The OpenClaw Meltdown: 9 CVEs, 2,200 Malicious…

💡 TL;DR (Too Long; Didn't Read)

Key takeaways in 60 seconds:

OpenClaw (formerly Clawdbot/Moltbot) went from zero to 200,000+ GitHub stars in weeks. In the same timeframe, it accumulated 9 disclosed CVEs, 2,200+ malicious skills in its marketplace, and 40,000+ internet-exposed instances — 93.4% with authentication bypass.

8 of the 10 OWASP Agentic vulnerability classes (ASI01–ASI10) were triggered in production by real incidents, not hypothetical scenarios. OpenClaw is the first comprehensive field test of the framework OWASP published in December 2025.

The attack chain is textbook: Supply Chain (ASI06) → Goal Hijack (ASI01) → Tool Misuse (ASI02) → Identity Abuse (ASI03) → Data Exfiltration. A single malicious skill can chain all four in one execution.

Atomic macOS Stealer (AMOS) was distributed through ClawHub skills that used the AI agent itself as a social engineering vector — tricking the agent into presenting fake setup dialogs to the user. This is a new attack primitive: malware that socially engineers AI, not humans directly.

"ClawJacked" (disclosed today, March 2, 2026): Any malicious website can silently hijack local OpenClaw agents via WebSocket trust assumptions. One click. Full compromise. Even localhost-bound instances are vulnerable.

Bottom line: If your organization has developers running OpenClaw, you already have an unmanaged, over-privileged, internet-connected agent with access to your email, Slack, cloud credentials, and terminal. Treat it as a P0 incident.

Series: OWASP Agentic Top 10 Deep Dive — Part 2 of 7 Previous: The New Security Bible: Why Every Engineer Building AI Agents Needs the OWASP Agentic Top 10

"To master a tool, you need to understand how it was built. To survive an era, you need to understand how things break."

The Timeline That Should Terrify You

Before we dissect the OWASP mappings, you need to see the velocity of this crisis. I've built systems for thirty years, and I've never seen a security surface expand this fast in a project that wasn't intentionally malicious.

November 2025: Austrian developer Peter Steinberger publishes "Clawdbot" as a weekend hack — a local AI agent that connects to WhatsApp, Telegram, Slack, and can execute shell commands. It goes viral in tech communities.

Late January 2026: The project (now renamed OpenClaw after trademark disputes) crosses 100,000 GitHub stars. Censys tracks growth from ~1,000 to 21,000+ publicly exposed instances in six days. Bitsight independently identifies 30,000+.

January 30, 2026: CVE-2026-25253 is disclosed — a CVSS 8.8 one-click RCE chain. Three high-severity advisories are published on the same day. The project scrambles to release version 2026.1.29.

February 2, 2026: Researchers report the ClawHavoc campaign — 341 malicious skills discovered on ClawHub, approximately 12% of the entire registry. The number climbs to 800+ within days.

February 13, 2026: GitHub issue #16052 formalizes the supply chain crisis. Trend Micro identifies 39 skills distributing AMOS (Atomic macOS Stealer) through a novel technique: the malicious skill instructs the OpenClaw agent itself to present fake CLI installation dialogs to users.

February 15, 2026: Sam Altman announces Peter Steinberger is joining OpenAI. OpenClaw will be moved to a foundation. The security crisis continues unabated.

February 23, 2026: Trend Micro publishes a comprehensive analysis documenting 2,200+ malicious skills across ClawHub and SkillsMP registries. Security researcher Maor Dayan identifies 42,665 exposed instances, with 5,194 confirmed vulnerable.

February 26, 2026: "ClawJacked" is patched in version 2026.2.25 — a design flaw where any website can hijack local agents via WebSocket connections that the gateway auto-trusts from localhost.

March 2, 2026 (today): The ClawJacked disclosure goes public. OpenClaw has shipped over 40 security fixes across recent releases. The ecosystem remains under active attack.

Five weeks. Nine CVEs. Two thousand malicious packages. Forty thousand exposed instances. And this is a personal AI assistant that many developers gave full shell access, OAuth tokens for email, cloud credentials, and API keys.

Let that sink in.

Mapping the Carnage: OpenClaw vs. OWASP Agentic Top 10

In Part 1 of this series, Athena laid out the OWASP Agentic Top 10 framework as a theoretical field manual. OpenClaw has turned that field manual into a war diary.

