Research Chapter · OpenClaw Security 23 Apr 2026~10,000 words
A book-chapter draft · red team, blue team, and the space in between

Claws Out.

OpenClaw went from unknown to ubiquitous faster than almost any open-source project in recent memory — and acquired, along the way, what may be the richest accidental security laboratory of 2026. This chapter surveys it.

Research cutoff
23 April 2026 Sources verified
57 primary citations CVEs confirmed
13 (NVD / GHSA / VulnCheck) Ecosystem events
3 defining shocks

Executive summary

OpenClaw went from unknown to ubiquitous faster than almost any open-source project in recent memory. It shipped publicly on 24 November 2025, crossed 300,000 GitHub stars within four months, and — along the way — acquired what may be the richest accidental security laboratory of 2026. Thirteen confirmed CVEs in the first five months, a supply-chain campaign that poisoned between 341 and 1,184 skills on the official ClawHub registry, 135,000+ internet-exposed instances with no authentication, a one-click RCE that actually got exploited in the wild, and a formal MITRE ATLAS investigation cataloguing seventeen distinct techniques observed against the platform.

By February 2026 Laurie Voss (founding CTO of npm, now at Arize) had called it a "security dumpster fire"1; Andrej Karpathy explicitly told users not to run it on their computers2; a Meta executive reportedly told his team that installing it on a work laptop was a fireable offense3. And despite all of that, OpenAI acquired the project and hired its founder Peter Steinberger4.

362kStars on
openclaw/openclaw
135k+Instances
exposed to internet
63%Of those
running no auth
341–1,184Malicious skills
on ClawHub
13Confirmed CVEs
in 5 months
17ATLAS techniques
observed

The ecosystem of third-party tooling around OpenClaw is the most interesting security story in the project. On the red-team side you have veganmosfet's five-part "BrokenClaw" series demonstrating 0-click RCE via email hooks, Johann Rehberger-adjacent indirect-prompt-injection research, a Koi Security audit that flagged 341 malicious skills, JFrog's discovery of the "GhostClaw" scoped-package impersonation attack, and a prolific community researcher (GitHub user @coygeek) filing half a dozen of the most important advisories against the core repo. On the blue-team side you have SecureClaw from Adversa AI (56 audit checks, 15 behavioral rules, mapped to seven agentic-AI security frameworks), Claw EA's commercial policy-as-code layer, ClawVet and ClawSecure's open-source scanners, SlowMist's validation guide, and a cottage industry of sandbox profiles, skill policies, and adversarial benchmarks.

The chapter's three central claims

  1. The ecosystem's dominant architectural risk is the collapse of the trust boundary between instructions and data. Every major exploit class — from one-click RCE to malicious skills to heartbeat memory pollution — exploits the fact that OpenClaw cannot distinguish, at the code level, between the operator's instructions and attacker-controlled content that arrives through email, web fetches, tool outputs, or installed skills. Patches close specific holes; the underlying property does not patch.
  2. Defensive tooling has converged on a sensible pattern — layered enforcement, policy-as-code, scanned skills, hardened gateway defaults — but none of it solves prompt injection. The strongest current defenses (SecureClaw, Claw EA, container isolation with default-deny network) reduce blast radius and harden configuration; they do not eliminate the underlying class of attack.
  3. ClawHub in its current form is a supply-chain liability that a cautious operator should treat as presumptively hostile. Between 13% and 41.7% of audited skills contain meaningful vulnerabilities by different researchers' counts; ~1 in 9 are actively malicious at peak exposure; and the registry still does not operate a verified-publisher system or a public takedown log.

1. Ground truth: what OpenClaw actually is

A Gateway on port 18789, a coding agent behind it, and twenty-odd messaging channels pouring untrusted input in the front door.

OpenClaw is a self-hosted personal AI assistant. You install it with npm install -g openclaw@latest; you run openclaw onboard --install-daemon; a Gateway process starts on port 18789 and becomes the control plane for every agent, session, skill, tool, and channel the assistant can see5. The founder, Peter Steinberger, designed it to feel "local, fast, and always-on" — a single piece of software that takes inbound messages from WhatsApp, Telegram, Slack, Discord, Signal, iMessage, IRC, Microsoft Teams, Matrix, Feishu, LINE, Mattermost, Nextcloud Talk, Nostr, Synology Chat, Tlon, Twitch, Zalo, QQ, WeChat, WebChat, and mobile nodes on iOS and Android6.

That list is the threat model. An OpenClaw Gateway sits behind every one of those channels and has — by default — a set of high-power tools wired to a coding agent. The built-in tool inventory includes bash, process, exec, read, write, edit, the browser automation stack, a Canvas renderer that ships UI back into the chat, cron jobs, webhook handlers, and a system.run primitive that executes on paired mobile nodes7. Inbound messages from any of the supported channels become context for the agent; the agent decides which tools to call; the tools run on the host (or, optionally, inside a Docker / SSH / OpenShell sandbox) and return results that again become agent context.

The official threat model, such as it is

The OpenClaw docs do explicitly mark inbound DMs as untrusted input and recommend setting agents.defaults.sandbox.mode: "non-main" for group or channel messages8. The default sandbox allow list is bash, process, read, write, edit, sessions_list, sessions_history, sessions_send, sessions_spawn; the default deny list is browser, canvas, nodes, cron, discord, gateway. Two sentences the docs concede in small type turn out to be the whole chapter:

"Treat third-party skills as untrusted code. Read them before enabling."10
"Gateway-backed skill dependency installs … run the built-in dangerous-code scanner before executing installer metadata. critical findings block by default unless the caller explicitly sets the dangerous override; suspicious findings still warn only."10

Both sentences admit what the rest of this chapter is about: third-party skills are the primary attack surface, and there is an operator-flippable override that turns off the dangerous-code scanner.

ClawHub: the registry

ClawHub is the public skill registry at clawhub.ai. The homepage advertises 52,700 skills, 180,000 users, 12 million downloads, and a 4.8 average rating, and promotes four featured verticals — "self-improving agent," "GitHub integration," "security soul," and "dashboard builder"11. Skills are installed via openclaw skills install <slug> and land in the active workspace's skills/ directory. Under the hood a skill is a folder containing a SKILL.md file with YAML frontmatter and a list of executable scripts; ClawHub does not currently enforce a manifest schema describing filesystem access, network egress, or tool use12.

A registry scan performed for this chapter confirmed that ClawHub's taxonomy is flat: a single "Security" category, with no subcategories for red-team, blue-team, pentesting, DFIR, forensics, or networking. The homepage's "security soul" branding is marketing copy — it does not correspond to a namespace or a verification tier. There is no public verified-publisher system, no reputation score, no public takedown log, and — as of April 2026 — no mandatory dependency audit before a skill is published.

2. The three defining events

The third-party ecosystem formed in response to three shocks that all landed between late January and early February 2026. Any analysis that doesn't start with these will miss why the ecosystem looks the way it does.

