Three months ago, OpenClaw didn’t exist. Today it has 247,000 GitHub stars, over 2.2 million deployed agent instances, and a security track record that reads like a penetration tester’s wish list.
Nine CVEs disclosed. Over 1,184 malicious skills confirmed on ClawHub. More than 135,000 instances found exposed to the public internet with default credentials. Palo Alto Networks called it the potential biggest insider threat of 2026.
And yet—OpenClaw remains genuinely revolutionary. It turns a large language model into a 24/7 autonomous agent that can read your email, run shell commands, manage files, control your browser, and connect to over 50 services across WhatsApp, Slack, Discord, Telegram, and more. The creator described it as an AI that actually does things. He wasn’t exaggerating.
The problem isn’t the technology. It’s that most teams are deploying it without understanding what they’re exposing.
This guide covers what OpenClaw skills actually are, why the ecosystem was compromised so quickly, what’s been fixed, what hasn’t, and exactly what it takes to run them safely in an enterprise environment.
What Are OpenClaw Skills?
OpenClaw skills are modular plugin packages that extend what the AI agent can do. Each skill is built around a SKILL.md file—natural-language instructions that tell the AI how to perform a specific task. Check email. Query a database. Deploy code. Monitor a dashboard. Control smart home devices. Browse the web and fill out forms.
Unlike traditional plugins written in Python or JavaScript, OpenClaw skills use plain English instructions that the AI interprets and executes at runtime. The agent reads the skill documentation, decides which tools to use, and runs the workflow autonomously. A skill you’d spend days building as a traditional integration takes minutes as an OpenClaw plugin.
That’s the appeal. It’s also the root of nearly every security problem.
Learn how organizations can build, secure, and scale AI agent skills.
Architecture in 60 Seconds
The framework runs as a local Node.js gateway on your machine. It routes messages from connected platforms (WhatsApp, Slack, Telegram, Discord, Signal, iMessage, Microsoft Teams—over 20 channels supported) through your local AI pipeline to an LLM of your choice: Claude, GPT-4o, DeepSeek, Ollama, or any compatible model.
Three layers matter for security:
- Identity files (SOUL.md / AGENTS.md) — Define the agent’s personality, permissions, and behavioral rules. Load at every conversation start.
- The skill layer — Individual plugin packages granting specific capabilities. Over 100 preconfigured AgentSkills ship with OpenClaw; thousands more on ClawHub.
- ClawHub marketplace — The public skill registry. Now over 10,700 skills. The AI itself can discover, install, and run skills mid-conversation—no human approval needed by default.
The Security Crisis: What Actually Happened
OpenClaw went from launch to crisis in under three weeks. What follows is not opinion—it’s documented by Bitdefender, Koi Security, Snyk, Cisco, CrowdStrike, Microsoft, Kaspersky, Endor Labs, and SecurityScorecard.
The ClawHub Supply Chain Attack
The numbers kept getting worse with each independent audit:
- Koi Security (early Feb): 324 malicious skills found across 2,857 total. Weeks later, that number jumped to 824 across an expanded registry of 10,700+.
- Antiy CERT: Confirmed 1,184+ total malicious skills—roughly one in five packages on the platform.
- ClawSecure: Audited 2,890+ of the most popular skills and found 41.7% contain substantive security vulnerabilities, including command injection and credential exposure.
- Snyk ToxicSkills: 36% of all ClawHub skills contain detectable prompt injection. 283 skills (7.1%) expose credentials in plain text.
- VirusTotal: Analyzed 3,016+ skills directly and found hundreds with malicious characteristics.
A single ClawHub user—“hightower6eu”—uploaded 314+ malicious skills in an automated campaign. Another attacker, “aslaep123,” used typosquatting to mimic the legitimate user “asleep123.” Cisco tested the #1-ranked skill on ClawHub (“What Would Elon Do?”) with their Skill Scanner tool: nine security findings, two critical, functionally malware.
Why traditional antivirus misses it: Skills are written in natural language, not executable code. Malware scanners look for code signatures and suspicious binaries. A SKILL.md file that instructs the AI to silently forward data to an external server does not trip any traditional detection. The malicious instructions hide in plain sight.
