OpenClaw: Hunting Season is Open

‍

What is OpenClaw?

Love it or hate it, there’s no denying that OpenClaw has continued to gain traction. Either for its potential capabilities as an AI assistant, or for the schadenfreude effect following the horror stories of destroyed databases, sending of random messages, or for one unfortunate AI security researcher, watching it ignore instructions and delete every email from a Gmail account. 

If you want a quick overview of OpenClaw, then see our earlier post, OpenClaw: What You Need to Know Before It Claws Its Way Into Your Organization.

https://x.com/summeryue0/status/2025774069124399363

With anything popular, it doesn't take long for the darker side of the internet to rise and seek ways to exploit it for financial gain. And OpenClaw is no different. A wide range of vectors and exploits are being actively used by everyone from capable threat actors to script kiddies. Some are more effective than others, but hunting season appears to be in full swing.

Our general guidance remains the same: organizations should block OpenClaw from running on or accessing corporate systems and data. Developers and the community at large should take a risk-averse approach to using OpenClaw and understand the risks before granting access to data or services. When it works, it arguably works well; when it goes wrong, it goes wrong quickly, with little you can do but watch on as it destroys data. 

‍

Vulnerabilities in OpenClaw's Own Code

Before we get into the supply chain side, it's important to note that OpenClaw itself has had a large number of vulnerabilities reported in its core platform. Some are informational or lack security best practices, and some are significant and can lead to real impact and compromise. A few of these are highlighted below. 

‍

The official GitHub repository lists several hundred vulnerabilities.

CVE-2026-25253: A one-click RCE via WebSocket origin header bypass, where simply visiting a malicious webpage was enough to steal auth tokens and gain operator-level gateway access in milliseconds.

ClawJacked: A separate vuln chain allowing any website to silently hijack a local OpenClaw agent via WebSocket, enumerate connected nodes, read logs, and execute commands.

Auth and Access-related CVEs: SSRF in gateway tools (CVE-2026-26322, CVSS 7.6), missing webhook auth (CVE-2026-26319), path traversal in browser uploads (CVE-2026-26329), plus moderate SSRF and auth bypass issues.

512 Vulnerabilities: During a security audit in January, researchers identified 512 vulnerabilities in OpenClaw and almost 2,000 known CVEs in the underlying Docker containers. 

‍

Patching

The key aspect here, as with any software installation, is to understand how it's deployed and patch as soon as patches are made available. There’s no “automatic update”; it's up to the user to monitor for security releases and deploy them. 

‍

What is a Skill?

If you’ve spent any time around OpenClaw, you know that “skills” are essentially folders containing a SKILL—md file and optionally some scripts. The SKILL.md file is written in Markdown, and it tells the agent how to do something. Sounds harmless enough. It’s just documentation, right?

No. It really isn’t.

In an agent ecosystem, markdown doesn’t just describe behaviour or intent; it actually drives and controls the agent. A SKILL.md can contain links, terminal commands, tool call recipes, and step-by-step instructions that both humans and AI agents will follow without a second thought. The 1Password security team put it best: Markdown isn’t “content” in an agent ecosystem. Markdown is an installer. 

The Agent Skills specification places no restrictions on what can go inside the markdown body. Skills don’t need to use MCP at all. They can include whatever instructions will “help agents perform the task,” including curl commands, base64-encoded payloads, and links to attacker-controlled infrastructure. This is the fundamental problem. We’re treating SKILL.md files like READMEs when they’re functionally equivalent to shell scripts with a nicer font. 

‍

Weaponized Marketplace (ClawHub)

ClawHub is the official marketplace for users to share skills. At the time of writing, over 20,000 skills have been created and shared. The marketplace is open by default, meaning that any user with a GitHub account at least one week old can create and publish a skill. You can probably see where this is going.

The marketplace has been subject to a wide range of techniques to deliver malware or steal tokens and credentials. 

