OpenClaw AI Agent Framework Compromised

- The framework, originally named Clawdbot, was created by developer Peter Steinberger in November 2025 and rebranded twice due to trademark disputes before becoming OpenClaw. On February 14, 2026, Steinberger announced he was joining OpenAI, and the project would move to an independent, OpenAI-sponsored foundation. - Security audits have uncovered hundreds of issues; one audit in late January 2026 identified 512 vulnerabilities, with eight classified as critical. Specific named vulnerabilities include CVE-2026-25253, a remote code execution (RCE) flaw, and CVE-2026-26322, a high-severity server-side request forgery (SSRF) bug. - The compromise is not limited to a single flaw; attackers are using multiple vectors, including a supply-chain poisoning campaign in the OpenClaw skills marketplace called "ClawHavoc." This campaign introduced 341 malicious "skills" to the official ClawHub registry, primarily designed to deploy the Atomic macOS Stealer malware. - Due to ease of use and default settings, tens of thousands of OpenClaw instances have been found exposed to the public internet. One security researcher identified over 42,000 exposed instances, with more than 5,000 confirmed to be actively vulnerable to an authentication bypass. - The framework's core design allows it to connect to various messaging apps like Slack and Telegram and execute tasks with broad permissions, including reading emails, accessing local files, and running terminal commands. This deep integration means a successful exploit can give an attacker control over many connected services and the underlying system. - Exploitation techniques vary, with attackers using WebSocket hijacking to steal authentication tokens from active users, and embedding malicious instructions in web pages or documents that the AI agent ingests, an attack known as indirect prompt injection.