Critical Risk: OpenClaw 'ClawHavoc' Security Crisis & Supply Chain Attack


May 8, 2026 (Updated: May 27, 2026)

🔄 Update — May 27, 2026: Momentum Shifts Toward Self-Hosted Agents and Security Hardening

OpenClaw is currently seeing increased momentum in self-hosted assistants, coding-agent integrations, and security hardening. This trend suggests a broad adoption and intensive development of the ecosystem, with a growing focus on control and security.

What’s new?

  • Focus on Self-Hosting: New guides and tools (e.g., Petronella Tech) are focusing on packaging OpenClaw for operation in private infrastructures.
  • Ecosystem Signals: Activity on GitHub, OpenRouter, and Product Hunt indicates that OpenClaw is no longer just a single product but a growing ecosystem of extensions and benchmarks.
  • Security Audits: DeepInfra and other platforms are publishing detailed analyses of prompt injection and supply-chain risks, leading to increased hardening of installations.

Why this adds to the article

This development shows that the community is actively responding to the security crises described in the article by pivoting toward self-hosting and improved security standards rather than abandoning the framework.


🔄 Update — May 26, 2026: Viral Growth Meets Escalating Security Backlash

OpenClaw is currently experiencing a paradoxical phase: while user numbers and viral interest on platforms like GitHub and YouTube are surging, warnings about security and privacy risks are simultaneously becoming louder. The growing popularity of tutorials stands in direct contrast to new research reports and critical discussions in technical forums.

What’s new?

  • Explosive Open-Source Growth: The main repository and complementary resources like “Awesome-OpenClaw-Skills” are seeing a sharp increase in stars and forks.
  • Increasing Security Concerns: New analyses on SecureFlag and arXiv, along with discussions on Reddit, highlight deeper architectural vulnerabilities when running in dedicated environments.
  • Multimedia Presence: YouTube tutorials and roadmap announcements on Facebook are driving adoption, even as the security community urges caution.

Why this adds to the article

This trend underscores the tension described in the article between rapid technological adoption and the associated security risks, which are now reaching a broader audience.


🔄 Update — May 20, 2026: OpenClaw “Claw Chain” vulnerabilities expose 245K+ AI agent servers

Researchers have discovered four chained vulnerabilities (“Claw Chain”) in OpenClaw that allow for sandbox escapes and backdoor installations. These flaws affect over 245,000 publicly accessible servers, significantly worsening the framework’s already critical security situation.

What’s new?

  • Claw Chain Vulnerabilities: Four chained flaws enable sandbox escape, backdoor delivery, data theft, and privilege escalation.
  • Massive Exposure: Approximately 245,000 public OpenClaw servers are directly vulnerable to attack.
  • Ongoing Security Challenges: Following 13 new CVEs fixed in April 2026, these new findings highlight persistent structural issues in the agent infrastructure.

Why this adds to the article

This discovery confirms the risks analyzed in the original article and demonstrates that the threat landscape is escalating through new, complex vulnerability chains.


Critical Risk: OpenClaw ‘ClawHavoc’ Security Crisis & Supply Chain Attack

Summary

The OpenClaw (formerly Moltbot) ecosystem, one of the most popular open-source AI agent frameworks, is currently grappling with a catastrophic security crisis. A coordinated supply-chain campaign named “ClawHavoc” has successfully poisoned the ClawHub skill registry with over 1,000 malicious packages. Combined with a high-severity Remote Code Execution (RCE) vulnerability (CVE-2026-25253), the attack has put over 135,000 internet-exposed instances at risk. The crisis has triggered a significant loss of trust in the platform, with a growing number of developers migrating to more secure alternatives like Nous Research’s Hermes Agent.

What happened

In February 2026, security researchers identified a massive wave of malicious activity targeting the OpenClaw ecosystem. The “ClawHavoc” campaign involved the automated upload of between 824 and 1,184 poisoned skills to the official ClawHub registry. A single malicious actor, operating under the pseudonym “hightower6eu,” was responsible for a majority of these uploads.

These malicious skills were designed to appear as legitimate extensions but contained payloads such as the Atomic macOS Stealer (AMOS) and custom Trojans. Concurrently, a critical logic error in the OpenClaw Control UI (CVE-2026-25253) was discovered, allowing attackers to exfiltrate user authentication tokens and gain full remote control of local agent instances with a single click.

Why it matters

This event marks the first major supply-chain attack specifically targeting the emerging agentic AI developer ecosystem. OpenClaw’s wide adoption (over 135k GitHub stars) means that the blast radius is immense. For developers and enterprises, this crisis highlights several “lethal” design flaws in the first generation of AI agent frameworks:

  • Plaintext Credential Storage: Storing API keys and OAuth tokens in unencrypted Markdown and JSON files.
  • Unvetted Skill Registries: A lack of automated scanning or verification for community-contributed tools.
  • Memory Poisoning: The ability for attackers to inject malicious instructions into an agent’s persistent memory, creating long-term behavioral threats.

Evidence

  • Registry Poisoning: 824 to 1,184 malicious skills identified in ClawHub.
  • CVE-2026-25253: CVSS 8.8 vulnerability fixed in version 2026.1.29.
  • Malware Payloads: Verified deployment of AMOS and Trojan/OpenClaw.PolySkill.
  • Exposure: Over 135,000 OpenClaw instances found on the public internet via Censys and Bitsight.
  • Market Shift: Growing volume of social media reports (Product Hunt, YouTube, ofox.ai) showing a migration to Hermes Agent.

Analysis

The OpenClaw crisis is a watershed moment for agentic AI security. It demonstrates that the “move fast and break things” approach to agent development is no longer sustainable. The core issue isn’t just a single bug; it’s an architectural reliance on trust in an ecosystem that has become too large to self-police.

The “ClawHavoc” campaign used sophisticated social engineering, such as professional-looking documentation and “ClickFix” tactics, to bypass developer skepticism. This suggests that attackers are now treating AI agents as high-value targets for credential harvesting and lateral movement within corporate networks.

The rapid emergence of the Hermes Agent as a primary alternative is significant. By implementing “Defense-in-Depth” features like container isolation and human-in-the-loop command approvals from day one, Hermes Agent is positioning itself as the “Enterprise-Grade” open-source successor to OpenClaw.

Practical takeaway

If you are currently using OpenClaw, immediate action is required:

  1. Update Immediately: Ensure you are running version 2026.1.29 or later to patch CVE-2026-25253.
  2. Audit Skills: Manually verify every skill installed from ClawHub. Remove any skill that was not created by a trusted maintainer.
  3. Rotate Credentials: Change all API keys (OpenAI, Anthropic, etc.) and SSH keys that were accessible to the OpenClaw environment.
  4. Harden Deployments: Bind your gateway to localhost and run the agent in a sandboxed container as a non-root user.
  5. Evaluate Alternatives: Consider migrating to frameworks like Hermes Agent that offer better default security isolation.
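Two of the steps above (auditing what the agent environment holds in plaintext, and checking that the gateway is bound to localhost and runs sandboxed as a non-root user) can be scripted as a quick offline check. The following is an added example, not OpenClaw project code: it scans Markdown and JSON files under an agent workspace for credential-looking strings (the storage pattern called out under "Why it matters") and checks a gateway config for the three hardening properties in step 4. The workspace layout, the config key names (`bind`, `user`, `sandbox`), the `sk-`/`key-` prefixes and all sample file contents are constructed assumptions rather than OpenClaw's real schema; adapt the patterns and paths to the actual installation.

```python
"""Added example (not OpenClaw code): offline credential scan of an agent
workspace plus gateway hardening checks. Layout, config keys and samples
are constructed assumptions, not OpenClaw's real schema."""
import ipaddress
import json
import re
import tempfile
from pathlib import Path

# Credential heuristics; the 'sk-'/'key-' prefixes are illustrative assumptions.
SECRET_PATTERNS = {
    "api_key_prefix": re.compile(r"\b(?:sk|key)-[A-Za-z0-9_-]{16,}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{20,}"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret)\b['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9._-]{16,}"
    ),
}

# Constructed sample workspace: a key in agent memory, two in a token file,
# a clean skill README, and a weakly configured gateway (assumed key names).
SAMPLE_FILES = {
    "memory/notes.md": (
        "# Session notes\n"
        "OPENAI_API_KEY = sk-constructedexample0123456789ABCDEF\n"
        "Remember to refactor the parser.\n"
    ),
    "config/tokens.json": (
        "{\n"
        '  "provider": "example",\n'
        '  "api_key": "constructedexamplekey0123456789",\n'
        '  "oauth_access": "Bearer constructedexampletoken0123456789"\n'
        "}\n"
    ),
    "skills/README.md": "# Weather skill\nCalls the forecast API; no credentials stored here.\n",
    "config/gateway.json": json.dumps(
        {"bind": "0.0.0.0:8080", "user": "root", "sandbox": False}, indent=2
    ),
}


def scan_text(name: str, text: str) -> list[dict]:
    """Return one finding per line that matches any credential heuristic."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": name, "line": lineno, "kind": kind})
                break  # one finding per line is enough for triage
    return findings


def scan_workspace(root: Path, suffixes=(".md", ".json")) -> list[dict]:
    """Scan every Markdown/JSON file below root, the formats named in the article."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            rel = path.relative_to(root).as_posix()
            findings.extend(scan_text(rel, path.read_text(errors="replace")))
    return findings


def bind_host(bind: str) -> str:
    """Host part of 'host:port', '[v6]:port' or a bare host."""
    if bind.startswith("["):          # [::1]:8080
        return bind[1:bind.index("]")]
    if bind.count(":") == 1:          # 127.0.0.1:8080 or localhost:8080
        return bind.rsplit(":", 1)[0]
    return bind                       # bare hostname or bare IPv6


def bind_is_loopback(bind: str) -> bool:
    """True only if the gateway listens on a loopback address."""
    host = bind_host(bind)
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_gateway_config(cfg: dict) -> list[str]:
    """Step-4 hardening checks against the assumed config shape."""
    issues = []
    if not bind_is_loopback(cfg.get("bind", "")):
        issues.append(f"gateway bound to non-loopback address {cfg.get('bind')!r}")
    if cfg.get("user", "root") == "root":
        issues.append("agent runs as root")
    if not cfg.get("sandbox", False):
        issues.append("sandboxing disabled")
    return issues


def demo() -> dict:
    """Write the constructed samples to a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        findings = scan_workspace(root)
        cfg = json.loads((root / "config" / "gateway.json").read_text())
        issues = check_gateway_config(cfg)
    return {"findings": findings, "issues": issues}


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f"plaintext credential ({f['kind']}) in {f['file']}:{f['line']}")
    for issue in result["issues"]:
        print(f"config issue: {issue}")
```

Run it as-is to see the three constructed findings and three config issues; against a real workspace, point `scan_workspace` at the agent's data directory and load the actual gateway config in place of the sample. A hit from the scanner is the cue for step 3 (rotate that credential), and any non-empty result from `check_gateway_config` means step 4 is not yet done.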

Open questions

  • Will the OpenClaw maintainers implement a “verified” tier for the ClawHub registry?
  • To what extent was the “Moltbook” leak (35k emails, 1.5M tokens) used to facilitate the initial stages of ClawHavoc?
  • Will this crisis lead to a permanent fragmentation of the open-source agent ecosystem toward more “closed” or highly-vetted marketplaces?
