The Claw Security Ledger - 10 Products in the Dock
We audited ten AI agent products sold under the Claw name. The ledger shows 11 live CVEs, 130 published advisories, 1,184 malicious marketplace skills, and one leaked SSL private key - concentrated almost entirely in a single vendor.
7 min read
Our analysis of ten AI agent products that carry the Claw name found 11 live CVEs, 130 published GitHub security advisories, 1,184 malicious marketplace skills, one leaked wildcard SSL key, and a single coordinated repository wipe campaign that hit seven unrelated open-source projects. Nine of those numbers belong to the same vendor.
TL;DR
- Our analysis: six of the ten Claw-branded products we tracked disclosed a security event in the last 90 days; only three shipped with a sandbox on by default
- Our analysis: OpenClaw carries 11 assigned CVEs, 130 GitHub advisories, and roughly 135,000 publicly exposed instances, 93 percent of which default to no authentication
- Our analysis: ClawHub, OpenClaw's skill marketplace, shipped 1,184 confirmed malicious packages through uncurated publishing - 11 percent of the registry
- Our analysis: 360 Security Claw shipped a wildcard SSL private key inside its public installer on day one and still doesn't hold an assigned CVE
- Our analysis: the three newer alternatives (IronClaw, ZeroClaw, PicoClaw) carry zero disclosed CVEs between them but together account for under ten percent of OpenClaw's install base
Methodology
We treated every Claw-branded product we could identify as a single subject and scored it on seven dimensions: assigned CVE count, open GitHub advisories, publicly reachable instances, marketplace poisoning rate, authentication default, sandbox default, and incident status across the 90 days ending April 21, 2026. Data was pulled from each project's GitHub security tab, CNA public feeds, Koi Security and Snyk telemetry cited in their February and March publications, Qihoo 360's installer binary, and Awesome Agents reporting referenced inline below. Where a project has no public repository (NemoClaw), we scored only the dimensions that are observable at announcement time.
The sample is ten products. It is not exhaustive - several Chinese vendors run internal Claw forks that we could not verify - but it covers every Claw-branded product with 1,000 or more GitHub stars or a commercial launch announcement.
The Ledger
| Product | Vendor | Stars | Assigned CVEs | Open Advisories | Exposed Instances | Marketplace Risk | Auth default | Sandbox default | 90-Day Incident |
|---|---|---|---|---|---|---|---|---|---|
| OpenClaw | Foundation (ex-Steinberger) | 360,891 | 11 | 130 | ~135,000 | 1,184 malicious skills | off | off | Yes - CVE-2026-25253, marketplace poisoning, China restrictions |
| ClawHub | Foundation | n/a | 0 (not tracked) | n/a | n/a | 11% of 10,700 skills flagged | n/a | n/a | Yes - ClawHavoc campaign, 12 publisher accounts banned |
| 360 Security Claw | Qihoo 360 | closed source | 0 | not disclosed | unknown | wraps OpenClaw | unknown | unknown | Yes - wildcard SSL private key shipped in installer |
| Claw-Code | Community fork | 100,000+ | 0 | 0 | n/a | forked from DMCA'd source | n/a | inherits Claude Code | Yes - DMCA takedown wave, 8,100 repositories |
| NemoClaw | NVIDIA | pre-launch | 0 | 0 | 0 | none yet | TBD | TBD | No - not yet shipped |
| DefenseClaw | Cisco | ~6,100 | 0 | 0 | n/a (it's the control) | n/a | on | on | No |
| IronClaw | Jones / independent | 11,800 | 0 | 0 | n/a | 890 signed skills | on | capability-based | No |
| ZeroClaw | Tanaka / community | 15,200 | 0 | 0 | n/a | 4,800 skills (inherited) | off | Wasm on | No |
| PicoClaw | Petrov / ETH Zurich | 8,400 | 0 | 0 | n/a | 340 curated | on | minimal surface | No |
| HackerBot Claw | attacker (autonomous agent) | n/a | n/a | n/a | n/a | weaponised | n/a | n/a | Yes - wiped Trivy, hit six more repos |
The distribution is lopsided on purpose. OpenClaw, ClawHub and 360 Security Claw account for every assigned CVE, every exposed instance and every leaked credential in the set. The four alternatives built in direct response to OpenClaw's posture (DefenseClaw, IronClaw, ZeroClaw, PicoClaw) carry zero disclosed CVEs between them - but they also carry a combined install base that our GitHub star sampling suggests is under ten percent of OpenClaw's reach.
