In late January 2026, an open-source AI agent called Clawdbot appeared on GitHub and racked up over 20,000 stars in a single day. It was quickly rebranded as Moltbot, then OpenClaw. By the time most IT teams had heard of it, it had already spread to personal machines, home offices, and corporate environments around the world. It has surpassed 179,000 GitHub stars and attracted over 2 million visitors in a single week.
OpenClaw promises something genuinely compelling: a persistent, always-on AI assistant that connects to your messaging apps, manages your files and calendar, reads your email, executes terminal commands, and can even write its own code to handle tasks it doesn’t already know how to do. It runs 24/7 in the background with deep system access. For technically adventurous users, it sounds like magic.
For your organization… it should sound like an alarm!
OpenClaw is an open-source AI agent framework. It’s designed to run continuously on a user’s machine with system-wide permissions, meaning it can execute terminal commands, modify system files, manage network configurations, and connect to any service the user grants it access to via tokens, API keys, or credentials.
It operates through a marketplace of add-ons called “skills,” hosted on a community registry called ClawHub. Anyone can upload a skill. And as security researchers have quickly discovered, many have already done exactly that, with malicious intent.
This isn’t a theoretical risk. Within weeks of OpenClaw going viral, security researchers from CrowdStrike, Kaspersky, Cisco, Bitdefender, and Bitsight had all published serious warnings. Here’s what they found:
Thousands of exposed instances are open to anyone on the internet. A researcher scanning with Shodan discovered nearly a thousand publicly accessible OpenClaw installations running without any authentication. Researcher Jamieson O’Reilly was then able to access Anthropic API keys, Telegram bot tokens, Slack accounts, and months of chat histories, and execute commands with full system administrator privileges on exposed instances. Kaspersky noted that “hundreds of misconfigured OpenClaw administrative interfaces are sitting wide open on the internet.” A later Bitsight analysis found over 30,000 exposed instances in less than two weeks.
A marketplace riddled with malware. ClawHub, OpenClaw’s skills registry, had no automated malware scanning at launch. Security researcher Paul McCarty found malicious packages within two minutes of browsing the marketplace and identified 386 malicious packages from a single threat actor. When he raised the issue with OpenClaw’s founder, the founder reportedly said that security “isn’t really something that he wants to prioritize.” Bitdefender’s analysis found nearly 900 malicious skills, roughly 20% of all packages available, stealing API keys, SSH credentials, browser passwords, and cryptocurrency wallets.
Configuration files are a goldmine for infostealers. Researchers recently documented a case where an infostealer stole a victim’s OpenClaw configuration files. These included openclaw.json (containing gateway tokens), device.json (containing private cryptographic keys), and “memory” files outlining the agent’s behavior and personal context. Security Affairs reported that stolen files give attackers the ability to connect to the victim’s local OpenClaw instance remotely if the port is exposed, or to impersonate the client in authenticated requests to the AI gateway.
Prompt injection attacks can hijack the agent. OpenClaw’s own documentation admits, “Even with strong system prompts, prompt injection is not solved.” Because the agent actively reads emails, web pages, and documents, an attacker can embed hidden instructions in any piece of content the agent ingests. CrowdStrike has warned that successful prompt injection attacks can leak sensitive data from connected systems or hijack OpenClaw’s agentic capabilities to conduct reconnaissance, move laterally, and execute adversaries’ instructions.
A log poisoning vulnerability exists in older versions. Versions of OpenClaw prior to February 13, 2026, logged unsanitized WebSocket headers, creating an AI log-poisoning attack vector. If your users are running older versions, they are exposed.
The supply chain is under active attack. When OpenClaw rebranded from Clawdbot to Moltbot, attackers used the brief window before the creator could update his accounts to register typosquatted domains and clone his GitHub repository. As Bitsight noted, “within days, typosquat domains and a cloned GitHub repository appeared, impersonating the project’s creator and positioning infrastructure for a potential supply-chain attack.”
You may be thinking, “Our team wouldn’t install something like this on company machines, right?”
Take Bob from accounting as an example. He hears about OpenClaw from a tech podcast, installs it on his personal laptop over the weekend to help manage his emails, and finds it works wonderfully. By Monday, he’s connected it to his work email to help clear a backlog. Then his work calendar. Then his Slack account. Then a shared drive.
Bob hasn’t done anything he thinks is wrong. But he’s just quietly turned an unsanctioned, potentially compromised AI agent into a highly privileged system with access to your corporate infrastructure, operating entirely outside your visibility, controls, and guardrails. Bitsight has specifically warned that employees mixing personal and work-related OpenClaw integrations to get things done faster can quietly turn the assistant into a highly privileged system within your organization, operating outside the usual controls, visibility, and guardrails.
This pattern, sometimes called “Bring Your Own AI” (BYOAI), is accelerating. Bitdefender observed a surge in BYOAI adoption moving beyond the early, technically skilled users and into the general population, warning that the threat extends all the way to employees who fail every phishing simulation. The concern is not just the technically sophisticated user; it’s the entire workforce.
OpenClaw is not malware in the traditional sense. It is a legitimate open-source project that has been embraced by attackers as an attack surface, a distribution vector, and a high-value target. Its creator built it quickly, acknowledged that security was not a priority, and shipped it with defaults that left tens of thousands of instances exposed to the open internet.
The result is a tool that Aikido Security described as “only useful when it’s dangerous.” The very capabilities that make it powerful, namely persistent access, broad system permissions, and the ability to act autonomously on behalf of the user, are precisely what make a compromised instance so damaging.
The cybersecurity community is sounding the alarm in rare unison. CrowdStrike, Kaspersky, Cisco, Bitdefender, Bitsight, and others have all published warnings in the past few weeks. The Register called it a “dumpster fire.”
Your organization doesn’t need to wait for a breach to take this seriously. The best time to act is before an employee connects it to your systems. That window may already be closing.
Have questions about your organization’s exposure to OpenClaw or agentic AI risks? Contact our team for a consultation.