OpenClaw: Agentic AI in the wild — Architecture, adoption and emerging security risks

OpenClaw rapidly scaled from a local open-source personal AI assistant into a widely deployed agentic platform whose Gateway, stateful memory, and executable “skills” created new high‑privilege attack surfaces when exposed or abused. Multiple teams observed internet‑exposed Gateways, reverse‑proxy auth bypasses, malicious VS Code extensions and trojanized skills that harvested tokens, deployed remote‑access implants and exfiltrated data. #OpenClaw #Clawdbot

Key points

  • OpenClaw is a local-first, stateful agent platform with a Gateway (WebSocket API on TCP/18789), persistent memory, and extensible executable “skills” that can access filesystem, network and credentials.
  • Researchers and defenders (Pillar Security, Censys, Aikido, Malwarebytes, Tom’s Hardware, Acronis, Cisco) observed rapid, real‑world exploitation paths including unauthenticated Gateway access, reverse‑proxy trust bypasses and protocol downgrade attempts.
  • Pillar Security’s honeypot showed attackers connected directly to the Gateway API (TCP/18789) to execute commands, read files (e.g., /etc/os-release, session logs) and harvest tokens, bypassing any need for prompt injection.
  • Aikido documented a malicious VS Code extension named “ClawdBot Agent” that auto‑activated on startup and installed a preconfigured ConnectWise ScreenConnect implant, with fallback payload delivery (DLL sideloading, Dropbox) for resilience.
  • ClawHub hosted malicious skills that ran real code; social engineering encouraged users to run obfuscated one‑liners that fetched and executed remote scripts to harvest browser/cryptowallet data on Windows and macOS.
  • Recommended mitigations include keeping the Gateway local or behind secure tunnels, treating skills like signed packages, using least‑privilege tokens/accounts, logging agent actions, and scanning/allowlisting skills in enterprise environments.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attackers targeted the Gateway API exposed on TCP/18789 as a remotely exploitable control plane rather than via prompt injection (‘many attackers skipped prompt injection entirely and went straight to the gateway’s WebSocket API on TCP/18789, treating it like a remotely exploitable control plane’).
  • [T1574] Hijack Execution Flow – DLL sideloading was used as a fallback to deliver payloads and maintain execution (‘A Rust-based DLL (DWrite.dll) used DLL sideloading and could fetch payloads from Dropbox if primary infrastructure failed’).
  • [T1204] User Execution – Social engineering prompted users to run obfuscated terminal one‑liners that fetched and executed remote scripts during skill setup (‘Prompts to run obfuscated terminal one-liners that fetched and executed remote scripts’).
  • [T1195] Supply Chain Compromise – Attackers abused the open ecosystem (malicious marketplace extensions, cloned repos, malicious skills) to deliver implants and backdoors without needing to compromise OpenClaw itself (‘Attackers didn’t need to compromise OpenClaw itself; they hijacked the attention wave and delivered malware through an adjacent distribution channel’).
  • [T1105] Ingress Tool Transfer – Malicious components and configs were pulled from attacker infrastructure and cloud file hosts (Dropbox) to install remote access tools (‘could fetch payloads from Dropbox… It pulls a config from attacker infrastructure’).
  • [T1547] Boot or Logon Autostart Execution – The VS Code extension registered startup activation to run automatically on launch (‘the extension registers an automatic startup trigger (activationEvents: [“onStartupFinished”]) so it runs every time VS Code starts’).
  • [T1552] Unsecured Credentials – Attackers harvested LLM API keys, chat tokens, gateway credentials and conversation history from misconfigured or exposed deployments (‘Credential and token harvesting (LLM API keys, chat tokens, gateway creds), plus conversation history’).
  • [T1059] Command and Scripting Interpreter – Attackers invoked command execution and file‑access handlers via JSON‑RPC / MCP-style “tool exec/read” payloads, e.g., whoami or reading /etc/os-release (‘Command + file-access probes using JSON-RPC “tool exec/read” patterns (examples Pillar captured include whoami, reading /etc/os-release)’).
  • [T1005] Data from Local System – Attackers attempted to read local session logs and other files (e.g., ~/.clawdbot/…/sessions/*.jsonl) to exfiltrate sensitive data and conversation history (‘attempts to list/read session logs under ~/.clawdbot/…/sessions/*.jsonl’).
  • [T1041] Exfiltration Over C2 Channel – The dropped remote access tool (ConnectWise ScreenConnect) was configured to “phone home” to an attacker relay host for command and control and data exfiltration (‘the dropped Code.exe was identified as ConnectWise ScreenConnect… configured to connect to the attacker’s relay server, so victims “phone home” immediately’).

Indicators of Compromise

  • [Port] exposed OpenClaw Gateway – TCP/18789 (WebSocket API used by the Gateway), targeted by automated probes and attacks.
  • [Domain] attacker relay host used by the implanted ScreenConnect – meeting.bulletmailer[.]net:8041 (Aikido extracted this relay host and port from the embedded settings).
  • [File name] dropped or referenced payloads – Code.exe (ConnectWise ScreenConnect), DWrite.dll (Rust-based DLL used for sideloading), run.bat (fallback execution script).
  • [File path] probed session and system files – examples include ~/.clawdbot/…/sessions/*.jsonl (session logs) and /etc/os-release (system info read during probes).
  • [Extension / package] malicious VS Code extension and ClawHub skills – “ClawdBot Agent” (malicious VS Code extension), and multiple malicious skills on ClawHub masquerading as cryptowallet tools.
  • [Repository / domain impersonation] cloned or typosquat resources – a cloned GitHub repo impersonating the creator and typosquat domains used in impersonation campaigns (Malwarebytes reporting on clones and typosquats).
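The following Python audit is an added defender-side example, not code from the Acronis post or from the OpenClaw project. It turns two items above into local checks: the mitigation under Key points (keep the Gateway on TCP/18789 local) becomes a parser over `ss -ltn` output that flags any non-loopback bind of that port, and the extension indicator (“ClawdBot Agent” with an `onStartupFinished` activation event) becomes a scan of VS Code extension manifests. Assumptions: the standard iproute2 `ss -ltn` column layout, VS Code manifests as `package.json` files carrying `displayName` and `activationEvents`, and `~/.vscode/extensions` as the extension directory; the `ss` lines and the two manifests embedded here are constructed samples, and the publisher ids in them are placeholders.

```python
"""Local audit for an exposed OpenClaw Gateway bind and a known-bad VS Code extension.

Added example; not part of the Acronis post or the OpenClaw project.
"""
import json
from ipaddress import ip_address
from pathlib import Path

GATEWAY_PORT = 18789  # Gateway WebSocket API port named on the page

# Constructed sample of `ss -ltn` output (not a real capture): one loopback
# bind, one wildcard IPv4 bind, an unrelated sshd bind and an IPv6 loopback bind.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*
LISTEN 0      128    0.0.0.0:18789       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    [::1]:18789         [::]:*
"""


def parse_listeners(ss_output):
    """Yield (host, port) for every LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # rpartition keeps IPv6 colons intact
        yield host.strip("[]"), int(port)


def exposed_gateway_binds(ss_output, port=GATEWAY_PORT):
    """Return the local addresses on `port` that are not loopback-only.

    `*` is the wildcard form some ss versions print; any non-loopback
    address means the Gateway is reachable from other hosts on the interface.
    """
    exposed = []
    for host, p in parse_listeners(ss_output):
        if p != port:
            continue
        if host == "*" or not ip_address(host).is_loopback:
            exposed.append(host)
    return exposed


# Constructed manifests standing in for ~/.vscode/extensions/*/package.json.
# Publisher ids are hypothetical placeholders.
SAMPLE_MANIFESTS = {
    "example-publisher.clawdbot-agent-0.0.1": {
        "name": "clawdbot-agent",
        "displayName": "ClawdBot Agent",
        "publisher": "example-publisher",
        "activationEvents": ["onStartupFinished"],
    },
    "example-publisher.benign-ext-1.0.0": {
        "name": "benign-ext",
        "displayName": "Benign Extension",
        "publisher": "example-publisher",
        "activationEvents": ["onLanguage:python"],
    },
}

KNOWN_BAD_DISPLAY_NAMES = {"clawdbot agent"}  # taken from the IoC list above


def audit_manifests(manifests, known_bad=KNOWN_BAD_DISPLAY_NAMES):
    """Return (extension_id, reason) findings.

    'known-bad-name' matches the display name against the IoC list;
    'autostart' flags any extension that activates on startup, which is
    worth a human look even when the name is not on the list.
    """
    findings = []
    for ext_id, manifest in manifests.items():
        display = str(manifest.get("displayName", manifest.get("name", ""))).strip().lower()
        events = manifest.get("activationEvents", [])
        if display in known_bad:
            findings.append((ext_id, "known-bad-name"))
        if "onStartupFinished" in events or "*" in events:
            findings.append((ext_id, "autostart"))
    return findings


def load_manifests(extensions_dir=Path.home() / ".vscode" / "extensions"):
    """Read real manifests from the (assumed) VS Code extension directory."""
    manifests = {}
    for pkg in Path(extensions_dir).glob("*/package.json"):
        try:
            manifests[pkg.parent.name] = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip, do not crash the audit
    return manifests


if __name__ == "__main__":
    print("Gateway binds reachable beyond loopback:", exposed_gateway_binds(SAMPLE_SS_OUTPUT))
    for ext_id, reason in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{reason}: {ext_id}")
```

On a real host, feed `exposed_gateway_binds` the output of `ss -ltn` and pass `load_manifests()` to `audit_manifests`; an empty list from the first and no `known-bad-name` finding from the second is the expected state for a local-only deployment.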


Read more: https://www.acronis.com/en/tru/posts/openclaw-agentic-ai-in-the-wild-architecture-adoption-and-emerging-security-risks/