TheCyberThrone

OpenClaw: The Open-Source AI Agent Rewriting the Threat Landscape


What Is OpenClaw?

OpenClaw — previously known as Clawdbot (launched November 2025) and then renamed Moltbot after trademark disputes — is an open-source, self-hosted autonomous private AI agent that runs directly on the user’s machine and connects to supported messaging platforms. Users interact with it through WhatsApp, iMessage, Telegram, Discord, Slack, and Teams. The bot can complete useful daily tasks like booking flights, making dinner reservations, managing calendars and email, running scripts, controlling browsers, and executing scheduled automations.

What makes OpenClaw architecturally distinct from a chatbot is its autonomous execution model. Once installed, with its API credentials configured, OpenClaw interprets user instructions via a language model and executes tasks such as reading files, running scripts, querying APIs, or interacting with other applications on the system, all without step-by-step approval from the user. It also keeps persistent memory, retaining long-term context, preferences, and history across sessions rather than forgetting everything when a session ends.

A key component is its plugin marketplace, ClawHub. Developers extend the agent's capabilities through community-built plugins, or "skills," published there, and that combination of flexibility, local control, and a fast-growing ecosystem is what made OpenClaw extraordinarily popular among developers in a very short time.

Why It Became Famous — Fastest GitHub Rise in History

OpenClaw reached 100,000 GitHub stars within weeks of going viral in early 2026 and now ranks as GitHub’s most-starred non-aggregator software project, surpassing both the Linux kernel and React. Its chart on GitHub Star History shows an adoption curve so steep that it reached the 100k-star milestone in a fraction of the time it took the three most-starred repositories on GitHub to get there.

The velocity was driven by a simple value proposition: a single persistent AI agent that follows you across messaging apps, with deep system-level access to your digital life. OpenClaw crossed 180,000 GitHub stars and drew 2 million visitors in a single week, according to creator Peter Steinberger. This wasn’t an enterprise product pushed by a vendor — it was grassroots, BYOD, and entirely unmanaged from an enterprise security standpoint.

The Security Risk Landscape — Multiple Attack Surfaces

The OpenClaw threat landscape is not a single CVE story. It’s a convergence of five distinct attack surfaces that, together, define a new AI-native threat category.

1. CVE-2026-25253 — The ClawJacked One-Click RCE (CVSS 8.8)

The vulnerability stemmed from OpenClaw's assumption that any connection arriving from localhost could be trusted implicitly. That assumption ignores the browser: a web page loaded in the victim's browser can open a connection to 127.0.0.1, and from the gateway's point of view it arrives from the same local address as any legitimate local process. An attacker therefore only has to lure the victim to a malicious website. Its JavaScript obtains the victim's OpenClaw authentication token and sends it back to the attacker, then opens a WebSocket connection to the local gateway authenticated with the stolen token. With an authenticated session, the attacker can disable sandboxing and bypass user confirmation for dangerous commands.

Oasis Security codenamed this ClawJacked. Security researchers confirmed the attack chain completes in "milliseconds" once a victim visits a single malicious web page. OpenClaw also enforced no rate limits or failure thresholds on incorrect passwords, so brute-force guessing of the gateway password triggered no alerts.

Hunt.io researchers found over 17,500 internet-exposed instances vulnerable to this flaw.

2. The Full CVE Stack

Beyond the headline flaw, OpenClaw was found susceptible to multiple vulnerabilities — CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26319, CVE-2026-26322, and CVE-2026-26329 — ranging from moderate to high severity, covering remote code execution, command injection, SSRF, authentication bypass, and path traversal.

OpenClaw also patched a log-poisoning vulnerability that let attackers write attacker-controlled content into its log files via WebSocket requests to TCP port 18789. Because the agent reads its own logs to troubleshoot tasks, this created an indirect prompt-injection path: instructions embedded in a forged log entry could influence the agent's decisions and the actions it takes automatically.

3. Malicious Skills Supply Chain — ClawHub Compromise

Attackers distributed 335 malicious skills via ClawHub using professional documentation and innocuous names like “solana-wallet-tracker,” then instructed users to run external code that installed keyloggers on Windows or Atomic Stealer malware on macOS. Researchers later confirmed 341 malicious skills total out of 2,857 — roughly 12% of the entire registry was compromised.

The problem escalated rapidly. Researchers at Koi Security found that of 10,700 skills on ClawHub, more than 820 were malicious, a sharp increase from the 324 found just weeks earlier. Bitdefender's analysis put the figure at roughly 900 malicious packages, which it reported as about 20% of published skills; the two teams' percentages are not directly comparable because each counted a different snapshot of the registry. Some of the packages used obfuscated payloads that slipped through code review.

4. Indirect Prompt Injection (IDPI / XPIA)

Indirect prompt injection arises when malicious instructions embedded in content the agent consumes, such as a web page it is asked to summarize, cause it to leak sensitive information or take unintended actions. Instead of interacting with the LLM directly, the adversary weaponizes a benign AI feature like web-page summarization; this is referred to as indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA).

The gap between what the agent is allowed to do by default and what is safe lets attackers abuse link previews in messaging apps like Telegram or Discord. Injected instructions make the agent place a link to an attacker-controlled domain, carrying confidential user data, into a message; the messaging platform's preview fetcher then requests that URL on its own, so the data reaches the malicious domain without a single user click, effectively turning a useful feature into a weaponized exit point.

5. Shadow AI and Enterprise Blast Radius

OpenClaw integrates with email, calendars, documents, and messaging platforms. When connected to corporate SaaS apps, the agent can access Slack messages and files, emails, calendar entries, cloud-stored documents, and OAuth tokens that enable lateral movement. The agent’s persistent memory means any data it accesses remains available across sessions.

A Token Security study found 22% of organizations have employees running OpenClaw without IT approval, creating shadow AI deployments that bypass traditional security controls and corporate governance frameworks. When agents run on BYOD hardware, security stacks go blind — enterprise defenses treat agentic AI as just another development tool, and OpenClaw proves that assumption is architecturally wrong.

OpenClaw is the Log4Shell moment for agentic AI — not because the vulnerability is equivalent in severity, but because it marks the point where a previously theoretical class of risk became tangibly, mass-scale exploitable. The organizations hardening now are writing the playbooks everyone else will follow in 12 months.
