1. Executive Summary
OpenClaw (formerly ClawdBot, briefly Moltbot) is an open-source autonomous AI agent framework that exploded to 30,000+ GitHub stars in January 2026. Created by Peter Steinberger, founder of PSPDFKit/Nutrient, the project enables AI-powered personal assistants that operate directly on user hardware with full system access, including filesystem control, browser automation, shell command execution, and integration with messaging platforms.
This report documents the critical security vulnerabilities, active exploitation patterns, and supply chain compromise vectors identified in the OpenClaw ecosystem between January and February 2026. The findings represent what security researchers are calling the first major wave of AI-agent abuse in the wild, establishing a new exploitation class where threat actors weaponize trust in autonomous AI tooling.
Key Findings
Remote Code Execution
CVE-2026-25157 and CVE-2026-25253: Critical RCE vulnerabilities enabling one-click remote compromise of host systems.
Plaintext Credential Storage
API keys, authentication tokens, user profiles, and conversation memories stored in unencrypted Markdown and JSON files.
Supply Chain Compromise
Malicious VS Code extensions deploying trojans and RATs. Hundreds of malicious skills identified in the ClawHub repository.
Authentication Bypass
Gateway localhost handling flaw allows external attackers to bypass login when behind Nginx reverse proxy.
Indirect Prompt Injection
The agent's ability to read emails and messages creates attack surfaces for unauthorized command injection.
Social Engineering via Trademark Chaos
During the Clawdbot-to-Moltbot rename, threat actors hijacked @clawdbot handles to promote fraudulent $CLAWD tokens to 60,000+ followers.
2. Threat Landscape Analysis
Vulnerability Summary
| Vulnerability | Severity | CVE | ATT&CK ID | Status |
|---|---|---|---|---|
| Remote Code Execution | Critical | CVE-2026-25157 |
T1203 | Patched (2026.1.29) |
| RCE via Exploitation | Critical | CVE-2026-25253 |
T1203 | Patched (2026.1.30) |
| Plaintext Credential Storage | High | N/A | T1552 | Design Flaw (Unresolved) |
| Authentication Bypass | High | N/A | T1556 | Partially Mitigated |
| Exposed Control Interface | High | N/A | T1133 | User Misconfiguration |
| Malicious Skills (Supply Chain) | High | N/A | T1195.002 | Ongoing |
| Fake VS Code Extensions | High | N/A | T1195.002 | Active Threat |
| Indirect Prompt Injection | Medium | N/A | T1059 | Architectural Limitation |
| Crypto Scam (Handle Hijack) | Medium | N/A | T1598 | Active Threat |
3. MITRE ATT&CK Framework Mapping
3.1 Initial Access
| Technique ID | Technique | OpenClaw Context |
|---|---|---|
T1133 | External Remote Services | Unsecured control interfaces discovered publicly accessible via Shodan scanning |
T1195.002 | Supply Chain: Software | Malicious skills in ClawHub + fake VS Code extensions delivering trojans |
T1598 | Phishing: Software Dependencies | Fake repos, domain typosquatting, hijacked social handles for crypto scams |
3.2 Execution
| Technique ID | Technique | OpenClaw Context |
|---|---|---|
T1203 | Exploitation for Client Execution | CVE-2026-25253: One-click RCE for full system compromise |
T1059 | Command and Scripting Interpreter | Skills execute local scripts with full OS permissions; prompt injection triggers unauthorized execution |
T1609 | Abuse of Trusted Relationships | Fake VS Code extension leverages developer trust in marketplace |
3.3 Persistence and Credential Access
| Technique ID | Technique | OpenClaw Context |
|---|---|---|
T1552 | Unsecured Credentials | API keys, tokens stored in plaintext Markdown/JSON files |
T1556 | Modify Authentication Process | Localhost handling flaw bypasses auth behind Nginx |
3.4 Collection and Exfiltration
| Technique ID | Technique | OpenClaw Context |
|---|---|---|
T1071.001 | Application Layer Protocol: Web | WebSocket backdoors blending with legitimate agent traffic |
Novel | Cognitive Context Theft | Exfiltration of persistent memory and conversation histories |
4. Attack Chain Reconstruction
4.1 Primary Kill Chain: Exposed Gateway to Full Compromise
4.2 Secondary Kill Chain: Supply Chain Compromise
5. Emerging Threat Category: AI Agent Abuse
The OpenClaw incidents establish a new threat category: autonomous AI agent abuse. The defining characteristics are:
- Permission Inheritance: AI agents inherit the user's full permission set
- Trust Amplification: Persistent memory reduces user skepticism toward agent actions
- Action Opacity: Distinguishing legitimate vs. malicious automated operations is extremely difficult
- Cognitive Context as Attack Surface: Memory and conversation histories expose behavioral patterns and decision-making processes
Organizations must incorporate autonomous AI agent threat modeling into security frameworks. Evaluate deployments against: principle of least privilege enforcement, credential isolation and encryption, action logging with anomaly detection, supply chain verification, and network segmentation.
6. Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| VS Code Extension | clawdbot.clawdbot-agent | Malware delivery (trojan + RAT) |
| CVE | CVE-2026-25157 | Remote Code Execution |
| CVE | CVE-2026-25253 | One-click remote compromise |
| Social Media | @clawdbot (X/GitHub) | Crypto scam ($CLAWD token) |
| Network | Exposed Control interfaces | Shodan-discoverable, no auth |
| File Pattern | Obfuscated shell scripts | Supply chain payload delivery |
| CWE | CWE-400 (SSE client) | Denial of service vector |
7. Hardening Recommendations
7.1 Immediate Actions (Critical)
- Whitelist Tools Explicitly: Default-deny for shell execution capabilities
- Verify Gateway Authentication: Ensure gateway.auth.password is set; verify reverse proxy header passing
- Update to Latest Version: Minimum version 2026.1.29 for CVE patches
- Audit Installed Skills: Remove unverified third-party skills
- Rotate All Credentials: Consider all plaintext-stored credentials compromised
- Network Isolation: Never expose control interface publicly; deploy behind VPN
7.2 Organizational Policy
- AI Agent Deployment Policy: Require security review before any autonomous agent deployment
- Action Logging: Implement logging with anomaly detection baselines
- Credential Encryption: Require encrypted storage (Vault, AWS Secrets Manager)
- IR Playbook Update: Include AI agent compromise scenarios in incident response
- Continuous Monitoring: Track emerging CVEs targeting AI agent ecosystems
8. Conclusion
The OpenClaw/ClawdBot incident sequence represents a critical inflection point in AI security. The speed of compromise, from project launch to active CVE exploitation to supply chain poisoning in under six weeks, should serve as a warning to any organization evaluating autonomous AI agent deployment.
The fundamental tension at the heart of AI agent design is that usefulness requires access, and access creates risk. Organizations that begin building AI agent security capabilities now will be positioned to safely leverage productivity benefits while managing inherent risks.
9. References
1. Tenable. "Agentic AI Security: How to Mitigate Clawdbot/Moltbot/OpenClaw Vulnerabilities." February 3, 2026.
2. CNBC. "From Clawdbot to Moltbot to OpenClaw." February 2, 2026.
3. Security Boulevard. "Critical Vulnerabilities and 6 Immediate Hardening Steps." February 3, 2026.
4. Bolen, S. "OpenClaw: When the AI With Hands Becomes a Digital Minefield." RONIN OWL CTI, February 2026.
5. MITRE ATT&CK Enterprise Framework v14. The MITRE Corporation, 2025.
6. OpenClaw GitHub Repository. github.com/openclaw/openclaw.
7. SlowMist Security Advisory. OpenClaw Deployment Misconfiguration Analysis, January 2026.
Protect Your Business
Not sure how AI agents and tools like this affect your security? Book a 1-on-1 Business Security Checkup. 60 minutes, personalized risk report, actionable plan.
Book a Security Checkup - $250