The OpenClaw Threat Landscape in 2026: CVEs, Campaigns, and What's Next

OpenClaw launched in late January 2026. Within weeks, we had three CVEs, a coordinated supply-chain attack campaign, nation-state interest, and a growing stack of enterprise advisories telling organizations to proceed with extreme caution. This is the most complete picture of the OpenClaw threat landscape to date -- every vulnerability, every campaign, every advisory, and what defenders should be doing right now.

I'm Peter Kwidzinski -- Platform Security Architect with 20+ years in the industry. I've been tracking OpenClaw security since before the public launch, and I maintain the largest independent database of OpenClaw indicators of compromise. This post is the reference I wish I'd had when the first incidents started dropping.

This post will be updated as new threats emerge. Last updated: March 1, 2026.

The CVEs

Three CVEs have been assigned to OpenClaw vulnerabilities as of this writing. All three are serious. All three have been exploited in the wild.

CVE-2026-25253: Skill Sandbox Escape

Severity: Critical (CVSS 9.1)
Affected versions: OpenClaw 0.1.0 through 0.3.2
Fixed in: OpenClaw 0.3.3
Disclosed: February 8, 2026

The first major OpenClaw vulnerability. A crafted skill could escape the permission sandbox by exploiting a path traversal bug in the skill loader. When OpenClaw resolved skill file references, it didn't properly canonicalize paths containing ../ sequences. A malicious skill could declare a resource at ./data/../../../.ssh/id_rsa and the sandbox would allow the read because it evaluated the path as "within the skill directory" before resolving the traversal.

Impact: Any skill with read access to its own directory could read arbitrary files on the host system, including SSH keys, AWS credentials, environment variables, and other sensitive data. Combined with network access, this was a complete exfiltration vector.

Exploitation: The ClawHavoc campaign used this vulnerability in at least 47 of its malicious skills. We observed exfiltration of ~/.ssh/, ~/.aws/credentials, ~/.openclaw/identity.json, and browser credential stores.

Mitigation: Update to OpenClaw 0.3.3 or later. If you can't update immediately, audit all installed skills for path traversal patterns:

# Check for path traversal in skill manifests
grep -r '\.\.\/' ~/.openclaw/skills/
find ~/.openclaw/skills/ -name "SKILL.md" -exec grep -l '\.\.\/' {} \;

CVE-2026-25891: MCP Server Authentication Bypass

Severity: High (CVSS 8.4)
Affected versions: OpenClaw 0.2.0 through 0.4.1
Fixed in: OpenClaw 0.4.2
Disclosed: February 19, 2026

MCP (Model Context Protocol) servers registered by skills were supposed to require authentication tokens for inter-process communication. However, the authentication check could be bypassed by sending requests with an empty Authorization header instead of omitting the header entirely. The server checked for the header's presence but not its content.

Impact: Any process on the local machine could communicate with any MCP server registered by OpenClaw, without authentication. This meant a compromised skill could talk to MCP servers belonging to other skills, accessing their tools and data.

Exploitation: Used in the MCP proxy campaign (see below) to route legitimate MCP requests through attacker-controlled servers that logged all tool invocations and their parameters -- including API keys, file contents, and user queries passed to external tools.

Mitigation: Update to OpenClaw 0.4.2 or later. Audit your MCP server configurations and review the MCP security guide for hardening steps. Check for unexpected MCP servers:

# List all registered MCP servers
cat ~/.openclaw/config.json | grep -A 5 '"mcpServers"'

# Check for MCP servers you didn't configure
# Compare against your expected list

CVE-2026-26102: Identity File Injection

Severity: High (CVSS 7.8)
Affected versions: OpenClaw 0.1.0 through 0.4.0
Fixed in: OpenClaw 0.4.1
Disclosed: February 14, 2026

The OpenClaw identity file (~/.openclaw/identity.json) stores agent personas, permission grants, and API routing configuration. Skills could modify this file through the configuration API without triggering any user notification or permission check. The API treated identity file writes as "configuration updates" rather than "permission changes."

Impact: A malicious skill could silently escalate its own permissions, add new API endpoints that route through attacker-controlled proxies, or modify agent personas to change how the system behaves. Because the identity file is loaded at startup, changes persisted across sessions.

Exploitation: We documented 12 ClawHavoc variants that used this vulnerability to add a hidden API proxy endpoint to the identity file. All LLM API calls were duplicated to the attacker's server, giving them a complete copy of every conversation, code generation request, and tool invocation.

Mitigation: Update to OpenClaw 0.4.1 or later. Baseline your identity file and monitor for changes:

# Create baseline hash
sha256sum ~/.openclaw/identity.json > ~/.openclaw/.identity-baseline

# Check for unauthorized changes
sha256sum -c ~/.openclaw/.identity-baseline

# If the hash doesn't match and you didn't change it:
# 1. Back up the current file
# 2. Diff against a known-good version
# 3. Check for added API endpoints or modified permissions

The campaigns

Two major attack campaigns have targeted OpenClaw users. Both are ongoing.

