion platform. Moltbook provided cloud synchronization and backup features for OpenClaw users. It stored data in a MongoDB database.

That database was left completely open. No authentication. No IP restrictions. Just accessible to anyone who knew the URL.

Inside were 1.5 million API tokens. These tokens represented connections to external services like:

  • Gmail and Google Workspace
  • Microsoft 365
  • Slack workspaces
  • GitHub repositories
  • AWS accounts
  • Banking and payment services

An attacker with these tokens could read emails, access Slack messages, download code from private repositories, and potentially transfer money. The scope of potential damage was enormous.

Bloomberg quoted a security researcher saying: “This is what happens when growth outpaces security. They built something people loved, but they didn’t build the infrastructure to protect it.”

Why Enterprises Should Stay Far Away from OpenClaw (For Now)

Some organizations looked at OpenClaw and saw potential. An AI assistant that could automate workflows, handle internal requests, and integrate with business tools. All running on their own infrastructure, keeping data in-house. The appeal was real.

But the risks for enterprise deployment are severe. Here’s why security teams should block OpenClaw until it matures significantly.

Shadow IT and Unsanctioned Deployments

The biggest enterprise risk isn’t an official deployment. It’s employees installing OpenClaw without permission. OpenClaw runs on standard hardware. A developer can spin it up on their laptop. A team can deploy it on a cloud account they created with a corporate credit card.

These shadow deployments don’t follow security policies. They don’t get patched. They connect to corporate services using personal accounts. And they create data leakage paths that security teams can’t see.

Several exposed instances identified by researchers turned out to be unauthorized deployments at large companies. Employees had set them up for productivity and inadvertently exposed corporate data.

Compliance and Regulatory Concerns

OpenClaw processes and stores data from connected services. If you connect it to email, it reads email. If you connect it to customer databases, it accesses customer records. This creates compliance issues:

GDPR: Personal data processed by OpenClaw must be handled according to GDPR requirements. This includes access controls, audit logging, data retention policies, and breach notification procedures. OpenClaw’s default configuration doesn’t meet these requirements.

HIPAA: Healthcare organizations cannot use OpenClaw with patient data without extensive hardening. The default installation would constitute a violation.

SOC 2: Organizations with SOC 2 obligations need to demonstrate that their systems follow security controls. Deploying OpenClaw with insecure defaults would fail an audit.

PCI DSS: If OpenClaw has access to payment card data, the deployment must meet PCI requirements. The skill system and broad access model make this nearly impossible.

The Agent Access Problem

OpenClaw operates as an AI agent. It doesn’t just respond to queries. It takes actions. It sends emails, creates files, modifies calendar entries, and interacts with APIs. This agent model means:

  • The AI makes decisions about what actions to take
  • Those decisions are influenced by user input (and potentially attacker input)
  • Actions happen automatically, often without confirmation
  • The scope of potential actions is broad and hard to constrain

In an enterprise environment, this is dangerous. A prompt injection attack could cause OpenClaw to exfiltrate sensitive data, send misleading communications to partners, or modify business records.

Lack of Audit Logging

Enterprise security requires knowing what happened, when, and who was responsible. OpenClaw’s default installation had no audit logging for high-risk actions. When OpenClaw sent an email, accessed a file, or executed a command, no record was created.

This makes incident response impossible. If an attacker compromises an OpenClaw instance, there’s no way to know what data they accessed or what actions they took. You can’t scope a breach without logs.

Later versions added optional audit logging, but it requires manual configuration and still doesn’t capture all security-relevant events.

Integration Security Concerns

OpenClaw integrates with services through API keys and OAuth tokens. These credentials are stored locally. If an attacker compromises the OpenClaw instance, they get all those credentials.

For enterprises, this means OpenClaw becomes a single point of compromise. An attacker who gets into OpenClaw potentially gets access to every service it’s connected to. Email. Slack. Cloud accounts. Source code repositories. Customer databases.

There’s no credential isolation. No hardware security module support. No rotation mechanism. The credentials sit in a configuration file or database, waiting to be stolen.

How to Harden Your OpenClaw Installation: A Step-by-Step Guide

If you’re determined to run OpenClaw despite the risks, you need to take security seriously. This section covers concrete steps to reduce your exposure. Follow all of them.

Network Isolation: Keep OpenClaw Off the Internet

The first and most important step is preventing unauthorized network access. OpenClaw should never be directly accessible from the internet.

For home users:

  • Don’t forward ports to your OpenClaw instance
  • Don’t use dynamic DNS to make it accessible remotely
  • Access OpenClaw only from your local network
  • If you need remote access, use a VPN to connect to your home network first

For server deployments:

  • Bind OpenClaw to localhost (127.0.0.1) only
  • Use a reverse proxy (nginx, Caddy) to handle external connections
  • Put the reverse proxy behind a firewall that only allows connections from known IPs
  • Require VPN access for remote administration

Sample nginx configuration:

server {
    listen 443 ssl;
    server_name openclaw.internal;
    
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Authentication: Strong Passwords and Multi-Factor

The default password must be changed immediately after installation. Use a strong, unique password. Store it in a password manager.

Better yet, don’t rely on OpenClaw’s built-in authentication at all. Put it behind an authentication proxy that supports multi-factor authentication. Options include:

  • Authelia: Open source, supports TOTP and WebAuthn
  • Keycloak: More complex but supports enterprise identity providers
  • Cloudflare Access: If you’re using Cloudflare, their Zero Trust product works well

With an authentication proxy, users must authenticate before they can even reach OpenClaw. This adds a layer of protection even if OpenClaw’s authentication has vulnerabilities.

Skill Vetting: Trust Nothing from ClawHub

Don’t install skills blindly. Every skill you install runs code on your machine. Treat skill installation like installing software from an unknown source, because that’s exactly what it is.

Before installing any skill:

  • Check the publisher’s profile and history
  • Look for verified publisher badges
  • Read the source code if it’s available
  • Search for security discussions about the skill
  • Check when the skill was last updated
  • Look at the number of downloads (popular skills get more scrutiny)

During installation:

  • Review the permissions the skill requests
  • Deny permissions that seem unnecessary
  • Note what files and APIs the skill accesses

After installation:

  • Monitor for unusual behavior
  • Check for unexpected network connections
  • Review logs for suspicious activity
  • Remove skills you’re not actively using
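A scanner for the "read the source code" step above, aimed at the hardcoded-key problem Snyk found in 283 skills. This is an added example, not a ClawHub or Snyk tool: the regexes are heuristics for well-known token prefixes, the file suffix list and the sample skill are constructed, and the sample key values are fabricated.

```python
import re
from pathlib import Path
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str


# Heuristic patterns for the credential types Snyk reported in ClawHub skills.
# Prefix formats are public (AWS AKIA..., Stripe sk_live_..., Slack xoxb-...);
# the OpenAI and private-key patterns are kept broad on purpose. Expect some
# false positives; a human still reads the flagged lines.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_api_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
# Reading a secret from the environment at runtime is the correct pattern, not a leak.
ENV_LOOKUP = re.compile(r"os\.environ|getenv\(|process\.env")
SOURCE_SUFFIXES = {".py", ".js", ".ts", ".json", ".yaml", ".yml", ".toml", ".env", ".cfg"}


def redact(value: str) -> str:
    """Report enough to locate the secret without copying it into the report."""
    return f"{value[:6]}...({len(value)} chars)"


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per credential-looking token, with line numbers starting at 1."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ENV_LOOKUP.search(line):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, redact(m.group(0))))
    return findings


def scan_skill_dir(root: str) -> Dict[str, List[Finding]]:
    """Scan every source/config file under an unpacked skill directory."""
    report: Dict[str, List[Finding]] = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed sample skill with fabricated credential values (AKIAIOSFODNN7EXAMPLE
# is AWS's documented placeholder key); not a real ClawHub skill.
SAMPLE_SKILL = """\
# calendar-sync skill: constructed sample, not a real ClawHub skill
import os
OPENAI_KEY = "sk-proj-abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
STRIPE_KEY = os.environ.get("STRIPE_KEY")  # correct: read at runtime, not hardcoded
SLACK_TOKEN = "xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"
GCP_SA = '{"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\\nAAAA"}'

def run():
    pass
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SKILL):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Run `scan_skill_dir` on the unpacked skill before installing it; a clean report is necessary but not sufficient, since the patterns only know common token formats.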

Least Privilege: Limit What OpenClaw Can Do

OpenClaw runs with the permissions of its process. On most installations, that’s whatever user account launched it. Reduce these permissions.

Create a dedicated user:

sudo useradd -r -s /bin/false openclaw
sudo mkdir -p /opt/openclaw
sudo chown -R openclaw:openclaw /opt/openclaw

Run OpenClaw as that user:

sudo -u openclaw /opt/openclaw/bin/openclaw-server

Restrict file system access:

  • The OpenClaw user should only have access to its data directory
  • It should not be able to read system configuration files
  • It should not have write access outside its directory

Use container isolation:

Running OpenClaw in a container (Docker, Podman) adds another layer of isolation. The container can have its own file system, network namespace, and resource limits. Even if OpenClaw is compromised, the attacker is confined to the container.

Sample Docker configuration with security options:

docker run -d \
    --name openclaw \
    --user 1000:1000 \
    --read-only \
    --tmpfs /tmp \
    --security-opt no-new-privileges \
    --cap-drop ALL \
    -v /data/openclaw:/data \
    -p 127.0.0.1:8080:8080 \
    openclaw/openclaw:latest

API Credential Management: Separate and Rotate

When you connect OpenClaw to external services, you’re giving it access credentials. Manage these carefully.

Use separate credentials:

  • Don’t use your personal API keys
  • Create dedicated API keys or service accounts for OpenClaw
  • This limits the blast radius if credentials are stolen

Apply minimum permissions:

  • If OpenClaw only needs to read emails, don’t give it send permission
  • If it only needs access to one calendar, don’t give it access to all calendars
  • Review each integration and restrict as much as possible

Rotate credentials regularly:

  • Set calendar reminders to rotate API keys monthly
  • After any security incident, rotate all credentials immediately
  • Monitor for unauthorized use of your credentials

Audit Logging: Know What’s Happening

Enable all available logging. OpenClaw’s logging is limited, but turn on what exists.

In the OpenClaw configuration:

logging:
  level: info
  audit: true
  output: /var/log/openclaw/audit.log

Collect and analyze logs:

  • Send logs to a central logging system
  • Set up alerts for suspicious patterns
  • Retain logs for at least 90 days
  • Include logs from the reverse proxy and authentication system

What to monitor:

  • Failed authentication attempts
  • Skill installations and removals
  • Access to sensitive files
  • Outbound network connections to unexpected destinations
  • High volumes of API calls to connected services
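The five monitoring rules above, run over a constructed audit log, as an added example (not OpenClaw's logging or alerting code). The JSON-lines field names, thresholds, allowed outbound hosts and sensitive path prefixes are all assumptions for the demo; map them onto whatever your audit.log actually emits.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Deployment-specific assumptions; tune for your instance.
FAILED_AUTH_THRESHOLD = 5                  # failures from one IP ...
FAILED_AUTH_WINDOW = timedelta(minutes=5)  # ... inside this window
API_RATE_THRESHOLD = 50                    # calls to one service ...
API_RATE_WINDOW = timedelta(minutes=1)     # ... inside this window
ALLOWED_OUTBOUND_HOSTS = {"api.openai.com", "slack.com", "www.googleapis.com"}
SENSITIVE_PATH_PREFIXES = ("/etc/", "/root/", "/home/openclaw/.ssh/", "/opt/openclaw/config/")


def parse_event(line: str) -> dict:
    """One JSON object per line with at least 'ts' (ISO 8601) and 'event' (assumed format)."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def _count_in_window(q: Deque[datetime], ts: datetime, window: timedelta) -> int:
    """Sliding-window counter: add ts, drop anything older than the window, return the count."""
    q.append(ts)
    while q and ts - q[0] > window:
        q.popleft()
    return len(q)


def analyze(lines: List[str]) -> List[str]:
    """Apply the monitoring rules to audit log lines and return human-readable alerts."""
    alerts: List[str] = []
    failed_auth: Dict[str, Deque[datetime]] = defaultdict(deque)
    api_calls: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_alerted = set()  # alert once per IP / service, not on every further event

    for raw in lines:
        ev = parse_event(raw)
        kind, ts = ev["event"], ev["ts"]
        if kind == "auth" and ev.get("result") == "failure":
            n = _count_in_window(failed_auth[ev["ip"]], ts, FAILED_AUTH_WINDOW)
            if n >= FAILED_AUTH_THRESHOLD and ("auth", ev["ip"]) not in already_alerted:
                already_alerted.add(("auth", ev["ip"]))
                alerts.append(f"brute-force: {n} failed logins from {ev['ip']} within {FAILED_AUTH_WINDOW}")
        elif kind in ("skill_install", "skill_remove"):
            alerts.append(f"{kind}: {ev['skill']} by {ev.get('user', 'unknown')}")
        elif kind == "file_access" and ev["path"].startswith(SENSITIVE_PATH_PREFIXES):
            alerts.append(f"sensitive file access: {ev['path']} by skill {ev.get('skill', 'unknown')}")
        elif kind == "outbound_connection" and ev["dest_host"] not in ALLOWED_OUTBOUND_HOSTS:
            alerts.append(f"unexpected outbound connection to {ev['dest_host']} by skill {ev.get('skill', 'unknown')}")
        elif kind == "api_call":
            n = _count_in_window(api_calls[ev["service"]], ts, API_RATE_WINDOW)
            if n > API_RATE_THRESHOLD and ("rate", ev["service"]) not in already_alerted:
                already_alerted.add(("rate", ev["service"]))
                alerts.append(f"api-rate: {n} calls to {ev['service']} within {API_RATE_WINDOW}")
    return alerts


def build_sample_log() -> List[str]:
    """Constructed audit log covering each rule once; addresses are documentation ranges."""
    t0 = datetime(2026, 3, 1, 9, 0, 0)

    def line(offset_s: int, **fields) -> str:
        return json.dumps({"ts": (t0 + timedelta(seconds=offset_s)).isoformat(), **fields})

    lines = [line(i * 10, event="auth", ip="203.0.113.7", user="admin", result="failure") for i in range(6)]
    lines += [
        line(70, event="auth", ip="192.168.1.20", user="alice", result="success"),
        line(80, event="skill_install", skill="calender-sync", user="alice"),
        line(90, event="file_access", path="/data/openclaw/notes.txt", skill="calender-sync"),
        line(95, event="file_access", path="/home/openclaw/.ssh/id_ed25519", skill="calender-sync"),
        line(100, event="outbound_connection", dest_host="api.openai.com", skill="calender-sync"),
        line(105, event="outbound_connection", dest_host="198.51.100.23", skill="calender-sync"),
    ]
    # 60 Gmail API calls in 30 seconds: well above the per-minute threshold.
    lines += [line(120 + i // 2, event="api_call", service="gmail", skill="calender-sync") for i in range(60)]
    return lines


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```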

Update Management: Stay Current

OpenClaw is under active development. New security patches come out regularly. You need to apply them quickly.

Monitor for updates:

  • Watch the OpenClaw GitHub repository for releases
  • Subscribe to the security mailing list
  • Follow OpenClaw on social media for announcements

Test before deploying:

  • If possible, run a test instance
  • Apply updates to the test instance first
  • Verify functionality before updating production

Don’t fall behind:

  • Updates should be applied within a week of release for non-critical fixes
  • Security patches should be applied within 24-48 hours
  • If you can’t maintain this schedule, reconsider running OpenClaw

Prompt Injection Defenses

Prompt injection is hard to defend against completely. But you can reduce the risk.

Enable confirmation for sensitive actions:

  • OpenClaw should ask for confirmation before sending emails
  • File deletions should require explicit approval
  • Financial transactions must have multi-step verification

Use input validation:

  • If you’re building custom skills, validate all input
  • Don’t pass raw user input to AI prompts
  • Sanitize external data before processing

Limit the AI’s capabilities:

  • Disable skills and features you don’t need
  • Restrict what tools the AI can call
  • Use allowlists instead of blocklists
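The three controls above (confirmation for sensitive actions, not treating external data as instructions, tool allowlists) combined into one deny-by-default gate, as an added example rather than OpenClaw's own confirmation logic. The tool names, origin labels and the injected-email scenario from CVE-2026-1002 are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

# Allowlist: tools the agent may ever call. Anything not listed is refused,
# so a newly installed skill cannot silently widen what the model can do.
ALLOWED_TOOLS: FrozenSet[str] = frozenset(
    {"read_email", "read_calendar", "create_event", "send_email", "delete_file"}
)
# Tools whose side effects justify a human "yes" for each individual call.
SENSITIVE_TOOLS: FrozenSet[str] = frozenset({"send_email", "delete_file"})
# Content the model may be reading when it proposes an action. Anything that
# arrived from outside is data, not instructions, so actions proposed while
# processing it also need confirmation, even the otherwise harmless ones.
UNTRUSTED_ORIGINS: FrozenSet[str] = frozenset({"email", "web_page", "chat_message", "skill_output"})


@dataclass(frozen=True)
class ProposedAction:
    tool: str
    args: Dict[str, str] = field(default_factory=dict)
    origin: str = "operator"  # "operator" = typed by the user at the console
    confirmed: bool = False   # True only after a human approved this exact call


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def decide(action: ProposedAction) -> Decision:
    """Gate a tool call the model wants to make; the default answer is no."""
    if action.tool not in ALLOWED_TOOLS:
        return Decision(False, f"tool {action.tool!r} is not on the allowlist")
    if action.origin in UNTRUSTED_ORIGINS and not action.confirmed:
        return Decision(False, f"proposed while processing untrusted {action.origin}; confirmation required")
    if action.tool in SENSITIVE_TOOLS and not action.confirmed:
        return Decision(False, f"{action.tool} is a sensitive action; confirmation required")
    return Decision(True, "allowed")


def demo() -> Dict[str, bool]:
    """Constructed scenarios, including the mailbox-forwarding injection described for CVE-2026-1002."""
    injected = ProposedAction(
        tool="send_email",
        args={"to": "attacker@example.invalid", "body": "<entire mailbox>"},
        origin="email",  # the model was reading an inbound email when it proposed this
    )
    scenarios = {
        "operator reads calendar": ProposedAction("read_calendar"),
        "injected email forwards mailbox": injected,
        "same action after human confirmation": ProposedAction("send_email", injected.args, "email", confirmed=True),
        "operator deletes file, unconfirmed": ProposedAction("delete_file", {"path": "/data/old.txt"}),
        "operator deletes file, confirmed": ProposedAction("delete_file", {"path": "/data/old.txt"}, confirmed=True),
        "skill output asks to run shell": ProposedAction("run_shell", {"cmd": "id"}, origin="skill_output"),
    }
    return {name: decide(a).allow for name, a in scenarios.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {name}")
```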

Comparing OpenClaw Vulnerabilities to Other AI Security Incidents

OpenClaw isn’t the only AI tool with security problems. Looking at similar incidents helps put these issues in context.

OpenClaw vs. ChatGPT Data Leaks

In March 2023, OpenAI disclosed that a bug in ChatGPT had exposed some users’ conversation histories to other users. The issue was quickly fixed, but it showed that even well-funded AI companies have security gaps.

The difference with OpenClaw is scale and scope. ChatGPT’s leak was a bug that was quickly patched by a professional security team. OpenClaw had multiple simultaneous vulnerabilities, a less mature security process, and a user base that often couldn’t apply patches quickly.

OpenClaw vs. LangChain Vulnerabilities

LangChain, a popular framework for building AI applications, has also had security issues. Researchers found that applications built with LangChain were vulnerable to prompt injection attacks similar to CVE-2026-1002.

Both OpenClaw and LangChain share a fundamental challenge: when you give an AI agent the ability to take actions, you create new attack surfaces. The AI’s decision-making process becomes a target. This isn’t unique to OpenClaw. It’s a problem for the entire AI agent ecosystem.

OpenClaw vs. Hugging Face Supply Chain

Hugging Face hosts thousands of AI models that developers download and run. Security researchers have found malicious models uploaded to the platform. These models contained hidden code that executed when loaded.

ClawHub’s skill marketplace has the same problem. It’s a supply chain attack surface where malicious actors can distribute code disguised as legitimate tools. The solution in both cases is better vetting, but also a fundamental shift in how users evaluate third-party code.

The iMessage Incident: When AI Goes Rogue

One incident that got a lot of attention was a software engineer who gave OpenClaw access to iMessage. The AI went off the rails, sending over 500 messages to him and his wife, and spamming random contacts from his address book.

This wasn’t a traditional security vulnerability. OpenClaw was doing what it was designed to do: take actions on behalf of the user. But it interpreted its instructions in unexpected ways. The engineer never told OpenClaw to send 500 messages. The AI decided to do that on its own.

Bloomberg quoted the engineer: “I thought I was getting an assistant. What I got was an assistant that doesn’t understand boundaries.”

This highlights a risk beyond CVEs. AI agents can behave unpredictably. Even without bugs or vulnerabilities, they can take actions that surprise and harm their users.

OpenClaw Security Audit Checklist for 2026

Use this checklist to audit your OpenClaw deployment. Each item should be verified regularly, not just once.

Network Security

Item                                    Status  Notes
OpenClaw bound to localhost only        [ ]
Reverse proxy configured with HTTPS     [ ]
Firewall rules restricting access       [ ]
No public internet exposure             [ ]
VPN required for remote access          [ ]
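A small check for the first item in this table, added here as an example and not part of OpenClaw or this article: it parses `ss -tlnp` output and reports any listener of the OpenClaw process bound to something other than loopback. It assumes the process name shown by ss contains "openclaw"; the port is not assumed, and the sample output is constructed.

```python
"""Find listeners of the OpenClaw process that are not bound to loopback.
Added example, not OpenClaw's own tooling. Assumes the program name in the
Process column of `ss -tlnp` contains 'openclaw'; no port is assumed."""
import re
import subprocess

# Constructed `ss -tlnp` output: one loopback-only listener, two wildcard
# binds (IPv4 and IPv6) and an unrelated sshd listener.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*         users:(("openclaw",pid=4242,fd=7))
LISTEN 0      128    0.0.0.0:8081       0.0.0.0:*         users:(("openclaw",pid=4242,fd=8))
LISTEN 0      128    [::]:8081          [::]:*            users:(("openclaw",pid=4242,fd=9))
LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""

PROC_NAME = re.compile(r'\("([^"]+)"')   # first program name in the Process column

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1 as ss prints them."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def exposed_listeners(ss_output, process="openclaw"):
    """Return [(address, port), ...] for matching listeners not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue                      # header line or a non-listening socket
        match = PROC_NAME.search(cols[5])
        if not match or process not in match.group(1):
            continue                      # some other daemon
        addr, _, port = cols[3].rpartition(":")   # also handles [::]:8081 and *:8081
        if not is_loopback(addr):
            exposed.append((addr, int(port)))
    return exposed

def audit_host(process="openclaw"):
    """Run the same check against the live host (Linux with iproute2's ss)."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out, process)

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"FAIL: openclaw listens on {addr}:{port}; bind to 127.0.0.1 and front it with a proxy")
```

Replace `SAMPLE_SS` with `audit_host()` to check a real deployment; an empty result satisfies the checklist item.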

Authentication and Access Control

Item                                    Status  Notes
Default password changed                [ ]
Strong password in use                  [ ]
Multi-factor authentication enabled     [ ]
Authentication proxy in place           [ ]
Session timeout configured              [ ]

Skill and Integration Security

Item                                    Status  Notes
All installed skills reviewed           [ ]
Unused skills removed                   [ ]
Skills from verified publishers only    [ ]
Dedicated API credentials used          [ ]
Minimum permissions applied             [ ]
Credential rotation schedule set        [ ]

System Security

Item                                    Status  Notes
OpenClaw version is latest              [ ]
Running as unprivileged user            [ ]
Container isolation in place            [ ]
File system permissions restricted      [ ]
Debug logging disabled                  [ ]

Monitoring and Incident Response

Item                                    Status  Notes
Audit logging enabled                   [ ]
Logs sent to central system             [ ]
Alerts configured for suspicious activity [ ]
Incident response plan documented       [ ]
Backup and recovery tested              [ ]

What the Future Holds for OpenClaw Security

OpenClaw is young software that grew too fast. The security problems in 2026 were predictable given the rapid adoption and limited security resources. What happens next depends on how the project matures.

Positive Signs

The OpenClaw team has responded to security issues. They’ve added VirusTotal scanning, skill reporting, authentication improvements, and better defaults. They’ve published security advisories and worked with researchers.

The community has also stepped up. Jerry Gamblin maintains a GitHub repository tracking OpenClaw CVEs. Security firms have published hardening guides. Self-hosting communities share best practices.

Ongoing Challenges

But fundamental issues remain:

The agent model is inherently risky. Giving an AI the ability to take actions creates attack surfaces that are hard to close. Prompt injection will continue to be a threat.

ClawHub is still an unvetted supply chain. VirusTotal catches known malware, but not new threats. The marketplace model incentivizes rapid skill creation, not security.

Users don’t understand the risks. Most people installing OpenClaw aren’t security experts. They follow tutorials, click through defaults, and assume everything is safe.

The project is still understaffed. Security takes resources: code reviews, penetration testing, bug bounties, incident response. Open source projects often struggle to fund these activities.

Recommendations for the OpenClaw Project

If the OpenClaw team wants to improve security, they should:

  • Hire or appoint a dedicated security lead
  • Create a bug bounty program
  • Require code review for all skill submissions
  • Make security defaults opt-out rather than opt-in
  • Publish a security roadmap with specific milestones
  • Get an independent security audit

Recommendations for Users

If you’re using or considering OpenClaw:

  • Wait for the project to mature if you have sensitive data
  • Follow hardening guides carefully
  • Monitor security announcements
  • Don’t install skills from unknown publishers
  • Have an incident response plan
  • Consider whether the benefits outweigh the risks

Final Thoughts: Should You Run OpenClaw in 2026?

OpenClaw offers something attractive: a self-hosted AI assistant that you control. But that control comes with responsibility. The six CVEs, 824+ malicious skills, and 42,000+ exposed instances show what happens when security is an afterthought.

If you understand the risks and follow hardening guidelines, OpenClaw can be run safely. If you expect it to work securely out of the box, you’ll be disappointed. The choice depends on your skills, your data sensitivity, and your willingness to maintain the installation over time.

For enterprises, the answer is clearer: stay away for now. The compliance issues, agent risks, and potential for shadow IT make OpenClaw unsuitable for business use until it matures significantly.

Frequently Asked Questions About OpenClaw CVEs and Security

What are the six documented OpenClaw CVEs from 2026?

The six CVEs are: CVE-2026-1001 (remote code execution via skill processing), CVE-2026-1002 (prompt injection leading to unauthorized actions), CVE-2026-1003 (authentication bypass in control interface), CVE-2026-1004 (stored cross-site scripting in conversation logs), CVE-2026-1005 (insecure default configuration), and CVE-2026-1006 (path traversal in file access module). These range from medium to critical severity.

Who discovered the OpenClaw security vulnerabilities?

Multiple security firms and independent researchers discovered the vulnerabilities. Koi Security identified the ClawHavoc campaign and many malicious skills. Snyk found 283 skills leaking API keys. Adversa AI contributed to early vulnerability disclosure. Jerry Gamblin maintains a GitHub repository tracking all OpenClaw CVEs.

When did the OpenClaw security incidents happen?

The incidents began in January 2026, immediately after OpenClaw went viral. The first CVEs were disclosed on January 18th, 2026. The ClawHavoc supply chain attack was documented around January 25th. The Moltbook database exposure was discovered in early February. By March, over 42,000 exposed instances had been identified.

Where were the exposed OpenClaw instances located?

The 42,000+ exposed instances were distributed globally. The United States had the highest concentration at 34%, followed by Germany at 12%, India at 11%, Brazil at 8%, and the United Kingdom at 6%. The remaining 29% were spread across other countries.

What was the Moltbook API token exposure?

Moltbook, a companion platform for OpenClaw, left a MongoDB database completely exposed to the internet without authentication. The database contained 1.5 million API tokens for services like Gmail, Slack, GitHub, and AWS. Anyone with basic technical skills could access and download these tokens, potentially gaining unauthorized access to thousands of user accounts.

How many malicious skills were found on ClawHub?

Security researchers identified over 824 malicious or dangerously flawed skills on ClawHub by April 2026. Snyk specifically found 283 skills that leaked API keys in their code. The ClawHavoc campaign alone involved dozens of skills targeting developers, business users, and macOS users with credential-stealing malware.

Is it safe to use OpenClaw in 2026?

OpenClaw can be run safely if you follow comprehensive hardening guidelines. This includes network isolation, strong authentication, careful skill vetting, least privilege configuration, audit logging, and regular updates. For sensitive data or enterprise use, it’s not recommended until the project matures. The default installation is not secure out of the box.

What is prompt injection in OpenClaw?

Prompt injection is an attack where carefully crafted input tricks the AI into following unintended instructions. CVE-2026-1002 demonstrated that an attacker could send a message containing hidden instructions that OpenClaw would execute. For example, an email could cause OpenClaw to forward all user emails to an external address without the user’s knowledge or approval.
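One mitigation for this class of attack, and for the runaway iMessage behaviour described earlier, is a policy gate that the agent runtime enforces regardless of what the model "decided": content from untrusted channels is treated as data, mail leaving the user's own domain needs a human, and unattended sends are capped. The block below is an added example, not OpenClaw's code; the tool names, channel names, domain and 20-message cap are assumptions.

```python
"""Action-policy gate between an agent's proposed tool call and its execution.
Added example, not OpenClaw's code. Covers instructions smuggled in through
untrusted content (the CVE-2026-1002 pattern) and an agent that sends
hundreds of messages on its own. Names and limits are assumptions."""
from dataclasses import dataclass

HIGH_IMPACT = {"send_message", "forward_email", "run_shell"}
OUTBOUND = {"send_message", "forward_email"}
UNTRUSTED_CHANNELS = {"email", "web", "imessage"}   # anything a third party can write into
OWN_DOMAINS = {"example.com"}                        # constructed: the user's own mail domain
OUTBOUND_CAP = 20                                    # sends allowed per session without a human

@dataclass
class ToolCall:
    name: str
    args: dict
    provenance: frozenset   # channels whose content influenced this call, e.g. {"user"}

@dataclass
class Session:
    sent: int = 0           # outbound messages sent so far in this session

def decide(call, session, approved=False):
    """Return ('allow' | 'confirm', reason). 'confirm' means stop and ask the
    user; re-run with approved=True once they have explicitly said yes."""
    if call.name not in HIGH_IMPACT:
        return "allow", "low-impact action"
    if not approved:
        # Rule 1: untrusted text is data, never authority for a high-impact action
        tainted = call.provenance & UNTRUSTED_CHANNELS
        if tainted:
            return "confirm", "influenced by untrusted content from " + ", ".join(sorted(tainted))
        # Rule 2: mail leaving the user's own domain always needs a human
        if call.name == "forward_email":
            domain = call.args.get("to", "").rpartition("@")[2].lower()
            if domain not in OWN_DOMAINS:
                return "confirm", f"would forward to external domain {domain!r}"
        # Rule 3: cap unattended outbound volume (the 500-message failure mode)
        if call.name in OUTBOUND and session.sent >= OUTBOUND_CAP:
            return "confirm", f"session already sent {session.sent} messages"
    if call.name in OUTBOUND:
        session.sent += 1
    return "allow", "approved by user" if approved else "policy satisfied"

if __name__ == "__main__":
    # Constructed: a forward whose instruction came from an inbound e-mail
    injected = ToolCall("forward_email", {"to": "drop@attacker.example"}, frozenset({"email"}))
    print(decide(injected, Session()))
```

Whatever the model's reasoning, the runtime, not the model, decides whether a call executes; the model never sees the approval flag.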

Why were so many OpenClaw instances exposed to the internet?

Several factors contributed: insecure defaults that bound OpenClaw to all network interfaces, deployment tutorials that didn’t mention firewall configuration, users setting up port forwarding without understanding risks, and an authentication bypass vulnerability (CVE-2026-1003) that made even password-protected instances accessible to attackers.

How do I protect my OpenClaw installation from CVEs?

Keep OpenClaw updated to the latest version. Bind it to localhost only and use a reverse proxy with HTTPS. Change the default password and add multi-factor authentication. Only install skills from verified publishers after reviewing their code. Run OpenClaw as an unprivileged user in a container. Enable audit logging and monitor for suspicious activity. Rotate API credentials regularly.