OpenClaw Is Unsafe By Design
Source: Dev.to
The Cline Supply‑Chain Attack (Feb 17)
A popular VS Code extension, Cline, was compromised. The attack chain illustrates several AI‑specific failure modes:
- Attacker opens a GitHub issue on Cline’s repository.
- Cline’s AI‑powered issue‑triage bot reads the issue.
- Prompt injection in the issue content tricks the bot.
- The bot poisons the GitHub Actions cache with malicious code.
- The CI pipeline steals `VSCE_PAT`, `OVSX_PAT`, and `NPM_RELEASE_TOKEN`.
- The attacker publishes `cline@2.3.0` with a post‑install script that runs `npm install -g openclaw@latest`.
- ~4,000 developers install it within 8 hours before the package is deprecated.
The malicious package was caught by StepSecurity’s automated checks. Two red flags triggered immediately:
- The package was published manually (not via OIDC Trusted Publishing).
- It had no npm provenance attestations.
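Both red flags are checkable from a client machine. A minimal sketch, assuming the registry metadata has been saved locally with `npm view <pkg>@<version> --json` first (on npm ≥ 9.5, `npm audit signatures` run inside a project performs the full verification of registry signatures and provenance attestations):

```shell
# Sketch: flag a package version that lacks npm provenance attestations.
# Assumes you saved registry metadata first, e.g.:
#   npm view cline@2.3.0 --json > pkg.json

has_provenance() {
  # Provenance-published versions typically carry a dist.attestations
  # entry in their registry metadata; manual publishes do not.
  grep -q '"attestations"' "$1"
}

check_package() {
  if has_provenance "$1"; then
    echo "provenance: present"
  else
    echo "RED FLAG: no provenance attestations (manual publish?)"
  fi
}
```

Usage: `check_package pkg.json`. This is a heuristic, not a cryptographic check; `npm audit signatures` is the authoritative verification.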
The payload? OpenClaw – not malware, not a cryptominer, but a persistent AI coding agent.
What Is OpenClaw?
OpenClaw (formerly Clawdbot, then Moltbot) is a “persistent AI coding agent” that lives on your machine with broad system‑level permissions:
| Component | Details |
|---|---|
| Daemon | Runs via launchd / systemd |
| Interface | WebSocket server on ws://127.0.0.1:18789 |
| Filesystem | Full‑disk access |
| Terminal | Full terminal access |
| Credentials | Reads ~/.openclaw/credentials/ and config.json5 (API keys, OAuth tokens) |
| Skills | Installs from ClawHub, a public marketplace with zero moderation |
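Each of those footprints can be checked locally. A minimal detection sketch, assuming the default port `18789` from the table above; the `ss`/`lsof` probes are best-effort, and the state-directory check takes an overridable root so it can be tested against a fixture:

```shell
# Sketch: look for the OpenClaw daemon's local WebSocket listener
# (default ws://127.0.0.1:18789) and its on-disk state directory.

openclaw_port_open() {
  # Prefer ss (Linux), fall back to lsof (macOS); report "closed"
  # if neither tool is available.
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | grep -q ':18789 '
  elif command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP:18789 -sTCP:LISTEN >/dev/null 2>&1
  else
    return 1
  fi
}

openclaw_state_present() {
  # Pass a root directory to test against a fixture; defaults to $HOME.
  [ -d "${1:-$HOME}/.openclaw" ]
}
```

Usage: `openclaw_port_open && echo "daemon listening"; openclaw_state_present && echo "state dir present"`.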
Value proposition: An AI assistant that can actually edit files, run commands, and manage your workflow—no copy‑pasting required.
Security implication: The same capabilities that make it useful also give attackers a powerful foothold.
The Viral Moment & Immediate Fallout
- Early Feb 2025: Karpathy and Willison tweet about OpenClaw (Karpathy later clarifies he finds the idea intriguing but does not recommend running it).
- Within three days, three high‑risk CVEs were issued:
  - CVE‑2026‑25253 – remote code execution
  - CVE‑2026‑25157 – command injection
  - CVE‑2026‑24763 – command injection (again)

  All were patched, but the fixes missed the underlying architectural issue.
- SecurityScorecard’s STRIKE team discovered 135k+ internet‑exposed OpenClaw instances within hours of the viral tweets (40k at publication, 135k by Feb 9). An estimated 50k+ remained vulnerable to the already‑patched RCE.
- Koi Security scanned ClawHub and found 341 malicious skills. One attacker uploaded 677 packages.
- Snyk scanned ~4k skills and found 283 (7.1%) exposing credentials—API keys, passwords, even credit‑card numbers passed through the LLM context window in plaintext.
- The “buy‑anything” skill can collect credit‑card details and exfiltrate them via a follow‑up prompt.
Laurie Voss, founding CTO of npm: “A security dumpster fire.”
r/netsec verdict: “The concept is unsafe by design, not just the implementation.”
Core Problem: A Broken Threat Model
To be useful, OpenClaw needs:
- Persistent filesystem access
- Ability to execute arbitrary commands
- Access to credentials & API keys
- Ability to install/run untrusted code (skills from ClawHub)
- Network access to LLM providers
To be safe, it would need to lack most of those things. The very tools that make it valuable are the same tools attackers exploit. This isn’t a bug; it’s the product.
Supply‑chain example: The attacker didn’t exploit a vulnerability in OpenClaw. They simply leveraged the fact that OpenClaw already has full system permissions. The malicious post‑install script didn’t steal data directly; it installed a tool that already could.
The ask was “install this popular AI agent,” not “run this malicious script.”
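The mechanism is ordinary npm lifecycle scripting: a `postinstall` script runs automatically on every `npm install` of the package. A sketch of the shape such a manifest takes (the script body matches the incident description above; everything else is illustrative):

```json
{
  "name": "cline",
  "version": "2.3.0",
  "scripts": {
    "postinstall": "npm install -g openclaw@latest"
  }
}
```

Installing with `npm install --ignore-scripts` disables lifecycle scripts and would have blocked this step.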
Microsoft’s “Running OpenClaw Safely” Guide (Feb 19)
Microsoft published a guide covering:
- Identity isolation
- Runtime risk
- Containment strategies
The existence of such a guide underscores that technology has outpaced safety infrastructure. The guide merely documents hoops you must jump through to contain something never designed to be contained.
Missing OS Primitives for Agentic Workloads
OpenClaw runs as the user, inheriting all user permissions:
- Reads SSH keys, `.env` files, browser cookies
- No sandbox, no capability‑based security, no path‑level restrictions
Research direction: A recent paper proposes a branch() syscall (a fork‑like primitive for agentic workloads with filesystem snapshots). Agents could speculatively branch into parallel approaches, each with an isolated FS snapshot; the winner commits atomically, losers abort. This is the kind of OS‑level containment we need—not just “firewall OpenClaw.”
Until such primitives exist, we rely on bubblewrap scripts and hope.
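For reference, such a wrapper is little more than a long `bwrap` invocation. A dry‑run sketch, assuming bubblewrap is installed and that the agent needs only one project directory (a real invocation needs more binds, e.g. library paths and DNS config if you grant network access); the function only builds the command string so it can be inspected before running:

```shell
# Sketch: construct a bubblewrap command that denies an agent everything
# except one project directory. AGENT is whatever binary you intend to
# contain (hypothetical here); this does not execute anything itself.

build_sandbox_cmd() {
  project="$1"
  agent="$2"
  # --unshare-all also drops network; add --share-net only if the agent
  # genuinely needs to reach an LLM provider.
  echo "bwrap --unshare-all --die-with-parent" \
       "--ro-bind /usr /usr --proc /proc --dev /dev --tmpfs /tmp" \
       "--bind $project /work --chdir /work -- $agent"
}
```

Usage: `build_sandbox_cmd ~/myproject ./agent` prints the command; review it, then run it with `sh -c` if it looks right.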
Immediate Action Steps (If You Installed OpenClaw)
- Uninstall:

  ```shell
  npm uninstall -g openclaw
  rm -rf ~/.openclaw/
  ```

- Rotate credentials – any API keys, OAuth tokens, or passwords stored in `~/.openclaw/credentials/` or passed through the LLM context window should be considered compromised. Generate new ones.

- Check for persistence – if you allowed OpenClaw to install a `launchd`/`systemd` service, remove the corresponding service file:

  - macOS (`launchd`):

    ```shell
    launchctl unload -w ~/Library/LaunchAgents/com.openclaw.agent.plist
    rm ~/Library/LaunchAgents/com.openclaw.agent.plist
    ```

  - Linux (`systemd`):

    ```shell
    sudo systemctl disable --now openclaw.service
    sudo rm /etc/systemd/system/openclaw.service
    sudo systemctl daemon-reload
    ```

- Audit your system – look for any leftover files, sockets, or processes that reference `openclaw`.

- Monitor for suspicious activity – watch network traffic, new processes, and credential usage for signs of lingering compromise.
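The audit step can be partly scripted. A sketch that checks the paths named earlier in this post; the root directory is overridable so the function can be exercised against a fixture, and the systemd user‑unit path is an assumption:

```shell
# Sketch: sweep for leftover OpenClaw files and service definitions.
# ROOT defaults to $HOME; point it at a fixture directory to test.

audit_openclaw() {
  root="${1:-$HOME}"
  found=0
  for path in \
    "$root/.openclaw" \
    "$root/Library/LaunchAgents/com.openclaw.agent.plist" \
    "$root/.config/systemd/user/openclaw.service"
  do
    if [ -e "$path" ]; then
      echo "leftover: $path"
      found=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "no OpenClaw remnants found"
  fi
  return 0
}
```

Pair it with `pgrep -f openclaw` to catch a still‑running daemon process.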
Takeaway
OpenClaw’s architectural design—persistent, privileged, and capable of executing untrusted code—makes it a high‑value target. The Cline supply‑chain incident proves that the existence of such an agent is enough for attackers to weaponize it, even without exploiting a specific vulnerability.
To safely adopt agentic AI tools, we need OS‑level capability controls and sandboxing primitives built for the unique threat model of persistent AI agents. Until then, treat any such tool as inherently unsafe by design.
OpenClaw Security Advisory
Note: This is a warning about the risks associated with running OpenClaw or similar AI agents.
Audit Your System
- Check the status of background services:

  ```shell
  launchctl list                 # macOS
  systemctl --user list-units    # Linux
  ```

- Audit ClawHub skills: if you installed any skills, assume they have seen everything you worked on while they were active.
Key Findings
- OpenClaw does not have built‑in exfiltration (as far as we know).
- However, it has full access to everything on the host, and the skills marketplace had zero moderation.
- OpenClaw isn’t buggy—it’s working as designed: providing an LLM with persistent, broad system access to automate your workflow.
- Because of this design, making it safe is effectively impossible.
Why This Matters
- The AI‑agent security conversation must happen before more “helpful coding agents” ship with root access to your environment.
- Waiting until CVEs start rolling in, or until companies publish safety guides, is too late.
- The Cline supply‑chain attack was only a proof of concept; the next attack will likely be a full‑blown data breach.
Recommendations
- Do not run OpenClaw (or anything similar) until the threat model changes.
- If you’re building AI agents, design for containment from day one, not as an afterthought.
- The tools you give an agent to make it useful are exactly the tools that make it useful to attackers. This isn’t a patchable problem—it must be addressed architecturally.
Acknowledgements
Thanks to the r/netsec and r/cybersecurity communities for their sharp analysis, and to StepSecurity for catching the Cline compromise before it spread further.