OpenClaw Had 135K Instances Exposed, 8 Critical CVEs, and a Poisoned Marketplace. Here's What We Can Learn.

OpenClaw is the most popular open-source AI agent framework of 2026. Over 135,000 GitHub stars. Thousands of organizations running it. A thriving marketplace of third-party skills on ClawHub.

Between January and March 2026, security researchers found eight critical vulnerabilities in it. Cisco, Microsoft, and Kaspersky all published advisories. 12% of the ClawHub marketplace turned out to be malicious. And 15,000+ instances were directly vulnerable to remote code execution with no authentication required.

This is the first major AI agent security crisis. It won't be the last. And the lessons from it apply to every team running AI agents — not just OpenClaw users.

The Vulnerabilities

Here's what was found, in rough chronological order:

CVE-2026-25253: "ClawJacked" (CVSS 8.8)

The headline bug. OpenClaw exposes a WebSocket interface for its local gateway. A malicious website could connect to this WebSocket and hijack a running OpenClaw agent by brute-forcing the gateway password. The rate limiter conveniently exempted localhost connections, meaning an attacker's JavaScript running in your browser could try thousands of passwords per second against your local agent.

Zero clicks required. Visit a webpage, lose control of your agent.

CVE-2026-25593, CVE-2026-24763: RCE and Command Injection

Multiple paths to remote code execution. An attacker who could reach an OpenClaw instance — and 135,000 were exposed on the public internet — could execute arbitrary commands on the host machine. No authentication needed for some of these paths.

CVE-2026-25157, CVE-2026-25475: Auth Bypass and Path Traversal

Authentication could be bypassed entirely. Path traversal bugs let attackers read files outside the intended directory. Combined with the RCE bugs, this meant full system compromise.

CVE-2026-26319, CVE-2026-26322, CVE-2026-26329: SSRF, Additional RCE, Additional Command Injection

More of the same pattern: the agent's network-facing interface was a wide-open attack surface. Server-side request forgery bugs let attackers use the agent as a proxy to reach internal services.

Eight CVEs. All critical or high severity. All in a tool that runs with the user's full system permissions.

The Marketplace Problem

The CVEs were bad. The marketplace was worse.

Bitdefender analyzed ClawHub — OpenClaw's official skill marketplace — and found that 341 of 2,857 published skills were malicious. That's 12%. One in eight.

The malicious skills primarily installed the AMOS infostealer, which harvests:

• macOS Keychain credentials
• Browser passwords and cookies
• Cryptocurrency wallet data
• System credentials

Koi Security traced 335 of the malicious skills to a single coordinated campaign they called "ClawHavoc." One attacker, 335 skills, thousands of potential victims.

This isn't a hypothetical supply chain attack. It's a real one that happened at scale on the most popular AI agent marketplace in 2026.

Why "Audit Your Skills" Doesn't Work

OpenClaw's official response included advice like "audit skills before installing" and "periodically review access granted to AI agents."

This is the app store model of security, and it has already failed everywhere it's been tried.

Chrome's Web Store has battled malicious extensions for over a decade. npm, PyPI, and every package registry have the same problem: malicious packages slip through because attackers can generate and publish them faster than anyone can review them. Google's own Play Store still catches malicious apps months after publication.

The difference with AI agent marketplaces is the blast radius. A malicious browser extension can read your tabs. A malicious AI agent skill can execute code, make API calls, access your filesystem, and exfiltrate data — all with your credentials, your permissions, and your identity.

"Review the code before you install it" doesn't scale when:

1. Skills are published faster than humans can review them
2. Malicious behavior can be obfuscated across multiple files
3. Skills can update post-install to add malicious functionality
4. The agent runs with full system access by default

What Actually Happened: The Attack Chain

Let me walk through what an OpenClaw victim actually experienced:

1. Developer installs a ClawHub skill that looks useful — a database helper, a deployment automation, whatever
2. The skill contains hidden AMOS infostealer code that executes when the skill is loaded
3. AMOS harvests credentials from the macOS Keychain, browser password stores, and crypto wallets
4. The stolen data is exfiltrated to an attacker-controlled server via an outbound HTTPS connection
5. The developer sees nothing unusual because the skill also does what it promised to do

Alternatively, for the WebSocket attack:

1. Developer has OpenClaw running locally (135K+ instances on the internet, many more behind NAT)
2. Developer visits a webpage — could be a legitimate site with a compromised ad, a phishing link, anything
3. JavaScript on the page connects to localhost:port and brute-forces the OpenClaw gateway password
4. Attacker now controls the agent and can execute arbitrary commands on the developer's machine
5. The developer doesn't know until the damage is done

Both attack chains have something in common: they involve outbound network connections to attacker-controlled infrastructure. The infostealer exfiltrates data over HTTPS. The WebSocket hijack sends commands to attacker-controlled C2 servers.

The Layer That Was Missing

Every security advisory about OpenClaw — from Cisco, Microsoft, Kaspersky, and OpenClaw's own team — focused on patching the application and auditing marketplace skills.

None of them mentioned network-level controls.

