OpenClaw AI Agent Flaws Enable Prompt Injection, 1-Click

OpenClaw: The Viral AI Agent That Became a Security Crisis

OpenClaw — the self-hosted AI agent framework that lets large language models autonomously operate computers, browse the web, execute shell commands, and manage email — has accumulated a staggering security debt since going viral in early 2026. China's National Computer Network Emergency Response Technical Team (CNCERT) issued a formal risk alert on March 10, 2026, citing over 258 disclosed vulnerabilities and ordering state-run enterprises and government agencies to ban its use outright.

Originally launched as Clawdbot in November 2025 by Austrian developer Peter Steinberger, the project was rebranded to Moltbot and then OpenClaw following trademark pressure. The framework stores all credentials, API keys, and environment variables in cleartext under ~/.clawdbot by default — an architectural decision that amplifies every other vulnerability listed below.

CVE-2026-25253 — 1-Click RCE via Auth Token Exfiltration (CVSS 8.8)

Discovered by: Mav Levin, depthfirst research team Affected versions: All versions up to v2026.1.24-1 Fixed in: v2026.1.29 (January 30, 2026)

The Control UI accepted a gatewayUrl parameter from the URL query string and auto-connected to it on page load — without user confirmation — transmitting the stored gateway authentication token in the WebSocket connection payload.

The Kill Chain

Victim visits an attacker-crafted URL
Auth token is exfiltrated via the auto-connecting WebSocket within milliseconds
Attacker uses the stolen token for cross-site WebSocket hijacking
exec.approvals.set is disabled — bypassing all sandbox and confirmation prompts
tools.exec.host is patched to gateway — escaping the Docker container
node.invoke executes arbitrary shell commands directly on the host OS

The result is full host-level RCE from a single browser visit. Safety guardrails are irrelevant because the exploit operates at the infrastructure layer, not the LLM layer.

Fix: A gateway URL confirmation modal was added, removing the auto-connect behavior.

ClawJacked — WebSocket Localhost Hijack

Discovered by: Oasis Security Fixed in: v2026.2.26

The OpenClaw gateway binds to localhost and exposes a WebSocket interface. Browser cross-origin policies do not block WebSocket connections to localhost, meaning any website the victim visits can silently open a connection to the local gateway.

Critically, the gateway's rate limiter exempted localhost connections entirely, allowing a malicious JavaScript payload delivered from any compromised or malicious site to brute-force the gateway password at hundreds of attempts per second.

What an Attacker Gains

Once authenticated via the hijacked WebSocket:

Full messaging history (email, Telegram, Discord, etc.)
Files from connected/paired devices
All stored API keys and credentials
Arbitrary shell command execution on the host
No plugins, browser extensions, or user interaction required beyond visiting a malicious page

Prompt Injection: An Unfixable Attack Surface

OpenClaw's connectors — email, web browsing, messaging apps — do not isolate or sanitize content before passing it to the LLM. Injected instructions embedded in emails, web pages, or documents can instruct the agent to:

Silently forward email contents to an attacker-controlled URL
Load and leak environment variables and API credentials one-by-one
Reroute agent communication to attacker-controlled infrastructure
Join attacker-controlled Telegram or Discord groups

PromptArmor researchers identified a particularly insidious variant: when OpenClaw is used via Discord or Telegram, prompt-injected payloads cause the agent to generate a URL, which the messaging app's link-preview mechanism automatically fetches — transmitting the extracted data with no further user interaction required.

ClawHub Supply Chain: 800+ Malicious Skills

The ClawHub community skills registry — OpenClaw's equivalent of a plugin store — has been actively weaponized. In the ClawHavoc campaign:

Initial scan: 341 malicious skills (~12% of the registry)
Updated scans: over 800 malicious skills (~20% of the registry)

Notable malicious skills include bob-p2p-beta and runware. Payloads include:

Payload	Behavior
Atomic macOS Stealer	Credential and cookie theft on macOS
Crypto-miners	Silent CPU/GPU mining on developer machines
Silent data exfiltration	Hardcoded `curl` commands POST data to attacker C2 — invisible to the user