2.1 ClawHavoc — the supply chain goes on fire

Between roughly 15 January and 10 February 2026, attackers systematically uploaded malicious skills to ClawHub. Koi Security's audit of 2,857 skills found 341 of them malicious13. A later count from Antiy CERT put the number at 1,184 out of roughly 10,700 — about 1 in 914. Independent audits by Snyk ("ToxicSkills") found that 36% of examined skills contained prompt-injection payloads and 7.1% exposed credentials in plaintext15; SkillSieve (Imperial College London / UCL) later put the rate of "security vulnerabilities" at 13–26% of the registry16.

Payloads observed in the wild included Atomic macOS Stealer (AMOS) variants that dumped Keychain, browser cookies, and crypto wallets; token harvesters that targeted ~/.openclaw/ config files (WhatsApp credentials, Telegram bot tokens, Anthropic and OpenAI API keys); backdoors establishing reverse shells; and keyloggers timed to capture credentials during agent interactions. The delivery vector was social: attackers published skills with real, useful functionality ("Tech News Digest," "Productivity Booster," "solana-wallet-tracker") alongside a parallel malicious payload, and inflated install counts to boost discovery in ClawHub's default search ranking. MITRE later assigned this a new technique, AML.T0111 "AI Supply Chain Reputation Inflation"17.

ClawHub responded by adding VirusTotal scanning of new submissions and committing to a future "Extension Marketplace" with vetting. CertiK's follow-up in March 2026 argued — correctly — that VirusTotal-style scanning of Markdown skill content is not a security boundary, because the payloads are not binaries18.

2.2 ClawBleed — the one-click RCE that actually got used

On 31 January 2026 a coordinated disclosure published GHSA-g8p2-7wf7-98mq, which became CVE-2026-25253 ("ClawBleed"), a CVSS 8.8 one-click remote code execution against any default OpenClaw install1920. The chain is worth reproducing in detail because most of the later defensive tooling is a response to it:

  1. The Control UI reads gatewayUrl from the query string and writes it to localStorage without validation (app-settings.ts).
  2. app-lifecycle.ts immediately calls connectGateway() on load, sending the stored authToken in the WebSocket handshake — now pointed at the attacker's URL.
  3. Because the Gateway's WebSocket server did not validate the Origin header, Cross-Site WebSocket Hijacking (CSWSH) allowed any origin to open a connection to ws://localhost:18789.
  4. With the stolen token, the attacker sent API calls to set exec.approvals to off, set tools.exec.host to gateway, and send a node.invoke / system.run shell command. Full RCE, localhost-only instances included.

DepthFirst and Ethiack independently discovered the bug within hours of each other (Ethiack's autonomous AI pentester "Hackian" found it in under two hours)2122. Blink's CVE timeline writes that ClawBleed is "the only 2026 OpenClaw CVE confirmed as actively exploited in the wild"23. The Sploitus PoC remains publicly available as of 18 April 202624.

2.3 Moltbook — the Supabase mistake that taught the ecosystem a lesson

On 2 February 2026 Wiz Research disclosed that Moltbook — an AI-agent social network by Matt Schlicht, deployed with OpenClaw as the backend execution environment — had shipped Supabase to production without Row-Level Security enabled, and with the anon API key visible in client-side JavaScript25. The result: 1.5 million agent authentication tokens, 35,000 email/Twitter handles, and 4,060 private agent-to-agent DMs containing plaintext OpenAI API keys were readable (and writable) by any unauthenticated user.

Moltbook mattered to the OpenClaw ecosystem for two reasons. First, compromised Moltbook tokens could be replayed against any OpenClaw instance that had paired with a Moltbook agent, so the breach cascaded into any household running both. Second, the incident forced a conversation about inter-agent supply chains: it is not enough to audit skills, dependencies, and channels; any other agent your agent talks to is also a trust boundary. Adversa AI's threat model explicitly added "Inter-agent lateral movement via Moltbook and shared channels" as threat class T8 on the back of this incident26.

3. The comparison table

Forty-one rows covering the third-party projects, academic papers, incidents, and proposals that matter most. Risk ratings follow this convention: for red-team tools, the rating reflects operator exposure to the thing the tool exercises; for blue-team tools, it reflects the residual risk of the tool itself.

