February 9, 2026 - Bitsight researchers found thousands of exposed OpenClaw AI instances. Here's what the risks are, how attackers exploit them, and what security teams should do

2 weeks ago - Cybersecurity researchers have ... collectively dubbed Claw Chain by Cyera, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors....

February 23, 2026 - Multiple hacking groups have taken advantage of severe vulnerabilities to steal API keys, extract persistent memory data, and push information-stealing malware instead of leaving the platform’s expanding user base unharmed. Security analysts have linked more than 30,000 compromised instances to campaigns that intercept messages and deploy malicious payloads through channels such as Telegram...

February 9, 2026 - Some OpenClaw users have also been leaking API keys linked to third-party services via their control panels, further amplifying the impact of instances’ internet exposure.

April 1, 2026 - Any website could steal your authentication token and run arbitrary code on your machine through a single malicious link. The vulnerability was patched in version 2026.1.29. Before that patch landed, Censys found over 21,000 OpenClaw instances ...

February 18, 2026 - OpenClaw Security Crisis: 135,000+ instances are now exposed and active Vidar infostealer campaigns stealing gateway tokens. Signal Cage breaks down what the OSINT data shows right now.

March 2, 2026 - A high-severity vulnerability called ClawJacked in OpenClaw allowed malicious websites to brute-force and take control of local AI agent instances. Oasis Security discovered the flaw, which enabled silent data theft.

February 22, 2026 - Flare analysts have observed over 30,000 compromised OpenClaw instances used to steal API keys, intercept messages, and distribute info-stealing malware via Telegram and other malicious communication channels.

February 10, 2026 - These scripts — which mimicked trading bots, financial assistants, OpenClaw skill management systems, and content services — packaged a stealer under the guise of a necessary utility called “AuthTool”. Once installed, the malware would exfiltrate files, crypto-wallet browser extensions, seed phrases, macOS Keychain data, browser passwords, cloud service credentials, and much more. To get the stealer onto the system, attackers used the ClickFix technique, where victims essentially infect themselves by following an “installation guide” and manually running the malicious software. A security audit conducted in late January 2026 — back when OpenClaw was still known as Clawdbot — identified a full 512 vulnerabilities, eight of which were classified as critical.

March 24, 2026 - DepthFirst researcher Mav Levin discovered CVE-2026-25253, a one-click remote code execution vulnerability that could compromise any OpenClaw instance in milliseconds. Simply visiting a malicious webpage was enough to trigger the attack chain, which exploited missing WebSocket origin validation to steal authentication tokens, disable sandboxing via the API, and achieve full host compromise.

1 month ago - Earlier this month, researchers discovered over 1,000 malicious skills in OpenClaw's community marketplace (ClawHub) —fake plugins masquerading as crypto tools and productivity integrations that instead deployed info-stealers and backdoors.

February 17, 2026 - Infostealer malware stole OpenClaw AI agent files including tokens and keys, while exposed instances and malicious skills expand security risks.

February 26, 2026 - This article explores the critical security failures of the OpenClaw agentic AI, which allowed sensitive data to leak across user sessions and IM channels. It examines how architectural weaknesses in the Control UI and session management created direct paths for prompt injection and unauthorized tool use. Finally, it outlines the essential hardening steps and systematic red-teaming strategies required to transform a vulnerable "fun bot" into a secure enterprise assistant.

February 19, 2026 - Credentials and accessible data may be exposed or exfiltrated. The agent’s persistent state or “memory” can be modified, causing it to follow attacker-supplied instructions over time.

2 weeks ago - They can enable data theft, privilege escalation, sandbox escape, and persistence. AI agents often have access to files, credentials, tools, APIs, and execution environments. If compromised, attackers can use the agent’s own permissions to ...

2 weeks ago - OpenClaw trusted a client-controlled ownership flag without verifying it against the authenticated session. CVE-2026-44113 mirrored the first flaw but on the read side: an attacker could swap a validated file path with a redirect pointer aimed outside the permitted directory boundary, exposing system files and internal credentials the agent was not intended to reach. "By weaponizing the agent's own privileges, an adversary moves through data access, privilege escalation and persistence - using the agent as their hands inside the environment," Cyera said.

2 weeks ago - Deep dive into OpenClaw flaws: Discover four critical vulnerabilities enabling data theft, privilege escalation, and persistence in containerized envi

April 3, 2026 - The word ‘privilege escalation’ undersells this: the outcome is full instance takeover.” · While fixed, the vulnerability means that thousands of instances may have been compromised without users having the slightest idea.

February 4, 2026 - A security audit found 341 malicious ClawHub skills abusing OpenClaw to spread Atomic Stealer and steal credentials on macOS and Windows.

February 12, 2026 - What actually helps: review SKILL.md source before installing anything, don’t blindly playbooks add from ClawHub. Run openclaw security audit --deep after any new skill install. Enable Docker sandboxing (mode all, network none) so a bad skill can’t reach your host or network.