AI Security Case Study · 2026
Cybersecurity · Incident Response
Client: Open Source Security Foundation
The OpenClaw Security Crisis
An anatomy of the devastating February 2026 supply chain attack and critical vulnerability cascade that compromised over 40,000 internet-exposed instances of the viral AI agent OpenClaw.
CRITICAL — CVSS 8.8
Supply Chain Attack
Prompt Injection
Remote Code Execution
State-Sponsored Threat Actors
Patched — Feb 2026
01 — Background
A Viral AI Agent, Born in a Weekend
OpenClaw started life as Clawdbot, built by Austrian developer Peter Steinberger and quietly published on GitHub in November 2025. The premise was irresistible: a self-hosted, open-source personal AI agent that runs entirely on your own machine, connects to powerful models like Claude and ChatGPT, and autonomously handles real-world tasks through the apps you already use — WhatsApp, Telegram, Slack, email, your file system, even the terminal.
In early January 2026, it hit Hacker News. Within 24 hours it had 20,000 GitHub stars. Within weeks it was the most starred project on GitHub — surpassing React. Mac mini sales reportedly spiked as developers spun up always-on AI servers. Andrej Karpathy called it “genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently.”
The same autonomy that made OpenClaw extraordinary — file access, terminal execution, OAuth tokens to connected SaaS accounts, browser control — also made it an extraordinarily dangerous attack target. The app had root-level access to everything. And it was shipping without authentication enabled by default.
The naming saga added chaos. Anthropic's legal team sent trademark pressure over the name “Clawdbot” (a clear reference to Claude). On January 27, Steinberger rebranded to Moltbot — and within hours, a crypto scam had hijacked the old Clawdbot handle. Three days later he rebranded again to OpenClaw. The identity confusion would later make patching coordination a nightmare: Hunt.io found 68.9% of exposed instances still identified as “Clawdbot Control” weeks after the rename.
02 — Timeline
The Crisis, Chronologically
Clawdbot launches on GitHub
Peter Steinberger quietly publishes the project. Initial architecture prioritizes speed and features over security. Authentication is disabled by default. Gateway binds to all network interfaces (0.0.0.0:18789).
Goes viral — 20,000 stars in 24 hours
Hacker News discovery triggers explosive growth. Attackers mobilize within hours of the announcement. Honeypot data shows scanning for OpenClaw instances began January 26 — the same day as the HN post.
Renamed to Moltbot — first malicious ClawHub skill published
Trademark dispute with Anthropic forces rename. Within the same day, the first malicious skill appears on ClawHub. A crypto scam hijacks the abandoned Clawdbot handle, adding to user confusion.
Renamed to OpenClaw — CVE-2026-25253 patched (v2026.1.29)
Final naming settled. CVE-2026-25253 — the critical WebSocket hijacking bug — is disclosed and patched. Three high-impact security advisories issued the same day. But the vulnerability is already in the wild.
Malicious skills surge across ClawHub
CrowdStrike finds 341 of 2,857 marketplace skills (~12%) are malicious. By mid-February, the registry has grown to 10,700 skills with 820+ malicious — nearly 20% of the entire marketplace.
Koi Security names “ClawHavoc” — the supply-chain campaign
Researchers identify a coordinated malware distribution campaign using ClawHub. Malicious skills deliver Atomic macOS Stealer (AMOS) and other info-stealers. SecurityScorecard tracks 40,214 exposed internet instances.
Creator joins OpenAI — foundation announced
Steinberger announces he's joining OpenAI to lead personal agent development. Project transitions to an independent, OpenAI-sponsored foundation. He criticizes GitHub's vulnerability reporting infrastructure as “drowning in AI-generated slop.”
OpenClaw partners with VirusTotal — v2026.2.26 released
All ClawHub skills now scanned using SHA-256 hashing and VirusTotal's Code Insight AI. Malicious skills blocked from download, active skills rescanned daily. v2026.2.12 had already fixed 40+ vulnerabilities.
CERT-Bund issues formal advisory WID-SEC-2026-0856
Germany's federal cybersecurity authority confirms exploitation could allow remote code execution, admin privilege escalation, data manipulation, security bypass, information disclosure, and denial of service. China restricts state enterprises from running OpenClaw on office computers.
03 — Technical Breakdown
CVE-2026-25253: The One-Click Takeover
The most severe vulnerability was a WebSocket hijacking bug classified under CWE-669 (Incorrect Resource Transfer Between Spheres), rated CVSS 8.8. Discovered by Mav Levin of the depthfirst research team, the flaw's elegance was what made it devastating.
The Attack Chain: In versions before 2026.1.29, OpenClaw accepted a gatewayUrl value directly from the query string, automatically opened a WebSocket to that URL, and sent its stored authentication token during setup. An attacker simply needed to host a malicious page, lure a user into visiting it, and their token was gone — granting full agent control in milliseconds. No prior access required.
In isolation, a WebSocket hijacking bug is serious but manageable. In OpenClaw's default configuration — with access to local files, credentials, and every connected SaaS account — the same vulnerability enabled complete system takeover. One researcher demonstrated accessing Anthropic API keys, Telegram bot tokens, Slack OAuth credentials, months of chat history, and the ability to execute terminal commands as system administrator.
```
# What an attacker could access after token theft:
anthropic_api_key="sk-ant-..."          # Full Claude API access
telegram_bot_token="7123456789:AAF..."  # Send messages as user
slack_oauth_token="xoxb-..."            # Access all Slack workspaces
gmail_refresh_token="1//0..."           # Read/send all email
shell_access=true                       # Execute arbitrary commands
file_system="full_read_write"           # Access all local files
```
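As an added illustration of the flaw described above (example code, not OpenClaw's own source), the snippet below contrasts the vulnerable pattern, where the `gatewayUrl` query parameter becomes the WebSocket target as-is, with a hardened selector that only honours the parameter when it names a gateway on a deployment-owned allowlist. The parameter name `gatewayUrl` and port 18789 come from the write-up; the allowlist, function names, fallback behaviour and the `attacker.invalid` placeholder host are assumptions.

```javascript
// Added example, not OpenClaw's code. "gatewayUrl" and port 18789 come from the
// advisory text; everything else here (names, allowlist, fallback) is assumed.

// Vulnerable pattern described in the write-up: the query-string value becomes the
// WebSocket target unchanged, so a crafted link decides where the stored token goes.
function vulnerableGatewayTarget(pageUrl) {
  return new URL(pageUrl).searchParams.get('gatewayUrl');
}

// Hardened: the gateways this deployment trusts, as scheme://host[:port].
const DEFAULT_ALLOWED_GATEWAYS = ['ws://127.0.0.1:18789', 'ws://localhost:18789'];

function gatewayOrigin(url) {
  // scheme + host + port only; path and query cannot change where we connect
  return `${url.protocol}//${url.host}`;
}

function isAllowedGatewayUrl(candidate, allowed = DEFAULT_ALLOWED_GATEWAYS) {
  let url;
  try {
    url = new URL(candidate); // throws on relative or unparseable values
  } catch {
    return false;
  }
  if (url.protocol !== 'ws:' && url.protocol !== 'wss:') return false;
  // "ws://127.0.0.1:18789@attacker.invalid/" parses with userinfo; refuse it outright
  if (url.username !== '' || url.password !== '') return false;
  const origin = gatewayOrigin(url);
  return allowed.some((entry) => gatewayOrigin(new URL(entry)) === origin);
}

// What the setup page should do instead: honour the parameter only when it names an
// allowed gateway, otherwise fall back to the configured default.
function selectGatewayTarget(pageUrl, allowed = DEFAULT_ALLOWED_GATEWAYS) {
  const requested = new URL(pageUrl).searchParams.get('gatewayUrl');
  if (requested !== null && isAllowedGatewayUrl(requested, allowed)) return requested;
  return allowed[0];
}
```

The comparison is on scheme, host and port only, so a path or query string cannot redirect the connection, and URLs carrying userinfo are rejected because `host@attacker` lookalikes parse with the attacker's name as the real host. The same allowlist check belongs server-side on the `Origin` header of the WebSocket handshake, since a browser-side check alone can be bypassed by any client that is not a browser.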
The Full CVE Catalog
WebSocket Hijacking / Remote Code Execution
gatewayUrl query parameter accepted without validation. Triggers token exfiltration and full agent takeover when the user visits a malicious webpage. Exploitable against localhost-bound instances through the victim's own browser.
Command Injection
Unsanitized user input passed to shell execution context. Allows arbitrary OS command execution with the permissions of the OpenClaw process — typically full administrator access.
Server-Side Request Forgery (SSRF) in Gateway
The gateway component forwards requests to attacker-controlled internal URLs, enabling access to internal network resources, cloud metadata endpoints (AWS/GCP/Azure), and credential theft from instance metadata.
Path Traversal — Local File Read
Browser upload component fails to sanitize file path inputs, allowing traversal outside intended directories. Enables reading of /etc/passwd, SSH keys, .env files, and API credential stores.
Prompt Injection → Code Execution
AI-specific attack: malicious instructions embedded in documents or emails processed by the agent cause it to execute attacker-specified commands. Researchers at Northeastern University demonstrated agents “guilt-tripped” into self-sabotage and data deletion.
The scale of exposure was staggering. SecurityScorecard observed 40,214 internet-exposed instances, 35.4% flagged as vulnerable. Infosecurity Magazine reported 63% of deployments as vulnerable. Hunt.io confirmed 17,500+ instances specifically vulnerable to CVE-2026-25253. SecurityScorecard correlated 549 exposed instances with prior breach activity, with 33.8% of exposed infrastructure tied to known threat actor activity — including the North Korean group Kimsuky and the Russian group APT28.
04 — Supply Chain Attack
ClawHavoc: The Marketplace Poisoning Campaign
Parallel to the CVE cascade ran a second, arguably more insidious threat: a coordinated supply-chain attack against ClawHub, the community marketplace for OpenClaw “skills” (third-party plugins). The low barrier to publish — anyone with a GitHub account over a week old could upload — combined with explosive growth created the perfect storm.
| Date | ClawHub Skills (Total) | Malicious Skills Found | % Compromised |
|---|---|---|---|
| Early Feb 2026 | 2,857 | 341 | 12% |
| Mid-Feb 2026 | 10,700 | 820+ | ~20% |
| Late Feb 2026 | 10,700+ | 820+ | Growing |
Malicious skills ranged from the mundane to the sophisticated. Some hardcoded API keys and exfiltrated them on install. Others dynamically fetched and executed arbitrary code at runtime — meaning the malicious payload could change after a security scan. The most dangerous category delivered Atomic macOS Stealer (AMOS), a professional-grade credential-stealing tool targeting macOS keychain data, browser passwords, and crypto wallets.
“Out of 10,700 skills on ClawHub, more than 820 were malicious — a sharp increase from the 324 discovered just a few weeks prior in early February.”
— Koi Security Research Team, February 2026
Security researcher Jamieson O'Reilly demonstrated the marketplace's vulnerability by uploading a malicious skill himself — it became ClawHub's top-ranked entry. He subsequently joined OpenClaw as lead security advisor. In response, OpenClaw partnered with VirusTotal to scan all uploaded skills using SHA-256 hashing, with daily rescanning of active skills and automatic blocking of flagged packages.
05 — The Deeper Issue
Why Agentic AI Security Is Fundamentally Different
The OpenClaw crisis is not primarily a story about one developer's security oversights. It's a story about what happens when a new class of software — one that operates with human-level permissions and human-range autonomy — ships without security frameworks designed for those capabilities.
| Attack Type | Traditional App Risk | Agentic AI Risk |
|---|---|---|
| Token theft | Exposes one service | Exposes all connected SaaS, shell, file system |
| Prompt injection | Not applicable | Agent executes attacker instructions embedded in emails/docs |
| Supply chain | Code execution on install | Agent autonomously installs and runs skill code at OS level |
| Scope of damage | Bounded by app interface | Unbounded — agent can send messages, delete files, place orders |
| CVE tracking | Well-covered by frameworks | Prompt injection has no CVE category — invisible to scanners |
The CVE Framework Gap: The nine CVEs disclosed for OpenClaw are code-level vulnerabilities, addressable by patches. But prompt injection — the ability to embed malicious instructions in a document or email that the agent then executes — has no CVE category. It can't be patched the same way. The security community is still developing frameworks to handle this class of attack, leaving organizations exposed to a threat that doesn't appear in their dashboards or vulnerability scanners.
IBM X-Force noted that as of May 2026, approximately 15,000 vulnerabilities have been disclosed in 2026 alone, with dozens explicitly impacting AI systems. The weaponization of agentic AI became especially visible in late 2025 and has only accelerated since. The industry simply wasn't built for this — and OpenClaw made that undeniable.
“It's a dumpster fire, and I also definitely do not recommend that people run this stuff on their computers.”
— Andrej Karpathy, reversing his initial enthusiasm, February 2026
06 — Key Takeaways
What the Industry Must Learn
The Cloud Security Alliance's February 2026 report captured the core problem: while 40% of organizations already have AI agents in production, only 18% are highly confident their identity and access management systems can handle agentic workloads. 73% of CISOs described themselves as “very or critically concerned” about AI agent risks.
Never ship agents with authentication off by default
OpenClaw's gateway bound to all interfaces with zero auth by default. Every newly spun-up instance was immediately publicly accessible. This single misconfiguration created the primary exposure vector.
Least-privilege is non-negotiable for agents
An agent that needs to send Telegram messages should not have access to the terminal and the file system. Broad permissions turn ordinary vulnerabilities into catastrophic compromises.
Marketplace security must be built-in, not bolted on
ClawHub grew from 2,857 to 10,700 skills in two weeks — with no meaningful pre-publish review. Supply-chain trust requires verification infrastructure before a marketplace launches, not after it's been poisoned.
Prompt injection is a first-class threat
Any agent that reads external content — emails, documents, web pages — is vulnerable to adversarial instructions embedded in that content. This attack class has no CVE category and won't show up in standard security scans.
Adopt “human in the loop” gates for irreversible actions
Sending an email, deleting a file, executing a shell command — agents operating at speed can cause irreversible harm. Require explicit human confirmation for high-consequence operations.
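The two takeaways above, least privilege per agent and a human confirmation gate for irreversible actions, can be enforced in one place: the dispatcher that turns a model's tool request into an actual call. As an added example (not OpenClaw's dispatcher), the policy below scopes each agent to an explicit tool list, consults a confirmation hook before any tool marked irreversible, and records every decision in an audit trail. Tool names and the simulated tool bodies are assumptions; in a real deployment the `confirm` hook would prompt a person.

```javascript
// Added example, not OpenClaw's code. Tool names, policy shape and tool bodies are assumed.

// Catalogue of actions an agent might request. Bodies are simulated: they return a
// string instead of touching the system, so the example runs anywhere.
const TOOLS = {
  read_file:     { irreversible: false, run: (a) => `read ${a.path}` },
  send_telegram: { irreversible: true,  run: (a) => `message sent to ${a.chat}` },
  delete_file:   { irreversible: true,  run: (a) => `deleted ${a.path}` },
  run_shell:     { irreversible: true,  run: (a) => `executed ${a.cmd}` },
};

// One policy per agent: the tools it may use at all (least privilege) and the hook that
// must return true before an irreversible tool runs (human in the loop).
function createAgentPolicy({ agent, allowedTools, confirm }) {
  const audit = [];

  function deny(entry, reason) {
    entry.decision = `denied: ${reason}`;
    return { ok: false, reason };
  }

  function invoke(tool, args) {
    const entry = { agent, tool, args, decision: null, result: null };
    audit.push(entry); // every request is logged, including the refused ones
    const def = TOOLS[tool];
    if (!def) return deny(entry, 'unknown tool');
    if (!allowedTools.includes(tool)) return deny(entry, 'outside agent scope');
    if (def.irreversible && confirm({ agent, tool, args }) !== true) return deny(entry, 'not confirmed');
    entry.result = def.run(args);
    entry.decision = def.irreversible ? 'executed after confirmation' : 'executed';
    return { ok: true, result: entry.result };
  }

  return { invoke, audit };
}

// Usage: an agent whose only job is notifications gets exactly the tools for that job.
// Here `confirm` is a stand-in for a real prompt and approves only outbound messages.
function notifierScenario() {
  const policy = createAgentPolicy({
    agent: 'notifier',
    allowedTools: ['read_file', 'send_telegram'],
    confirm: ({ tool }) => tool === 'send_telegram',
  });
  policy.invoke('read_file', { path: 'status.txt' });
  policy.invoke('send_telegram', { chat: 'ops' });
  policy.invoke('run_shell', { cmd: 'rm -rf /' });      // refused: not in scope
  policy.invoke('delete_file', { path: 'status.txt' }); // refused: not in scope
  return policy.audit.map((e) => `${e.tool}: ${e.decision}`);
}
```

Scope is checked before the confirmation hook on purpose: a tool the agent was never granted is refused without ever asking a human, so the prompt only carries decisions that are genuinely the operator's to make, and the audit trail shows the refused requests, which is often the first visible sign of a prompt injection steering the agent.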
Viral growth speed requires proportional security investment
OpenClaw went from obscure to most-starred GitHub project in days. Threat actors mobilized within hours of the Hacker News post. Security infrastructure must scale with adoption — or attackers will fill the gap.
07 — Verdict
The Bigger Picture: A Warning Shot for Agentic AI
OpenClaw is not an outlier — it's a preview. As agentic AI frameworks proliferate across enterprise and consumer environments, the incentive for attackers grows proportionally. The tools that make AI agents powerful (autonomous action, persistent access, integration with every system you use) are identical to the properties that make them dangerous when compromised.
The OpenClaw crisis is also a governance inflection point. It has accelerated government action (CERT-Bund, Chinese state restrictions), forced platforms to rethink marketplace security from the ground up, and pushed the security community to grapple with AI-specific threat categories that existing frameworks — CVE tracking, CVSS scoring, patch management — were never designed to handle.
The right response is not to avoid agentic AI. For the right use cases, agents deliver measurable operational leverage that simpler automation cannot match. The right response is to deploy them with the same engineering discipline you would apply to any system that holds credentials and executes actions on behalf of real people — with identity scoping, supply-chain verification, network isolation, audit trails, and prompt-injection defenses built in from day one.
As CrowdStrike noted in its February 2026 briefing: “AI doesn't eliminate the need for security. It increases it.”