Threat Research

The Security Implications of OpenClaw and Autonomous AI Agents

Kandji.io
The Security Implications of OpenClaw and Autonomous AI Agents

OpenClaw is an agentic AI platform that runs locally with deep system access and an extensible third‑party “skill” ecosystem, enabling file management, workflow automation, and direct shell command execution. Security researchers have identified widespread malicious skills (notably the ClawHavoc campaign) and critical vulnerabilities such as CVE-2026-25253 that enable credential theft, data exfiltration, and remote code execution, prompting mitigations like VirusTotal scanning, Clawdex detection, and blocking via Iru. #OpenClaw #ClawHavoc

Keypoints

  • OpenClaw is an agentic AI system that runs locally with access to OS resources, local apps, and network services, and supports third‑party skills from the ClawHub marketplace.
  • Agents routinely have access to local files, credentials, API keys, and connected services, making them high-value targets for data exfiltration and credential theft.
  • Security researchers at Koi identified 341 malicious skills (335 from the ClawHavoc campaign) that delivered credential stealers and malware like Atomic macOS stealers (AMOS).
  • CVE-2026-25253 allowed remote code execution via a single malicious link, demonstrating how vulnerable agentic systems can be to RCE and token theft.
  • Malicious or compromised skills can persist, run under the guise of legitimate automation, and evade traditional EDR, DLP, and network monitoring tools.
  • Mitigations include marketplace scanning (VirusTotal integration), specialized scanners like Clawdex, fleet detection via tools compatible with Iru/MDM, and outright blocking of OpenClaw on managed devices.
  • Enterprises should apply governance, risk assessments, usage policies, continuous monitoring, and hardening to manage agentic AI risk and supply chain exposure from ClawHub skills.

MITRE Techniques

  • [T1567 ] Exfiltration Over Web Service – Agents can transmit sensitive files and tokens to external services as part of normal workflows, enabling stealthy exfiltration (‘Agents can read and transmit confidential files, authentication tokens, source code, customer data, or internal documents to external services. Because network access is a normal part of agent workflows, data exfiltration may occur without triggering alerts.’)
  • [T1003 ] OS Credential Dumping – Malicious skills delivered credential stealers designed to harvest private keys, SSH credentials, and stored secrets (‘they delivered credential stealers and malware designed to harvest private keys, SSH credentials, and browser-stored secrets.’)
  • [T1555 ] Credentials from Web Browsers – Skills targeted browser‑stored secrets as part of credential theft operations (‘…browser-stored secrets.’)
  • [T1059 ] Command and Scripting Interpreter – OpenClaw agents can execute direct shell commands and scripts, which attackers can abuse to run arbitrary commands (‘designed to execute tasks for users with little ongoing human involvement, including file management, workflow automation, and direct shell command execution.’)
  • [T1204.002 ] User Execution: Malicious Link – A high‑severity vulnerability allowed remote code execution via a single malicious link that hijacked running instances (‘CVE-2026-25253, a high-severity vulnerability, enabled remote code execution through a single malicious link.’)
  • [T1195 ] Supply Chain Compromise – The ClawHub marketplace was abused to distribute seemingly legitimate skills that contained malicious logic, reaching many users (‘Skills distributed through the marketplace may appear legitimate but include malicious behavior.’)
  • [T1036 ] Masquerading – Malicious skills operated under the appearance of legitimate automation to evade detection and user suspicion (‘these skills can operate continuously under the appearance of legitimate automation.’)
  • [T1547 ] Boot or Logon Autostart Execution – Third‑party skills and hidden logic enabled persistence and continuous operation on hosts (‘hidden logic that enables data theft, remote access, or persistent backdoors.’)
  • [T1078 ] Valid Accounts – Harvested credentials and authentication tokens were reused to access connected services and move laterally once control was established (‘allowing attackers to harvest credentials, reuse tokens, or access connected services once control is established.’)
  • [T1562 ] Impair Defenses – Autonomous actions and skill behavior could bypass auditing and monitoring, leaving incomplete logs and reducing detection efficacy (‘autonomous actions may bypass auditing mechanisms, leave incomplete logs, or violate regulatory requirements’)

Indicators of Compromise

  • [Skill names ] Malicious ClawHub skills used for delivery – base-agent, bybit-agent, and other cryptocurrency‑branded extensions
  • [Malware names ] Identified stealers and malware delivered by skills – AMOS (Atomic macOS stealer) and generic credential stealers
  • [Campaign ] Marketplace campaign attribution – ClawHavoc (335 skills linked to this campaign)
  • [Process name ] Local agent/service identifiers – ai.openclaw.gateway (used to surface command-line installations)
  • [Vulnerability ] Exploitable CVE used for RCE – CVE-2026-25253 (remote code execution via a malicious link)
  • [Marketplace ] Distribution channel and provenance – ClawHub marketplace (used to publish and distribute third‑party skills)

Read more: https://the-sequence.com/openclaw-security-risks-autonomous-ai-agents