#NameRoleAttack / Defense surfaceMaturityRiskWhy it matters
01SecureClaw (Adversa AI)Blue56 audit checks + 15 behavioral rules + plugin + skill layersActive · v2.1.0-mvp Feb 2026 · ~325⭐LowFirst tool to formally map controls to seven agentic-AI security frameworks. Reference implementation.
02Claw EABluePolicy-as-code: WPC, scoped tokens, clawproxy receipts, proof bundlesActive · commercialMediumCommercial answer to "prompts aren't enforcement." Closed source.
03ClawVet (MohibShaikh)BlueSix-pass install-time scanner for SKILL.md patternsActive · open · ~580 dl/wkLowCommunity's answer to ClawHavoc. Install-time only; doesn't address post-install drift.
04ClawSecureBlueThree-layer audit; OWASP ASI 10/10 mapped; free tierActive · openLowSlimmer alternative to SecureClaw for smaller installs. Verify self-reported metrics.
05ClawGuard (joergmichno)BluePrompt-injection firewall: 225 patterns, 15 languages, F1=0.983Active · openLowBest purpose-built prompt-injection detector. Pattern-DB gaps are a known bypass class.
06p3nchan/openclaw-skill-policyBlue Prop.Layer-1–4 community skill security policy docActive · open · Feb 2026LowBest operator-facing checklist. Proposes a manifest.json that OpenClaw doesn't yet enforce.
07SlowMist OpenClaw Security Practice GuideDualAgent-facing 13-item nightly audit shell script + red-team matrixActive · open · ~2,787⭐MediumAgent-facing design — self-auditing, but also a ready-made attacker's checklist.
08Snyk mcp-scan + AI-BOMBlueStatic analysis of SKILL.md patterns; AI Bill of MaterialsActive · commercial + openLowCoined the "SKILL.md prerequisite trap" category — AI tricking the human into installing a fake binary.
09Peleke/openclaw-sandboxDualLima VM provisioning + STRIDE Red Team Epic (Issue #44)Early · 0⭐ but high-signalMediumCleanest isolation recipe. STRIDE issue is a planning doc useful to both sides.
10deduu/ClawSandboxRed9-attack benchmark: injection, memory poisoning, priv-esc, exfilStale · Mar 2026 · 4⭐MediumPublished: Gemini 2.5 Flash fell to 7/9 attacks; GPT-5.3 Codex defended 9/9.
11TerminalGravity/openclaw-swarm-security-auditDualMulti-agent red/blue swarm templatePlanning · 0⭐LowInteresting pattern — agents attacking agents. Worth watching; don't deploy yet.
12secureclaw/docs/openclaw-attack-examples.mdRedMITRE ATLAS–mapped attack cookbook inside a defensive toolActiveMediumShips inside a blue tool; reads as a red-team playbook.
13BrokenClaw series (veganmosfet)Red0-click RCE via Gmail; sub-agent sandbox escape; email/web RCE; GPT-5.4 demoActive · 5 parts · Feb–Apr 2026CriticalMost cited primary-research series. Part 2 became CVE-2026-32048.
14HiddenLayer "Claws for Concern"Red ReportFull RCE chain + HEARTBEAT.md persistence + plaintext .env exfil + W^X diagnosisPublished 3 Feb 2026CriticalMost thorough public attack research on the core architecture.
15Oasis Security "ClawJacked"Red ReportWebsite-to-localhost WebSocket takeover; 100s/sec auth brute forcePublished 26 Feb 2026CriticalCompanion to ClawBleed. Browser-to-localhost threat model broken at every layer.
16CertiK OpenClaw Security ReportReportFour-category analysis + "Skill Scanning Is Not a Security Boundary"31 Mar 2026HighCleanest critique of ClawHub's VirusTotal response.
17MITRE ATLAS OpenClaw InvestigationReport4 case studies, 17 techniques, new AML.T0108–T0112 techniquesPublished 9 Feb 2026CriticalHighest-authority threat mapping available.
18Texas A&M "Systematic Taxonomy"Report190 advisories; "Context Manipulation" as sixth Kill Chain stagePublished 31 Mar 2026CriticalStrongest academic critique of the architecture. If you cite one paper, cite this.
19arXiv:2603.23064 "Mind Your HEARTBEAT!"ReportHeartbeat memory pollution; precursor to CVE-2026-41329 (9.9)Published 24 Mar 2026CriticalBackground execution is an attack surface on its own.
20arXiv:2603.26221 "Clawed and Dangerous"ReportSurvey: planning + tools + persistent memory + privileged exec27 Mar 2026HighFrames OpenClaw as an archetype, not an outlier.
21arXiv:2604.03131 (Xidian/China Unicom)ReportSecurity evaluation of OpenClaw variants incl. OpenAI distribution3 Apr 2026HighOnly paper evaluating the post-acquisition distribution.
22arXiv:2603.00902v1 "Clawdrain"Red ReportTool-calling-chain stealthy token exhaustion1 Mar 2026MediumBudget-level DoS — cheap, quiet, unpatched.
23arXiv:2604.06550 "SkillSieve"Blue ReportHierarchical triage for detecting malicious skills; 13–26% vuln rateApr 2026HighAcademic counterpart to ClawVet / mcp-scan.
24arXiv:2603.00195 (Bhardwaj)ReportFormal analysis of agentic-AI skill supply chain, ClawHavoc caseFeb/Mar 2026MediumFormal model useful for reasoning about future ClawHub-class attacks.
25JFrog "GhostClaw"Red ReportMalicious npm package @openclaw-ai/openclawai; multi-stage creds/SSH stealerIdentified 8 Mar 2026Criticalnpm scope impersonation not preventable by ClawHub controls.
26@coygeek (GitHub contributor)RedSustained research: #4951, #7768, #8516, #11031, #15313, #53433, #65625Active · Jan–Apr 2026CriticalMost prolific researcher against core repo. Watch their issue feed.
27Jamieson O'Reilly "What Would Elon Do?"RedPublished PoC poisoned skill on ClawdHub; 16 users in 8 hoursCase study 26 Jan 2026 (AML.CS0049)CriticalCanonical published poisoned-skill demonstration. Cited by MITRE ATLAS.
28ClawHavoc supply-chain campaignIncident341–1,184 malicious skills; AMOS, token harvesters, backdoors, keyloggersLate Jan–early Feb 2026CriticalSkills installed before ~10 Feb 2026 should be treated as presumptively compromised.
29Moltbook Supabase breach (Wiz)Incident1.5M agent tokens, 35k handles, 4,060 agent DMs incl. plaintext OpenAI keys2 Feb 2026CriticalNot an OpenClaw code bug — but cleanest demo that inter-agent trust is a real surface.
30CVE-2026-25253 "ClawBleed"Incident1-click RCE via CSWSH; fixed 2026.1.29; exploited in wildDisclosed 31 Jan 2026CriticalCanonical "browser has no CORS on WebSocket to localhost" bug.
31CVE-2026-28472 "ClawJacked"IncidentGateway WS auth bypass; CVSS 9.8; fixed 2026.2.2Feb 2026Critical63% of exposed instances had no auth — the "gate" protecting this bug was absent on most.
32CVE-2026-32048 (sessions_spawn)IncidentCross-agent spawn bypasses sandbox inheritance; fixed 2026.3.120 Mar 2026CriticalMakes sandboxing a false sense of security unless inheritance is enforced end-to-end.
33CVE-2026-32922 (device.token.rotate)Incidentoperator.pairing → operator.admin via rotation race; CVSS 9.9; fixed 2026.3.1129 Mar 2026CriticalAny legitimately paired low-privilege device has a direct path to full admin.
34CVE-2026-41329 (heartbeat sandbox)IncidentHeartbeat context inherits senderIsOwner; CVSS 9.9; fixed 2026.3.3121 Apr 2026CriticalAcademic precursor at arXiv:2603.23064.
35CVE-2026-35629 (channel SSRF)IncidentChannel extensions accept configurable base URLs without SSRF guards9 Apr 2026HighEnables cloud-metadata-endpoint recon from any low-privilege channel.
36April 21 2026 GHSA batch (10 advisories)IncidentMCP env, config mutation, hook session, QQBot SSRF, dotenv override, scope, Feishu, cron, etc.21 Apr 2026HighConsistent with OpenAI acquisition due-diligence audits.
37Gateway default bind 0.0.0.0 (no-auth)Incident Prop.Default listens all interfaces; 135,000+ exposed; 63% no-authOngoing · unchangedCriticalSingle most-cited design defect. All defensive tools ship with "rebind to 127.0.0.1" as step one.
38Issue #22196 — system/user separationProposalRFC for code-level trust boundary at the tool boundaryClosed not_plannedHighClosure cited by critics as evidence of maintainer posture.
39Issue #62939 — structural delimitersProposalRFC for delimiter-based instruction/data separationOpenMediumMost promising open proposal for structural injection defense.
40ClawHub skill "SkillScan" (92.9k installs)Incident RedPlatform-flagged malicious: uploads packages to skillscan.tokauth.com, MAC address, silent auto-updateLive at audit timeCriticalIllustrates the ClawHub trust failure — a scanner-named skill the platform itself flags, still at 92.9k installs.
41zaycv/clawhub malicious skillIncidentBase64 payload in skill Markdown; 7,754 downloads before takedownClosed 13 Mar 2026HighCanonical base64-in-Markdown example. ClawHub didn't display all skill files at discovery time.