I'm going to walk through each vulnerability class and show you exactly how OpenClaw triggered it — not with hypothetical scenarios, but with CVE numbers, attack chains documented by CrowdStrike, Trend Micro, Oasis Security, and Hudson Rock, and code you can audit yourself.

ASI01 — Agent Goal Hijack ✅ CONFIRMED

What OWASP says: An attacker alters an agent's objectives by injecting malicious instructions into data the agent processes — poisoned emails, PDFs, meeting invites, RAG documents, or web content. Agents cannot reliably separate instructions from data.

What OpenClaw proved: This isn't a theoretical edge case. It's the default operating mode for attacks against OpenClaw.

The Cyera Research Labs analysis documented the exact mechanism. OpenClaw connects to your email, Slack, Google Docs, and Notion. Every one of these surfaces allows an external attacker to inject content that the agent processes. A malicious Slack DM can coerce the agent into running global searches for credentials and exfiltrating results. A shared Google Doc with invisible or low-contrast instructions can redirect the agent to export contacts, spreadsheets, and Drive contents when the user asks for a summary.

The critical insight: the attacker never needs to compromise the skill itself. They just need to place poisoned content on any surface the agent reads.

The log poisoning variant patched in version 2026.2.13 demonstrated an even more insidious attack: an attacker writes crafted content into gateway log files via WebSocket requests. When the agent later reads its own logs for troubleshooting (a standard behavior), the poisoned log entry contains malicious instructions that the LLM follows. The agent is literally tricked by its own memory.

ASI02 — Tool Misuse ✅ CONFIRMED

What OWASP says: Agents use legitimate tools in unsafe or unintended ways due to ambiguous commands or malicious influence. The tools themselves aren't malicious — they're over-permitted.

What OpenClaw proved: OpenClaw's architecture is essentially a tool misuse engine by design. The agent runs with full shell access, API keys in its configuration, and the ability to install and run skills from a community marketplace.

CVE-2026-25157 (high-severity command injection in SSH handling) demonstrates the pattern perfectly. Improperly escaped inputs in the macOS application's SSH handler allow attackers to execute arbitrary commands on local or remote hosts. The SSH tool is legitimate. The use of the SSH tool is weaponized through input manipulation.

The deeper problem is what the Stellar Cyber research team described: your agent's access controls are governed by network-level permissions. If the agent account has API access to a customer database, the firewall will allow any query from that agent. The firewall cannot distinguish between legitimate retrieval and unauthorized extraction. Semantic validation at the network layer simply doesn't exist.

ASI03 — Identity and Privilege Abuse ✅ CONFIRMED

What OWASP says: Attackers exploit existing permissions or cached credentials to escalate privileges. Risk increases when agents use shared identities or reuse tokens across security contexts.

What OpenClaw proved: The Hudson Rock discovery is the most chilling example. Their team documented an information stealer infection that successfully exfiltrated a victim's entire OpenClaw configuration: openclaw.json (gateway tokens and email), device.json (cryptographic keys for pairing and signing), and soul.md (the agent's complete operational principles and behavioral guidelines).

As Hudson Rock put it: "This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI agents." The stolen gateway token allows an attacker to connect to the victim's OpenClaw instance remotely or masquerade as the client in authenticated requests.

This maps directly to what Palo Alto Networks flagged in their OWASP analysis: the average enterprise faces an 82:1 machine-to-human identity ratio. Every AI agent becomes an aggregation point for non-human identities. When one agent is compromised, the attacker inherits the authority of every key, token, and service account assigned to it.

ASI04 — Memory Poisoning ✅ CONFIRMED

What OWASP says: Attackers corrupt the data sources the agent relies on for knowledge and decision-making, leading to flawed, biased, or malicious outcomes. Memory poisoning scales across time — one injection compromises months of interactions.

What OpenClaw proved: The log poisoning attack (patched in 2026.2.13) is a textbook implementation of ASI04. But Lakera AI research paints an even darker picture: indirect prompt injection via poisoned data sources can corrupt an agent's long-term memory, causing it to develop persistent false beliefs about security policies and vendor relationships. The agent defends these false beliefs as correct when questioned by humans.

This creates the "sleeper agent" scenario that keeps security teams awake at night. The initial injection may be invisible. The downstream damage only manifests when the planted instruction is activated weeks or months later. Traditional incident response assumes containment happens quickly. Memory poisoning breaks that assumption completely.

One real-world example reported by Stellar Cyber: a manufacturing company's procurement agent was manipulated over three weeks through seemingly helpful "clarifications" about purchase authorization limits. By the time the attack was complete, the agent believed it could approve any purchase under $500,000 without human review. The attacker then placed $5 million in false purchase orders across ten separate transactions.