The “Lethal Trifecta”
Security researcher Simon Willison coined the term for the exact combination of properties that makes OpenClaw vulnerable by design:
Default OpenClaw activates all three simultaneously. Full disk access, terminal permissions, OAuth tokens, and API keys are routinely granted just to make the agent functional. Microsoft’s Defender team published an explicit warning: OpenClaw should not run on a standard personal or enterprise workstation.
The CVE Cascade
Nine CVEs were disclosed across multiple rounds between January and March 2026. Three had public exploit code enabling one-click remote code execution:
- CVE-2026-25253 (CVSS 8.8): One-click RCE chain exploitable even against localhost-bound instances. The agent automatically connected to attacker-controlled WebSocket servers and leaked authentication tokens.
- CVE-2026-24763 / CVE-2026-25157: Command injection vulnerabilities. The default binding to 0.0.0.0:18789 exposed the full API to any network interface.
- ClawJacked (Feb 25): Malicious websites could hijack local OpenClaw agents via WebSocket. Localhost connections were implicitly trusted with auto-approved device registrations.
SecurityScorecard found over 135,000 OpenClaw instances exposed to the public internet across 82 countries. Of those, more than 53,000 correlated with prior breach activity.
What’s Been Fixed (and What Hasn’t)
To their credit, the OpenClaw team has responded aggressively:
- Version 2026.2.26 (latest stable as of March 2026) includes 40+ vulnerability patches.
- VirusTotal partnership launched—all ClawHub skills now scanned automatically using Code Insight.
- Malicious skills flagged and blocked from download. Daily re-scans catch skills that turn malicious after initial upload.
- Onboarding now includes explicit security warnings that OpenClaw is “personal-by-default” with a single trusted operator boundary.
- Jamieson O’Reilly (founder of Dvuln, CREST Advisory Council) brought on as lead security advisor.
What hasn’t been fixed: OpenClaw’s own maintainers acknowledge that VirusTotal scanning is not comprehensive. Cleverly concealed prompt injection payloads can still slip through. Endor Labs disclosed seven vulnerabilities, and it’s unclear whether all have been patched. The Snyk ToxicSkills research found that the same malicious skills targeting ClawHub also work against Cursor and other agent platforms—the attack format is portable across ecosystems.
As one of OpenClaw’s own maintainers put it on Discord: “If you can’t understand how to run a command line, this is far too dangerous of a project for you to use safely.”
Discover the hidden risks of OpenClaw and how enterprises can protect sensitive data.
How to Deploy OpenClaw Skills Safely in Production
The risks are real and well-documented. They’re also manageable—with the right architecture. Here’s what actually works, based on guidance from Microsoft Defender, Cisco, and the independent research consensus.
1. Never run on a standard workstation
Microsoft’s official position is unambiguous: deploy OpenClaw only in a fully isolated environment—a dedicated VM or separate physical system. Use dedicated, non-privileged credentials. Access only non-sensitive data. Continuous monitoring and a rebuild plan should be part of the operating model.
2. Replace ClawHub with a private, curated registry
The 41.7% vulnerability rate (ClawSecure) and 36% prompt injection rate (Snyk) make ClawHub unsuitable for any production deployment. Maintain a private skill registry where every plugin goes through manual inspection, AI behavioral analysis, and sandboxed execution testing before approval.
3. Bind to localhost and enforce authentication
The default 0.0.0.0:18789 binding is responsible for 135,000+ exposed instances. Change it to 127.0.0.1. Enable mandatory authentication. If remote access is required, place it behind a VPN—not a reverse proxy with default settings.
4. Quarantine all external content
Skills that process emails, messages, or documents should handle that content in an isolated environment with no action permissions. The AI can read and analyze—but it cannot execute commands, install plugins, or touch configuration files based on external content.
5. Lock down identity files and credentials
SOUL.md and AGENTS.md must be read-only at runtime. API keys, passwords, and OAuth tokens belong in a secrets manager—not in plain text configuration files where infostealers like RedLine and Lumma are already targeting OpenClaw file paths specifically.
6. Encrypt everything, isolate the network
All data at rest and in transit should be encrypted. AI processing should happen within a private cloud network. Conversation logs, memory files, and credential stores should never sit as plain text on the host filesystem.