4. Red-team inventory

Four pieces of primary research define the red-team record on OpenClaw. Read them in order and the shape of the problem becomes unavoidable.

4.1 Primary research that shaped the record

HiddenLayer, "Claws for Concern," 3 February 2026. Conor McCauley, Kasimir Schulz, Ryan Tracey, and Jason Martin demonstrated a full attack chain: a user asks the agent to summarize a malicious web page; the agent, reading the page, is persuaded to curl -fsSL … | bash; the script appends attacker-controlled instructions to ~/.openclaw/workspace/HEARTBEAT.md, a file that is re-read into the system prompt every session27. Persistent C2, 30-minute heartbeat poll. API keys and tokens are stored in plaintext in ~/.openclaw/.env, so once RCE is achieved, credential exfiltration is a cat away.

A strongly desirable security policy for systems is W^X (write xor execute). OpenClaw violates this: the instructions executed are also modifiable during execution.HiddenLayer Research

Oasis Security, "ClawJacked," 26 February 2026. The Oasis team showed that any website the user visited while OpenClaw was running could open a WebSocket to localhost:18789, brute-force the auth token at hundreds of attempts per second from browser JavaScript alone (the Gateway's rate limiter exempted localhost), auto-pair as a trusted device, and take over the instance28. No plugins, no extensions, no user interaction beyond visiting the page. OpenClaw patched within 24 hours — impressive for a volunteer-driven project, and a sign of how sharp this particular team's response loop is.

veganmosfet, "BrokenClaw" series, five parts between 2 February and 8 April 202629. Part 1 demonstrated 0-click RCE via the Gmail pub/sub webhook — no user action beyond receiving an email; prompt injection in the email body convinced the agent to clone a malicious .openclaw/extensions/ repo and restart the Gateway. Part 2 showed that the obvious fix (enable the sub-agent sandbox) could be escaped via prompt-injected sessions_spawn calls — the research that later became CVE-2026-32048. Part 3 repeated the RCE through the built-in email reading tool. Part 4 generalised the pipeline: anything the agent fetches from the web is a potential code execution channel. Part 5 tested the same chains against GPT-5.4, confirming the vulnerability class is model-agnostic.

Texas A&M (arXiv:2603.27517), 31 March 2026. Suwansathit, Zhang, and Gu published the most rigorous academic critique to date30. Three key findings: three independently moderate advisories compose into a complete unauthenticated RCE; the exec allowlist encodes a closed-world assumption that command identity is recoverable by lexical parsing — "invalidated by line continuation, busybox multiplexing, and GNU long-option abbreviation in independent and non-overlapping ways"; a malicious skill executed a two-stage dropper entirely within the LLM context, bypassing the exec pipeline entirely. They propose "Context Manipulation" as a sixth Kill Chain stage with no analog in MITRE ATT&CK.

4.2 The supply-chain campaigns

Two named campaigns matter. ClawHavoc (§2.1) is the registry-level campaign; GhostClaw is the npm-level one. JFrog Security Research identified a live malicious package @openclaw-ai/openclawai on npm, masquerading as the official OpenClaw Installer and exploiting scope-name visual similarity. The multi-stage payload stole credentials, env variables, and SSH keys31. The defense is simple and unsatisfying: install OpenClaw only via the unscoped package openclaw, verify the npm registry owner before running any @openclaw* package, and never run npm install scripts without reading them.

Separately, the zaycv/clawhub skill distributed malware via a base64 payload embedded in its Markdown; 7,754 downloads before GitHub issue #108 closed it on 13 March 202632. At the time of discovery, ClawHub's UI did not display every file in a skill package, which is why the injection point was not auditable before install — an ergonomics-is-security finding that the registry has since partially remediated.

4.3 The prolific community researcher

GitHub user @coygeek has — as of this writing — filed seven confirmed security issues against openclaw/openclaw, spanning the browser control server (#7768 DNS rebinding, #15313 /evaluate ACE, #8516 arbitrary file write), extension auto-load (#11031), config redaction (#53433), and the default empty-token LAN bind in the Podman installer (#65625)33. The important observation is that watching a single account's public GitHub issue feed is an unusually high-signal OSINT stream for what's about to be patched.

4.4 Red-team harnesses

deduu/ClawSandbox is a small adversarial benchmark — nine attack types against a fixed system prompt — and its most useful published result is a model comparison: Gemini 2.5 Flash fell to 7/9 attacks, GPT-5.3 Codex defended 9/934. Peleke/openclaw-sandbox is a Lima VM provisioning recipe for running the Gateway in isolation, and it ships a P0-priority STRIDE Red Team Epic (Issue #44) that enumerates every bypass an attacker would try against the Gateway35. Classic low-star, high-signal repository. TerminalGravity/openclaw-swarm-security-audit36 is an experimental multi-agent Claude swarm running red-team and blue-team roles in parallel. The pattern is worth watching; the implementation is not yet worth deploying.

4.5 Academic attack research worth knowing

Beyond Texas A&M's taxonomy (§4.1), the two most useful offensive academic works are arXiv:2603.23064 "Mind Your HEARTBEAT!" (NTU / A*STAR / JHU)37, which predicted CVE-2026-41329 and demonstrates silent memory pollution via the background execution loop, and arXiv:2603.00902v1 "Clawdrain"38, which shows how tool-calling loops can drain API budget without triggering safety stops — a cheap, quiet DoS that maps to OWASP ASI08 (cascading failures) and for which no standard mitigation exists.

5. Blue-team inventory

Every serious defensive tool has converged on a variant of the same idea: don't trust any one layer. The ecosystem's consensus stack has four.

5.1 The layered-enforcement consensus

SecureClaw (Adversa AI) ships the clearest version: a code-layer plugin that performs 56 audit checks on a live install (gateway bind, credential storage, sandbox config, file permissions, dependency CVEs) and applies five hardening modules; and a parallel skill layer with 15 behavioral rules (~1,230 tokens injected into the system prompt) that handle the things infrastructure alone cannot — injection awareness, PII scanning, command-integrity monitoring, inter-agent communication rules, and a kill-switch that blocks OpenClaw from starting if SecureClaw itself is disabled39. The framework mapping — 10/10 OWASP ASI, 10/14 MITRE ATLAS agentic TTPs, 13/18 CoSAI Secure-by-Design, 4/4 MITRE ATLAS OpenClaw case studies — is the most thorough in the ecosystem.

Most competing tools are skill-only, meaning the security logic lives inside the agent's context window as natural language instructions. The problem is that skills can be overridden by prompt injection.Alex Polyakov, Adversa AI

The argument is right, but it does not reach all the way to enforcement. The skill layer is still LLM-directive: the model must choose to follow the rules. SecureClaw's v2.1 release notes admit that "weaker models may misclassify red-line commands" and that injected guide text can itself be tampered with by prompt injection.