ClawHavoc: The supply-chain campaign

First observed: February 3, 2026
Status: Ongoing, new variants appearing weekly
Scale: 1,184+ malicious packages on ClawHub as of March 1, 2026
Attribution: Multiple threat actors; at least three distinct clusters

ClawHavoc is the name given to a coordinated campaign of malicious skill packages published to ClawHub, OpenClaw's official package registry. The campaign uses several techniques:

• Typosquatting: Publishing skills with names similar to popular legitimate skills. openclw-gmail instead of openclaw-gmail. claw-slack-bot instead of openclaw-slack. Over 400 typosquat variants documented.
• Dependency confusion: Publishing skills that claim to be prerequisites for popular skills. When users search for "how to install X," these malicious dependencies appear in forum answers and tutorials.
• Legitimate-looking functionality with hidden payloads: Many ClawHavoc skills actually work as advertised. The Gmail integration skill sends and reads emails. But it also copies every email body to an exfiltration endpoint. The skill passes a casual code review because the malicious code is in the install script or in an MCP server configuration, not in the main skill code.
• Publisher account takeover: At least 23 previously legitimate publisher accounts were compromised and used to push malicious updates to existing skills. Users who had auto-update enabled received the malicious version without any action on their part.

Payloads observed:

• Credential theft (SSH keys, AWS credentials, API keys, browser password stores)
• AMOS stealer delivery (macOS-specific infostealer delivered via curl | sh in skill prerequisites)
• ClickFix social engineering (skills that display fake error messages directing users to run malicious "fix" commands)
• Cryptominer installation (skills that install XMRig in the background)
• API key exfiltration via MCP proxy (see below)
• Identity file modification for persistent access

For a deeper analysis of ClawHavoc techniques, see our ClawHavoc deep dive.

The MCP proxy campaign

First observed: February 15, 2026
Status: Ongoing
Scale: Unknown; estimated hundreds of victims
Attribution: Overlaps with ClawHavoc cluster 2

A more sophisticated campaign that specifically targets the Model Context Protocol layer. Rather than stealing credentials directly, this campaign intercepts the communication between OpenClaw and its MCP servers.

The attack works in three stages:

1. Initial access: A malicious skill installs a legitimate-looking MCP server. The skill itself does something useful -- it's not obviously malicious.
2. MCP registration: The MCP server registers itself as a proxy for one or more existing MCP servers. It uses the CVE-2026-25891 authentication bypass to intercept requests meant for the legitimate servers.
3. Silent logging: Every tool invocation, every parameter, every response is logged and exfiltrated. This includes API keys passed as parameters, file contents sent to external tools, user queries, and generated code.

What makes this campaign particularly dangerous is that everything continues to work normally. The proxy forwards requests to the real MCP server and returns the real responses. Users see no errors, no slowdowns, no indication that anything is wrong. The only sign is network traffic to an unexpected domain -- and most users aren't monitoring that.

For hardening your MCP configuration, see our MCP security guide.

The advisories

Major security vendors and organizations have published advisories about OpenClaw security risks. Here's a summary of each, in chronological order.

Microsoft (February 6, 2026)

Microsoft's security team published "Securing AI Agent Deployments" as part of their Secure Future Initiative. The advisory specifically called out OpenClaw's default permission model as "overly permissive for enterprise environments" and recommended that organizations:

• Deploy OpenClaw only in sandboxed environments with no access to production systems
• Implement network segmentation to prevent agent-to-internet communication
• Require approval workflows for skill installation
• Monitor all MCP server communications

CrowdStrike (February 10, 2026)

CrowdStrike's annual threat report included a new section on "AI Tool Compromise" that covered OpenClaw specifically. Key findings:

• CrowdStrike observed a 300% increase in attacks targeting AI development tools in Q1 2026
• OpenClaw was the most-targeted platform due to its rapid adoption and default-permissive security model
• They documented credential theft, supply-chain attacks, and lateral movement through compromised OpenClaw deployments
• Recommended treating OpenClaw installations as "high-value targets" with the same security controls as CI/CD pipelines

Palo Alto Networks / Unit 42 (February 12, 2026)

Unit 42 published a detailed advisory introducing the "lethal trifecta" framework for assessing AI agent risk. An agent is considered dangerous when it has all three:

1. Read access to private data (files, API keys, credentials)
2. Network access to send data out
3. Ability to act (send emails, execute code, modify files)

They recommended breaking at least one leg of the trifecta for every agent deployment. Their advisory included specific OpenClaw configuration examples for restricting each leg.