China's CNCERT Warning and Government Ban

On March 10, 2026, CNCERT and China's Ministry of Industry and Information Technology (MIIT) issued a joint alert:

Over 40,000 OpenClaw instances are exposed on the public internet
An estimated 60%+ are vulnerable to immediate takeover
"Inherently weak default security configurations" and privileged OS access cited as primary risks
Prompt injection flagged as a core attack vector
"Misoperation" risk highlighted — the agent may misinterpret commands and delete production data or emails
Government agencies and major banks ordered to restrict use
State-run enterprises barred from running OpenClaw apps on office computers

China's reaction mirrors concerns previously raised about other viral AI tools with wide OS-level permissions and poor default hardening.

Vulnerability Summary

CVE / Issue	CVSS	Fixed Version	Status
CVE-2026-25253 (1-Click RCE)	8.8	v2026.1.29	Patched
ClawJacked (WebSocket hijack)	High	v2026.2.26	Patched
Malicious ClawHub skills	—	Version-independent	Ongoing — registry hygiene

Beyond these, a full audit disclosed 512 total vulnerabilities, with 8 classified as Critical.

Recommendations

If you are running OpenClaw in any capacity:

Update to v2026.2.26 or later immediately
Rotate all stored credentials — auth tokens, API keys, SSH keys — after updating
Run agents with minimal OS permissions — never grant "god mode" or unrestricted file/network access
Do not expose the Control UI or gateway port to the internet or untrusted networks
Audit installed skills against the ClawHavoc IOC list before running any skill
Treat the gateway host as sensitive infrastructure — apply appropriate network segmentation and logging
Disable email and messaging connectors in environments handling sensitive data until the registry situation stabilizes
Do not connect OpenClaw to accounts containing sensitive production data while supply chain risk remains unresolved

Sources

OpenClaw: The Viral AI Agent That Became a Security Crisis

CVE-2026-25253 — 1-Click RCE via Auth Token Exfiltration (CVSS 8.8)

Discovered by: Mav Levin, depthfirst research team Affected versions: All versions up to v2026.1.24-1 Fixed in: v2026.1.29 (January 30, 2026)

The Kill Chain

Victim visits an attacker-crafted URL
Auth token is exfiltrated via the auto-connecting WebSocket within milliseconds
Attacker uses the stolen token for cross-site WebSocket hijacking
exec.approvals.set is disabled — bypassing all sandbox and confirmation prompts
tools.exec.host is patched to gateway — escaping the Docker container
node.invoke executes arbitrary shell commands directly on the host OS

The result is full host-level RCE from a single browser visit. Safety guardrails are irrelevant because the exploit operates at the infrastructure layer, not the LLM layer.

Fix: A gateway URL confirmation modal was added, removing the auto-connect behavior.

ClawJacked — WebSocket Localhost Hijack

Discovered by: Oasis Security Fixed in: v2026.2.26

What an Attacker Gains

Once authenticated via the hijacked WebSocket:

Full messaging history (email, Telegram, Discord, etc.)
Files from connected/paired devices
All stored API keys and credentials
Arbitrary shell command execution on the host
No plugins, browser extensions, or user interaction required beyond visiting a malicious page

Prompt Injection: An Unfixable Attack Surface

Silently forward email contents to an attacker-controlled URL
Load and leak environment variables and API credentials one-by-one
Reroute agent communication to attacker-controlled infrastructure
Join attacker-controlled Telegram or Discord groups

ClawHub Supply Chain: 800+ Malicious Skills

The ClawHub community skills registry — OpenClaw's equivalent of a plugin store — has been actively weaponized. In the ClawHavoc campaign:

Initial scan: 341 malicious skills (~12% of the registry)
Updated scans: over 800 malicious skills (~20% of the registry)

Notable malicious skills include bob-p2p-beta and runware. Payloads include:

Payload	Behavior
Atomic macOS Stealer	Credential and cookie theft on macOS
Crypto-miners	Silent CPU/GPU mining on developer machines
Silent data exfiltration	Hardcoded `curl` commands POST data to attacker C2 — invisible to the user