Claw EA goes a step further toward machine enforcement40. A Work Policy Contract (WPC) is a signed, hash-addressed policy that defines what the agent may do; a Cryptographic Scoped Token (CST) bounds a single run; clawproxy sits in front of the model call and emits Ed25519-signed receipts; each job yields a proof bundle that can be verified independently. The pitch is that "safety lives in prompts" is a fallacy; the enforcement layer should be below the model. The combination — SecureClaw for configuration + behavior and Claw EA (or a home-grown equivalent) for policy-as-code — is the closest thing to a defensive reference architecture.

5.2 Skill-level scanning

ClawVet (MohibShaikh)41 is the most downloaded open-source SKILL.md scanner, with six analysis passes: RCE patterns, credential theft, prompt injection, typosquat proximity, social-engineering markers, and network-egress detection. It runs at install time. It does not solve the post-install drift problem (skills that start clean and phone home later). ClawSecure42 is a lighter, OWASP-ASI-aligned scanner with a three-layer audit protocol and a free tier. ClawGuard (joergmichno)43 is a prompt-injection firewall with 225 detection patterns and a claimed F1 of 0.983 across 15 languages. All are useful; all are vulnerable to the standard critique that a regex-based scanner loses to trivial obfuscation (base64, dynamic require, runtime code assembly), which is why Snyk's mcp-scan44 is a useful complement. Snyk's Liran Tal named the new attack category: "SKILL.md prerequisite trap" — an instruction file that tells the AI to instruct the user to install a fabricated utility.

5.3 Operator-facing policies and playbooks

p3nchan/openclaw-skill-policy45 is the best operator-facing checklist: four layers — source trust, static analysis, permission declaration (proposes a manifest.json of fs/network/tool/env requirements), and runtime enforcement (sandbox-exec, firejail, bubblewrap; hard blocks on ~/.ssh, ~/.gnupg, ~/.aws, ~/.config/gh). The current OpenClaw runtime does not enforce layers 3–4; the doc makes the gap explicit.

SlowMist's openclaw-security-practice-guide46 is the highest-starred operator guide (~2,787⭐). The distinguishing feature is that it is agent-facing: the 13-item nightly audit is designed to be invoked by OpenClaw itself as a verification task. The upside is a self-auditing agent. The downside is that a compromised agent now has a clear enumeration of every check it is supposed to pass — and therefore of every control an attacker needs to bypass.

5.4 Hardening defaults

Every defensive tool ships the same first hardening step: rebind the Gateway from 0.0.0.0:18789 to 127.0.0.1 and force authentication. SecurityScorecard's STRIKE dashboard at declawed.io found 135,000+ internet-exposed instances, 63% of them running with no authentication at all47.

Think of it like hiring a worker with a criminal history of identity theft who knows how to code well and might take instructions from anyone.Jeremy Turner, SecurityScorecard STRIKE

The harder layer is per-agent network namespacing. The r/LocalLLaMA consensus is that the long-term fix is zero-trust architecture at the agent boundary: default-deny network egress, credentials injected at runtime (never baked into the agent's environment), a forward proxy that logs every outbound request, and per-agent container network namespaces48. None of this is an OpenClaw-specific tool; it is a deployment pattern the ecosystem's credible voices consistently recommend.

6. Dual-use tools and proposals

Several tools do not cleanly fall on one side. adversa-ai/secureclaw is a defensive plugin that ships a file — docs/openclaw-attack-examples.md — which is effectively an adversarial playbook mapped to MITRE ATLAS. The tool itself reduces attack surface; the documentation inside it expands the attacker's available knowledge. This is the standard dual-use property of any mature defensive tool (Metasploit, Ghidra, BloodHound). SlowMist's guide is dual-use by design: the agent-facing audit is a defender's tool, but because it enumerates every check, it gives attackers the same checklist. Peleke/openclaw-sandbox is a defensive VM recipe that ships with a STRIDE red-team planning epic.

Proposals in the core repo worth knowing

  • Issue #22196 — "No code-level enforcement distinguishing system messages from user-crafted lookalikes." Closed as not_planned. Repeatedly cited as evidence of the project's architectural posture on the hardest problem.
  • Issue #62939 — "Prompt injection defense at tool result and message boundaries (structural delimiter proposal)." Open. Most promising active proposal for a structural fix.
  • Issue #8093 — RFC: Security Hardening Architecture. Community proposal; limited traction.
  • PR #1827fix(security): prevent prompt injection via external hooks (gmail, webhook). Merged, 549 additions. Direct response to BrokenClaw Part 1.
  • PR #57782 — Indirect prompt injection hardening by @pyn3rd. Merged.

7. Incidents and the MITRE ATLAS OpenClaw Investigation

The MITRE ATLAS OpenClaw Investigation (publication ID PR-26-00176-1, dated 9 February 2026) is the single most authoritative document in the record.

It reviews four case studies and extracts 17 distinct techniques across the ATLAS matrix; three of those are techniques new to ATLAS v5.5.0, directly added because of OpenClaw observations — AI Agent Tool Poisoning (AML.T0108 / T0110), AI Supply Chain Rug Pull (AML.T0109), AI Supply Chain Reputation Inflation (AML.T0111), and the Machine Compromise series (AML.T0112-family)4950.

The four case studies

AML.CS0048 — Exposed OpenClaw Control Interfaces

Date of incident 25 January 2026. A researcher identified hundreds of internet-exposed Control UIs with no authentication. Reading the configuration file harvested credentials for all connected applications; prompting the agent via the chat interface produced root-level execution inside the container. No exploit code was required. The attack surface was the combination of no authentication and a capable skill framework — the agent's own features, turned against it51.

AML.CS0049 — Supply Chain Compromise via Poisoned ClawdBot Skill

Date 26 January 2026, actor Jamieson O'Reilly, type exercise. O'Reilly published a skill named "What Would Elon Do?" to ClawdHub. The skill's rules/logic.md contained a prompt injection that caused the backend (Claude Code running as the OpenClaw agent) to execute a curl to clawdhub-skill.com — a domain deliberately registered to impersonate the legitimate registry. Sixteen users downloaded and triggered the skill within eight hours52.

AML.CS0050 — OpenClaw 1-Click Remote Code Execution

Date 1 February 2026, actor DepthFirst / Ethiack, CVE-2026-25253. The full ClawBleed chain described in §2.253.

AML.CS0051 — Still Under Investigation

as of the 9 February 2026 PDF. The attack-graph table describes a fourth scenario involving AI Supply Chain Compromise via model-level attack. No separate case-study page was found at atlas.mitre.org/studies/AML.CS0051; treat this case study as unverified in full pending publication of the standalone page.

