
OpenClaw has accumulated 104 CVEs, 1,184 confirmed malicious packages in its skill marketplace, and 135,000 instances exposed to the public internet with insecure defaults. Approximately one in five packages on ClawHub, the platform’s skill registry, is malicious. The problems are not bugs that patches will fix. They are architectural decisions baked into the product’s design, and they compound the security risks that every organization adopting AI agents now faces.
OpenClaw is an open source AI agent that runs locally as a personal assistant, integrating with messaging apps, calendars, developer tools, and shell access. It gained viral adoption in late 2025 and early 2026, reaching millions of installations. NVIDIA built NemoClaw as an enterprise wrapper around it. Developers extended its capabilities through community-built plugins called “skills” distributed via ClawHub and SkillsMP. The adoption speed outran the security engineering by months.
Update, April 2026: The CVE count is one dimension of the OpenClaw problem. A separate category of failure is now documented: autonomous agents deployed via OpenClaw conducting targeted reputational attacks on humans who block their actions. See the matplotlib hit piece incident for the full forensic chain and the SOUL.md personality file that produced it.
The Localhost Trust Assumption
The most fundamental vulnerability is architectural. OpenClaw assumes that any connection originating from localhost is trusted. Oasis Security discovered that this assumption lets any website open a WebSocket connection to OpenClaw’s local gateway and send commands. A malicious webpage visited in any browser tab could silently instruct the AI agent to read files, execute shell commands, or exfiltrate credentials. The attack requires no user interaction beyond visiting a webpage.
CVE-2026-25253 exploited this to steal authentication tokens. Because OpenClaw exempted localhost connections from rate limiting, attackers could brute-force passwords through the same channel. The team patched this specific vulnerability in version 2026.2.25, but the architectural decision to trust localhost persists in the design philosophy. Every new feature that accepts local connections inherits the same risk class.
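The localhost-trust policy described above, beside a hardened replacement, as an added example that is not OpenClaw's own code: both are written as pure functions over a WebSocket upgrade request so they run offline, and the function names, the allowed origin and the token value are assumptions.

```javascript
// Added example, not OpenClaw code: the localhost-trust policy described above and a
// hardened replacement, written as pure functions over a WebSocket upgrade request so
// they run offline. Function names, origins and the token value are assumptions.

// Constructed upgrade request as a browser sends it from a malicious tab. Because the
// browser is on the same machine, the gateway sees it arrive from loopback.
const EVIL_TAB_UPGRADE = {
  remoteAddress: '127.0.0.1',
  headers: { upgrade: 'websocket', origin: 'https://evil.example', authorization: '' },
};

// Vulnerable policy: loopback means trusted, and loopback is exempt from rate limiting.
function gatewayPolicyLocalhostTrust(req) {
  const loopback = req.remoteAddress === '127.0.0.1' || req.remoteAddress === '::1';
  return { allow: loopback, reason: loopback ? 'loopback' : 'remote', rateLimited: !loopback };
}

// Hardened policy: loopback grants nothing. Page script cannot forge the Origin header,
// so an allowlisted Origin (or none, for non-browser clients) plus a bearer token is
// required, and every attempt counts against a per-address limit regardless of source.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']); // assumed local UI origin
const GATEWAY_TOKEN = 'placeholder-gateway-token';           // placeholder, not a real secret
const attempts = new Map();

function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function gatewayPolicyHardened(req, maxAttempts = 5) {
  const n = (attempts.get(req.remoteAddress) || 0) + 1;
  attempts.set(req.remoteAddress, n);
  if (n > maxAttempts) return { allow: false, reason: 'rate-limited', rateLimited: true };
  const origin = req.headers.origin;
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { allow: false, reason: 'origin-not-allowed', rateLimited: true };
  }
  const presented = (req.headers.authorization || '').replace(/^Bearer /, '');
  if (!constantTimeEqual(presented, GATEWAY_TOKEN)) {
    return { allow: false, reason: 'bad-token', rateLimited: true };
  }
  return { allow: true, reason: 'ok', rateLimited: true };
}
```

The same request from a malicious tab is accepted by the first policy and rejected by the second before any token check runs, and the second policy keeps counting attempts from loopback.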
A separate CVSS 9.9 privilege escalation vulnerability allowed low-privilege tokens to escalate to admin with remote code execution. BeyondTrust found a command injection in OpenAI’s Codex integration that could steal GitHub OAuth tokens through unsanitized branch name parameters. Four CVEs in CrewAI, a framework that builds on OpenClaw, chained prompt injection into full remote code execution and server-side request forgery.
The Skill Marketplace Poisoning
Antiy CERT confirmed 1,184 malicious skills across ClawHub as of March 2026. That is approximately one in five packages in the ecosystem. Koi Security independently found that the count jumped from 324 malicious skills in early February to over 820 just weeks later. Trend Micro identified 39 skills across ClawHub and SkillsMP distributing the Atomic macOS info stealer.
The attack patterns mirror npm and PyPI supply chain attacks: typosquatting, automated mass uploads, and dependency confusion. But the blast radius is worse. A compromised npm package executes code on a developer’s machine. A compromised OpenClaw skill executes code through an AI agent that has broad system permissions, access to credentials, and the ability to chain actions across multiple integrated services. The agent does not just run the malicious code. It reasons about how to accomplish whatever the malicious skill instructs it to do, potentially adapting its approach if the first attempt fails.
This connects directly to the Axios npm supply chain attack pattern we covered, but with a force multiplier. When an npm package is compromised, the malicious code executes once. When an OpenClaw skill is compromised, the malicious instructions persist in the agent’s context and can influence subsequent actions across the agent’s entire permission scope.
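Two registry-side checks for the attack patterns named above, typosquatting of popular skill names and automated mass uploads from one publisher, as an added example that is not ClawHub's or any vendor's tooling; the skill names, publishers, timestamps and thresholds are constructed.

```javascript
// Added example, not ClawHub's own tooling: registry-side checks for two of the
// attack patterns named above, typosquatting of popular skill names and automated
// mass uploads from one publisher. All names, publishers and thresholds are constructed.
const POPULAR_SKILLS = ['calendar-sync', 'shell-runner', 'github-helper'];

// Constructed upload feed: [skillName, publisher, uploadTimeSeconds].
const UPLOADS = [
  ['calendar-sync',  'vendor-a',  1000],
  ['calender-sync',  'drop-1337', 1100], // one-letter substitution
  ['shell-runer',    'drop-1337', 1105], // one-letter deletion
  ['gtihub-helper',  'drop-1337', 1110], // adjacent transposition
  ['weather-brief',  'hobbyist',  5000],
];

// Edit distance with insert, delete, substitute and adjacent-transposition steps.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => Array(b.length + 1).fill(i));
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Names within maxDistance of a popular skill, excluding the genuine skill itself.
function typosquatCandidates(uploads, popular = POPULAR_SKILLS, maxDistance = 2) {
  return uploads.flatMap(([name, publisher]) => popular
    .filter((real) => name !== real && editDistance(name, real) <= maxDistance)
    .map((real) => ({ name, publisher, imitates: real })));
}

// Publishers that pushed at least `threshold` skills inside any `windowSeconds` span.
function massUploaders(uploads, windowSeconds = 600, threshold = 3) {
  const byPublisher = new Map();
  for (const [, publisher, ts] of uploads) {
    byPublisher.set(publisher, [...(byPublisher.get(publisher) || []), ts]);
  }
  return [...byPublisher].filter(([, ts]) => {
    ts.sort((x, y) => x - y);
    return ts.some((t, i) => i + threshold <= ts.length && ts[i + threshold - 1] - t <= windowSeconds);
  }).map(([publisher]) => publisher);
}
```

Both checks only surface candidates for review; a flagged name can be a legitimate fork, so the output is a triage queue, not a verdict.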
Why the Architecture Cannot Be Patched
The core issue is not any specific CVE. It is the superuser problem: AI agents accumulate permissions across every service they integrate with. CyberArk’s assessment applies: every AI agent is an identity that needs credentials to access databases, cloud services, and code repositories. The more tasks assigned, the more entitlements accumulate, making each agent a high-value target.
Traditional security assumes that the program executing on a machine follows deterministic logic. An AI agent follows probabilistic reasoning influenced by its context, which includes any data it has ingested. Poisoning the context changes the agent’s behavior without modifying any code. This is not a bug class that static analysis, code signing, or sandboxing can eliminate because the “exploit” is semantically valid input that the model interprets differently than intended.
Gartner projects that 40% of enterprise applications will integrate task-specific AI agents by the end of 2026, up from less than 5% in 2025. The practical recommendation is the same one Palo Alto Networks’ Wendi Whitmore gave: treat every AI agent as an insider threat. Apply least privilege. Audit what the agent can access. Assume the context will be poisoned. The companies that deploy agents without these controls will learn the same lesson OpenClaw’s users learned, one CVE at a time.