Cisco Talos (February 14, 2026)

Cisco's Talos intelligence team published a technical analysis of ClawHavoc campaign infrastructure. Key contributions:

• Mapped the C2 infrastructure to three distinct clusters operating from different geographic regions
• Identified shared code patterns across malicious skills, suggesting a skill-building toolkit used by multiple threat actors
• Published YARA rules for detecting ClawHavoc payloads
• Released a free ClawHub Skill Scanner tool for checking installed skills (covered in our tools comparison)

Meta (February 18, 2026)

Meta's security team published research on social engineering attacks that use AI agents as the attack vector. Their findings relevant to OpenClaw:

• Documented "ClickFix" campaigns where malicious skills display fake error messages instructing users to run commands that install malware
• Identified skills that modify agent personas to make the AI recommend installing additional malicious skills
• Warned about "agent-to-agent" attacks where a compromised skill in one user's deployment could spread to collaborators through shared workflows

Dutch DPA (February 20, 2026)

The Dutch Data Protection Authority issued a regulatory warning about AI agent deployments under GDPR. While not specific to OpenClaw, the implications are direct:

• AI agents that process personal data must comply with GDPR data minimization principles
• Organizations are responsible for data processed by third-party skills, even if the skill is open-source
• The default OpenClaw permission model was cited as an example of "insufficient technical measures" under Article 32
• Fines could apply if a compromised skill results in a personal data breach

Malwarebytes (February 22, 2026)

Malwarebytes published a consumer-focused advisory warning individual users about OpenClaw security risks. Key points:

• Documented the AMOS stealer delivery chain through ClawHub skills targeting macOS users
• Found that several popular "productivity" skills on ClawHub were trojanized versions of legitimate tools
• Recommended that individual users avoid installing skills from unverified publishers
• Published detection signatures for known ClawHavoc payloads in their consumer product

Adversa AI (February 25, 2026)

Adversa AI, a specialist in AI security research, published the most technical analysis to date. Their findings:

• Demonstrated prompt injection attacks that can bypass OpenClaw's safety filters through skill-mediated contexts
• Showed that skills can manipulate the agent's context window to suppress security warnings
• Identified a technique for skills to "hide" malicious tool calls within legitimate-looking conversation flows
• Recommended implementing output monitoring in addition to input filtering

What defenders should be doing

If you're running OpenClaw in any capacity -- personal, agency, or enterprise -- here's the priority stack, based on everything above.

Immediate (do today)

1. Update OpenClaw to the latest version. At minimum, you need 0.4.2 to have all three CVEs patched. Check your version with openclaw --version.
2. Run openclaw security audit. Fix everything it flags. This gets you the baseline.
3. Scan installed skills against the IOC database. Use the free BulwarkAI scanner or check your skills manually against published ClawHavoc indicators.
4. Hash your identity file. Create a baseline hash and check it regularly. If it changes without your action, investigate immediately.
5. Review MCP server configurations. Remove any MCP servers you didn't explicitly configure. Verify the remaining ones connect to legitimate endpoints.

This week

1. Implement the hardening checklist. All 10 points. This closes the most common attack vectors.
2. Lock down file permissions. Every skill should have explicit read/write rules. No skill gets default access to the whole filesystem.
3. Enable network logging. You need visibility into what domains your OpenClaw process contacts. Review the logs for unexpected destinations.
4. Check for persistence mechanisms. Review crontab entries, shell profile modifications, and symlinks in skill directories.

This month

1. Implement the lethal trifecta framework. For every agent and skill, ensure it doesn't have all three: data read access, network access, and action capability. Break at least one leg.
2. Set up monitoring and alerting. Detect changes to identity files, config files, and skill directories. Alert on network connections to unexpected domains.
3. Establish a skill vetting process. Before installing any skill, verify the publisher, check for known malicious patterns, and review the SKILL.md for download-and-execute chains.
4. If you're deploying Docker-based OpenClaw, harden the container. Don't run as root. Mount only necessary volumes. Restrict network access.

What's coming next

Based on the trends I'm tracking, here's what I expect to see in the OpenClaw threat landscape over the next 3-6 months:

More CVEs. OpenClaw is a young platform with a large attack surface. The three CVEs we have today are the low-hanging fruit. As more security researchers turn their attention to OpenClaw, expect a steady stream of vulnerability disclosures. The good news: the OpenClaw team has been responsive to reports and quick to patch. The bad news: many users don't update promptly.

Targeted enterprise attacks. ClawHavoc is a spray-and-pray campaign targeting individual users. The next wave will be targeted attacks against specific organizations, using tailored skills designed to blend into the target's workflow. This is the APT version of what ClawHavoc does at scale.

Regulatory action. The Dutch DPA advisory is the first shot. Expect more data protection authorities to issue guidance on AI agent security requirements. Organizations that can't demonstrate reasonable security measures for their OpenClaw deployments will face regulatory risk.

Agent-to-agent propagation. Meta's research hinted at this. As more organizations connect OpenClaw agents to each other through shared workflows and APIs, compromised agents will be able to spread laterally. One compromised skill in one organization could potentially reach collaborating organizations through legitimate workflow channels.

MCP as the primary attack surface. The MCP protocol is powerful, flexible, and currently under-secured. As more capabilities flow through MCP servers, they become higher-value targets. Expect more sophisticated MCP-layer attacks that are harder to detect than the current proxy campaign.

Better tooling. On the defensive side, expect more and better security tools. The current crop of tools is a good start, but there's significant room for improvement. Purpose-built OpenClaw security platforms are coming -- some from established security vendors, some from startups.