If you have been active on social media or tech news the past few weeks, you have probably come across OpenClaw. It’s the AI agent that took the world by storm and gathered over 170,000 GitHub stars in a matter of weeks. While the hype is understandable, as security experts, we see a high-privilege backdoor sitting on your endpoints.
A new class of AI agent has infiltrated corporate networks at scale, and many security teams don’t even know it’s there. For CISOs protecting enterprise environments, this represents a perfect storm: powerful autonomous capabilities, widespread shadow IT deployment, and a rapidly evolving threat landscape that traditional security controls weren’t designed to detect.
This isn’t theoretical. Employees are installing OpenClaw on corporate devices right now, connecting it to company email systems, collaboration tools, and internal networks… often with the best intentions but without understanding the risk. As security leaders, CISO’s need to move fast.
Below is our breakdown by Ian Laveyne of why OpenClaw is currently the most significant “Shadow AI” risk to your network, and how you can regain control.
The Identity Crisis That Makes Detection Harder
First, a practical warning for your SOC team: identification is a moving target. The project has gone through no less than three name changes in a very short time, which has caused a lot of confusion in the security community:
- Clawdbot (original name, until Anthropic trademark issues)
- Moltbot (January 27, 2026)
- OpenClaw (January 30, 2026 – current)
If you are scanning your environment for this tool, make sure you are looking for all three names. Security advisories, Shodan fingerprints, and even the Belgian CCB advisory reference different names, which makes tracking this thing a challenge in itself.
Understanding the Capability Set (And Why Employees Want It)
The concept is impressive, and attractive enough so that employees will bypass IT policies to install it. OpenClaw is an open-source, self-hosted AI agent that runs locally on your machine and connects to an LLM like Claude, GPT, or Gemini. What makes it stand out is that you interact with it through messaging apps you already use: WhatsApp, Telegram, Signal, or Discord.
It can automate tasks, run scripts, control your browser, manage your calendar and email, and run scheduled automations. It has persistent memory, meaning it retains your context and preferences across sessions. Think of it as a personal assistant that actually remembers what you told it yesterday. The idea of having something like that running 24/7, handling your workflows, is genuinely exciting.
The project is fully open-source with a very active community. Steinberger and around 350 contributors are pushing out features and fixes at an incredible pace. To give credit where it’s due: security vulnerabilities are being addressed in hours or days, which is rare for a project at this scale. The GitHub security page shows active engagement with responsible disclosure.
The problem is that all of these capabilities require privileged access to systems and data. An employee sees a productivity multiplier. A CISO sees an unmanaged, internet-connected autonomous agent with shell access to corporate resources.
The “Lethal Trifecta”: Why It Keeps CISOs Up at Night
The OpenClaw security documentation itself states: “There is no ‘perfectly secure’ setup.” For a tool that has access to your email, calendar, messaging apps, file system, and can execute shell commands on your machine, that is concerning.
The fundamental problem is what we call the power-versus-risk trade-off. OpenClaw is useful because it has access to your private data, can process content from external sources, and can communicate outwards. But those same three capabilities are exactly what make it dangerous. Researcher Simon Willison coined this the “Lethal Trifecta”, and OpenClaw checks all three boxes by design:
- It has access to private data: it reads your corporate emails, calendars, credentials and files.
- It can communicate externally: It lives on messaging apps and can access untrusted external input from sites, documents etc.
- It can execute code: It can run shell commands and scripts on the host machine.
The big risk for CISO’s is how fast this tool is spreading into corporate environments. Our SOC team encounters shadow IT problems regularly, but this is on another level. We have seen people installing OpenClaw on their work machines, connecting it to corporate email, Teams, and Google Workspace, often without IT even knowing it exists. The numbers are staggering: as of January 31st, 2026, over 21,000 exposed OpenClaw instances were identified on the internet. The largest concentrations were in the United States and China, with many running default configurations. Those are 21,000 potential entry points with shell access, credentials, and data.
On top of that, keeping OpenClaw running 24/7 isn’t cheap either. One user discovered his OpenClaw instance burned through $20 in API tokens overnight just by checking the time. The heartbeat cron job sent about 120,000 tokens of context every 30 minutes to Claude Opus, costing roughly $0.75 per check. Over a month, that’s $750 just for reminders. Something to keep in mind before you let it run unsupervised on any system.
Critical Vulnerabilities: What Your SOC Team Needs to Know
We are seeing a rapid evolution of exploits specifically targeting the OpenClaw ecosystem:
CVE-2026-25253: One-Click Remote Code Execution
The most critical finding so far is CVE-2026-25253, a one-click remote code execution vulnerability with a CVSS score of 8.8. Discovered by DepthFirst, this flaw is elegant in its simplicity and terrifying in its impact.
