OpenClaw AI Agent Platform Security Flaws Exposed
Security researchers have highlighted significant vulnerabilities in the OpenClaw AI agent platform, with over 135,000 internet-facing instances found to be at risk. A podcast analysis noted that the agent's architecture creates a new attack surface, with risks including one-click token leakage and remote code execution, because the platform treats the AI agent as an 'operator' with privileged access.
- The platform's default network configuration binds to `0.0.0.0`, causing instances to listen on all network interfaces, including the public internet, a practice that fundamentally violates secure-by-design principles.
- A critical vulnerability, identified as CVE-2026-25253 with a CVSS score of 8.8, allowed one-click remote code execution; an attacker could hijack an instance by luring a user to a single malicious webpage.
- The project's extensible "Skills" ecosystem has been a major source of supply chain attacks; in one campaign, attackers distributed 341 malicious skills on the official marketplace, ClawHub, which installed malware such as keyloggers and the Atomic Stealer.
- The agent's design is susceptible to indirect prompt injection, where malicious instructions hidden in ingested data (such as emails or documents) can trick the agent into executing unauthorized commands, exfiltrating data, or abusing connected APIs.
- A compromised agent gives an attacker the ability to access local files, including SSH keys and browser credentials, as well as control integrated applications like Slack and Telegram, effectively inheriting all permissions of the agent.
- The project, which has been renamed twice, from Clawdbot to Moltbot and finally to OpenClaw, experienced explosive growth, reaching over 183,000 GitHub stars in a few weeks, leading to rapid, widespread adoption that outpaced security controls.
- In response to the vulnerabilities, maintainers released version 2026.2.12, which patched over 40 security issues by enforcing mandatory authentication for browser control, adding Server-Side Request Forgery (SSRF) protections, and treating all web outputs as untrusted data.
- Researchers from SecurityScorecard's STRIKE team identified the widespread exposure, noting that the issue represents a failure of access-and-identity management at scale, turning a convenience-first architecture into a high-value target.
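The two hardening points above, the `0.0.0.0` bind default and the SSRF protections added in 2026.2.12, translate into checks a deployer can run on their own gateway. The following is a constructed example, not OpenClaw's code; the function names and the injected `resolve` callback are assumptions made so it runs offline.

```python
"""Constructed defensive example (not OpenClaw code): two checks that
mirror the article's hardening points, a bind-address audit for the
0.0.0.0 default and an SSRF guard for agent-initiated fetches."""
import ipaddress
from urllib.parse import urlsplit

WILDCARD_BINDS = {"0.0.0.0", "::", ""}


def bind_exposure(bind_host: str, auth_required: bool) -> str:
    """Classify a listener: 'local' (loopback only), 'guarded' (reachable
    from other hosts but authenticated) or 'exposed' (reachable, no auth)."""
    host = bind_host.strip("[]").lower()
    if host == "localhost":
        return "local"
    if host not in WILDCARD_BINDS:
        try:
            if ipaddress.ip_address(host).is_loopback:
                return "local"
        except ValueError:
            pass  # a hostname: assume it maps to a routable interface
    return "guarded" if auth_required else "exposed"


def is_safe_fetch_target(url: str, resolve) -> bool:
    """Allow only http(s) URLs whose every resolved address is globally
    routable. `resolve` (hostname -> list of IP strings) is injected so the
    check runs offline; production code should connect to the address it
    validated rather than re-resolving, to defeat DNS rebinding."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if host == "localhost":
        return False
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.1 is judged as 10.0.0.1.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if not addr.is_global:
            return False
    return bool(addrs)
```

The SSRF guard rejects loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata address) and unresolvable hosts, which is the class of destinations an injected instruction would steer an agent's fetch toward.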