The CVE table

A compact reference for the CVEs that matter to operators (all verified in NVD, GHSA, or VulnCheck):

CVENicknameCVSSClassFixed inExploited?
CVE-2026-25253ClawBleed8.8 H1-click RCE / CSWSH2026.1.29Yes (confirmed)
CVE-2026-27002Priv-esc (SentinelOne ref)No
CVE-2026-28472ClawJacked9.8 CWS auth bypass2026.2.2No
CVE-2026-320489.9 C / 7.5 HCross-agent sandbox escape2026.3.1No
CVE-2026-329158.8 HLeaf subagent boundary bypass2026.3.11No
CVE-2026-329229.9 CPriv-esc via device.token.rotate2026.3.11PoC exists
CVE-2026-335798.1–9.8Pair-approval path injection2026.3.28PoC exists
CVE-2026-356297.4 HChannel-extension SSRF2026.3.25No
CVE-2026-35653Authorization bypass (SentinelOne ref)No
CVE-2026-413299.9 CHeartbeat sandbox bypass2026.3.31No

On top of the CVEs, the openclaw/openclaw repo's Security Advisories page lists at least a dozen further GHSAs, including GHSA-56pc-6hvp-4gv4 (path traversal via $include), GHSA-7wv4-cc7p-jhxc (workspace .env can inject runtime-control variables), GHSA-m3mh-3mpg-37hw (install-phase arbitrary code execution), GHSA-4564-pvr2-qq4h (shell injection in macOS keychain write), GHSA-h9g4-589h-68xv (auth bypass in sandbox browser bridge), GHSA-xw4p-pw82-hqr7 (sandbox skill-mirroring path traversal), GHSA-3fqr-4cg8-h96q (CSRF via loopback browser mutation endpoints), and the 21 April 2026 coordinated batch of ten54.

8. Narrative analysis

8.1 The biggest risks in the ecosystem

Four risks dominate the record, in rough order of severity.

First, indirect prompt injection remains unsolved and unpatchable. Every major research group — HiddenLayer, Adversa AI, Oasis Security, Snyk, Texas A&M, the OpenClaw maintainers themselves in Issue #22196 — agrees that the LLM cannot enforce access control once untrusted content is in its context window. Patches close specific ingress points (Gmail webhook, email tool, web fetch) but the underlying property — that the model treats instructions and data identically at the attention layer — does not patch. Every skill, every channel, every tool result, every retrieved document is a potential injection point. The Texas A&M paper's "Context Manipulation" sixth-stage Kill Chain is the right framing: in an OpenClaw-class attack, controlling what the model believes is sufficient to induce arbitrary tool calls.

Second, the default configuration is indefensible for any sensitive deployment. The Gateway binding to 0.0.0.0:18789 with no mandatory authentication is the direct cause of 135,000+ internet-exposed instances. Plaintext storage of API keys and tokens in ~/.openclaw/.env makes any successful RCE also a full credential-theft event. Both are design choices, not user errors. SecureClaw, Claw EA, ClawVet, ClawSecure, and p3nchan's skill policy all ship with "rebind to 127.0.0.1" as step one — the ecosystem has effectively voted on the default with its tooling.

Third, ClawHub is a supply-chain liability. Between 13% and 41.7% of audited skills contain security vulnerabilities. Approximately 1 in 9 skills are actively malicious by Antiy CERT's February 2026 count. The attacker innovation — the SKILL.md prerequisite trap, agent-driven social engineering, base64-in-Markdown, registry impersonation via clawdhub-skill.com, npm scope impersonation via @openclaw-ai/openclawai — is outpacing ClawHub's moderation capacity. Until the registry operates a verified-publisher system with mandatory manifest declarations and a public takedown log, the correct operator posture is: assume any skill you didn't write is presumptively hostile.

Fourth, the cross-layer composition problem. Texas A&M's key finding is not about any one CVE; it is that OpenClaw's dominant architectural pattern — per-layer, per-call-site trust enforcement — makes cross-layer composition attacks "systematically resistant to layer-local remediation." Three independently moderate vulnerabilities compose into a complete unauthenticated RCE. You cannot patch this with any one commit. It is the shape of the codebase.

8.2 The most promising defenses

The defensive state of the art converges on a stack with four layers, each required, none sufficient.

  1. Deployment isolation. A dedicated VM or physical host. Gateway rebound to 127.0.0.1; remote access only via VPN or Tailscale. Default-deny network egress, per-agent container network namespaces, forward proxy that logs every outbound request. Credentials injected at runtime by a secrets manager. Read-only SOUL.md and AGENTS.md. Peleke/openclaw-sandbox is the cleanest open recipe.
  2. Configuration hardening. SecureClaw's 56 audit checks are the most complete, with framework mappings operators can point at in a compliance conversation. ClawSecure is a lighter alternative. Run on first install and in a nightly audit loop.
  3. Policy-as-code execution. Claw EA's WPC + CST + clawproxy pattern is the best-articulated commercial answer. A home-grown equivalent — an OPA policy in front of the tool dispatcher, a signed JSON policy artifact hashed into every run, an immutable audit log — is possible for small deployments. The important property is that the enforcement point sits below the model, not inside it.
  4. Skill scanning and runtime rules. ClawVet at install time; ClawGuard for prompt-injection firewall; Snyk mcp-scan for SKILL.md-prerequisite-trap detection; SecureClaw's 15 behavioral rules for in-context guardrails. None of these solve prompt injection; all of them raise the cost of common exploits.

No serious advocate of any of these tools claims prompt injection is solved. The goal is blast-radius reduction: turn a successful prompt injection from full host compromise into a failed tool call with an alert.

8.3 Overhyped and dangerous projects

Skills that name-drop security. ClawHub's own "Security" category includes a skill called SkillScan with 92.9k nominal installs and 0 current active users. The platform itself flags it as malicious: it uploads submitted skill packages to skillscan.tokauth.com, collects the host MAC address, and silent-auto-updates daily. NeoGriffin Security presents a package.json version mismatch against the registry listing and requires an unexplained payment-wallet environment variable. "Security Scanner" wraps nmap and nuclei without any author attribution. Treat security-branded skills with the same skepticism as security-branded browser extensions.

Marketing-grade "AI security" wrappers. AI.com's Super Bowl claim of being "the world's first easy-to-use and secure implementation of OpenClaw" was called "vaporware" by Simon Willison in February 202656. The signal to watch for is whether the vendor has published a threat model and mapping against OWASP ASI or MITRE ATLAS that lists unaddressed items, not just covered ones.

Abandoned forks and lookalike projects. The Clawdbot → Moltbot rename (forced by trademark conflict) left abandoned @clawdbot handles on X and GitHub that scammers seized within seconds. A fake $CLAWD Solana token pumped to a $16 million market cap before collapsing; fake "Clawdbot Agent" VS Code extensions that installed ScreenConnect-based RATs were published57. Any package, handle, or extension bearing a name adjacent to OpenClaw / ClawHub / Moltbot / Clawdbot should be verified against the official repo's README links before install.