ClawHavoc campaign: Initially, Koi Security identified 341 malicious skills; later, as the marketplace expanded from ~2,800 to 10,700+ skills, the total grew to 824+. Antiy CERT independently counted 1,184. Classified as Trojan/OpenClaw.PolySkill.

Typosquatting at Scale: Names mimicking legitimate packages (clawhub, clawhubb, auto-updater-xxxxx variants, solana-wallet-tracker, youtube-summarize-pro).

Credential-Stealing Skills: Snyk scanned ~4,000 skills, found 7.1% (283) exposed sensitive credentials. 76 contained outright malicious payloads. A single user "hightower6eu" published 314+ malicious skills (VirusTotal analysis).

Primary Payload - Atomic Stealer (AMOS): Targeting macOS Keychain, browser creds, crypto wallets, SSH keys. Also reverse shells, .env exfiltration, and webhook-based data theft.

No Meaningful Moderation: The only control is a community reporting feature that auto-hides skills after three unique reports.

Once the skill is listed in the marketplace, a certain amount of social engineering is required to convince a user to install it, but this is easier than it sounds, as installing a skill is as simple as a single command or, in some instances, just asking OpenClaw to read a file and follow its instructions. 

More worryingly, is that skills don't even need to be listed in the Marketplace to be installed. 

‍

Review Skills

From within OpenClaw, you can list all installed Skills. Before installing any Skill, read the instructions and any included files, not just the “description.” Periodically review the installed Skills for any that look out of place. 

‍

‍

ClickFix-Style Attacks (Copy-Paste Malware Installation)

Before we get into this one, I want to be clear about something. The attacks I’ve described so far, the CVEs, the marketplace poisoning, those are technical problems with technical solutions. Patch your installations to block access at the gateway. Audit your skills, review your soul file. Job done. But this section is different. This is social engineering, and it’s working. No exploit required. No zero-day. Just a well-crafted SKILL.md file and a user who trusts the ecosystem enough to follow the instructions, or, in some cases, letting the agent unquestioningly trust the instructions. 

‍

Avoid Copy-Paste

The advice here is similar to the Skills marketplace: don't mindlessly copy instructions into OpenClaw without first understanding what the command does and which resources it pulls in. 

‍

Clones / Trojan installers

The newest observed exploit mechanism focuses on the installation method itself. There’s still a certain level of technical knowledge required to install and configure OpenClaw, and for less-savvy non-technical users, they will often look for tools or scripts to automate the installation and any post-install steps. While there are helpful tools available, we also see threat actors capitalizing on this space, with some notable techniques described below. 

GhostClaw (JFrog, March 2026): A malicious npm package @openclaw-ai/openclawai posing as an OpenClaw installer. Multi-stage: postinstall hook → global install → fake CLI with progress bars → fake Keychain prompt → encrypted second-stage RAT. Steals everything: Keychain, browser data, crypto, SSH keys, iMessage, cloud creds. Includes SOCKS5 proxy and live browser session cloning. 178 downloads before removal.

Fake GitHub repositories (Huntress, Feb 2026): A GitHub org called "openclaw-installer" hosted malicious releases containing Vidar stealer, GhostSocks proxy malware, and AMOS. Used legitimate Cloudflare moltworker code as a facade. Became the top Bing AI search result for "OpenClaw Windows."

AI search poisoning: Huntress confirmed that simply hosting malware on GitHub was enough to poison Bing AI results. Previously, attackers also poisoned ChatGPT and Grok shared chat features.

‍

Trusted sources

Just as we install software, we should only follow the official documentation or guides from trusted sources; one person sharing a “new installer” in Discord should be approached with caution and reviewed before being unquestioningly trusted.

‍

Getting Hands-On

If you want to try your hand at identifying malicious skills and installations, then Immersive One customers can find the newly released OpenClaw investigation lab on the platform. And for a limited time, we’re making this lab available to anyone; it can be accessed here.