OpenClaw AI Agent Exposures and One-Click RCE via WebSocket Hijacking
The open-source autonomous AI assistant OpenClaw (previously Clawdbot and Moltbot) is drawing security scrutiny after rapid adoption coincided with both widespread unsafe deployments and newly disclosed exploit chains. Reporting highlighted that the project’s autonomy-focused design (integrations with email, calendars, smart-home services, and other action-taking connectors) increases blast radius when misconfigured, and that security concerns have persisted through multiple rebrands as the ecosystem grows quickly.
Internet scanning data indicated 21,000+ OpenClaw/Moltbot instances were publicly exposed despite documentation recommending local-only access (default TCP/18789) and remote access via SSH tunneling rather than direct internet exposure; even where tokens are required for full access, exposed endpoints can aid adversary reconnaissance and targeting. Separately, researchers disclosed a one-click RCE chain leveraging cross-site WebSocket hijacking due to missing WebSocket Origin validation, enabling a malicious webpage to obtain an auth token, connect to the OpenClaw server, disable safety prompts/sandboxing, and invoke command execution (e.g., via node.invoke); the project issued a patch and advisory, while adjacent ecosystem components (e.g., agent-focused social features) were also flagged as adding additional attack surface.
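The two findings above, a gateway reachable from the internet and a WebSocket upgrade that never checks Origin, are both things a defender can test for in code. The block below is an added example, not OpenClaw's own code: it assumes the gateway UI is served from the default local port 18789 and that header names arrive lowercased as Node's http module delivers them.

```javascript
// Added example, not OpenClaw's code: a WebSocket upgrade gate that defeats
// cross-site WebSocket hijacking by validating Origin, plus a start-up check
// that the gateway is bound to loopback only. Assumed default port: 18789.
const GATEWAY_ORIGINS = new Set([
  "http://127.0.0.1:18789",
  "http://localhost:18789",
]);

// Constructed illustration of the unsafe pattern: Origin is never consulted,
// so any page the user visits can open a socket to the local gateway.
function unsafeUpgradeDecision(headers) {
  return { accept: true, reason: "origin not checked" };
}

// Canonical scheme://host:port form so case and default ports do not matter.
function canonicalOrigin(origin) {
  const u = new URL(origin);            // throws on malformed input
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Hardened decision. Browsers always send Origin on WebSocket upgrades, so a
// missing header means a non-browser client (CLI, curl), which the gateway's
// auth token still gates. Everything else must match the allowlist exactly;
// prefix or substring matching would let "localhost.evil.example" through.
function upgradeDecision(headers, allowed = GATEWAY_ORIGINS) {
  const origin = headers.origin;        // Node lowercases header names
  if (origin === undefined) {
    return { accept: true, reason: "non-browser client; token still required" };
  }
  if (origin === "null") {
    return { accept: false, reason: "opaque origin (sandboxed frame or file://)" };
  }
  let canon;
  try {
    canon = canonicalOrigin(origin);
  } catch (_e) {
    return { accept: false, reason: "malformed origin" };
  }
  if (allowed.has(canon)) return { accept: true, reason: "allowlisted origin" };
  return { accept: false, reason: `cross-site origin rejected: ${origin}` };
}

// Companion check for the exposure finding: remote use should go through an
// SSH tunnel, so refuse to start if the bind address is not loopback.
function bindAddressIsLoopback(host) {
  return ["127.0.0.1", "::1", "localhost"].includes(host);
}
```

In a Node `http.Server` the decision runs inside the `'upgrade'` event handler, and a rejected request is answered by destroying the socket before any handshake completes.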

How this story unfolded
27 events from the most recent confirmed update back to the earliest known activity.
Nvidia introduces NemoClaw as enterprise-focused OpenClaw variant
Dark Reading reported that Nvidia introduced NemoClaw as an enterprise-grade version of OpenClaw aimed at safer organizational use. The offering was described as adding governance, sandboxing, policy enforcement, and isolation tailored for AI agents.
OpenClaw outlines next-phase security roadmap and hardening plans
OpenClaw published a blog post detailing current and planned security measures, including fs-safe filesystem protections, a planned SQLite refactor to reduce risky file access, Proxyline-based proxy enforcement for network egress, stronger ClawHub provenance and moderation controls, improved command approval parsing, and OpenGrep/CodeQL rule-based regression testing. The post frames these as the project's forward-looking security direction following recent vulnerability disclosures and patches.
OpenClaw patches four 'Claw Chain' flaws enabling takeover and persistence
Cyera disclosed four OpenClaw vulnerabilities, dubbed 'Claw Chain,' that could be chained from sandboxed code execution to data theft, owner-level impersonation, privilege escalation, and persistence via configuration tampering or backdoor installation. OpenClaw said the access control bug stemmed from trusting a client-controlled ownership flag and patched all four issues in version 2026.4.22 after responsible disclosure.
Koi Security finds 341 malicious skills in ClawHub registry
Koi Security reported that 341 of 2,857 skills in the ClawHub registry were malicious, highlighting a supply-chain problem in the OpenClaw ecosystem. Reported examples included skills delivering Atomic Stealer on macOS and reverse-shell backdoors on Windows.
OpenClaw formalizes trust model and broad security hardening
OpenClaw said it formalized its trust model in SECURITY.md and improved vulnerability triage amid a surge of security reports since January 10, 2026. The project also described broader hardening work, including fixes for authentication and sandbox issues, reduced attack surface via plugins, stronger release controls, expanded CI and observability, and improved secret handling.
Microsoft reportedly launches internal OpenClaw-based 'Project Lobster' effort
A 2026-04-24 report said Microsoft had an internal project, reportedly called Project Lobster, built from an OpenClaw fork to bring autonomous assistant capabilities into Microsoft 365 workflows. The effort was described as being led within Omar Shahine’s organization, with a version called 'ClawPilot' tied to Entra identity and Agent 365 management despite ongoing security concerns around OpenClaw-style agents.
OpenClaw patches three policy bypass and host override flaws
Researchers disclosed three moderate-severity OpenClaw vulnerabilities affecting gateway configuration integrity, local policy enforcement, and API host handling. OpenClaw version 2026.4.20 patched the issues, which could allow persistent security-setting changes, bypass of deny lists and owner-only restrictions, and exposure of API credentials via attacker-controlled hosts.
ARMO discloses CVE-2026-32922 OpenClaw privilege-escalation flaw
ARMO published research on CVE-2026-32922, describing a critical privilege-escalation vulnerability in OpenClaw with implications for cloud security teams. The disclosure added a new named CVE and technical details about escalation risk not reflected in the existing timeline.
GitHub advisory discloses .env injection policy bypass in OpenClaw
A GitHub security advisory disclosed an OpenClaw vulnerability in which a current-working-directory `.env` file could inject environment variables, bypass host-environment policy, and enable configuration takeover. The issue added new technical detail about configuration and policy enforcement weaknesses in OpenClaw.
China moves to curb OpenClaw use at banks and state agencies
A 2026-03-11 report said China moved to restrict or curb OpenClaw AI use at banks and government-linked state agencies. The development marked a regulatory and institutional response to security and governance concerns around OpenClaw deployments.
NanoClaw launches containerized isolation for OpenClaw-style agents
A March 7, 2026 report described NanoClaw, a project that runs each AI agent in its own Docker container to mitigate security risks associated with OpenClaw-style autonomous agents. The release represented a new community mitigation approach focused on runtime isolation rather than upstream patching alone.
Fake OpenClaw installers spread malware via Bing AI search promotion
A report said threat actors were distributing malware-laced fake OpenClaw installers and that the campaign gained visibility through Bing AI search promotion. The activity marked a new distribution vector targeting people seeking OpenClaw software outside the official ecosystem.
Researcher reports OpenClaw agent accidentally deleted emails
A PCMag report described a Meta security researcher saying an OpenClaw-based AI agent accidentally deleted her emails, illustrating real-world safety and reliability risks from autonomous agent actions beyond disclosed software vulnerabilities. The incident added a concrete example of user harm tied to agent behavior in the OpenClaw ecosystem.
Moatbot-security project launches as hardened OpenClaw/Moltbot fork
A GitHub repository for 'moatbot-security' was published as a security-hardened AI agent platform intended to address OpenClaw/Moltbot vulnerabilities, including CVE-2026-25253. The release reflects a community response that packaged mitigations into a separate fork or derivative project rather than an official OpenClaw patch.
Endor Labs discloses six OpenClaw vulnerabilities
Endor Labs published research describing six OpenClaw vulnerabilities uncovered through AI-assisted SAST data-flow analysis. The disclosure added new technical details about additional weaknesses in OpenClaw beyond the earlier one-click RCE and command-injection issues.
Report says 1,184 malicious skills infected OpenClaw's ClawHub
A 2026-02-18 report said ClawHub contained 1,184 malicious skills, describing a major supply-chain exposure in the OpenClaw ecosystem. The malicious packages reportedly created risks of data theft and broader compromise for users installing untrusted skills.
Researchers disclose leaky and malicious ClawHub skills plus prompt-injection abuse
On 2026-02-05, Snyk reported that 283 ClawHub skills exposed plaintext secrets and 76 skills were malicious, containing credential theft, backdoor, and data-exfiltration payloads. Separately, Zenity showed an indirect prompt injection attack against OpenClaw integrations that could create an attacker-controlled Telegram bot channel and lead to remote command execution and broader compromise.
Wiz details Moltbook exposure affecting 35,000 emails and private messages
Wiz and Dvuln reported serious Moltbook security flaws, with Wiz saying it accessed a misconfigured database in under three minutes. The exposure reportedly included 35,000 email addresses and private agent messages, adding significant new impact detail to earlier reports about Moltbook's insecure setup before remediation.
Moltbook exposure is remediated after disclosure
Following the Moltbook database exposure report, Supabase CEO Paul Copplestone said he had a one-click fix and was trying to coordinate with the creator. O’Reilly later confirmed that the exposed Moltbook data had been secured.
Moltbook database exposure reveals secret API keys
Researcher Jamieson O’Reilly reported that Moltbook, an OpenClaw-adjacent social network for AI agents created by Matt Schlicht, exposed a database containing secret API keys. The issue could have allowed attackers to post as any linked agent, raising impersonation, scam, and disinformation risks.
OpenClaw patches RCE and other command injection issues
The OpenClaw team quickly patched the reported one-click RCE issue and published a public advisory. Reporting also indicates the project recently made dozens of security-hardening commits and fixed additional command injection flaws.
Researcher discloses one-click OpenClaw RCE exploit chain
DepthFirst researcher Mav Levin reported a one-click remote code execution chain affecting OpenClaw. The attack relied on cross-site WebSocket hijacking caused by missing Origin validation, allowing a victim visiting a malicious webpage to have an auth token stolen and dangerous commands executed.
Hudson Rock reports infostealer infections stealing OpenClaw configurations
Hudson Rock reported real-world infostealer infections affecting OpenClaw users and targeting locally stored OpenClaw configuration data. The finding indicated attackers were not only probing exposed gateways but also harvesting sensitive OpenClaw-related credentials and settings from compromised endpoints.
GitHub issue warns ClawHub/MoltHub could distribute malicious code
A GitHub issue filed against the ClawHub project warned that the skill/package ecosystem could be abused to distribute malicious code. The report surfaced the supply-chain risk in the OpenClaw ecosystem before later research quantified large numbers of malicious skills in the registry.
Censys identifies 21,639 internet-exposed OpenClaw instances
Censys reported that 21,639 OpenClaw instances were publicly exposed online as of January 31, 2026. The exposed systems could be enumerated and fingerprinted, creating reconnaissance opportunities and increasing the risk to users' sensitive configurations and connected services.
Pillar observes real-world attack traffic targeting exposed Clawdbot gateways
Pillar Security reported seeing in-the-wild attack traffic aimed at internet-exposed Clawdbot gateways, indicating that exposed deployments were already being actively targeted. This marked an escalation from theoretical exposure risk to observed hostile activity against the ecosystem.
OpenClaw project rebrands from Clawdbot to Moltbot to OpenClaw
The open-source autonomous AI assistant created by Peter Steinberger underwent rapid rebranding from Clawdbot to Moltbot and then OpenClaw, reportedly in part due to trademark concerns. The project's popularity and deployment count grew quickly during this period.
Sources
50 references tracked.
For Enterprises, Security Remains Agentic AI's Biggest Challenge
darkreading.com
Moltbot: The Agentic Trojan Horse - Noma Security
noma.security
Patched OpenClaw Flaw Let Hackers Hijack AI Agents
bankinfosecurity.com
Patched OpenClaw Flaw Let Hackers Hijack AI Agents
govinfosecurity.com
From Clawdbot to OpenClaw: This viral AI agent is evolving fast - and it's nightmare fuel for security pros | ZDNET
zdnet.com
Over 21,000 OpenClaw AI Instances Found Exposing Personal Configuration Data
cyberpress.org
21,000+ OpenClaw AI Instances With Personal Configurations Exposed Online
cybersecuritynews.com
OpenClaw can be Hazardous to your Software Supply Chain
jfrog.com