OpenClaw Has 130 Security Advisories and Counting. How Did We Get Here?
OpenClaw's GitHub security advisories jumped from ~90 to 130 in 48 hours. With 40,000+ exposed instances, a poisoned plugin marketplace, and malware targeting Mac Minis, the most popular personal AI agent is also the most dangerous.

TL;DR
- OpenClaw, the open-source personal AI agent with 216,000 GitHub stars, now has 130 published security advisories — up from roughly 90 just 48 hours ago
- A January 2026 security audit found 512 total vulnerabilities, including 8 critical flaws such as plaintext credential storage, hardcoded OAuth secrets, and unauthenticated WebSocket RCE
- Researchers have identified 42,000+ publicly exposed OpenClaw instances, with 93% exhibiting authentication bypass — leaking Anthropic API keys, Telegram tokens, and months of chat history
- The ClawHub plugin marketplace is compromised: 824+ malicious skills distribute Atomic Stealer malware purpose-built to harvest macOS credentials, crypto wallet keys, and SSH keys from Mac Mini deployments
- Creator Peter Steinberger joined OpenAI on February 15, leaving the project's security governance in transition
A tweet made the rounds this week: "OpenClaw has grown from 90 to 130 security vulnerabilities in the past 24 hours. Your mac minis are compromised."
We checked. The numbers are real. The conclusion is more complicated — but not by much.
The Numbers
OpenClaw's GitHub Security Advisories page currently lists 130 published advisories across 13 pages. The oldest date to January 31, 2026. Roughly 40 new advisories were published between February 20–21 alone, which tracks with the "90 to 130" claim. The latest batch includes a mix of severities:
| Severity | Examples from Feb 20–21 Batch |
|---|---|
| High | Shell command injection via unquoted heredoc expansion; arbitrary file read via $include directive; Canvas authentication bypass (ZDI-CAN-29311) |
| Moderate | TTS model directives allowing provider switching; sandbox registry write race conditions; browser navigation guard allowing file:// scheme access |
| Low | Plugin runtime command execution within trusted boundary; Windows shell fallback injection in constrained path |
But 130 advisories is just the GitHub-facing count. The actual picture is considerably worse.
The 512-Vulnerability Audit
On January 25, 2026 — four days before OpenClaw hit its peak virality — an automated security audit via the Argus Security Platform was filed as GitHub Issue #1796. It found 512 total security findings across six analysis passes:
| Analysis Phase | Findings | Breakdown |
|---|---|---|
| AI Deep Analysis | 28 | 8 critical, 20 high |
| Semgrep (SAST) | 190 | 113 errors, 63 warnings, 14 info |
| Gitleaks (Secrets) | 255 | 245 API keys, 5 auth headers, 3 Discord IDs, 2 private keys |
| Trivy (Dependencies) | 20 | 1 critical, 15 high, 4 medium |
| TruffleHog | 8 | Unverified secrets |
| Threat Model | 16 | Architectural threats |
The 8 critical findings alone paint a damning picture: plaintext OAuth token storage, missing CSRF protection, hardcoded OAuth client secrets, webhook signature validation bypass, token refresh race conditions, path traversal in agent directory resolution, insufficient file permission checks, and inadequate token expiry validation.
This is not a project with a few rough edges. This is a project that shipped with authentication as an afterthought.
The CVE Trail
The advisories translate into real CVEs. Here are the ones with published details:
| CVE | CVSS | Description | Status |
|---|---|---|---|
| CVE-2026-25253 | 8.8 (Critical) | 1-click RCE via auth token exfiltration through cross-site WebSocket hijacking | Patched v2026.1.29 |
| CVE-2026-24763 | High | Docker sandbox bypass / command injection | Patched v2026.1.30 |
| CVE-2026-25157 | High | Command injection | Patched v2026.1.25 |
| CVE-2026-27001 | High | Prompt injection via unsanitized workspace paths | Patched v2026.2.15 |
| CVE-2026-26322 | 7.6 | SSRF in Gateway tool | Patched |
| CVE-2026-26319 | 7.5 | Missing Telnyx webhook authentication | Patched |
| CVE-2026-26323 | — | Maintainer compromise vector | Patched |
| CVE-2026-26329 | High | Path traversal in browser upload / token replay | Patched |
| CVE-2026-27484 | — | Discord moderation auth bypass | Patched Feb 20 |
| CVE-2026-27485 | — | Symlink vulnerability in skill packaging | Patched Feb 20 |
| CVE-2026-27488 | — | SSRF in cron webhook delivery | Patched Feb 20 |
CVE-2026-25253 deserves special attention. An attacker could craft a webpage that, when visited by an OpenClaw user, would hijack the WebSocket connection, exfiltrate the authentication token, and gain full remote code execution. One click. Full compromise. The detailed writeup by DepthFirst is worth reading if you want to understand the attack chain.
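As an added illustration, not OpenClaw's code and not taken from the DepthFirst writeup, here is the standard mitigation for cross-site WebSocket hijacking: checking the handshake's Origin header against an allowlist before the connection, and therefore any token it carries, is exposed to the page that opened it. The port 8080 and the two sample handshakes are constructed.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Origins a loopback-bound gateway should accept. Port 8080 is a constructed
# placeholder, not OpenClaw's real listener port.
ALLOWED_ORIGINS = {"http://127.0.0.1:8080", "http://localhost:8080"}


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return the headers of an HTTP/1.1 request as a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise scheme://host:port so case and default ports compare equal."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None                              # e.g. "null" or garbage
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                           # malformed port
        return None
    return f"{parts.scheme}://{parts.hostname}:{port}"


_ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def accept_upgrade(raw: bytes) -> bool:
    """Accept a WebSocket handshake only from an allow-listed browser origin.

    A page on attacker.example opening a WebSocket to the local gateway sends
    Origin: https://attacker.example; rejecting it here is what keeps the token
    from ever reaching that page. A missing Origin is rejected too: non-browser
    clients should authenticate with a token, not rely on being origin-less.
    """
    h = parse_headers(raw)
    if h.get("upgrade", "").lower() != "websocket" or "origin" not in h:
        return False
    return normalize_origin(h["origin"]) in _ALLOWED


# Constructed sample handshakes: one from the local UI, one from a cross-site page.
LOCAL_REQ = (b"GET /ws HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUpgrade: websocket\r\n"
             b"Connection: Upgrade\r\nOrigin: http://127.0.0.1:8080\r\n\r\n")
CROSS_SITE_REQ = (b"GET /ws HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUpgrade: websocket\r\n"
                  b"Connection: Upgrade\r\nOrigin: https://attacker.example\r\n\r\n")
```

The Origin check is a browser-side defence only; it does not replace authentication on the socket itself.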
42,000 Exposed Instances
Finding vulnerabilities in code is one thing. Finding tens of thousands of instances running that vulnerable code on the open internet is another.
Independent researcher Maor Dayan identified 42,665 publicly exposed OpenClaw instances. Of those, 5,194 were actively verified as vulnerable, with 93.4% exhibiting authentication bypass. Bitsight confirmed over 30,000 instances between January 27 and February 8. Hunt.io confirmed 17,500+ instances vulnerable to the critical RCE specifically. Shodan scans found 21,000+ instances with zero authentication.
What was leaking? Anthropic API keys. Telegram bot tokens. Slack account credentials. Months of full chat histories. In some cases, researchers gained full system administrator access.
The root cause is a design decision: OpenClaw ships with authentication disabled by default and, until recently, bound to 0.0.0.0 rather than localhost. Users who followed basic setup guides without hardening their configuration exposed everything.
The Mac Mini Connection
The tweet's "your mac minis are compromised" is pointed because OpenClaw and the Mac Mini have become culturally inseparable. The Mac Mini M4 — sub-5W idle power, silent operation, always-on, and the only hardware that supports iMessage integration — became the default deployment target. The trend was so strong that OpenClaw (then called Clawdbot) triggered a Mac Mini shortage in U.S. stores in late January.
Peter Steinberger, OpenClaw's creator, eventually had to ask users to stop buying Mac Minis unnecessarily, noting that OpenClaw needs only 2 vCPUs and 4GB of RAM since inference happens remotely. But by then the association was cemented: OpenClaw means a Mac Mini humming on a shelf somewhere, running 24/7, connected to every messaging platform its owner uses.
That always-on, always-connected profile makes compromised instances especially dangerous. These are not ephemeral containers. They are persistent machines with access to personal messaging, API keys, and often the owner's primary macOS user account.
ClawHavoc: The Supply Chain Attack
The vulnerabilities in OpenClaw's code are bad. What happened to its plugin ecosystem is worse.
Koi Security audited ClawHub — OpenClaw's official skill and plugin marketplace — and found 341 malicious skills out of 2,857 total. Of those, 335 were part of a single coordinated campaign they tracked as ClawHavoc.
The malicious skills distributed Atomic Stealer (AMOS), a macOS-specific infostealer purpose-built to harvest credentials, crypto wallet keys, SSH keys, and browser passwords. The targeting was deliberate: ClawHavoc went after macOS users running always-on AI agents — exactly the Mac Mini demographic.
As ClawHub grew to over 10,700 skills, the problem scaled with it. Follow-up audits found 824+ confirmed malicious skills. GBHackers later reported the total reached 1,184 malicious skills. A separate analysis by eSecurity Planet found that 41.7% of popular OpenClaw skills contained security vulnerabilities.
The submission barrier for ClawHub was minimal: a GitHub account at least one week old, with no code review, no signing, and no verification. Cisco's security team examined the top-ranked community skill and found 9 vulnerabilities, including active data exfiltration via a hidden curl command.
Who Noticed
Everyone.
- Kaspersky published a detailed advisory calling OpenClaw "unsafe for use" in its default configuration
- CrowdStrike issued guidance for security teams on detecting and managing OpenClaw deployments
- Microsoft published a guide on running OpenClaw safely with identity isolation
- Belgium's CCB issued a national critical vulnerability warning
- Jamf published detection and removal guidance for Mac administrators
- RedLine and Lumma infostealers added OpenClaw's plaintext credential file paths to their default "must-steal" lists
When malware authors update their harvest lists to include your config files, you have graduated from "security concerns" to "active target."
The Leadership Vacuum
On February 15, Peter Steinberger — the creator and primary maintainer of OpenClaw — announced he was joining OpenAI. The project is being transitioned to an open-source foundation.
Steinberger is a serious developer. He previously founded PSPDFKit, a B2B PDF framework valued at roughly €100 million. OpenClaw (originally Clawdbot, then Moltbot after Anthropic's trademark complaint) grew to 216,000 GitHub stars — one of the fastest-growing repositories in GitHub history, gaining 25,310 stars in a single day.
But the project's security posture never kept pace with its adoption. OpenClaw went from a personal project to the most-starred AI agent on GitHub in three months. It acquired messaging platform integrations, a plugin marketplace, browser automation, and voice capabilities — all while running with plaintext credential storage and authentication off by default.
The transition to a foundation happens at the worst possible time: 130 advisories and climbing, an actively poisoned marketplace, and tens of thousands of exposed instances. The new maintainers inherit a security debt that would challenge a well-funded security team, let alone a volunteer-run foundation finding its footing.
Is Your Mac Mini Compromised?
The honest answer: it depends on three things.
1. Are you running the latest version? All named CVEs have patches. If you are on v2026.2.15 or later, the known RCE and injection vectors are closed.
2. Did you harden your configuration? If OpenClaw is bound to localhost only, runs under a non-admin macOS user, has authentication enabled, and uses strict tool allowlists — you are in reasonable shape. If you followed a YouTube setup guide and never touched the config, assume you are exposed.
3. Did you install ClawHub skills? If you installed community skills without auditing them, you may have Atomic Stealer on your machine. Jamf's detection guide is the best resource for checking.
For anyone running OpenClaw on a Mac Mini today, the minimum checklist:
- Update to the latest release immediately
- Enable authentication (the `--auth` flag or the equivalent config setting)
- Bind to `127.0.0.1`, not `0.0.0.0`
- Run under a dedicated non-admin macOS user account
- Audit every installed ClawHub skill — or remove them all
- Rotate any API keys, tokens, or credentials stored in OpenClaw's config
- Check Jamf's AMOS detection guidance if you installed community skills
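An added example, not from OpenClaw or any of the vendors above, for the bind-address item on the checklist: it parses the output of `lsof -iTCP -sTCP:LISTEN -P -n` (run that on the Mac Mini and feed the text in) and flags every TCP listener reachable beyond loopback. The process name, user and port in the sample output are constructed placeholders.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of `lsof -iTCP -sTCP:LISTEN -P -n` output. The process
# name, user and port 8080 are placeholders, not OpenClaw's real values.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
node    41234 agent   23u  IPv4 0x1a2b3c4d5e6f      0t0  TCP *:8080 (LISTEN)
node    41234 agent   24u  IPv6 0x1a2b3c4d5e70      0t0  TCP [::]:8080 (LISTEN)
sshd      512 root     4u  IPv4 0x1a2b3c4d5e71      0t0  TCP 127.0.0.1:22 (LISTEN)
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s.*\bTCP\s+(\S+):(\d+)\s+\(LISTEN\)")
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}   # "all interfaces" spellings


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and 'localhost'; wildcards count as exposed."""
    if host in WILDCARDS:
        return False
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:                       # not an IP literal (lsof without -n)
        return host.lower() == "localhost"


def exposed_listeners(lsof_text: str) -> List[Dict[str, object]]:
    """Return every TCP listener that is reachable from beyond the loopback."""
    findings: List[Dict[str, object]] = []
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd, pid, user, host, port = m.groups()
        if is_loopback(host):
            continue
        findings.append({"cmd": cmd, "pid": int(pid), "user": user,
                         "bind": host, "port": int(port),
                         "runs_as_root": user == "root"})
    return findings


def report(lsof_text: str) -> List[str]:
    """One human-readable line per exposed listener, in lsof order."""
    return [f"{f['cmd']} (pid {f['pid']}, user {f['user']}) listens on "
            f"{f['bind']}:{f['port']}: bind it to 127.0.0.1 instead"
            for f in exposed_listeners(lsof_text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LSOF)) or "no exposed listeners")
```

A listener on `127.0.0.1` can still be reached by anything running on the same machine, so this check complements, rather than replaces, enabling authentication.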
What This Actually Tells Us
OpenClaw's security crisis is not really about OpenClaw. It is about what happens when the AI agent paradigm meets the realities of consumer software distribution.
AI agents are, by definition, software that acts autonomously on your behalf with access to your accounts, credentials, and data. The attack surface is not a text box where you type prompts. It is the sum of every integration, every plugin, every messaging platform token, and every file path the agent can touch. A vulnerability in an AI agent is not like a vulnerability in a note-taking app. It is a vulnerability in something that has the keys to your digital life.
OpenClaw shipped like a developer tool and spread like a consumer product. Developer tools assume a competent operator who reads documentation and hardens configurations. Consumer products assume the default configuration is the final configuration. OpenClaw got 216,000 stars — meaning hundreds of thousands of users — while still shipping with no authentication by default.
The ClawHavoc supply chain attack mirrors what we have seen in npm, PyPI, and every other open package registry. The difference is the blast radius: a malicious npm package can steal environment variables. A malicious OpenClaw skill can steal environment variables and read your WhatsApp messages and execute shell commands and access your browser sessions. The agent paradigm amplifies supply chain risk because agents have more access than libraries.
130 advisories and counting. Forty thousand exposed instances. A poisoned marketplace. The most popular personal AI agent in the world is also, right now, one of the most dangerous pieces of software you can run on a Mac Mini.
The tweet was not wrong. It was, if anything, understating it.
Sources:
- OpenClaw GitHub Repository
- OpenClaw Security Advisories (130 published)
- Argus Security Audit — GitHub Issue #1796
- Kaspersky: New OpenClaw AI Agent Found Unsafe
- The Hacker News: 341 Malicious ClawHub Skills
- Bitsight: OpenClaw Security Risks — Exposed Instances
- Maor Dayan: 42,000+ Exposed OpenClaw Instances
- DepthFirst: 1-Click RCE via CVE-2026-25253
- CrowdStrike: What Security Teams Need to Know
- Microsoft: Running OpenClaw Safely
- Cisco: Personal AI Agents Are a Security Nightmare
- eSecurity Planet: 41% of Popular Skills Contain Vulnerabilities
- GBHackers: ClawHavoc — 1,184 Malicious Skills
- Jamf: OpenClaw Detection and Removal for Mac
- Belgium CCB: Critical Vulnerability Warning
- Infosecurity Magazine: 40,000+ Exposed Instances
- TechCrunch: Steinberger Joins OpenAI
- CNBC: From Clawdbot to OpenClaw
- SecurityWeek: OpenClaw Security Issues Continue