I have some truly wonderful news for you today. Because the more popular an AI assistant becomes, the more excited everyone gets. OpenClaw has collected over 135,000 GitHub stars in record time. More than 100,000 downloads per week. The most popular open-source project in this space. An assistant that can do everything - and completely autonomously.
Only: The smarter artificial intelligence becomes, the less we notice that it is no longer making smart decisions about who gets access. It just hands the key to anyone who knocks.
512 vulnerabilities. 40,000 open doors.
A security audit identified 512 vulnerabilities, eight of them critical. Shodan searches revealed over 40,000 publicly accessible OpenClaw instances without any protection whatsoever. 63 percent of them were directly attackable. Nearly 13,000 instances completely takeable over via Remote Code Execution. And that is just the beginning.
What OpenClaw can do - and why that is a problem
What OpenClaw can do actually sounds impressive. It reads your emails. It manages your calendar. It books flights. It executes shell commands on your computer. It controls your browser. It connects to WhatsApp, Telegram, Slack, AWS, Google Cloud, Stripe - practically everything lying around in your digital life.
And for all of that, it needs your API keys. All of them. And it stores them in plain text. Across sessions. Permanently. Cisco summed it up very succinctly: From a technical perspective, OpenClaw is groundbreaking. From a security perspective, an absolute nightmare.
Vibe-Coded: Assembled by AI
A security audit from January 2026 identified 512 vulnerabilities, eight of them classified as critical. The project was essentially assembled by AI programs - security researchers call that "vibe-coded". It stores credentials in plain text, uses insecure code patterns, and direct execution of user input is enabled by default. No privacy policy. No clear accountability.
ClawHub: 30,000 skills, 335 malicious
OpenClaw has its own marketplace for extensions - called ClawHub. Over 30,000 skills are listed there. Researchers from Reco.ai identified 335 malicious skills. With professional documentation and harmlessly sounding names. Trend Micro analyzed 39 more - all installed themselves in the background and stole Apple keychain passwords, browser passwords, credit card data. Cisco found at least one security vulnerability in over a quarter of the skills. 12 percent contained demonstrably malware.
ClawJacked: Any website could take over your agent
Any website you open in your browser could take over your entire OpenClaw agent. Without a plugin. Without a browser extension. Without you having to do anything. CVE-2026-25253, CVSS score of 8.8. The patch came in less than 24 hours. Only the 24 hours before were somewhat unpleasant.
What this means for businesses
74 percent of companies plan to deploy autonomous AI agents. Only 21 percent have any strategy at all for how to control these agents. OpenClaw shows where this development leads - capabilities that were science fiction a year ago are now reachable in three clicks.
OpenClaw can execute shell commands. Arbitrary ones. Including "rm -rf" - the Unix command that deletes everything without asking. One wrong path, and the entire computer is gone. The German Federal Office for Information Security therefore recommends: OpenClaw only for IT professionals, and please operate it in a sandbox.
The risks are real. Governance lags behind. And the warnings come from the BSI, from Cisco, from Trend Micro, from Kaspersky, from Oasis Security and dozens of other independent researchers.
The key takeaway
Autonomous AI agents are more powerful than any tool that has ever run on your computer. That also means: a mistake or an attack is more powerful than ever before. Anyone using such tools needs a strategy - not just for usage, but for security. The appeal of convenience is great. The consequences of negligence are too.
Sources
-
Kaspersky Blog: New OpenClaw AI agent found unsafe for use
Detailed vulnerability analysis, 512 identified security flaws, eight critical:
kaspersky.com - OpenClaw vulnerabilities exposed -
Cisco Blogs: Personal AI Agents like OpenClaw Are a Security Nightmare
Investigation of the skill ecosystem: 26% of 31,000 analyzed skills with vulnerabilities, active data exfiltration documented:
blogs.cisco.com - OpenClaw Security Nightmare -
Infosecurity Magazine: Researchers Find 40,000+ Exposed OpenClaw Instances
SecurityScorecard analysis: 40,000 exposed deployments, 63% vulnerable, 12,812 attackable via RCE:
infosecurity-magazine.com - 40,000 Exposed OpenClaw Instances -
Oasis Security: ClawJacked - OpenClaw Vulnerability Enables Full Agent Takeover
Technical analysis of CVE-2026-25253: WebSocket hijacking from any website, patched in v2026.2.25:
oasis.security - ClawJacked -
Trend Micro: Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer
39 malicious skills analyzed, AMOS stealer distribution via ClawHub and SkillsMP documented:
trendmicro.com - OpenClaw AMOS Stealer -
Snyk: How a Malicious Google Skill on ClawHub Tricks Users Into Installing Malware
Analysis of the "Pastebin Piping" attack vector via ClawHub skills:
snyk.io - Malicious Google Skill on ClawHub