
    OPENCLAW JUST GOT DISSECTED

    Beneath the Vibe: Unmasking Critical Vulnerabilities in the Internet’s Favorite AI Assistant

    • Holistic Security Audit: Beyond individual bugs, we categorized exploits across 10 distinct vectors to understand why OpenClaw’s rapid development cycle invites systemic risk.
    • The “Happy Path” Pitfall: We explore how a “vibe coding” workflow—merging 300+ commits daily via AI—prioritizes user delight over security hygiene, leaving critical backdoors wide open.
    • Specific Exploits & Fixes: We detail two major vulnerabilities—broken access control and supply chain RCE—alongside the specific pull requests (PRs) we submitted to close them.

    OpenClaw is, by all accounts, awesome. Created by Pete Steinberger (@steipete), a developer with a legendary track record, it has quickly become the poster child for the new era of “agentic” AI. Built with a lightning-fast workflow involving multiple sessions of OpenAI’s Codex and frontier models, Pete has been able to merge an incredible 300+ commits a day. This “lightning in a bottle” has captured the community’s imagination, racking up 180,000 stars and 9,000 commits in record time.

    However, this breakneck speed comes at a cost. While the project focuses on the “happy path”—building features that delight users and meet soaring demand—the security perimeter has become an afterthought. In our comprehensive review of the 400,000+ lines of code, we found that even with the strongest AI models assisting a capable developer, the focus on execution speed has left the “front door” unlocked.

    The Open Front Door: VULN-188

    OpenClaw operates as a multi-channel AI messaging gateway. When a client connects via WebSocket, they are supposed to declare their “role” and “scopes.” These scopes determine whether the user can simply read data or exercise “god mode” (operator.admin) to shut down the gateway or execute shell commands.

    We discovered that if a client simply omits the scopes field entirely during the handshake, the server defaults to granting full administrative control. This is a textbook case of Broken Access Control (OWASP A01:2021). It was likely an early development shortcut to make the first-party UI easier to build, but in a production environment, it means anyone with a valid token can bypass all restrictions by just “forgetting” to ask for permission.

    The Fix: We proposed changing the default state to “least-privilege” (operator.read) or rejecting the connection entirely if scopes are missing.
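    To make the VULN-188 failure mode concrete, here is an added illustration (not OpenClaw's code; the scope names follow the write-up, the handshake shape, function names and the `onMissing` option are assumed) of a permissive scope resolver beside a hardened one that implements both proposed fixes:

```javascript
// Added example: resolving a client's requested "scopes" at WebSocket handshake time.
// Not OpenClaw's code. Scope names come from the write-up; everything else is assumed.

const KNOWN_SCOPES = new Set(["operator.read", "operator.write", "operator.admin"]);
const LEAST_PRIVILEGE = ["operator.read"];

// The pattern described for VULN-188: an absent "scopes" field silently widens
// to full admin, so a client escalates simply by omitting the field.
function resolveScopesPermissive(handshake) {
  return handshake.scopes ?? ["operator.admin"];
}

// Hardened resolver. `onMissing` selects between the two proposed fixes:
// "least-privilege" defaults an absent field to operator.read, "reject" refuses
// the connection instead. Malformed or unknown scopes are always rejected.
function resolveScopesStrict(handshake, onMissing = "least-privilege") {
  const requested = handshake.scopes;
  if (requested === undefined) {
    if (onMissing === "reject") return { ok: false, reason: "scopes field is required" };
    return { ok: true, scopes: [...LEAST_PRIVILEGE] };
  }
  if (!Array.isArray(requested) || requested.length === 0) {
    return { ok: false, reason: "scopes must be a non-empty array" };
  }
  for (const s of requested) {
    if (typeof s !== "string" || !KNOWN_SCOPES.has(s)) {
      return { ok: false, reason: `unknown scope: ${String(s)}` };
    }
  }
  return { ok: true, scopes: [...new Set(requested)] };
}

// Per-action check: every privileged gateway operation names the scope it needs.
function authorize(grantedScopes, requiredScope) {
  return grantedScopes.includes(requiredScope);
}

// Run the same scope-less handshake (constructed sample) through both resolvers.
function demo() {
  const handshake = { role: "operator", token: "<valid token>" }; // no scopes field
  const permissive = resolveScopesPermissive(handshake);
  const strict = resolveScopesStrict(handshake);
  return {
    permissiveCanShutdown: authorize(permissive, "operator.admin"),
    strictCanShutdown: strict.ok && authorize(strict.scopes, "operator.admin"),
    strictRejected: !resolveScopesStrict(handshake, "reject").ok,
  };
}
```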


    Supply Chain Sabotage: VULN-210

    The second major exploit we surfaced involves OpenClaw’s plugin system. To make the assistant more powerful, users can install third-party plugins. The gateway automates this by running npm install. Crucially, the system was missing the --ignore-scripts flag.

    Without this flag, npm executes any lifecycle scripts (preinstall, postinstall) embedded in the plugin’s dependency tree. An attacker could create a seemingly harmless plugin that contains a malicious script three levels deep in its dependencies. The moment a user clicks “install,” that script runs with the full permissions of the OpenClaw process, allowing an attacker to exfiltrate API keys, install persistent backdoors, or pivot to other systems on the network.

    Surgical Precision: PR #8073

    We didn’t just find these holes; we helped plug them. Our PR for VULN-210 added the --ignore-scripts flag to the npm install command. During the review, an automated reviewer (Greptile bot) flagged that our initial test mock didn’t capture the full command signature. We refined the fix so that the test now asserts that npm runs in the correct directory and that exactly one call exists with the security flag included.
