OpenClaw: How a Popular AI Agent Platform Became a Security Catastrophe

Published: March 8, 2026 at 06:04 PM EDT
3 min read
Source: Dev.to

TL;DR

OpenClaw, an open‑source AI assistant platform, is massively compromised. Over 42,000 instances are exposed on the public internet, and 93 % have critical authentication flaws. A documented vulnerability (CVE‑2026‑25253) gives attackers one‑click remote code execution. This is the largest security incident in sovereign AI history—and it illustrates why privacy tools like the TIAMAT privacy proxy exist.

What You Need To Know

  • 42,000+ OpenClaw instances currently exposed on the public internet with zero authentication (Shodan scan, Feb 2026)
  • 93 % of scanned instances have at least one critical authentication bypass or credential exposure flaw
  • 1.5 M API tokens leaked in a single backend misconfiguration (Moltbook incident) + 35 K user emails exposed
  • CVE‑2026‑25253 (CVSS 8.8): One‑click RCE via WebSocket token hijacking—malicious websites can steal active bot tokens and execute shell commands
  • 341 malicious skills found in ClawHub (the public skill marketplace)—37 % of community skills contain security flaws, including credential theft and malware delivery

What Is OpenClaw and Why Did It Get So Broken?

OpenClaw is a self‑hosted AI agent platform. Users install it on a laptop, VPS, or Raspberry Pi and connect it to Claude or GPT via API. The platform then gains access to files, the shell, email, calendar, browser, and third‑party services through plugins called “skills.”

The appeal was obvious: unlike ChatGPT, which runs on Anthropic/OpenAI servers, OpenClaw runs locally, giving users full control and keeping data on their own machines.

Security Shortcomings

  • API keys stored in plaintext config files
  • OAuth tokens stored unencrypted in SQLite
  • No built‑in network isolation
  • Community‑written skills could be installed with zero code review
  • WebSocket connections not properly authenticated
  • Default ports exposed to the internet

The Data Breach Shadow

CVE‑2026‑25253: Token Theft → RCE

A WebSocket handler failed to properly validate authentication tokens. A malicious website could:

  1. Detect your OpenClaw instance
  2. Send a WebSocket request
  3. Spoof the predictable token format
  4. Hijack the session
  5. Execute arbitrary shell commands

CVSS 8.8 (High). One click, thirty seconds, game over.
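As an added example (not OpenClaw's code, and not a reconstruction of the patched handler), here is the kind of WebSocket handshake authorization that closes the three gaps the article describes: a token that cannot be guessed from its format, a constant-time comparison, and an Origin allow-list so that a page served from another site cannot complete the handshake even if it can reach the port. The origins, port and header layout are assumptions.

```python
import hmac
import secrets

PORT = 8765  # constructed example port, not a claim about OpenClaw's default
# Only the local UI may open a browser WebSocket; anything else is cross-site.
LOCAL_ORIGINS = {f"http://127.0.0.1:{PORT}", f"http://localhost:{PORT}"}


def issue_token() -> str:
    """256 bits from the OS CSPRNG: no predictable format to spoof."""
    return secrets.token_urlsafe(32)


def authorize_upgrade(headers: dict[str, str], expected_token: str,
                      allowed_origins: set[str] = LOCAL_ORIGINS) -> tuple[bool, str]:
    """Decide whether a WebSocket upgrade request may proceed.

    Browsers always attach an Origin header to WebSocket handshakes and a
    page cannot alter it, so rejecting unknown origins stops a malicious
    website from driving the agent through a victim's browser. A missing
    Origin (non-browser client) is tolerated only if the token is correct.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin is not None and origin not in allowed_origins:
        return False, "origin not allowed"
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False, "missing bearer token"
    # compare_digest runs in constant time, so response latency leaks nothing
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return False, "bad token"
    return True, "ok"
```

Binding the listener to 127.0.0.1 rather than 0.0.0.0 is the complementary fix for the "default ports exposed to the internet" item: the check above assumes the socket is reachable and still refuses cross-site callers.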

Moltbook: 1.5 M Tokens + 35 K Emails

Moltbook was a cloud deployment service. Its backend stored:

  • User registration data
  • Deployed OpenClaw API keys
  • Users’ ChatGPT/Claude API tokens
  • Full chat histories

All of it was stored unencrypted; a researcher downloaded it and disclosed the exposure in February 2026.

ClawHub: 341 Malicious Skills

Snyk Labs audited OpenClaw’s public skill marketplace and found:

  • 341 skills with documented security flaws
  • 189 designed to steal credentials
  • 87 that download/execute external code
  • 65 that harvest browser cookies and passwords

Key Takeaways

  • OpenClaw was destroyed by the surveillance forces it was trying to escape. Self‑hosting doesn’t work without professional security infrastructure.
  • 42,000+ instances are vulnerable. If you’re running OpenClaw, take it offline and rotate your API keys.
  • TIAMAT Privacy Proxy solves this. Scrub PII, route traffic through TIAMAT, and use any LLM while keeping your data private.

For privacy‑first AI APIs, visit https://tiamat.live.