China's CNCERT Warning and Government Ban

On March 10, 2026, CNCERT and China's Ministry of Industry and Information Technology (MIIT) issued a joint alert:

Over 40,000 OpenClaw instances are exposed on the public internet
An estimated 60%+ are vulnerable to immediate takeover
"Inherently weak default security configurations" and privileged OS access cited as primary risks
Prompt injection flagged as a core attack vector
"Misoperation" risk highlighted — the agent may misinterpret commands and delete production data or emails
Government agencies and major banks ordered to restrict use
State-run enterprises barred from running OpenClaw apps on office computers

China's reaction mirrors concerns previously raised about other viral AI tools with wide OS-level permissions and poor default hardening.

Vulnerability Summary

CVE / Issue	CVSS	Fixed Version	Status
CVE-2026-25253 (1-Click RCE)	8.8	v2026.1.29	Patched
ClawJacked (WebSocket hijack)	High	v2026.2.26	Patched
Malicious ClawHub skills	—	Version-independent	Ongoing — registry hygiene

Beyond these, a full audit disclosed 512 total vulnerabilities, with 8 classified as Critical.

Recommendations

If you are running OpenClaw in any capacity:

Update to v2026.2.26 or later immediately
Rotate all stored credentials — auth tokens, API keys, SSH keys — after updating
Run agents with minimal OS permissions — never grant "god mode" or unrestricted file/network access
Do not expose the Control UI or gateway port to the internet or untrusted networks
Audit installed skills against the ClawHavoc IOC list before running any skill
Treat the gateway host as sensitive infrastructure — apply appropriate network segmentation and logging
Disable email and messaging connectors in environments handling sensitive data until the registry situation stabilizes
Do not connect OpenClaw to accounts containing sensitive production data while supply chain risk remains unresolved

OpenClaw AI Agent Flaws Enable Prompt Injection, 1-Click

OpenClaw: The Viral AI Agent That Became a Security Crisis

CVE-2026-25253 — 1-Click RCE via Auth Token Exfiltration (CVSS 8.8)

The Kill Chain

ClawJacked — WebSocket Localhost Hijack

What an Attacker Gains

Prompt Injection: An Unfixable Attack Surface

ClawHub Supply Chain: 800+ Malicious Skills

China's CNCERT Warning and Government Ban

Vulnerability Summary

Recommendations

Sources

AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

Cline CLI Supply Chain Attack Installs Unauthorized

Paid AI Accounts Are Now a Hot Underground Commodity

OpenClaw AI Agent Flaws Enable Prompt Injection, 1-Click

OpenClaw: The Viral AI Agent That Became a Security Crisis

CVE-2026-25253 — 1-Click RCE via Auth Token Exfiltration (CVSS 8.8)

The Kill Chain

ClawJacked — WebSocket Localhost Hijack

What an Attacker Gains

Prompt Injection: An Unfixable Attack Surface

ClawHub Supply Chain: 800+ Malicious Skills

China's CNCERT Warning and Government Ban

Vulnerability Summary

Recommendations

Sources

AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

Cline CLI Supply Chain Attack Installs Unauthorized

Paid AI Accounts Are Now a Hot Underground Commodity

OpenClaw: The Viral AI Agent That Became a Security Crisis

CVE-2026-25253 — 1-Click RCE via Auth Token Exfiltration (CVSS 8.8)

The Kill Chain

ClawJacked — WebSocket Localhost Hijack

What an Attacker Gains

Prompt Injection: An Unfixable Attack Surface

ClawHub Supply Chain: 800+ Malicious Skills

China's CNCERT Warning and Government Ban

Vulnerability Summary

Recommendations

Sources

Related Reading

OpenClaw: The Viral AI Agent That Became a Security Crisis

CVE-2026-25253 — 1-Click RCE via Auth Token Exfiltration (CVSS 8.8)

The Kill Chain

ClawJacked — WebSocket Localhost Hijack

What an Attacker Gains

Prompt Injection: An Unfixable Attack Surface

ClawHub Supply Chain: 800+ Malicious Skills

China's CNCERT Warning and Government Ban

Vulnerability Summary

Recommendations

Sources

Related Reading