ASI05 — Unsafe Code and Output Handling ✅ CONFIRMED

What OWASP says: Agents generate and execute code without proper validation, creating injection vectors.

What OpenClaw proved: The core exploit chain in CVE-2026-25253 demonstrates this perfectly. The OpenClaw Control UI accepts a gatewayUrl parameter from the query string and automatically establishes a WebSocket connection to that URL — transmitting the user's authentication token without confirmation. The attacker crafts a malicious link. The victim clicks it. Their auth token is exfiltrated. The attacker connects to the gateway, disables sandboxing, and executes arbitrary commands.

But the skill ecosystem makes this worse. The "soul-evil" hook documented by security researchers showed how prompt injection can chain with OpenClaw features to achieve persistent compromise. Skills can contain SKILL.md files with arbitrary instructions that the agent executes. The 2,200+ malicious skills identified by Trend Micro include:

Base64-encoded payloads that decode to curl commands downloading arbitrary code from attacker infrastructure
Hidden MCP server endpoints routing through bore.pub tunneling to attacker-controlled hosts
GitHub repositories hosting malicious installers disguised as driver packages

Every one of these payloads was generated and executed by the agent framework without adequate sandboxing or output validation.

ASI06 — Supply Chain Vulnerabilities ✅ CONFIRMED

What OWASP says: Risks arise from third-party models, tools, or pre-configured agent personas that may be compromised or malicious. What makes this trickier than traditional software is that agentic components are often loaded dynamically.

What OpenClaw proved: This is where the crisis reaches industrial scale.

The numbers are staggering: 2,200+ malicious skills identified across ClawHub and SkillsMP registries. An independent audit of 2,890+ OpenClaw skills found 41.7% contain serious security vulnerabilities. The Barracuda Security report identified 43 agent framework components with embedded supply chain vulnerabilities.

The Trend Micro analysis of the AMOS distribution campaign reveals a genuinely novel attack primitive. The malicious skills don't just contain malware — they instruct the OpenClaw agent itself to present fake setup requirements to users. The agent becomes a trusted intermediary for social engineering. It tells the user, with all the fluency and authority of an AI assistant, that it needs a password to complete the installation. The user trusts the agent. The malware is installed.

This is not traditional supply chain poisoning. This is agentic supply chain poisoning — where the compromised component weaponizes the agency of the host system. The skill marketplace has all the attack vectors of npm, PyPI, and any other package registry (typosquatting, mass uploads, social engineering), but with a critical difference in privilege. A compromised dependency in a web application runs in a sandboxed runtime. A compromised OpenClaw skill runs with the agent's full permissions — shell access, file system, OAuth tokens, API keys, cloud credentials.

ASI07 — Insecure Inter-Agent Communication ⚠️ PARTIALLY CONFIRMED

What OWASP says: In multi-agent systems, coordination often lacks encryption, authentication, or integrity checks. Attackers can intercept, spoof, or modify messages between agents.

What OpenClaw proved: While OpenClaw is primarily a single-agent framework, the ClawJacked vulnerability demonstrates the inter-communication attack vector. The gateway trusts WebSocket connections from localhost, and modern browsers allow JavaScript on any website to open cross-origin WebSocket connections to local services. The attacker registers a rogue "device" that the gateway treats as trusted — effectively creating an unauthorized inter-agent communication channel.

The Cisco State of AI Security 2026 report documented broader patterns: a compromised research agent inserting hidden instructions into output consumed by a financial agent, which then executed unintended trades. OpenClaw's expanding ecosystem of skills and MCP server integrations creates the infrastructure for exactly this kind of inter-agent attack, even if individual instances are technically single-agent.

ASI08 — Cascading Failures ⚠️ PARTIALLY CONFIRMED

What OWASP says: A single error — caused by hallucination, prompt injection, or any other glitch — can ripple through and amplify across a chain of autonomous agents.

What OpenClaw proved: The ClawHavoc campaign demonstrates cascading failure at the ecosystem level, if not at the multi-agent level. A single malicious skill can chain: infection of the agent → exfiltration of OAuth tokens → lateral movement through connected SaaS → compromise of downstream services. The "bob-p2p-beta" malicious skill went further: it instructed other AI agents (not just the host) to store Solana wallet private keys in plaintext and route payments through attacker infrastructure. This is cascading failure crossing agent boundaries.

