
The following table details the critical security risks associated with the OpenClaw ecosystem, ranging from remote code execution vulnerabilities to supply chain attacks and social engineering exploits.
| Risk Category | Specific Threat / Vulnerability | Description & Mechanism | Potential Impact |
|---|---|---|---|
| Remote Code Execution (RCE) | CVE-2026-25253 (1-Click RCE) | A critical vulnerability (CVSS 8.8) where an unvalidated gatewayUrl parameter allows attackers to hijack the WebSocket connection. A victim visiting a malicious link can trigger a kill chain that disables security guardrails and executes arbitrary shell commands on the host machine. | Full takeover of the host machine, installation of malware, and disablement of user confirmation prompts. |
| Remote Code Execution (RCE) | Exposed Control Panels (The “Shodan Trap”) | Users frequently misconfigure the gateway to listen on public interfaces (0.0.0.0) without authentication. Attackers use Shodan to locate these open ports (typically 18789), gaining a remote terminal into the user’s server. | Unauthenticated remote access to the agent’s full capabilities, including file system read/write and command execution. |
| Prompt Injection | Indirect Prompt Injection | Attackers hide malicious instructions in content the agent processes (e.g., emails, websites, or hidden text in documents). Because the agent cannot distinguish between data and instructions, it may execute the malicious commands. | Data exfiltration (e.g., forwarding emails to an attacker), deletion of files, or unauthorized financial transactions. |
| Prompt Injection | Persistent Memory Poisoning | Malicious inputs are stored in the agent’s long-term memory files (e.g., MEMORY.md). These “dormant” instructions can be triggered in future sessions, creating a persistent compromise that survives restarts. | Long-term manipulation of agent behavior, altering its decision-making logic or “identity” over time (described as a “Cognitive Worm”). |
| Supply Chain Attacks | ClawHavoc / Malicious Skills | A campaign identified 341 malicious skills on the ClawHub marketplace. Attackers used typosquatting (e.g., clawhubb) and legitimate-looking tools to distribute malware like AMOS Stealer via installation scripts. | Theft of browser cookies, SSH keys, crypto wallets, and passwords immediately upon skill installation. |
| Supply Chain Attacks | NPM Honeypots | Scammers fork the OpenClaw repository and republish it to npm with slight name changes (e.g., openclaw-bot). These packages contain postinstall scripts that exfiltrate environment variables. | Immediate exfiltration of .env files and API keys before the user even finishes setup. |
| Data & Credential Leakage | Plaintext Credential Storage | OpenClaw stores sensitive data, including API keys (Anthropic/OpenAI), WhatsApp credentials, and session transcripts, in plaintext files within the ~/.moltbot or ~/.openclaw directory. | Infostealer malware can easily harvest all credentials, allowing attackers to impersonate users and access connected cloud services. |
| Data & Credential Leakage | Moltbook Database Exposure | A misconfiguration in the Moltbook social network exposed the entire database, leaking 1.5 million API tokens, 35,000 email addresses, and private messages between agents. | Potential hijacking of 150,000 AI agent accounts, including high-profile accounts, allowing impersonation and fraud. |
| Social Engineering | Rebrand Handle Sniping | During the rapid rebrands (Clawdbot → Moltbot → OpenClaw), scammers registered the abandoned social media handles and GitHub repositories to impersonate the official project. | Users unknowingly downloading malware or participating in fake crypto token scams promoted by “official”-looking accounts. |
| Social Engineering | Session-Key Hijacking | Malicious plugins or skills extract the session tokens used for WhatsApp or Telegram. This bypasses 2FA because the attacker steals the active authenticated session. | Attackers can read private DMs, message contacts as the user, and request money from friends/family. |
| Operational Risks | Shadow IT / “God Mode” | Employees running OpenClaw on work devices often grant it root/admin access (“God Mode”) to file systems and internal networks without IT knowledge. | An unmanaged, high-privilege entry point into corporate networks that bypasses traditional security controls like SSO and DLP. |
| Operational Risks | Browser Control Risks | The agent’s browser automation (via Chrome DevTools Protocol) can execute arbitrary JavaScript. If the agent visits a compromised site, it can be tricked into performing actions within the user’s logged-in sessions. | Session cookie theft, bypassing MFA on banking or corporate sites, and unauthorized actions on web services. |
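A pre-install audit for the NPM Honeypot and typosquatting rows above, added here as an example rather than code from the OpenClaw project: it reads a package.json, flags names that look like the official package, and surfaces npm lifecycle hooks (the mechanism the honeypots use to run code during install). The sample manifest, the name `openclaw-bot` and the `./report` module are constructed for illustration.

```python
"""Pre-install audit for npm packages that imitate OpenClaw (constructed example)."""
import json

# Hooks npm runs automatically during `npm install`; a forked package can use
# these to run code before the user has finished setting anything up.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Tokens in a hook command that point at environment or network access.
SUSPICIOUS_TOKENS = ("process.env", ".env", "curl", "wget", "https.request")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between names mean a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_package(manifest: str, official: str = "openclaw") -> list[str]:
    """Return findings for a package.json string; an empty list means nothing was flagged."""
    pkg = json.loads(manifest)
    findings = []
    name = pkg.get("name", "")
    bare = name.split("/")[-1]  # drop an npm scope such as @someone/
    # Exact match is the real package; a name that embeds or nearly matches it is a candidate squat.
    if bare != official and (official in bare or edit_distance(bare, official) <= 2):
        findings.append(f"look-alike name: {name!r} resembles {official!r}")
    scripts = pkg.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            cmd = scripts[hook]
            findings.append(f"lifecycle hook {hook!r} runs: {cmd}")
            if any(tok in cmd for tok in SUSPICIOUS_TOKENS):
                findings.append(f"hook {hook!r} touches environment or network")
    return findings


# Constructed manifest modelled on the honeypot pattern in the table (not a real package).
SAMPLE_MANIFEST = json.dumps({
    "name": "openclaw-bot",
    "version": "1.0.0",
    "scripts": {"postinstall": "node -e \"require('./report')(process.env)\""},
})

if __name__ == "__main__":
    for finding in audit_package(SAMPLE_MANIFEST):
        print("FLAG:", finding)
```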
