TL;DR
- Critical Vulnerability: OpenClaw issued three high-impact security advisories, including CVE-2026-25253, which enables one-click remote code execution.
- Malicious Ecosystem: Koi Security identified 341 malicious skills on ClawHub that install Atomic Stealer malware on macOS systems.
- API Cost Crisis: Users reported burning through $20 in API tokens overnight, with projected monthly costs reaching $750 for simple operations.
- Public Exposure: Censys tracked over 21,000 OpenClaw instances exposed on the public Internet as of January 31, 2026.
OpenClaw, a new and extremely viral autonomous AI assistant, has exposed users to steep API costs and high-severity security vulnerabilities.
Ex-xAI developer Benjamin De Kraker reported burning through $20 in API tokens overnight while the assistant simply checked the time every 30 minutes. De Kraker’s heartbeat cron job sent approximately 120,000 tokens of context to Anthropic’s Claude Opus 4.5 model with each check, costing roughly $0.75 per execution. Across 25 checks, the bill totaled nearly $20. He calculated that running reminders over a month could cost around $750.
Infrastructure risks have drawn sharp criticism. “OpenClaw is a security dumpster fire,” Laurie Voss, Head of Developer Relations at Arize and Founding CTO of npm, wrote on LinkedIn.
What Is OpenClaw?
OpenClaw launched in November 2025 as an autonomous AI assistant based on the Pi coding agent. Previously known as Clawdbot, then Moltbot, the project attracted attention from developers Simon Willison and Andrej Karpathy with large social media followings among AI enthusiasts.
OpenClaw’s GitHub repository crossed 149,000 stars as of February 2. This viral adoption, however, came at a steep cost. Combined with minimal security vetting, the platform creates an attack surface that scales faster than security controls can adapt.
For malicious actors, this presents an opportunity to compromise thousands of instances before patches propagate.
Critical Vulnerabilities Discovered
OpenClaw issued three high-impact security advisories in the past three days: one-click remote code execution and two command injection vulnerabilities. CVE-2026-25253, a high-severity flaw with a CVSS score of 8.8, is a token exfiltration vulnerability that leads to full gateway compromise.
Mav Levin of depthfirst security firm discovered the vulnerability, which exploits cross-site WebSocket hijacking because OpenClaw’s server doesn’t validate the WebSocket origin header.
Peter Steinberger, OpenClaw creator and maintainer, explained the technical mechanism in a security advisory.
“The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload. Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim’s local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE.”
Peter Steinberger, OpenClaw creator and maintainer
The vulnerability is exploitable even on instances configured to listen on loopback only, since the victim’s browser initiates the outbound connection. OpenClaw addressed the vulnerability in version 2026.1.29 released on January 30.
This WebSocket origin validation failure represents a fundamental architectural oversight that allows a single malicious link to compromise local development environments.
Malicious Skills Target Users
Beyond the platform’s own vulnerabilities, attackers have weaponized its extension ecosystem. Koi Security identified 341 malicious skills (OpenClaw extensions) submitted to ClawHub in a security audit of 2,857 skills.
335 malicious skills use fake pre-requisites to install Atomic Stealer (AMOS) malware on macOS. Atomic Stealer is a commodity stealer available for $500-1000/month that can harvest data from macOS hosts. Security researchers codenamed the malicious campaign ClawHavoc.
Oren Yomtov, a Koi Security researcher, described the social engineering tactics attackers use.
“You install what looks like a legitimate skill – maybe solana-wallet-tracker or youtube-summarize-pro. The skill’s documentation looks professional. But there’s a ‘Prerequisites’ section that says you need to install something first.”
Oren Yomtov, Koi Security researcher
ClawHub only requires publishers to have a GitHub account one week old or older. This 11.9% malicious skill rate shows the week-old account requirement provides virtually no barrier, positioning ClawHub as an ideal distribution vector for commodity malware targeting developers.
Widespread Public Exposure
As these security issues mounted, the platform’s footprint expanded dramatically. Censys tracked OpenClaw’s growth from roughly 1,000 instances to over 21,000 in under a week during late January.
As of January 31, Censys identified 21,639 exposed OpenClaw instances on the public Internet. Over 30% of identified instances appear to be running on Alibaba Cloud infrastructure. Meanwhile, the United States hosts the largest share of visible OpenClaw deployments, followed by China and Singapore.
This 21-fold growth demonstrates how developer tools with minimal deployment friction create expansive attack surfaces before security practices catch up.
The concentration on Alibaba Cloud suggests coordinated experimentation or potential bot farm operations. The geographic distribution spanning US, China, and Singapore creates jurisdictional challenges for coordinated incident response.
Mitigation Efforts
In response to mounting criticism, Peter Steinberger rolled out a reporting feature allowing signed-in users to flag skills, with skills having more than 3 unique reports auto-hidden by default. Security researcher Jamieson O’Reilly detailed how it would be trivial to backdoor a skill posted to ClawHub.
Cyberstorm.MU contributed to OpenClaw’s code with a commit that will make TLS 1.3 the default cryptographic protocol for the gateway.
These reactive measures address immediate threats but leave unresolved the dual challenge of securing a rapidly adopted platform while preventing runaway API costs.
The pattern echoes broader security challenges facing AI-powered tools, a combination that may ultimately limit OpenClaw’s viability for production use.
