OpenClaw is rarely out of the news, but not necessarily under that name. This ‘autonomous personal assistant’ started life as Clawdbot, changed its name to Moltbot, and is now OpenClaw. All references to any of these names refer to the same product.
On February 14, 2026, Peter Steinberger – the developer of OpenClaw – announced he is joining OpenAI. OpenClaw is transitioning into the OpenClaw Foundation with OpenAI providing financial and technical support. The most continuous and consistent news, however, remains OpenClaw’s security failings.
OpenClaw combines a popular and valuable service to its users with an almost magnetic attraction for attackers. In a January blog, Cisco Talos describes OpenClaw as “groundbreaking”: a dream for busy professionals, but “an absolute nightmare” from a security perspective.
Security
OpenClaw cannot be criticized over recent attempts to improve its security. Firstly, CVE-2026-25157 was fixed on January 25 in version 2026.1.25. Next, a one-click RCE vulnerability (CVE-2026-25253) was disclosed by Depthfirst on February 1, but had been patched by OpenClaw on January 29 with version 2026.1.29. Depthfirst and Snyk quickly discovered it was an incomplete fix, and the Docker sandbox could still be bypassed (CVE-2026-24763). This, too, was quickly fixed in version 2026.1.30.
Version 2026.1.30 also fixed two other outstanding CVEs: CVE-2026-25593 and CVE-2026-25475. The speed of these fixes may indicate a desire or need to get all its security ducks in a row before joining OpenAI as the OpenClaw Foundation. As of writing, the latest version is 2026.2.17, and there are no known unfixed CVEs for OpenClaw.
But that doesn’t mean that continuing to use OpenClaw is automatically safe. Firstly, a huge number of older versions are still in use. Anything older than version 2026.1.30 is still vulnerable to at least some of these CVEs, and attackers are still exploiting them.
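An added example (not from the article or the OpenClaw project) that checks a deployment inventory against the fix versions quoted above. The host names and inventory are constructed, and the check covers only the five CVEs named here, not misconfiguration. Versions are compared as integer tuples because a plain string comparison would rank "2026.1.9" above "2026.1.30".

```python
# Fix versions as stated in the article; everything else here is constructed.
FIXED_IN = {
    "CVE-2026-25157": (2026, 1, 25),
    "CVE-2026-25253": (2026, 1, 29),
    "CVE-2026-24763": (2026, 1, 30),
    "CVE-2026-25593": (2026, 1, 30),
    "CVE-2026-25475": (2026, 1, 30),
}

def parse_version(text):
    """Parse 'YYYY.M.N' (optional leading 'v') into an int tuple, or None."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def unfixed_cves(version_text):
    """Sorted CVE ids whose fix is newer than this version; None if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return None
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)

def audit(inventory):
    """Map each host to 'ok', an upgrade list, or a manual-review flag."""
    report = {}
    for host, version_text in inventory.items():
        cves = unfixed_cves(version_text)
        if cves is None:
            # Fail closed: an unreadable version is not evidence of a patched host.
            report[host] = "unknown version, inspect manually"
        elif cves:
            report[host] = "upgrade: " + ", ".join(cves)
        else:
            report[host] = "ok"
    return report

# Constructed sample inventory (hypothetical hosts).
INVENTORY = {
    "laptop-01": "2026.1.9",
    "build-box": "v2026.1.29",
    "home-nas": "2026.2.17",
    "old-vm": "latest",
}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```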
Secondly, OpenClaw remains subject to the many common AI agent misconfiguration vulnerabilities – and again, this is almost certainly a high number. These issues are known, but not well handled. Many examples, with advice, are discussed in a January LinkedIn article by Jamieson O’Reilly (hacker/pentester and founder at Dvuln), Hacking Clawdbot and Eating Lobster Souls. He starts by equating OpenClaw to a personal butler and ends with “The butler is brilliant. Just make sure he remembers to lock the door.”
The question is, how many users know what those doors are and where they exist, and how many are tech savvy enough to close them? Probably not enough.
Solutions
OpenClaw is too useful to ignore – even Sam Altman seems to have faith in it. But many of its users are not using it securely. So, what are the solutions for the ongoing insecure use of a wildly popular and useful virtual assistant? The obvious answers (‘ensure you use the latest version and manually configure the software fully and accurately’) simply are not working.
An AI agent supply chain attack, dubbed ClawHavoc, was discovered by Koi Security in late January this year. Attackers uploaded multiple professional-looking skill baits into ClawHub, the official marketplace for new ‘skills’ (plugins) that give OpenClaw new abilities. The baits’ documentation said users would need to install a helper agent to proceed. But the helper agent installed the Atomic Stealer infostealer, which included OpenClaw API keys in its data theft. These give the attacker full remote control over OpenClaw and all the services it connects to.
In fact, if any infostealer is installed, it could (and still can) steal these API keys from any OpenClaw deployment pre-dating Feb 1 of this year.
On January 3, 2026, Censys blogged, “Of course, not everyone follows the cautious path, and some have opted for a more ‘open’ interpretation of OpenClaw, placing instances directly on the public Internet. As of 31 January 2026, Censys has identified 21,639 exposed instances.”
Note that nothing included in this discussion predates 2026. It is all very recent and largely active.
Alex Polyakov, founder and CTO at continuous AI red teaming firm Adversa AI, has given up on hoping that repeated advisories and warnings might solve the OpenClaw security problems. He has taken a different route, developing a free and open source software tool (SecureClaw) that can be installed to audit the current state of individual deployments and is available on GitHub.
“Until now,” he explains, “the approach has been ‘here’s what’s wrong’, but with no actionable end-to-end defensive tooling. SecureClaw is the first open-source security solution purpose-built for OpenClaw.”
The tool runs 55 automated audit and hardening checks covering all documented threat classes, and maps protections to the 10 categories of the OWASP Agentic Security Initiative top 10, to MITRE ATLAS, and to CoSAI Agentic AI Security. It operates as both a code-level plugin and a behavioral skill, teaching the agent to recognize attacks, and covers specific known incidents, such as CVE-2026-25253, ClawHavoc IoCs, Moltbook-style exposure, and credential harvesting patterns.
Polyakov is honest about it. “We don’t claim to ‘solve’ prompt injection – that’s an unsolved problem across the entire AI industry. But we do make it significantly harder through multi-layer defense.”
Whatever route is chosen to secure this personal assistant – and with apologies to Lionel Shriver – one thing is very clear: We need to talk about OpenClaw, because it is committing mass carnage on the internet and too few users are really listening.
