SECURITY STATUS — JUNE 2026
● Active CVEs: CVE-2026-25253 (CVSS 8.8), CVE-2026-32922 (CVSS 9.9), CVE-2026-32846 (CVSS 8.7), CVE-2026-32056 (CVSS 8.8)
● ClawHub malicious skills: 1,184 confirmed malicious out of ~10,700 total (11%+)
● Exposed instances: 30,000-42,000 publicly accessible instances, 93% without authentication
● Update to: Version 2026.3.28 or later immediately if running OpenClaw
● Safe current version: 2026.3.28+ patches CVE-2026-33579 (Privilege Escalation)
What Is OpenClaw and Why Does It Matter
OpenClaw (formerly Clawdbot, then Moltbot) is an open-source, self-hosted autonomous AI agent that runs locally on a user's system. It integrates with messaging apps (WhatsApp, Telegram, Discord, iMessage), calendars, developer tools, and email. It can autonomously execute shell commands, read and write files, browse the web, control browsers, manage calendars, run scheduled automations, and execute arbitrary code on the host system. Users extend its capabilities through "skills" — installable plugins available on the ClawHub marketplace.
OpenClaw became the most-starred project on GitHub in January 2026, surpassing React in stars within 24 hours of release and triggering a Mac mini shortage in several US stores. That unprecedented adoption speed — combined with OpenClaw's extraordinarily broad system access — created the conditions for the largest AI agent security crisis of 2026. A January 2026 security audit identified 512 vulnerabilities in the product, 8 classified as critical.
What Check Point Found — June 22 Threat Intelligence Report
Check Point Research's June 22, 2026 Threat Intelligence Report specifically identified OpenClaw AI agent flaws where hidden contacts and phishing emails could trigger prompt injections, code execution, and data leaks. The attack chain works as follows: an attacker sends a crafted email or a message via a connected contact to an OpenClaw user's inbox. The email contains an indirect prompt injection — instructions embedded in the content that the AI agent reads and follows as if they were from the user. The agent then executes the attacker's instructions with full system permissions, including exfiltrating credentials, sending emails on the user's behalf, or executing arbitrary code.
This is not a theoretical attack. Researcher Jamieson O'Reilly documented gaining access to Anthropic API keys, Telegram bot tokens, Slack accounts, and months of complete chat histories through OpenClaw's exposed administrative interfaces. He was able to send messages on behalf of the user and execute commands with full system administrator privileges. Another documented attack: an email with a prompt injection payload sent to a connected inbox caused the bot to "leak" the victim's emails to the attacker's server — silently, with no user awareness.
The Full CVE List — Every Confirmed Vulnerability
| CVE |
CVSS |
Type |
Impact |
| CVE-2026-32922 |
9.9 |
Scope Validation Bypass |
Token rotation exploit granting full administrative privileges |
| CVE-2026-25253 |
8.8 |
WebSocket Hijacking (ClawBleed) |
Zero-click Remote Code Execution via browser pivot / authentication token theft |
| CVE-2026-32056 |
8.8 |
OS Command Injection |
Bypass of command allowlist via HOME/ZDOTDIR environment variables |
| CVE-2026-32846 |
8.7 |
Path Traversal |
Arbitrary file read bypassing sandbox validation |
| CVE-2026-33579 |
TBD |
Privilege Escalation |
Patched in v2026.3.28 — update immediately if not on this version |
The ClawHub Supply Chain Attack — 1,184 Malicious Skills
The most alarming finding beyond the direct CVEs: the ClawHub skill marketplace — where OpenClaw users download plugins to extend the agent's capabilities — was systematically infiltrated. Antiy CERT confirmed 1,184 malicious skills across ClawHub out of approximately 10,700 total — roughly 11% of the entire marketplace. These malicious skills perform two types of attacks:
Active data exfiltration: Malicious skills install a curl command that silently sends data to an external server controlled by the skill author. The network call happens without user awareness or notification. Cisco's research demonstrated this with the "What Would Elon Do?" skill, which explicitly instructs the agent to exfiltrate data to an external server.
Direct prompt injection via skill installation: Malicious skills conduct a direct prompt injection to force the assistant to bypass its internal safety guidelines and execute commands without asking. Once installed, the skill permanently alters how the agent responds to future instructions.
A separate supply chain attack called ClawHavoc distributed malicious GitHub repositories posing as OpenClaw installers, primarily delivering Atomic macOS Stealer and Vidar Stealer via ClickFix-style instructions. One malicious repository became the top-rated suggestion in Bing's AI search results for "OpenClaw Windows" — meaning users actively searching for OpenClaw on Bing were directed to a malware installer.
Who Is at Risk and What to Do Right Now
If you are running OpenClaw:
- Update immediately to version 2026.3.28 or later
- If your gateway port (18789) is accessible from the internet — you are vulnerable to CVE-2026-25253 right now
- Place your instance behind a VPN or private network — never expose OpenClaw directly to the internet
- Review all installed ClawHub skills and remove any not sourced from verified publishers
- Rotate all API keys and tokens accessible to your OpenClaw instance immediately
- Run in a container with no workspace access by default and strict tool allowlists
If you are an enterprise evaluating AI agents:
OpenClaw's security issues are not unique to OpenClaw — they reflect structural risks in any AI agent with broad system access and a skill/plugin marketplace. The ClawHub attack is a supply chain attack that could apply to any agent ecosystem with community-contributed plugins. Before deploying any AI agent with elevated system permissions, apply principle-of-least-privilege, container isolation, and skill allowlisting. OpenClaw's own documentation admits: "There is no perfectly secure setup."
Frequently Asked Questions
Is OpenClaw safe to use in 2026?
Not in its default configuration. OpenClaw can be made safer through container isolation, private network deployment, strict skill allowlisting, and version 2026.3.28+. But OpenClaw's own documentation states there is no "perfectly secure" setup. For enterprise use, the security overhead required to run OpenClaw safely exceeds what most teams can implement — managed alternatives or more restricted agent frameworks are advisable. For personal use on a dedicated machine behind a VPN with no sensitive credentials accessible, it is less risky but still not risk-free.
What is prompt injection and why can't it be fully prevented?
Prompt injection is an attack where malicious content embedded in data the agent processes — emails, documents, web pages, images — causes the AI to follow attacker instructions instead of user instructions. It cannot be fully prevented because LLMs process instructions and data in the same context window — there is no architectural separation between "trusted instructions" and "untrusted content." The best mitigation is limiting the agent's permissions so that even a successful injection cannot cause significant damage — principle-of-least-privilege applied to AI agents.
Are skills on ClawHub safe to install?
Not by default. Security audits found 11%+ of ClawHub skills were malicious as of early 2026. Always review the source code of a skill before installing it. Only install skills from publishers with verified GitHub histories. Disable automatic skill updates — a skill that is safe today could be compromised in a future update if the publisher account is compromised. Apply a strict allowlist: only install skills you specifically need and have reviewed.
Sources: Check Point Research June 22 Threat Intelligence Report · Hive Security OpenClaw analysis · The Hacker News · Related: Five Eyes AI cyber warning June 2026 · June 23 AI news