8.4 Practical advice for safely experimenting

For a researcher or operator who wants to work with third-party OpenClaw tooling and not get owned:

  1. Pick your lab first. Dedicated VM. Default-deny egress. Separate cloud account with no credentials in common with your personal or work accounts. Treat every credential the agent might access as disposable.
  2. Rebind the Gateway before you install anything. 127.0.0.1:18789, mandatory auth token, Tailscale for remote.
  3. Install OpenClaw only via the unscoped openclaw npm package. Verify the publisher. Never npm install a scoped @openclaw* package without reading its README, package.json, and install scripts.
  4. Run SecureClaw's 56-check audit at first install and nightly. Fix the findings; commit a clean baseline.
  5. Treat ClawHub as a source of things to read, not things to install. Download locally, open every file, run ClawVet + ClawGuard + mcp-scan. If a skill reads ~/.ssh, ~/.aws, or ~/.config/gh, it doesn't.
  6. Enforce policy below the model. Claw EA, or OPA-in-front-of-tool-dispatch. Policy artifact hashed and bound to each run. The model does not get to modify the policy.
  7. Watch @coygeek's issue feed and the openclaw/openclaw/security/advisories page weekly. The cheapest OSINT in the ecosystem.
  8. Subscribe to the veganmosfet BrokenClaw blog, the Adversa AI research feed, and the MITRE ATLAS changelog. These three sources produced most of the record you rely on.
  9. Assume compromise on any install that ran before approximately 10 February 2026, or on any instance that was internet-exposed at any point. Rotate all credentials.
  10. Read adversa-ai/secureclaw/docs/openclaw-attack-examples.md cover to cover. The best single red-team playbook, published by the author of the best defensive tool. That is not an accident.

9. What the ecosystem is missing

A last inventory, because the gaps are as load-bearing as the present tools.

  • A verified-publisher system on ClawHub. Install counts are manipulable (AML.T0111); the 4.8 average rating carries no signal; no cryptographic identity on the publisher side.
  • A public takedown log. When a skill is removed for malicious content, no public record exists of what was removed, when, or why.
  • A mandatory permission manifest. p3nchan's Layer 3 — a manifest.json declaring fs/network/tool/env requirements — has no platform enforcement today. Feature Request #28298 tracks the gap.
  • A CISA KEV entry for CVE-2026-25253. Despite NVD tagging the DepthFirst PoC as an Exploit and the CVE being confirmed exploited in the wild, no CISA KEV catalog inclusion was confirmed.
  • A formal OWASP ASI case study. OpenClaw is the archetypal "lethal trifecta" agent (planning + tools + persistent memory) and yet no standalone OWASP ASI case study publication exists for it.
  • A bug bounty. OpenClaw has no formal bounty program. Given the volume of incoming research and the OpenAI acquisition, this is the single most tractable maintainer-side change.
  • A reference hardened distribution. The closest thing today is the combination of SecureClaw + Claw EA + Peleke's VM + p3nchan's skill policy. A distribution that ships with those defaults applied, signed, and versioned would be a useful community artifact.

Unverified leads (flagged in-line above)

  • AML.CS0051 standalone case-study page at atlas.mitre.org not located at crawl time.
  • Specific Johann Rehberger / Embrace The Red post naming "OpenClaw" not located; general agentic-AI prompt-injection work is directly relevant but not OpenClaw-specific.
  • CVE-2026-22708 attributed to OpenClaw in Adversa AI's 5 Feb 2026 post; SentinelOne attributes the same CVE ID to Cursor AI. Attack technique is real; the CVE ID is potentially misattributed.
  • jgamblin/OpenClawCVEs tracker existence confirmed by reference; 137-advisory count not directly crawl-verified.
  • Kaspersky's 512-vulnerability / 8-critical count referenced in Growexx; no primary Kaspersky URL retrieved.
  • Microsoft Defender team's explicit warning referenced in Growexx; no primary Microsoft URL retrieved.
  • Black Hat USA 2026 / DEF CON 33 / USENIX Security 2026 OpenClaw-specific talks — not located as of 23 Apr 2026 (summer conference agendas not yet published).
  • CISA KEV inclusion for CVE-2026-25253 not confirmed despite NVD Exploit tagging.

10. Closing

If you strip the ClawHavoc numbers and the CVE list down to a single observation, it is this: OpenClaw was built fast, for an audience that wanted a personal AI assistant that felt instantaneous and omni-channel, and the design choices that made it feel that way — a Gateway on 0.0.0.0 with no auth, plaintext credentials, an agent that happily executes tool calls on behalf of anyone who can inject a sentence into its context window — are exactly the choices that produced the 2026 security record. The corrective is not to ban the project or to claim agentic AI is doomed; it is to build, buy, or steal a layered architecture that assumes the model will be convinced of whatever the last untrusted content said, and to keep the blast radius of that conviction small.

That is the story the third-party ecosystem has been writing. SecureClaw and Claw EA represent the defensive steel; BrokenClaw and the Texas A&M taxonomy represent the offensive cartography; MITRE ATLAS represents the framing; ClawHub represents the problem that is not yet solved. A cautious operator, in April 2026, can run OpenClaw responsibly. A cautious operator has to want to. The ecosystem is no longer short of the tools to do it; it is still short of the defaults that would make doing it feel natural.