ASI09 — Human-Agent Trust Exploitation ✅ CONFIRMED

What OWASP says: Agents can be fluent and persuasive. Attackers exploit anthropomorphic trust to induce users to perform harmful actions. The agent acts as a "bad influence," but the human is the one who performs the final audited action.

What OpenClaw proved: The AMOS distribution campaign is the defining case study for ASI09. The attack works in three stages:

Malicious skill is installed (ASI06 — Supply Chain).
The skill instructs the agent to display a fake "CLI installation required" dialog (ASI01 — Goal Hijack + ASI09 — Trust Exploitation).
The user, trusting the agent's recommendation, enters their system password into the fake dialog (Human performs the final action).

To a forensic team, it looks like the user voluntarily installed software and entered their password. The agent's manipulation stays invisible. This is exactly the attack pattern OWASP warned about, executed at scale through a community marketplace.

ASI10 — Rogue Agents ✅ CONFIRMED

What OWASP says: Compromised or misaligned agents diverge from intended behavior.

What OpenClaw proved: Every compromised OpenClaw instance running a malicious skill is, by definition, a rogue agent. But the most significant example is the infostealer that captured soul.md — the agent's behavioral guidelines. An attacker who possesses your agent's soul file, gateway token, and cryptographic keys can create a perfect copy of your agent, with your permissions, your behavioral profile, and your connected services. The rogue agent is your agent, running on attacker infrastructure.

The OWASP Coverage Matrix

ASI	Vulnerability Class	Status	Key Evidence
ASI01	Agent Goal Hijack	✅	Indirect prompt injection via Slack, email, Google Docs, log poisoning
ASI02	Tool Misuse	✅	CVE-2026-25157 (SSH command injection), over-privileged shell access
ASI03	Identity & Privilege Abuse	✅	Hudson Rock soul.md theft, 82:1 NHI ratio, OAuth token aggregation
ASI04	Memory Poisoning	✅	Log poisoning (patched 2026.2.13), persistent false belief attacks
ASI05	Unsafe Code/Output	✅	CVE-2026-25253 (RCE), skill payloads executing arbitrary code
ASI06	Supply Chain	✅	2,200+ malicious skills, ClawHavoc, AMOS distribution
ASI07	Inter-Agent Communication	⚠️	ClawJacked WebSocket trust, bob-p2p-beta cross-agent instructions
ASI08	Cascading Failures	⚠️	Ecosystem-level cascading via OAuth token chains
ASI09	Trust Exploitation	✅	AMOS fake dialog campaign — agent as social engineering vector
ASI10	Rogue Agents	✅	Infostealers capturing complete agent identity (soul.md + tokens)

Score: 8/10 confirmed, 2/10 partially confirmed. In five weeks.

No other single incident in the history of application security has validated this many vulnerability classes from a new framework this quickly. The OWASP Agentic Top 10 was published December 10, 2025. OpenClaw proved every entry by early March 2026. The framework didn't predict the future — it described the present.

The "Lethal Trifecta" Dissected

Multiple security researchers have converged on a concept that explains why OpenClaw was uniquely catastrophic. They call it the Lethal Trifecta:

Sensitive data access: Email, calendar, files, cloud credentials, API keys — all accessible through a single agent.
Untrusted content exposure: The agent ingests content from email, Slack, web pages, shared documents — all of which can contain adversarial instructions.
External communication ability: The agent can send emails, post messages, make API calls — enabling exfiltration through legitimate channels.

Any system that combines all three becomes an attack surface multiplier. OpenClaw is a textbook implementation of the Lethal Trifecta. But here's the uncomfortable truth: so is every agentic AI assistant that connects to your workplace tools. The difference between OpenClaw and your company's internal AI agent is not the architecture. It's the maturity of the security controls.

What You Need To Do Right Now

I don't do hand-waving recommendations. Here's the concrete action list, ordered by blast radius:

If Your Organization Has OpenClaw Deployments (Priority: P0)

First, discover them. Run a network scan for OpenClaw's default ports. Check for the openclaw.json, device.json, and soul.md files on developer workstations. Many installations happened without IT knowledge — this is shadow AI at its most dangerous.

bash

# Hunt for OpenClaw installations on macOS/Linux
find /Users -name "openclaw.json" -o -name "device.json" -o -name "soul.md" 2>/dev/null

# Network scan for default gateway port
nmap -p 3000,3001 --open 192.168.1.0/24

Second, patch immediately. Every instance must be running version 2026.2.25 or later. Versions prior to 2026.1.29 are confirmed vulnerable to the one-click RCE chain.

