Security Risks From Self-Hosted Autonomous AI Agents (Clawdbot/Moltbot/OpenClaw)
Security researchers and vendors warned that self-hosted, agentic AI assistants—notably Clawdbot (rebranded as Moltbot and also referred to as OpenClaw)—expand enterprise attack surface by combining broad data access with the ability to take direct actions (browser control, messaging, email, and command execution). Resecurity reported finding hundreds of exposed deployments reachable from the public Internet, frequently with weak authentication, unsafe defaults, or misconfigurations that could allow attackers to access API keys/OAuth tokens, retrieve private chat histories, and in some cases achieve remote command execution on the host. Dark Reading similarly highlighted that OpenClaw’s ecosystem can be undermined by malicious “skills” and fragile configuration/removal practices, reinforcing that these tools can be difficult to operate safely even when users attempt to limit permissions.
CyberArk framed the issue as an identity security problem: autonomous agents often run with user-level permissions and integrate with platforms like Slack, WhatsApp, and GitHub, creating pathways for credential/token theft, data leakage, and unauthorized actions if the agent is exposed to untrusted content or deployed without strong controls. In contrast, Dark Reading’s coverage of Shai-hulud focuses on a separate threat—self-propagating supply-chain worms targeting NPM projects—and is not directly about autonomous AI agents, though it underscores the broader risk of downstream compromise when widely used components or ecosystems are poisoned.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
20 events from the most recent confirmed update back to the earliest known activity.
Flare reports widespread OpenClaw exploitation by multiple threat groups
Flare reported on February 19 that multiple threat groups were actively exploiting OpenClaw through RCE, exposed interfaces, poisoned skills, and credential-harvesting campaigns. The report described campaigns such as 'ClawHavoc' and warned of near-term exfiltration and persistence risks across exposed deployments.
Microsoft publishes guidance to run OpenClaw only in isolated environments
Microsoft advised treating OpenClaw as untrusted code execution with persistent credentials and recommended evaluating it only in isolated, disposable environments with low-privilege identities. The guidance emphasized containment, monitoring, and rapid rebuild capability over relying on prevention alone.
Major firms begin restricting OpenClaw use
By February 19, reporting indicated that companies including Meta and other AI firms had moved to restrict or limit OpenClaw use because of mounting security concerns. The restrictions reflected a shift from research warnings to concrete enterprise control actions.
OpenClaw releases version 2026.2.17 with security fixes
On February 17, OpenClaw released version 2026.2.17, adding new model support and platform features while also including security fixes. The release landed as the project remained under heavy scrutiny for RCE, audit findings, and malicious skills abuse.
OpenClaw partners with VirusTotal to scan ClawHub skills
OpenClaw maintainers announced a partnership with VirusTotal to scan for malicious skills on ClawHub, develop a threat model, and add misconfiguration auditing. The move came amid ongoing reports that attackers were bypassing marketplace checks with decoy skills and off-platform malware hosting.
Infostealer campaign steals OpenClaw config files and gateway tokens
Researchers reported that a likely Vidar-variant infostealer exfiltrated OpenClaw artifacts including openclaw.json, device.json, and soul.md from an infected victim. The theft showed that malware operators were beginning to target AI-agent configuration and identity material, not just browser credentials.
OpenAI hires OpenClaw creator Peter Steinberger
On February 16, OpenAI hired OpenClaw creator Peter Steinberger to work on safer personal and multi-agent systems. Steinberger said OpenClaw would remain open source and transition toward a foundation structure with OpenAI support.
Researcher publishes OpenClaw token-theft to RCE demonstration
A public write-up described how weakly configured, internet-exposed OpenClaw instances could be abused through token theft to achieve account takeover and arbitrary code execution. The author said the demonstration was performed on a default installation deployed for research.
OpenClaw adds detection support to Praetorian's Julius scanner
Praetorian released Julius v1.2.0 with new probes to detect exposed OpenClaw, Moltbot, and Clawdbot gateways on networks. The update reflected growing concern over misconfigured or outdated instances leaking tokens, chat histories, and filesystem access.
