OpenClaw: 135,000 Exposed AI Agents, 341 Malicious Skills, Zero Governance

In January 2026, an open-source AI agent called OpenClaw became one of the fastest-growing GitHub repositories in history, crossing 135,000 stars within weeks. By February, it had triggered the first major AI agent security crisis of 2026. The timeline: three weeks from viral adoption to critical CVE, supply chain attack, and mass data exposure. If your employees installed OpenClaw — and statistically, some of them did — here's what you need to know.

OpenClaw isn't a chatbot. It's an autonomous AI agent that can execute shell commands, read and write files, browse the web, send emails, manage calendars, and take actions across your digital life. When employees connect it to corporate systems like Slack and Google Workspace, they create shadow AI with elevated privileges that traditional security tools can't detect. We warned about this exact pattern in our agentic AI shadow crisis analysis.

The Vulnerability: CVE-2026-25253

Rated CVSS 8.8, CVE-2026-25253 is a token exfiltration vulnerability that leads to full gateway compromise. If a user visited an attacker-controlled webpage, JavaScript on that page could silently open a WebSocket connection to the OpenClaw gateway, steal the authentication token, and take full administrative control of the instance. From there, an attacker could disable user confirmation prompts, escape the Docker sandbox, and run arbitrary commands directly on the host machine.

A patch landed in version 2026.1.29, less than 24 hours after the initial report. But by then, Censys had identified over 21,000 exposed instances publicly accessible on the internet — up from roughly 1,000 just days earlier. Most of these instances were running without any authentication at all.

The Supply Chain Attack: ClawHavoc

The CVE was the headline. The supply chain attack was worse. Attackers planted 341 malicious skills in ClawHub, OpenClaw's public marketplace — roughly 20% of the entire registry. These skills used professional documentation and innocuous names like "solana-wallet-tracker" to appear legitimate. They instructed users to run external code that installed keyloggers on Windows or Atomic Stealer malware on macOS.

The Atomic macOS Stealer payload collected browser credentials, keychains, SSH keys, and crypto wallets and exfiltrated them to attacker infrastructure. Meanwhile, Moltbook — a social network built exclusively for OpenClaw agents — was found to have an unsecured database exposing 35,000 email addresses and 1.5 million agent API tokens.

• 341 malicious skills planted in ClawHub (20% of the entire registry)
• Keyloggers and Atomic Stealer malware distributed via fake skills
• 35,000 email addresses and 1.5 million API tokens exposed via Moltbook
• 21,000+ instances publicly accessible without authentication
• CVE-2026-25253: one-click remote code execution via WebSocket

Why Traditional Security Missed This Completely

Here's what makes OpenClaw different from previous shadow IT incidents: it didn't show up in your SaaS audit. Employees installed it locally, connected it to their existing accounts via OAuth, and gave it permissions that exceeded what any SaaS tool would typically request. Your CASB can't see it. Your DLP can't scan it. Your identity provider shows normal OAuth token usage.

No network signature. OpenClaw runs locally and makes API calls to services your employees already use — Slack, Gmail, Google Drive. The traffic looks identical to normal usage.

Permission creep by design. AI agents request broad permissions because they need them to be useful. "Read and write all files" isn't suspicious for an agent — it's a feature. This makes it impossible to distinguish authorized from unauthorized agent usage without tool-level monitoring.

Marketplace trust model is broken. ClawHub had no code signing, no review process, and no runtime sandboxing for skills. Users installed agent extensions the same way they install npm packages — trusting the registry without verification.

The Industry Response: Too Late, Too Narrow

Cisco released DefenseClaw, an open-source security framework for OpenClaw deployments. CrowdStrike added AI agent discovery to its Falcon platform. Microsoft expanded Edge for Business with shadow AI detection. All of these are steps in the right direction — and all of them arrived after the damage was done.

The fundamental problem isn't that OpenClaw had a vulnerability. Every complex software has vulnerabilities. The problem is that thousands of employees deployed an autonomous AI agent with admin-level access to corporate systems, and their security teams had zero visibility into it until it made headlines. The gap isn't in patch management. It's in discovery.

What Your Team Should Do Right Now

If you're a security leader reading this after the fact, here's your immediate action plan. These steps apply not just to OpenClaw but to any AI agent your employees may have installed.

• Scan for exposed instances. Use Censys, Shodan, or internal network scans to identify any OpenClaw instances accessible on your network. Check for the default ports (3000, 8080).
• Audit OAuth tokens. Review Google Workspace and Microsoft 365 admin consoles for OAuth tokens granted to unfamiliar applications. AI agents often request broad scopes.
• Check for MCP server connections. AI agents increasingly use the Model Context Protocol. If your developers use Claude, Cursor, or VS Code with MCP, audit which servers are connected and what permissions they have.
• Deploy AI-specific monitoring. Traditional EDR and CASB tools weren't designed for AI agent traffic. You need tool-level visibility that can distinguish between a user accessing Slack and an AI agent accessing Slack on their behalf.
• Write an AI agent policy. Not a ban — a usage policy that defines which agents are approved, what permissions they can request, and what data they can access. Then enforce it.

From OpenClaw to the Next Agent Crisis

OpenClaw won't be the last AI agent security incident. The pattern — open-source tool goes viral, employees deploy without IT knowledge, marketplace gets compromised, data gets exposed — will repeat. The question is whether your organization will have visibility into the next one before it becomes a headline.

The AI agent era requires a new security model: continuous discovery of what tools and agents are running, real-time monitoring of what data they access, policy enforcement at the tool level (not just the network level), and an audit trail that captures agent actions alongside human actions. The OWASP MCP Top 10 catalogs the specific risks — tool poisoning, prompt injection, context spoofing — that make agent governance critical. Companies that wait for the next CVE to discover their AI exposure are repeating the same mistake that made OpenClaw a crisis instead of an incident.