⚠️ If you run OpenClaw, read this before continuing
The events described below happened in January and February 2026 and affected thousands of operators. If your setup was configured before February 15, 2026 and hasn't been audited since, there's a meaningful chance you're still exposed.
OpenClaw went viral fast. Over 135,000 GitHub stars in weeks. Coverage in every major tech outlet. Founders, freelancers, and small business owners scrambling to get it running.
And then the security incidents started.
Not one. Not two. A cascade, each incident worse than the last, that security researchers are now calling the first major AI agent security crisis of 2026.
Here's what happened, why it matters, and what every OpenClaw operator needs to do right now.
The Timeline: What Actually Happened
341 malicious skills on ClawHub
Attackers uploaded more than 335 skills to ClawHub (OpenClaw's public marketplace), complete with professional documentation and innocuous names like "solana-wallet-tracker." On Windows the skills installed keyloggers; on macOS they dropped the Atomic Stealer infostealer. Researchers ultimately confirmed 341 malicious skills out of 2,857 total, roughly 12% of the entire registry.
CVE-2026-25253: One-click remote code execution
OpenClaw released v2026.1.29 patching a critical RCE vulnerability before public disclosure. A malicious link could completely hijack a running OpenClaw instance via cross-site WebSocket hijacking, even if it was configured to listen only on localhost. Binding to localhost does not help against this class of bug: the malicious page runs in the operator's own browser, which is on localhost, and browsers do not apply the same-origin policy to WebSocket handshakes. The server itself has to validate the Origin header and require authentication on the socket; the bind address is irrelevant.
21,639 instances publicly accessible on the internet
Censys mapped the public internet and found 21,639 OpenClaw Control UIs exposed, up from roughly 1,000 just days earlier. Many were leaking API keys, OAuth tokens, and plaintext credentials. The US had the largest share, followed by China, where 30% of the exposed instances ran on Alibaba Cloud.
1.5 million agent API tokens exposed
Moltbook, the AI agent social network that had grown to 770,000+ active agents and drawn NBC and NYT coverage, was found to have an unsecured database. 35,000 email addresses and 1.5 million agent API tokens were publicly accessible. Anyone who connected their OpenClaw agent to Moltbook potentially had their API credentials compromised.
CVSS 8.8 + two additional command injection vulnerabilities
CVE-2026-25253 was publicly disclosed with a CVSS score of 8.8 (High). The same day, three high-impact security advisories dropped simultaneously: the RCE plus two command injection vulnerabilities. The attack surface was larger than anyone realized.
Why OpenClaw Is a Higher-Risk Target Than Most Apps
Most apps that get hacked leak your email address. Maybe a hashed password.
OpenClaw is different. When an attacker compromises your OpenClaw setup, they get:
- Your API keys: Anthropic/Claude, OpenAI, whatever you've connected. They're tied to billing, so every call the attacker makes is charged to you, up to whatever spending limit you set.
- Your files: OpenClaw has filesystem access by default.
- Your connected accounts: Calendly, Gmail, Stripe, whatever you've wired in via skills or environment variables.
- Your messages: if connected to WhatsApp, Telegram, or iMessage, read access to your conversations.
- Your agent's instructions: they can modify your SOUL.md, change your agent's behavior, and plant persistent backdoors.
This isn't a data breach. This is a full system compromise.
Are You Still Exposed? Check This Right Now
Even if you patched in February, many operators are still running insecure configurations. These are the most common failure modes we see in audits:
Your Control UI is accessible from the public internet
Run curl https://ifconfig.me to get your public IP, then try opening http://[your-ip]:PORT from a device that is not on your network (a phone on mobile data, not a laptop on the same Wi-Fi, which would only prove the UI is reachable on your LAN). If it loads, you're exposed. On the host itself, also check what address the process is bound to: a listener on 0.0.0.0 or [::] accepts connections on every interface, while 127.0.0.1 accepts them only from the machine it runs on. Your gateway should be behind a VPN or firewall, never directly internet-facing.
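A way to do the bind-address half of that check on the host, as an added example that is not from the OpenClaw project: it parses the output of ss -ltn (Linux, iproute2) and labels each listener as confined to the machine or reachable from other hosts. The port numbers in the constructed sample are placeholders, not OpenClaw's documented defaults.

```shell
#!/bin/sh
# Added example (not OpenClaw project code): classify TCP listeners from `ss -ltn`.
# A socket bound to 0.0.0.0, [::] or * accepts connections on every interface; on a
# cloud VM or behind a port-forward that means the internet. Only 127.0.0.1 / [::1]
# listeners are confined to the host, and even those are not safe from a browser-driven
# attack like CVE-2026-25253, which needs origin checks and auth, not a bind address.

# Read `ss -ltn` output on stdin; print "LOCAL <port>" or "EXPOSED <port>" per listener.
classify_listeners() {
    while read -r state _recvq _sendq local_addr _rest; do
        [ "$state" = "LISTEN" ] || continue      # skips the header line and blanks
        port=${local_addr##*:}                    # text after the last colon
        host=${local_addr%:*}                     # text before the last colon
        case "$host" in
            127.*|'[::1]') echo "LOCAL $port" ;;
            *)             echo "EXPOSED $port" ;;   # wildcard, or a LAN/VPN/public IP
        esac
    done
}

# Exit 0 when every listener on stdin is host-local, 1 when at least one is reachable off-host.
only_local_listeners() {
    ! classify_listeners | grep -q '^EXPOSED'
}

# Live run on the machine that serves the Control UI (requires iproute2's ss):
#   ss -ltn | classify_listeners
#   ss -ltn | only_local_listeners && echo "no off-host listeners"
```

A LAN or VPN address is reported as EXPOSED on purpose: it is reachable by every other device on that network, and whether that network is the internet depends on NAT and firewall rules the script cannot see, so treat it as a prompt to check, not as a pass.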
You connected to Moltbook before February 2026
If you linked your agent to Moltbook.com before the breach was disclosed (January 31, 2026), your API tokens should be considered compromised. Rotate all API keys immediately: Anthropic, OpenAI, and any third-party integrations in your environment. Rotating means issuing a new key and revoking the old one, not just adding a new one alongside it, and while you're in each provider's console, check the usage and billing history for spend you don't recognize.
You installed ClawHub skills before February 2026
12% of ClawHub was malicious at peak. Any skill installed during January 27 to February 2 should be considered suspect. Remove it and reinstall only from verified, reviewed sources. Then look for what a malicious skill leaves behind, not just the skill itself: on Windows, unfamiliar processes, new scheduled tasks, or Run-key entries; on macOS, unusual LaunchAgents or LaunchDaemons and unexpected background services. A keylogger or infostealer keeps running after the skill that dropped it is gone.
Your environment variables contain API keys in plaintext
OpenClaw's default config stores credentials in .env files that OpenClaw itself can read, and will repeat back to whoever asks, whether that's you or an attacker steering the agent through a prompt injection. Audit what's in your .env file, make it readable only by the account that runs OpenClaw, move keys into a secrets manager if you can, and delete any key the agent doesn't actually need.
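A way to audit that file without echoing the secrets into your terminal or shell history, as an added example that is not OpenClaw's own tooling: it reports which variables look like credentials (by name, or by having a long opaque value under an innocent name) with the values masked, and separately checks whether anyone other than the owner can read the file. The variable names and values in the constructed sample are made up, not OpenClaw's documented configuration keys, and the path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not OpenClaw project code): audit a dotenv file for credentials
# without printing them. Variable names in the sample are assumptions.

# Print one line per credential-looking variable: SECRET for names that say so,
# SUSPECT for long opaque values under an innocent name. Values are masked to 4 chars.
audit_env_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac        # blank lines and comments
        line=${line#export }                              # "export NAME=..." form
        case "$line" in *=*) ;; *) continue ;; esac       # not an assignment
        name=${line%%=*}
        value=${line#*=}
        case "$value" in                                  # strip matching quotes
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        masked=$(printf '%.4s...' "$value")
        case "$name" in
            *KEY*|*TOKEN*|*SECRET*|*PASSWORD*|*PASSWD*|*CREDENTIAL*)
                echo "SECRET $name ($masked, ${#value} chars)" ;;
            *)
                if [ ${#value} -ge 32 ]; then
                    echo "SUSPECT $name ($masked, ${#value} chars)"
                fi ;;
        esac
    done < "$1"
}

# Exit 0 if the group or other permission bits grant read access, 1 if owner-only.
env_file_readable_by_others() {
    mode=$(ls -ld "$1" | cut -c5-10)     # group and other permission triplets
    case "$mode" in *r*) return 0 ;; *) return 1 ;; esac
}

# Usage on a real setup (the path is an assumption; use wherever your .env lives):
#   audit_env_file /path/to/openclaw/.env
#   env_file_readable_by_others /path/to/openclaw/.env && chmod 600 /path/to/openclaw/.env
```

The SUSPECT heuristic is deliberately loose: a 32-plus character value under a name like WEBHOOK_URL is worth a look because signed webhook URLs and bearer tokens often hide behind names that don't say "key", and a false positive costs you a glance while a missed credential costs you an account.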
You haven't updated since January 2026
CVE-2026-25253 (CVSS 8.8) was patched in v2026.1.29. The two command injection vulnerabilities disclosed alongside it were patched in early February. Run openclaw --version and verify you're on v2026.3.x or later. If not, update before doing anything else.
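Comparing version strings by eye is where people slip (v2026.1.9 sorts after v2026.1.29 as text but is older). Here is an added example, not OpenClaw's own tooling, that compares dotted numeric versions component by component and grades an installed version against the two thresholds the article names. It assumes OpenClaw versions are dotted numbers like v2026.1.29; that v2026.3.0 is the lowest point of "v2026.3.x"; and that openclaw --version prints something containing the version, which is why the live helper just extracts the first dotted number it sees.

```shell
#!/bin/sh
# Added example (not OpenClaw project code): grade an installed version against the
# releases named in the article. Version format and `openclaw --version` output are assumptions.

MIN_RCE_FIX="v2026.1.29"      # release that fixed CVE-2026-25253 (from the article)
MIN_RECOMMENDED="v2026.3.0"   # the article's "v2026.3.x or later"; .0 is an assumed lowest point

# version_ge A B: exit 0 if A >= B, comparing numeric components left to right.
# A leading "v" is ignored, suffixes like "-rc1" are dropped, and missing components
# count as zero, so 2026.1.29.1 >= v2026.1.29 and v2026.1.9 < v2026.1.29.
version_ge() {
    a=${1#v}; b=${2#v}; i=1
    while :; do
        ac=$(printf '%s.' "$a" | cut -d. -f"$i")   # trailing dot makes cut return
        bc=$(printf '%s.' "$b" | cut -d. -f"$i")   # "" once components run out
        if [ -z "$ac" ] && [ -z "$bc" ]; then return 0; fi   # all components equal
        ac=${ac%%[!0-9]*}; bc=${bc%%[!0-9]*}
        ac=${ac:-0}; bc=${bc:-0}
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
        i=$((i + 1))
    done
}

# version_status INSTALLED: print VULNERABLE, STALE or OK; exit 0 only for OK.
version_status() {
    if ! version_ge "$1" "$MIN_RCE_FIX"; then
        echo "VULNERABLE $1 predates $MIN_RCE_FIX: CVE-2026-25253 unpatched"
        return 1
    elif ! version_ge "$1" "$MIN_RECOMMENDED"; then
        echo "STALE $1 has the RCE fix but predates $MIN_RECOMMENDED"
        return 1
    fi
    echo "OK $1"
    return 0
}

# Live check (assumes the version appears somewhere in `openclaw --version` output):
#   version_status "$(openclaw --version 2>/dev/null | grep -o 'v\{0,1\}[0-9][0-9.]*' | head -n 1)"
```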
Your gateway has no auth and is accessible over HTTP (not HTTPS)
The gateway is the entry point through which messaging apps reach your agent, so it may need to accept inbound traffic in a way the Control UI never should. If it must be reachable at all, terminate TLS in front of it (a reverse proxy or tunnel), require a unique gateway token on every request, and rotate that token periodically. A gateway serving plain HTTP on a public network sends your conversations, your commands, and any token in the URL or headers across the wire in cleartext, where anyone on the path can read or replay them.
The Uncomfortable Truth About "I Set It Up Myself"
The OpenClaw documentation is excellent for getting running. It's much thinner on security hardening. The project moved fast, the community grew faster, and security guidance lagged behind adoption.
This isn't a knock on the project. It's just reality: when something goes viral, the "happy path" documentation wins. Firewall rules and secret rotation guides don't get bookmarked.
Most self-setups we audit have at least three of the issues listed above. Not because the people who set them up were careless β because the docs didn't make these steps obvious, and no one told them what "secure" actually looks like for an AI agent with this level of system access.
What a Proper Security Audit Covers
When we audit a ClawReady client's setup, here's what we check:
- Gateway exposure: is the Control UI internet-accessible?
- Auth configuration: are all API keys scoped to least privilege?
- Skills audit: what's installed, what has filesystem access, what calls external URLs?
- Secrets hygiene: where are credentials stored, what can the agent read?
- Update status: are all known CVEs patched?
- Moltbook exposure: was the agent ever connected? Were tokens rotated?
- Network config: what can reach the gateway, and from where?
- Memory files: are sensitive details (names, keys, account numbers) stored in agent memory?
Most audits take about 45 minutes and turn up 3 to 5 issues that can be fixed in an afternoon.
Get Your Setup Audited: $49, One-Time
We'll check every point above and give you a prioritized fix list. If your setup is clean, you'll know for certain. If it's not, we'll tell you exactly what to fix and help you fix it.
Book a Security Audit: 45 min screen share · written report delivered same day · no upsell required
The Bottom Line
The Moltbook breach, the ClawHub malware wave, and the 21,000+ exposed instances weren't flukes. They were predictable outcomes of a powerful, low-friction tool going viral faster than security guidance could keep up.
OpenClaw is still the best AI agent platform out there. But "best" and "secure by default" aren't the same thing. If you set it up before March 2026 and haven't done a security review, this is a good week to do it.
The cost of getting this wrong (leaked API keys running up a $2,000 Claude bill, compromised business accounts, exposed client data) is a lot higher than 45 minutes and $49.