The OpenClaw Security Crisis:
What Every User Needs to Know
OpenClaw has become the most popular open-source AI assistant, with 50+ integrations and thousands of community-built skills. But its rapid growth has outpaced its security. In January 2026, an independent audit uncovered 512 vulnerabilities — including 8 critical ones. Researchers have found over 1,000 malicious skills on ClawHub. And 21,639 OpenClaw instances are publicly exposed with leaked API keys. This is what you need to know.
The scale of the problem
The January 2026 security audit of OpenClaw's core codebase revealed 512 vulnerabilities across the platform. Of these, 8 were rated critical, 47 high severity, and the rest medium or low. The audit covered the gateway server, plugin system, skill execution engine, and all built-in integrations.
512
Vulnerabilities
8
Critical
47
High severity
50+
Integrations affected
CVE-2026-25253: Remote Code Execution
The most severe finding is CVE-2026-25253, a remote code execution vulnerability in OpenClaw's URL parameter validation. An attacker can craft a malicious URL that, when processed by the browser_navigate tool, bypasses input sanitization and executes arbitrary shell commands on the host machine.
The vulnerability exists because OpenClaw passes URL parameters through a template engine before validation. A specially crafted URL containing shell metacharacters can escape the template context and execute commands with the same permissions as the OpenClaw process — which typically runs as the current user with full file system access.
Any OpenClaw instance that processes external URLs (via WhatsApp links, email content, web browsing skills, or user-shared URLs) is vulnerable. The attacker needs no authentication — just the ability to send a message containing the malicious URL to any channel the OpenClaw agent monitors.
The ClawHub malware epidemic
ClawHub, the community marketplace for OpenClaw skills, has become a vector for malware distribution. Security researchers have identified over 1,000 malicious skills published to the platform, with techniques ranging from info-stealers to persistent backdoors.
The most significant incident was the ClawHavoc campaign, which planted 1,184 coordinated malicious skills across multiple categories. These skills appeared legitimate — productivity tools, email helpers, calendar integrations — but contained hidden instructions that directed the agent to exfiltrate sensitive data.
Skills that instruct the agent to read SSH keys, API tokens, browser cookies, and environment variables, then exfiltrate them via HTTP requests or email forwarding.
Skills that use the cron_add tool to schedule recurring tasks that maintain access even after the malicious skill is removed. These cron jobs can download and execute updated payloads.
Skills that leverage OpenClaw's messaging integrations to spread malicious instructions to other OpenClaw agents in the same organization via Slack, Teams, or email.
21,639 publicly exposed instances
A Shodan scan in February 2026 found 21,639 OpenClaw instances accessible from the public internet. Of these, over 3,000 had API keys visible in their configuration endpoints. These exposed instances give attackers direct access to agents with full system permissions — shell execution, file system access, and messaging capabilities.
Many of these instances run on personal machines and development servers where OpenClaw has access to SSH keys, git credentials, cloud provider tokens, and email accounts. An attacker who discovers an exposed instance can silently read any file, execute commands, and exfiltrate data without the user ever knowing.
Why this matters for you
Unlike most AI assistants, OpenClaw agents have real-world capabilities. They can execute shell commands, read and write files, browse the web, send emails, post messages to Slack and WhatsApp, create calendar events, and manage cron jobs. A compromised OpenClaw agent isn't just a chatbot giving bad answers — it's an autonomous system with access to your digital life.
How to protect your OpenClaw agent
Rune's OpenClaw plugin hooks into the native hook system to scan every tool call and message before execution. It takes two minutes to set up and requires no changes to your OpenClaw configuration.
# Install the Rune security plugin
openclaw plugins install @runesec/openclaw
# Set your API key
export RUNE_API_KEY="rune_live_..."
# That's it — every tool call is now scanned
# View events at https://runesec.dev/dashboardOnce installed, the plugin registers three hooks:
before_tool_callScans tool arguments before execution. Catches command injection, path traversal, and malicious parameters. Returns { block: true } to stop dangerous calls.
after_tool_callScans tool results after execution. Detects data exfiltration, credential exposure, and sensitive data in responses.
message_sendingScans messages before they're sent. Catches prompt injection from any channel — WhatsApp, Telegram, Slack, email, or direct input. Returns { cancel: true } to block.
You can further customize protection with YAML policies that control tool access, parameter patterns, and rate limits. Pre-built templates are included for common use cases.
Protect your OpenClaw agent now
Runtime scanning for every tool call and message. Malicious skills, prompt injection, and data exfiltration caught before they cause damage. Free plan includes 10K events/mo.