DIY Deployment vs. Managed Platform: The Real Trade-Off
The honest question most engineering teams face: build all six security layers in-house, or use a managed platform?
| Risk Area | Self-Hosted (DIY) | Managed Platform |
|---|---|---|
| Network Isolation | Manually rebind + VPN + firewall rules | Private cloud, localhost-only by default |
| Skill Vetting | DIY review of 10,700+ skills | Curated private registry + multi-stage scanning |
| Prompt Injection | VirusTotal catches some; many slip through | AI-native behavioral filtering (beyond signatures) |
| Identity File Protection | Manual chmod + monitoring scripts | Immutable config + continuous integrity checks |
| Credential Storage | Migrate to secrets manager manually | Encrypted vault, zero plain-text storage |
| Compliance | Build GDPR/HIPAA controls from scratch | Built-in audit logging + compliance frameworks |
Self-hosting is viable if you have a dedicated security team, deep AI agent expertise, and the bandwidth to track a project that’s shipped 40+ security patches in six weeks. Most organizations don’t—and the cost of getting it wrong is a breach that CrowdStrike has already classified as “full-scale.”
The Bottom Line
OpenClaw is one of the most significant open-source projects of 2026. Its skill system is what transforms a chatbot into an autonomous agent that can genuinely replace hours of daily work. But autonomy without controls is liability—and the default installation provides almost none.
The security challenges are well-documented by Microsoft, Cisco, CrowdStrike, Kaspersky, and a dozen independent research teams. They’re not reasons to avoid OpenClaw. They’re reasons to deploy it with the right architecture.
Frequently Asked Questions About OpenClaw Skills
What are OpenClaw skills?
OpenClaw skills are natural-language plugin packages that teach the AI agent new capabilities. Each skill is built around a SKILL.md file with instructions the AI interprets at runtime. Skills can check email, run shell commands, browse the web, manage files, interact with APIs, and automate multi-step workflows across 20+ connected messaging platforms.
How many OpenClaw skills are malicious?
As of March 2026, Antiy CERT confirmed over 1,184 malicious skills on ClawHub out of 10,700+ total—roughly 1 in 5. ClawSecure’s independent audit found 41.7% of popular skills contain substantive security vulnerabilities. Snyk’s ToxicSkills research found 36% contain detectable prompt injection and 7.1% expose credentials in plain text.
What is prompt injection and how does it affect OpenClaw?
Prompt injection embeds hidden instructions inside content the AI processes—an email, document, or web page. When OpenClaw reads that content, it cannot distinguish malicious instructions from legitimate ones. Researchers demonstrated attacks where a single crafted message caused OpenClaw to exfiltrate credentials, modify its own identity files for persistent control, and install backdoors. Snyk found 36% of ClawHub skills contain this vulnerability.
What CVEs have been found in OpenClaw?
Nine CVEs have been disclosed across multiple rounds, including CVE-2026-25253 (CVSS 8.8, one-click RCE), CVE-2026-24763 and CVE-2026-25157 (command injection), CVE-2026-25475, CVE-2026-25593, CVE-2026-26319, CVE-2026-26322, and CVE-2026-26329 (ranging from SSRF to path traversal to authentication bypass). Three had public exploit code. Kaspersky independently identified 512 vulnerabilities, 8 critical. Most have been patched in v2026.2.26.
Can I use OpenClaw with GDPR or HIPAA compliance?
Not in its default configuration. OpenClaw stores conversation logs, credentials, and memory files in plain text. Data is sent to third-party AI providers over the public internet. Kaspersky and Microsoft both note that API keys and OAuth tokens are stored unencrypted. Achieving compliance requires end-to-end encryption, private cloud processing, audit logging, and credential management that the default installation does not provide.
Is OpenClaw safe for enterprise use?
Not without significant additional infrastructure. The framework itself is powerful and improving rapidly—v2026.2.26 includes 40+ security patches and VirusTotal integration. But the default out-of-box experience remains dangerous for organizations that do not actively configure isolation, authentication, encrypted credential storage, content filtering, and continuous monitoring. A managed platform that provides these controls is the fastest path to production-grade deployment.
Ready to deploy OpenClaw skills without the risk?
Book a Strategy Call