Here's what a network-layer proxy would have caught:

Attack Step	What the Proxy Sees	Action
Malicious skill exfiltrates Keychain data	Outbound HTTPS to unknown domain containing credential-shaped data	Block and alert
AMOS infostealer phones home	Connection to known malicious IP/domain	Block and alert
WebSocket hijack sends commands to C2	Outbound traffic to unauthorized endpoint	Block and alert
Agent SSRF targets internal services	Request to metadata endpoint or internal IP range	Block and alert
Skill downloads secondary payload	HTTPS GET to suspicious domain for executable content	Block and alert

The OpenClaw application can be patched. The marketplace can be cleaned up. But the fundamental problem remains: AI agents make outbound network connections, and without monitoring those connections, you're blind to what the agent is actually doing.

The Broader Pattern

OpenClaw is the canary. The same pattern will play out across every AI agent framework:

Claude Code already had two CVEs (CVE-2025-59536 and CVE-2026-21852) where malicious repository configuration files could steal API keys and execute arbitrary code. Knostic independently confirmed that both Claude Code and Cursor silently upload .env secrets to cloud APIs without disclosure.

MCP servers had 30 CVEs in the first 60 days of 2026, including CVE-2026-26118 (Azure MCP SSRF, CVSS 8.8) and CVSS 9.8 RCE in MCPJam Inspector — actively exploited.

Gravitee's 2026 State of AI Agent Security report found that 88% of organizations had an AI agent security incident in the past year, and 47% of deployed agents have zero security monitoring.

This isn't an OpenClaw-specific problem. It's an AI agent problem. Every agent framework that:

• Runs with the user's system permissions
• Makes network connections to external services
• Supports third-party extensions or plugins
• Trusts configuration from untrusted sources

...will eventually have its own version of the OpenClaw crisis.

What Actually Fixes This

Application-level patches fix known bugs. Marketplace reviews catch known-bad skills. Neither addresses the underlying architecture problem: agents with network access, system permissions, and no independent enforcement layer.

Here's what a defense-in-depth approach for AI agents looks like:

Layer 1: Filesystem Sandboxing

Restrict which files and directories the agent can read and write. On macOS, this means Seatbelt profiles. On Linux, Landlock. This limits the blast radius if the agent is compromised — it can't read your Keychain if it doesn't have filesystem access to the Keychain database.

Layer 2: Network-Level Interception

A proxy that sits between the agent and the internet, inspecting every outbound connection. It checks:

• Destination allowlisting — is this agent supposed to talk to api.anthropic.com? Yes. Is it supposed to talk to exfil.attacker.com? No.
• Secret detection — is this outbound request carrying credential-shaped data (API keys, passwords, connection strings)? Block it before it leaves the machine.
• Metadata endpoint denial — block connections to cloud metadata endpoints (169.254.169.254) that agents should never need to reach.

Layer 3: Credential Isolation

Don't give agents your raw credentials. Use a credential proxy that injects credentials at the network layer so the agent never sees them. If the agent is compromised, the attacker gets a credential proxy URL, not your actual API key.

Layer 4: Tool Call Policy

Inspect the AI model's tool call arguments before they execute. If the model says "run rm -rf /", catch it at the request level, not after the filesystem is gone.

The OpenClaw crisis validated all four layers. The ClawHavoc campaign would have been stopped by Layer 1 (filesystem access to Keychain denied), Layer 2 (exfiltration to attacker domain blocked), or Layer 3 (no real credentials available to steal). The WebSocket hijack would have been stopped by Layer 2 (unauthorized outbound connections blocked).

The Numbers

• 135,000+ — OpenClaw instances exposed on the public internet (Cisco, Microsoft, Kaspersky advisories, 2026)
• 15,000+ — instances directly vulnerable to unauthenticated RCE
• 341 — malicious skills found on ClawHub out of 2,857 total (12%)
• 335 — malicious skills traced to a single attacker campaign (Koi Security, 2026)
• 8 — critical and high-severity CVEs disclosed in three months
• 88% — organizations that experienced an AI agent security incident in the past year (Gravitee, 2026)
• 47% — deployed AI agents with zero security monitoring (Gravitee, 2026)

What to Do Now

If you're running AI agents — OpenClaw, Claude Code, Cursor, custom agents, anything:

1. Don't expose agent interfaces to the internet. 135,000 OpenClaw instances were publicly reachable. Unless your agent needs to be internet-facing (it probably doesn't), bind it to localhost only.

2. Don't trust marketplace skills or plugins without network monitoring. "Audit before install" doesn't work at scale. Monitor what the skill actually does after install — specifically, what network connections it makes and what data it sends.

3. Put a proxy between your agents and the internet. This is the single highest-impact defense. A network-layer proxy that checks destinations, scans for secrets, and blocks unauthorized connections catches the entire class of exfiltration attacks that made the OpenClaw crisis so damaging.

4. Restrict filesystem access. Your AI agent doesn't need access to your macOS Keychain, your SSH keys, or your browser password store. Sandbox it.

5. Use credential injection, not credential sharing. If your agent needs an API key, inject it at the proxy layer so the agent never holds the raw credential. If the agent is compromised, there's nothing to steal.

The OpenClaw crisis proved that AI agents are a real attack surface, not a theoretical one. 341 malicious skills. 15,000 vulnerable instances. Coordinated campaigns stealing credentials at scale.

The question isn't whether your agent framework will have a similar incident. The question is whether you'll catch it at the wire when it happens.

---

CitrusGlaze is an open-source AI traffic proxy that provides network-layer security for AI agents — destination allowlisting, secret detection, credential injection, and tool call inspection. Runs locally. 5-minute install. No cloud routing. Try it free.

#AISecurity #AgentSecurity #OpenClaw #SupplyChainAttack #AIAgents