The attack works like this: OpenClaw’s Control UI accepts a gateway URL from the query string without validation and automatically connects on page load, sending the stored authentication token in the WebSocket payload. An attacker crafts a malicious link, and when a user clicks it, the token is sent to the attacker’s server. The attacker then connects to the victim’s local gateway, disables sandboxing and safety guardrails through the API, and executes arbitrary shell commands on the host. The entire kill chain takes milliseconds.
What makes this especially nasty is that even loopback-only instances are vulnerable, because the victim’s own browser initiates the outbound connection. So if you thought binding to localhost would save you, it won’t. This was patched in version 2026.1.29, but if you haven’t updated, you should do so immediately.
Prompt Injection: the Gift that Keeps on Giving
Beyond the CVE, the prompt injection surface is enormous. In a detailed writeup, researchers demonstrated how asking OpenClaw to summarize a webpage could lead to a full takeover. The malicious page contained hidden instructions that told the agent to download a shell script and execute it. That script modified the HEARTBEAT.md file, which OpenClaw executes every 30 minutes by default, creating a persistent backdoor that survives restarts.
Think about that for a moment. You ask your AI assistant to summarize a webpage, and in return you get a backdoor on your machine that phones home every half hour. The agent didn’t question it, it just did it.
Separately, Giskard’s research confirmed that in default configurations, API keys and credentials were leaked in plaintext across sessions. Their tests also showed that anyone in a group chat with an OpenClaw bot could send crafted prompts to trigger tool calls and configuration changes without admin approval.
Unfortunately, it only gets worse. Researchers at Zenity showed that indirect prompt injection could create a persistent command and control channel using nothing but OpenClaw’s native features. No CVE needed. An attacker injects instructions through a shared document, the agent adds a new Telegram integration under the attacker’s control, and from that point on, the attacker can issue commands through that channel without ever touching the original systems. The agent becomes the backdoor.
Malicious Skills: an Open Marketplace for Malware
Perhaps the ugliest part of the whole story is the Skills ecosystem. OpenClaw uses skills to extend its capabilities: organized folders of instructions, scripts, and resources that tell the agent how to perform specific tasks. These are shared through ClawHub, an open marketplace where anyone with a GitHub account older than one week can publish.
You can see where this is going: security researchers found 341 malicious skills on ClawHub. A separate analysis of nearly 4,000 skills found that roughly 7.1% contained critical security flaws that exposed credentials in plaintext through the LLM’s context window.
The most common attack pattern, dubbed ClawHavoc, was surprisingly low-tech. A skill would look perfectly legitimate with professional documentation and everything, but the “Prerequisites” section would instruct users to download and run a binary from a GitHub repo. That binary was Atomic Stealer (AMOS), a macOS information stealer that goes after crypto wallets, SSH credentials, browser passwords, and API keys. 335 skills used this exact pattern.
Other malicious skills were more subtle. Some used direct prompt injection to bypass the agent’s safety guidelines and silently exfiltrate data via curl commands to external servers. The user never sees a thing. And because these skills are being cloned and republished at scale with small name variations, it’s nearly impossible to keep up with them manually.
In response, OpenClaw has partnered with VirusTotal to scan all published skills. Skills are now hashed with SHA-256, cross-checked against VirusTotal’s database, and either approved, flagged, or blocked. Active skills are re-scanned daily. It’s a solid step forward, but it’s also a reactive one. The fundamental issue is that ClawHub was built as an open marketplace first, with security bolted on after hundreds of malicious skills had already been distributed.
Detection and Response: action items for security teams
OpenClaw is an impressive piece of engineering, and the pace at which the team is responding to security issues is commendable. But the reality is that this tool should not be anywhere near production environments, corporate email, or sensitive data unless you have hardened it extensively and know exactly what you are doing.
The security documentation provides good guidance: bind to loopback, set a gateway auth token, enable sandboxing, use strict tool allowlists, and avoid installing unaudited skills. Unfortunately, most people deploying this aren’t reading those docs. They’re installing it, connecting it to WhatsApp, and giving it access to their entire system.
For security teams, the immediate action is to check your environment for OpenClaw, Moltbot, and Clawdbot signatures. Check Shodan, check DNS for requests to openclaw.ai, check for the default ports (18789, 3000), and audit for the installation directory (~/.openclaw/). If you find instances, treat them as privileged infrastructure, not a productivity app.
As OpenClaw’s own documentation jokingly ends: “Security is a process, not a product. Also, don’t trust lobsters with shell access.”
We couldn’t agree more. If you’d like to learn more on how to protect your environment again shadow AI, just reach out to our team.