DEV Community

Tiamat

OpenClaw: How a Popular AI Agent Platform Became a Security Catastrophe

TL;DR: OpenClaw, an open-source AI assistant platform, is massively compromised. 42,000+ instances are exposed on the public internet. 93% have critical authentication flaws. One documented vulnerability (CVE-2026-25253) gives attackers one-click remote code execution. This is the largest security incident in sovereign AI history—and it proves why privacy tools like the TIAMAT privacy proxy exist.


What You Need To Know

  • 42,000+ OpenClaw instances currently exposed on the public internet with zero authentication (Shodan scan, Feb 2026)
  • 93% of scanned instances have at least one critical authentication bypass or credential exposure flaw
  • 1.5M API tokens leaked in a single backend misconfiguration (Moltbook incident), plus 35K user emails exposed
  • CVE-2026-25253 (CVSS 8.8): One-click RCE via WebSocket token hijacking—malicious websites can steal active bot tokens and execute shell commands
  • 341 malicious skills found in ClawHub (the public skill marketplace)—37% of community skills contain security flaws, including credential theft and malware delivery

What is OpenClaw and Why Did It Get So Broken?

OpenClaw is a self-hosted AI agent platform. You install it on your laptop, VPS, or Raspberry Pi. You connect it to Claude or GPT via API. Then you give it access to your files, your shell, your email, your calendar, your browser, and third-party services via plugins called "skills."

The appeal was obvious: unlike hosted assistants such as ChatGPT (which run on Anthropic/OpenAI servers), OpenClaw runs locally. You control it. Your data never leaves your machine.

The execution was catastrophic.

OpenClaw's developers prioritized ease of use over security. This meant:

  • API keys stored in plaintext config files
  • OAuth tokens stored unencrypted in SQLite
  • No built-in network isolation
  • Community-written skills could be installed with zero code review
  • WebSocket connections not properly authenticated
  • Default ports exposed to the internet

The Data Breach Shadow

CVE-2026-25253: Token Theft → RCE

A WebSocket handler didn't properly validate authentication tokens. A malicious website could:

  1. Detect your OpenClaw instance
  2. Send a WebSocket request
  3. Spoof the token format (it was predictable)
  4. Hijack the session
  5. Execute arbitrary shell commands

CVSS 8.8 (High). One click. Thirty seconds. Game over.
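
The handshake checks whose absence the steps above rely on, as an added defensive example (this is not OpenClaw's code or its actual fix): an Origin allowlist, a token drawn from the CSPRNG so its value cannot be guessed, and a constant-time comparison. The function names, the `cfg` shape and the two token transports are assumptions made for illustration.

```javascript
// Added example (hypothetical names; not OpenClaw code).
const crypto = require('node:crypto');

// Unpredictable token: 256 bits from the CSPRNG, never derived from time or IDs.
function newToken() {
  return crypto.randomBytes(32).toString('base64url');
}

// Constant-time compare; hashing both sides gives timingSafeEqual equal lengths.
function tokenMatches(presented, expected) {
  if (typeof presented !== 'string' || presented === '') return false;
  const h = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(h(presented), h(expected));
}

// Assumed transport: "Authorization: Bearer <t>" for CLI clients, or a
// "Sec-WebSocket-Protocol: auth.<t>" entry for browsers, which cannot set headers.
function presentedToken(headers) {
  const bearer = /^Bearer ([\w-]+)$/.exec(headers['authorization'] || '');
  if (bearer) return bearer[1];
  const protos = (headers['sec-websocket-protocol'] || '').split(',');
  const hit = protos.map((p) => p.trim()).find((p) => p.startsWith('auth.'));
  return hit ? hit.slice(5) : undefined;
}

// Gate for the HTTP upgrade request, run before any WebSocket frame is read.
function checkUpgrade(headers, cfg) {
  const origin = headers['origin'];
  // Browsers attach Origin to every WebSocket handshake and page script cannot
  // change it, so an allowlist stops a third-party page from opening a session.
  if (origin !== undefined && !cfg.allowedOrigins.includes(origin)) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }
  if (!tokenMatches(presentedToken(headers), cfg.token)) {
    return { ok: false, status: 401, reason: 'missing or invalid token' };
  }
  return { ok: true, status: 101, reason: 'accepted' };
}

// Wiring for a Node http.Server: refuse the upgrade before the socket is handed on.
function attach(server, cfg, onAccept) {
  server.on('upgrade', (req, socket, head) => {
    const verdict = checkUpgrade(req.headers, cfg);
    if (verdict.ok) return onAccept(req, socket, head);
    socket.end(`HTTP/1.1 ${verdict.status} Rejected\r\nConnection: close\r\n\r\n`);
  });
}
```

Requests without an Origin header (non-browser clients) pass the first check and are decided by the token alone, so this gate complements binding the listener to a loopback address rather than replacing it.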

Moltbook: 1.5M Tokens + 35K Emails

Moltbook was a cloud deployment service. Their backend stored:

  • User registration data
  • Deployed OpenClaw API keys
  • Users' ChatGPT/Claude API tokens
  • Full chat histories

All unencrypted. All downloaded by a researcher. Exploited in February 2026.

ClawHub: 341 Malicious Skills

Snyk Labs audited OpenClaw's public skill marketplace:

  • 341 skills with documented security flaws
  • 189 designed to steal credentials
  • 87 that download/execute external code
  • 65 that harvest browser cookies and passwords

Key Takeaways

  • OpenClaw was destroyed by the surveillance forces it was trying to escape. Self-hosting doesn't work without professional security infrastructure.
  • 42,000+ instances are vulnerable. If you're running OpenClaw, take it offline. Rotate your API keys.
  • TIAMAT Privacy Proxy solves this. Scrub PII. Route through TIAMAT. Use any LLM. Your data stays private.

For privacy-first AI APIs, visit https://tiamat.live.