Gartner advises organizations to block OpenClaw
By mid-February, Gartner guidance cited in industry reporting recommended that organizations block OpenClaw because of insecure-by-default agentic-AI risks. The advice also aligned with calls to rotate credentials exposed to the platform and restrict enterprise use.
OpenClaw creator adds ClawHub anti-abuse controls
Peter Steinberger announced security-oriented updates to ClawHub, including requiring skill uploaders to have GitHub accounts at least a week old and adding a way for users to flag malicious skills. These changes were presented as an initial response to abuse in the skills marketplace.
SecurityScorecard reports massive internet exposure of OpenClaw
By February 9-10, SecurityScorecard's STRIKE team reported tens of thousands of exposed OpenClaw control panels and more than 135,000 internet-facing deployments, with many vulnerable to previously patched RCE issues. The team tied the exposure to default binding on 0.0.0.0:18789, weak access controls, and widespread failure to patch.
Security research wave warns OpenClaw is unsafe by design
On February 6, multiple firms and researchers publicly warned that OpenClaw's architecture and defaults made safe deployment difficult, citing prompt injection, plaintext secret storage, overprivileged execution, and risky third-party skills. The reporting framed the issue as a structural security problem rather than a single bug.
Resecurity reports hundreds of exposed Clawdbot/Moltbot deployments
Resecurity said it found hundreds of publicly exposed Clawdbot/Moltbot instances with weak authentication or unsafe defaults, enabling access to API keys, OAuth tokens, chat histories, and in some cases remote command execution. The company also noted that Shodan had indexed large numbers of related instances, making discovery easy.
Researchers demonstrate prompt-injection takeover and persistence
Security researchers showed that malicious content such as web pages or documents could coerce OpenClaw into unsafe actions, including downloading and executing shell scripts and persisting changes through HEARTBEAT.md or memory files. These demonstrations highlighted the platform's exposure to indirect prompt injection from untrusted inputs.
Threat actors begin exploiting OpenClaw within days of adoption
Multiple sources describe active exploitation starting within roughly 72 hours of OpenClaw's viral rise, using exposed admin panels, RCE, prompt injection, and credential-harvesting techniques. Reported outcomes included API key theft, message interception, and infostealer delivery.
Malicious skills appear in ClawHub marketplace
In late January and early February, attackers uploaded malicious third-party skills to OpenClaw's ClawHub marketplace, using social engineering and decoy packages to steal credentials, wallet data, and other secrets. Multiple reports described this as an early supply-chain style abuse of the agent ecosystem.
OpenClaw patches critical RCE flaw CVE-2026-25253
OpenClaw released fixes in late January for a critical remote code execution issue tracked as CVE-2026-25253, along with other high-severity flaws affecting older versions. Later reporting indicated many internet-exposed deployments remained unpatched despite the fix.
Security audit identifies 512 vulnerabilities in OpenClaw
A late-January 2026 security audit reportedly found 512 vulnerabilities in OpenClaw, including eight critical issues. The findings helped trigger broader scrutiny of the platform's insecure defaults, exposed interfaces, and plugin ecosystem.
OpenClaw gains viral popularity in late January 2026
OpenClaw, previously known as Clawdbot and Moltbot, rapidly gained adoption in late January 2026, with reports citing explosive GitHub growth and widespread self-hosted deployments. Its popularity drove broad experimentation by users and enterprises before its security model had matured.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
24 references tracked. Mallory keeps watching after this page renders.