The CVE count is only one layer of the posture. Default auth, sandbox model and marketplace curation live further down the stack, and all three are where Claw products diverge.
Source: unsplash.com
How This Compares to Public Filings
The NVD database lists 11 OpenClaw CVEs assigned since late January, headed by CVE-2026-25253 at CVSS 8.8. That tracks with the OpenClaw GitHub security tab, which lists 130 advisories as of this morning. Where the numbers diverge is on the Argus Security Platform audit filed as issue #1796 on January 25: 512 total findings across SAST, secrets scanning and dependency analysis, of which only 28 have since been assigned CVE numbers. NVD doesn't see the other 484.
Qihoo 360's installer leak is the sharper filing gap. A wildcard private key for *.myclaw.360.cn, valid until April 2027, shipped inside the retail installer on March 10 and was found on March 16. No CVE has been assigned. The MITRE CNA queue shows the vulnerability as "received," not published. Users who installed the product in the six-day window have no formal filing to point to when rotating trust.
ClawHub's 1,184 malicious skills never show up in CVE databases either. Marketplace poisoning doesn't fit the vulnerability model CNAs work with - each malicious package is a policy failure, not a software flaw. The closest formal record is the Cisco Talos and Koi Security threat bulletins from February. Neither counts toward any product's "assigned CVE" number.
Roughly 135,000 OpenClaw instances are publicly reachable over the internet, up from 42,000 in February. The disclosure filings don't capture the posture choice that turned a local tool into a wide-area surface.
Source: unsplash.com
What the Filings Don't Say
Default auth. Of the ten products, three ship with authentication off by default: OpenClaw, ZeroClaw and any third-party fork that inherits OpenClaw's default config. Shodan scans put publicly reachable instances at roughly 135,000 for OpenClaw alone, up from 42,000 in February. The GitHub advisory count captures the bugs. It does not capture the posture choice that turned a LAN tool into an internet surface.
Sandboxing. Only IronClaw, DefenseClaw, ZeroClaw and PicoClaw run skills in a sandbox by default. IronClaw's capability-based model is the strictest - a malicious skill we ported from ClawHub failed at runtime because it lacked a NetConnect capability. OpenClaw runs skills in-process with the same privileges as the host agent. That's not a vulnerability per NVD's definition. It's the reason the marketplace poisoning worked.
Marketplace curation. ClawHub accepts packages from accounts seven days old with no code signing, no review and no sandbox verification. IronClaw requires signed skill manifests and publisher identity verification. DefenseClaw scans skills against a policy grammar before they load. NVIDIA hasn't disclosed NemoClaw's marketplace posture, which is itself a filing gap worth watching at GTC.
Downstream cost. Google banned AI Ultra subscribers paying $250 a month for connecting OpenClaw via OAuth - no warning, no refund. The economic cost of an agent that autoconfigures broad OAuth scopes is borne by users and downstream SaaS providers, not by the agent vendor. That ledger line does not appear in any 10-K.
The attacker line. HackerBot Claw isn't a defender and isn't ours - it's an autonomous agent that used the Claw branding in its handle while methodically compromising seven open-source projects in late February. Including it in the dataset is deliberate. The Claw name now carries attacker baggage the vendors cannot scrub off.
The ledger implies two things for the next quarter. First, the CVE-to-install ratio tilts heavily toward OpenClaw, and every new NVIDIA, Cisco or Qihoo wrapper that embeds OpenClaw without fixing the default posture inherits the liability - expect more CVE-2026-25253-style one-click RCEs as the wrapper surface grows. Second, the products actively marketed on security (DefenseClaw, IronClaw) show a clean sheet today, but neither has the install base to have drawn a serious attacker yet. The honest read of this ledger isn't that a Claw product is safe. It's that some products have not yet been stress-tested by anyone who wanted them to break.
Sources:
- OpenClaw GitHub Security Advisories
- OpenClaw Argus Audit Issue #1796
- DepthFirst - 1-Click RCE via CVE-2026-25253
- Koi Security - ClawHavoc campaign disclosure
- StepSecurity - HackerBot Claw GitHub Actions exploitation
- OpenClaw 130 Advisories Coverage - Awesome Agents
- ClawHub Supply Chain Attack Coverage - Awesome Agents
- Qihoo 360 SSL Leak Coverage - Awesome Agents
- HackerBot Claw Trivy Wipe Coverage - Awesome Agents
- China OpenClaw Restrictions Coverage - Awesome Agents
- Google Antigravity OpenClaw Ban Coverage - Awesome Agents
- Cisco DefenseClaw Release Coverage - Awesome Agents