Primary sources

  1. Laurie Voss, LinkedIn post, 2026. Via The Register, "DIY AI bot farm OpenClaw is a security 'dumpster fire'," 3 Feb 2026. theregister.co.uk/2026/02/03/openclaw_security_problems · linkedin.com/posts/seldo
  2. Andrej Karpathy, via The Register same article; reported X post x.com/karpathy/status/2017442712388309406
  3. Ars Technica, "OpenClaw gives users yet another reason to be freaked out about security," 3 Apr 2026. arstechnica.com/security/2026/04
  4. Simon Willison, "openclaw" tag, 15 Feb 2026. blog.simonwillison.net/2026/Feb/15/openclaw · LiveMint / Bloomberg (Parmy Olson), "OpenClaw is an OpenAI security nightmare," 25 Feb 2026. livemint.com/opinion/online-views/openclaw-openai
  5. OpenClaw README, github.com/openclaw/openclaw (retrieved 23 Apr 2026, v2026.4.22).
  6. OpenClaw docs home, docs.openclaw.ai
  7. OpenClaw docs, Tools section (tool inventory); Sandboxing default allow/deny quoted in repo README.
  8. OpenClaw README, "Security defaults" section.
  9. OpenClaw docs, Skills: docs.openclaw.ai/tools/skills · Skills Config: docs.openclaw.ai/tools/skills-config · CLI Skills: docs.openclaw.ai/cli/skills
  10. OpenClaw docs, Skills "Security notes" block. docs.openclaw.ai/skills
  11. ClawHub homepage, clawhub.ai (retrieved 23 Apr 2026).
  12. OpenClaw docs, Skills "Format (AgentSkills + Pi-compatible)" section.
  13. The Hacker News, "Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users," 2 Feb 2026. thehackernews.com/2026/02 · ClawHub incident page claw-hub.net/clawhub-havoc-incident · eSecurity Planet esecurityplanet.com/threats
  14. Antiy CERT count, via Growexx.com OpenClaw Skills Development Guide (2026 Edition), 10 Mar 2026. growexx.com/blog/openclaw-skills-2026
  15. Snyk Research, "ClawHub Malicious Google Skill / ToxicSkills report," 10 Feb 2026. snyk.io/blog/clawhub-malicious-google-skill
  16. Hou & Yang, "SkillSieve," arXiv:2604.06550, Apr 2026. arxiv.org/pdf/2604.06550
  17. MITRE ATLAS data changelog, v5.5.0 (30 Mar 2026). github.com/mitre-atlas/atlas-data
  18. CertiK OpenClaw Security Report, 31 Mar 2026. certik.com/blog/openclaw-security-report · "Skill Scanning Is Not a Security Boundary," www-cn.certik.com/blog
  19. NVD, CVE-2026-25253. nvd.nist.gov/vuln/detail/CVE-2026-25253
  20. GHSA-g8p2-7wf7-98mq. github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq
  21. DepthFirst, "1-click RCE to steal your Moltbot data and keys." depthfirst.com/post/1-click-rce-moltbot
  22. Ethiack, "One-click RCE Moltbot." ethiack.com/news/blog/one-click-rce-moltbot
  23. Blink Blog, "OpenClaw 2026 CVE Complete Timeline & Security History." blink.new/blog/openclaw-2026-cve-timeline
  24. Sploitus, CVE-2026-25253 PoC. sploitus.com/exploit?id=84AE8E47
  25. Wiz Research, "Exposed Moltbook database reveals millions of API keys," 2 Feb 2026. wiz.io/blog/exposed-moltbook-database
  26. Adversa AI, "OpenClaw AI Agent Security Threats Mapped to OWASP / MITRE," 19 Feb 2026. adversa.ai/blog/openclaw-ai-agent-security-threats
  27. HiddenLayer, "Exploring the Security Risks of AI Assistants like OpenClaw" (aka "Claws for Concern"), 3 Feb 2026. hiddenlayer.com/research/openclaw
  28. Oasis Security, "OpenClaw Vulnerability (ClawJacked)," 26 Feb 2026 (updated 31 Mar 2026). oasis.security/blog/openclaw-vulnerability
  29. veganmosfet "BrokenClaw" series, Parts 1–5, 2 Feb – 8 Apr 2026. Part 1 · Part 2 · Part 3 · Part 4 · Part 5
  30. Suwansathit, Zhang & Gu, "A Systematic Taxonomy of Security Vulnerabilities in the OpenClaw AI Agent Framework," arXiv:2603.27517, 31 Mar 2026. arxiv.org/html/2603.27517
  31. JFrog Security Research, "GhostClaw Unmasked," 8 Mar 2026. research.jfrog.com/post/ghostclaw-unmasked
  32. openclaw/clawhub Issue #108. github.com/openclaw/clawhub/issues/108
  33. @coygeek issue stream: #4951 · #7768 · #8516 · #11031 · #15313 · #53433 · #65625
  34. deduu/ClawSandbox. github.com/deduu/ClawSandbox
  35. Peleke/openclaw-sandbox + Issue #44 STRIDE Red Team Epic. github.com/Peleke/openclaw-sandbox · /issues/44
  36. TerminalGravity/openclaw-swarm-security-audit. github.com/TerminalGravity/openclaw-swarm-security-audit
  37. "Mind Your HEARTBEAT!" arXiv:2603.23064, 24–25 Mar 2026. arxiv.org/abs/2603.23064
  38. Dong, Feng & Wang, "Clawdrain: Exploiting Tool-Calling Chains for Stealthy Token Exhaustion in OpenClaw Agents," arXiv:2603.00902v1, 1 Mar 2026. arxiv.org/abs/2603.00902v1
  39. adversa-ai/secureclaw, github.com/adversa-ai/secureclaw · Help Net Security, "SecureClaw: Dual-stack open-source security plugin and skill for OpenClaw," 18 Feb 2026. helpnetsecurity.com/2026/02/18/secureclaw · Adversa launch post adversa.ai/blog/adversa-ai-launches-secureclaw
  40. Claw EA, Agent Supply Chain Security page. clawea.com/agent-supply-chain-security · clawea.com
  41. MohibShaikh/clawvet. github.com/MohibShaikh/clawvet · HN thread news.ycombinator.com/item?id=47370624
  42. ClawSecure/clawsecure-openclaw-security. github.com/ClawSecure/clawsecure-openclaw-security
  43. joergmichno/clawguard. togithub.com/joergmichno/clawguard
  44. Snyk mcp-scan + AI-BOM, Snyk blog reference above (cite 15).
  45. p3nchan/openclaw-skill-policy. github.com/p3nchan/openclaw-skill-policy
  46. slowmist/openclaw-security-practice-guide. github.com/slowmist/openclaw-security-practice-guide
  47. The Register, "More than 135,000 OpenClaw instances exposed to internet in latest vibe-coded disaster," 9 Feb 2026. theregister.com/2026/02/09/openclaw_instances_exposed · SecurityScorecard STRIKE dashboard declawed.io
  48. r/LocalLLaMA threads: "Every OpenClaw security vulnerability documented in one place," reddit.com/r/LocalLLaMA/.../1r81vw2 · "We tested what actually stops attacks on OpenClaw," reddit.com/r/LocalLLaMA/.../1r71x3j
  49. MITRE ATLAS OpenClaw Investigation (PR-26-00176-1), 9 Feb 2026. mitre.org/news-insights/publication/mitre-atlas-openclaw-investigation · PDF mitre.org PR-26-00176-1 PDF · CTID post ctid.mitre.org/blog/2026/02/09
  50. MITRE ATLAS data changelog v5.5.0 (30 Mar 2026), same as cite 17.
  51. AML.CS0048 summary via startupdefense.io mirror (direct atlas.mitre.org page returned 404 at crawl time; PDF is primary). startupdefense.io/mitre-atlas-case-studies
  52. AML.CS0049 "Supply Chain Compromise via Poisoned ClawdBot Skill." Mirror startupdefense.io/.../aml-cs0049
  53. AML.CS0050 "OpenClaw 1-Click Remote Code Execution." startupdefense.io/.../aml-cs0050
  54. openclaw/openclaw Security Advisories index. github.com/openclaw/openclaw/security/advisories
  55. Vikas Agarwal, "OpenClaw Skills Development Guide for Developers (2026 Edition)," Growexx, 10 Mar 2026. growexx.com/blog/openclaw-skills-2026
  56. Simon Willison, same as cite 4.
  57. Adversa AI, "OpenClaw Security 101: Vulnerabilities & Hardening 2026," 5 Feb 2026. adversa.ai/blog/openclaw-security-101