Humans Will Give AI Anything If You Make It Sound Cool Enough
blog.knowbe4.com
Open sourceWidespread OpenClaw Exploitation by Multiple Threat Groups - Flare | Threat Exposure Management | Unmatched Visibility into Cybercrime
flare.io
Open sourceOpenClaw security fears lead Meta, other AI firms to restrict its use - Ars Technica
arstechnica.com
Open sourceRunning OpenClaw safely: identity, isolation, and runtime risk | Microsoft Security Blog
microsoft.com
Open sourceOpenClaw instances open to the internet present ripe targets • The Register
go.theregister.com
Open sourceResecurity | Clawdbot / Moltbot: The Autonomous AI Butler That Could Expose Your Entire Digital Life
resecurity.com
Open sourceOpenClaw's Gregarious Insecurities Make Safe Usage Difficult
darkreading.com
Open sourceHow autonomous AI agents like OpenClaw are reshaping enterprise identity security
cyberark.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Clawdbot Open-Source Agentic AI Assistants Raise Endpoint and Identity Security Risks
The open-source agentic assistant **Clawdbot** rapidly went viral on GitHub (reported at ~24,000–25,000+ stars in a short period) and drew high-profile attention, with reports of engineers running it locally on always-on hardware such as **Mac minis**. Clawdbot is positioned as a “local-first” AI gateway that can be driven from common messaging platforms (e.g., Slack/Discord/Telegram) and can take real actions on a host—invoking terminals, running scripts, using a browser for web automation, and retaining “memory” over time—effectively operating with permissions similar to a human user account. Security commentary around Clawdbot emphasizes that agentic assistants change incident patterns because they can persist like service accounts while behaving like users, expanding the blast radius if compromised or misconfigured. Key risks highlighted include **shadow AI** adoption outside IT controls, inherited or over-granted permissions across chat and SaaS tools, data exposure via long-lived context/memory, and new attack paths such as prompt manipulation or “helpful” automation that executes unsafe actions on endpoints. The guidance focuses on SOC readiness: monitoring for unusual automation behaviors and access patterns consistent with an agent executing actions across endpoints and collaboration/SaaS environments, and treating these tools as a machine-identity and endpoint-control problem rather than a simple chatbot governance issue.
Mar 21, 2026
Security Risks From OpenClaw ‘Sovereign’ AI Agents With Local Terminal Access
**OpenClaw** (formerly *Clawdbot/Moltbot*) is rapidly spreading as an open-source “sovereign agent” that runs locally and can be granted high-privilege access to a user’s machine (including terminal/code execution), shifting AI from a passive chatbot to an active operator on endpoints. Trend Micro warns this model materially expands the attack surface by combining agent **access to files/commands**, **untrusted inputs** (e.g., messages/web/email), and **exfiltration paths**, and adds a fourth compounding risk—**persistence** via retained memory/state—creating conditions where prompt/instruction manipulation could translate into real system actions and data loss. Adoption is accelerating in China, where Shenzhen’s Longgang district proposed subsidies and an ecosystem to support OpenClaw-driven “one-person companies,” even as regulators and state media flag **data security and privacy** concerns tied to the tool’s ability to access personal and enterprise data. The reporting notes OpenClaw’s plug-in model support (including OpenAI, Anthropic, and Chinese model providers) and highlights official scrutiny amid China’s tightened data-privacy and export-control posture, underscoring that the primary risk is not a single vulnerability but the **operational security implications of deploying locally empowered AI agents** at scale.
Apr 3, 2026
OpenClaw (ClawdBot/Moltbot) One-Click Remote Code Execution via Unsafe Gateway URL Handling
A **critical one-click remote code execution (RCE)** issue was reported in *OpenClaw* (also referred to as **ClawdBot/Moltbot**), an open-source AI “agent” assistant that runs with high local privileges and access to sensitive data (e.g., messaging apps and API keys). The described exploit chain abuses **unsafe URL parameter ingestion** (e.g., a `gatewayUrl` query parameter accepted without validation), persistence of attacker-controlled values (stored in `localStorage`), and an **automatic gateway connection** that transmits an `authToken` during the handshake—enabling **cross-site WebSocket hijacking** and ultimately unauthenticated code execution after a victim clicks a single malicious link. Reporting indicates the flaw has been **weaponized**, making it a practical drive-by compromise path for endpoints running the assistant. Separate reporting highlighted broader concerns with agentic/open-source AI tooling and deployments, including the security risks of highly privileged “AI that acts for you” and the growing attack surface created by exposed AI services. Research cited large-scale internet exposure of open-source LLM runtimes (e.g., **Ollama**) with tool-calling and weak guardrails, warning that a single vulnerability or misconfiguration could enable widespread abuse (resource hijacking, identity laundering, or remote execution of privileged operations). These themes reinforce that AI agents and self-hosted AI stacks should be treated as **critical infrastructure**, with strict input validation, hardened update/connection flows, and strong monitoring around token handling and outbound connections.
Mar 21, 2026