The OpenClaw Meltdown: 9 CVEs, 2,200 Malicious Skills, and the Forensic Dissection of a Security Crisis
- Explosive Risk: OpenClaw (formerly Clawdbot) surged to 200,000+ GitHub stars in weeks, but simultaneously accumulated 9 CVEs and over 2,200 malicious skills, with 93.4% of exposed instances lacking proper authentication.
- Framework Validation: This crisis triggered 8 of the 10 OWASP Agentic vulnerability classes (ASI01–ASI10) in production, moving the OWASP December 2025 guidelines from theoretical manual to “war diary.”
- A New Attack Primitive: The “ClawHavoc” and “ClawJacked” campaigns proved that AI agents can be socially engineered to attack their own users, using the agent’s fluency to bypass traditional human skepticism.
I’ve built systems for thirty years, and I’ve never seen a security surface expand this fast in a project that wasn’t intentionally malicious. What started in November 2025 as a “weekend hack” by Austrian developer Peter Steinberger—then called “Clawdbot”—quickly morphed into OpenClaw, a viral sensation capable of connecting to Slack, Telegram, and executing shell commands. By late January 2026, it had crossed 100,000 GitHub stars.
However, the speed of adoption was matched only by the speed of exploitation. By March 2, 2026, the ecosystem was reeling from “ClawJacked,” a disclosure revealing that any malicious website could silently hijack local agents via WebSocket trust assumptions. In just five weeks, we witnessed the birth of an unmanaged, over-privileged, and internet-connected agent with deep access to corporate crowns: email, cloud credentials, and terminal sessions.
Mapping the Carnage: The OWASP Agentic Top 10 in the Wild
The OWASP Agentic Top 10 framework, published in late 2025, provided a theoretical roadmap for agentic risks. OpenClaw turned that roadmap into a documented reality.
The Core Compromise
The attack chain often began with ASI01 (Agent Goal Hijack). Attackers didn’t need to hack the code; they simply placed “poisoned” content in Slack DMs or Google Docs. When the agent read these for a summary, it instead followed hidden instructions to exfiltrate data. This cascaded into ASI02 (Tool Misuse), where OpenClaw’s legitimate shell and SSH tools were weaponized to execute arbitrary commands.
The most chilling realization came from Hudson Rock, who documented the theft of the “soul.md” file—the agent’s complete behavioral guidelines. This ASI03 (Identity and Privilege Abuse) represents a shift from stealing browser cookies to harvesting the “souls” of AI identities, allowing attackers to perfectly masquerade as the user’s digital assistant.
The Poisoned Supply Chain
The “Sleeper Agent” scenario became real through ASI04 (Memory Poisoning). Attackers injected malicious instructions into log files that the agent would later read, effectively tricking the agent with its own memory. This was facilitated by ASI06 (Supply Chain Vulnerabilities); of the 2,890+ skills in the ClawHub registry, a staggering 41.7% were found to contain serious vulnerabilities.
The Social Engineering of AI
The Atomic macOS Stealer (AMOS) campaign introduced a genuinely novel attack primitive: ASI09 (Human-Agent Trust Exploitation). Instead of a shady website asking for your password, a malicious skill instructed the OpenClaw agent itself to present a fake setup dialog. Because the user trusted the agent’s fluency and authority, they complied. The malware didn’t engineer the human; it engineered the AI to engineer the human.
The “Lethal Trifecta” and Your Path Forward
OpenClaw’s failure stems from the Lethal Trifecta: sensitive data access, exposure to untrusted content, and external communication capabilities. This combination creates an attack surface multiplier that exists in nearly every modern AI assistant.
If your organization has OpenClaw deployments, treat this as a P0 incident:
- Immediate Discovery: Scan your network for default OpenClaw ports and search workstations for
openclaw.jsonorsoul.md. - Patch and Rotate: Update to version 2026.2.25 immediately and rotate all OAuth tokens and API keys associated with the agent.
- Enforce Least Agency: Restrict the agent’s filesystem scope and disable shell access. If an agent doesn’t need to send email, revoke that permission.
The Opening Chapter
The buffer overflow and SQL injection eras took years to mature. The agentic AI era has matured in weeks. OpenClaw is not a one-off outlier; it is the opening chapter of a new era in application security. While only 29% of organizations feel prepared to secure these deployments, the malware ecosystem is already operating at full throttle.