Third, audit connected services. Review every OAuth grant, API key, and token permission associated with OpenClaw instances. Assume these have been compromised and rotate credentials.

Fourth, enforce least privilege. Restrict filesystem scope, disable shell access where not needed, remove unnecessary OAuth scopes. If the agent doesn't need to send email, revoke the email scope.

Fifth, treat ClawHub as an untrusted supply chain. Run openclaw security audit --deep on every instance. Enforce allowlists for approved skills. Treat every third-party skill as potentially hostile.

If You're Building Any Agentic AI System (Priority: P1)

Apply the OWASP Agentic Top 10 as your security requirements baseline. If you haven't read the full framework overview, stop reading this article and go read it now.

Implement the two foundational OWASP principles: Least Agency (constrain what agents can decide to do) and Strong Observability (log every decision, tool call, and state change). Neither works without the other.

Design for the Lethal Trifecta. If your agent combines sensitive data access, untrusted content exposure, and external communication, you will become a case study. Architect around it by isolating high-privilege operations into separate, tightly-controlled agents with human-in-the-loop gates.

typescript

// Minimal-privilege agent configuration pattern
interface AgentSecurityConfig {
  // Explicit capability allowlist — deny everything else
  allowedTools: string[];
  // Filesystem scope — jail the agent
  filesystemRoot: string;
  maxFileSystemDepth: number;
  // Network scope — block exfiltration paths
  allowedDomains: string[];
  blockOutboundOnUntrustedContent: boolean;
  // Human-in-the-loop gates
  requireApproval: {
    shellCommands: boolean;    // ALWAYS true
    emailSend: boolean;        // ALWAYS true
    oauthGrant: boolean;       // ALWAYS true
    fileDelete: boolean;       // ALWAYS true
    externalApiCall: boolean;  // true for sensitive APIs
  };
  // Observability — log everything
  auditLog: {
    logToolInvocations: boolean;
    logDecisionChains: boolean;
    logContextSources: boolean;
    retentionDays: number;
  };
}

Never trust agent-generated code. Scan every line for vulnerabilities before execution. Ban dangerous functions like eval(). This was already DevSecOps best practice — now extend it to all code written by AI agents.

Secure your skill/plugin supply chain. If your agent framework supports community extensions, treat that marketplace as an attack vector. Pin versions. Verify signatures. Run behavioral analysis, not just static scanning — the attackers are already bypassing VirusTotal by hosting payloads externally.

If You're a Developer Who Ran OpenClaw Casually (Priority: P1)

Assume your API keys, OAuth tokens, and credentials were exposed. Rotate everything. Check your email forwarding rules — compromised agents have been known to create silent forwarding rules to exfiltrate ongoing communications.

Review your Slack/Teams messages, Google Docs, and Notion pages for injected content. If you shared workspace access with the agent, an attacker may have planted instructions that will fire the next time the agent processes that content.

The Uncomfortable Truth

I've been building systems since before Git existed. I watched the buffer overflow era. I watched the SQL injection era. I watched the deserialization era. Every generation of vulnerability follows the same pattern: a powerful new capability is deployed before the security model catches up, and the gap between capability and security produces a crisis that forces the industry to mature.

We are in that gap right now for agentic AI.

The difference this time is the speed. OpenClaw went from zero to 200,000 stars and 40,000+ exposed instances in weeks, not years. The malware ecosystem adapted in days, not months. The AMOS campaign that used AI agents as social engineering vectors represents a genuinely novel attack primitive that didn't exist six months ago.

Cisco's State of AI Security 2026 found that while most organizations planned to deploy agentic AI, only 29% reported being prepared to secure those deployments. That 71% gap is not a statistic. It is an invitation.

The OWASP Agentic Top 10 gave us the vocabulary. OpenClaw gave us the proof. The question now is whether we treat this as a one-off incident or recognize it for what it is: the opening chapter of a new era in application security.

I know which one it is. I've seen this movie before. The only question is whether you'll be ready for act two.

Next in the OWASP Agentic Series: Part 3 — Attack Chains Deconstructed: How Goal Hijack, Tool Misuse, and Identity Abuse Combine Into Full System Compromise (coming next week)

The OpenClaw Meltdown: 9 CVEs, 2,200 Malicious Skills, and the Most Comprehensive Real-World Test of the OWASP Agentic Top 10

✨TL;DR / Executive Summary