Is OpenClaw Safe? The Security Risks, the npm RAT, and Alternatives (2026)

OpenClaw security analysis: the GhostClaw npm RAT that stole macOS credentials, CVE-2026-25253 (CVSS 8.8), the ClawHavoc supply chain attack, prompt injection risks, and safer alternatives. Updated March 2026.

March 10, 2026 · 5 min read

OpenClaw hit 1M monthly searches in early 2026. In the same window, a malicious npm package deployed a RAT stealing macOS credentials, a critical RCE vulnerability exposed 42,900 instances, and a supply chain attack compromised 1,184 skills on the official marketplace. This is the full security picture: what happened, what it means, and what to use instead.

The GhostClaw npm RAT

On March 3, 2026, a package called @openclaw-ai/openclawai appeared on npm under the publisher "openclaw-ai." JFrog security researchers identified it as GhostClaw (internally named GhostLoader), a full-featured Remote Access Trojan targeting developers searching for OpenClaw.

The attack was polished. The dropper displayed animated progress bars and realistic system log output mimicking a legitimate installation. After the fake install completed, it presented a fabricated iCloud Keychain authorization prompt: "OpenClaw needs to securely store credentials." It allowed up to 5 password attempts and validated each one against the real OS authentication mechanism using dscl on macOS.

Once it had your system password, GhostClaw decrypted your macOS Keychain and harvested credentials from Chrome, Edge, Brave, Vivaldi, Opera, Yandex, Firefox, Safari, and Comet. It grabbed crypto wallet seed phrases from Exodus, Electrum, Atomic, Bitcoin Core, Ledger Live, Sparrow, Wasabi, and Trezor Suite. It also took SSH private keys; AWS, Azure, GCP, Kubernetes, and Docker credentials; GitHub CLI tokens; npm configs; iMessage history; Apple Notes; and Mail configurations.

The RAT communicated with trackpipe[.]dev as its primary C2 server, with fallback exfiltration through Telegram Bot API and GoFile.io for large archives. It supported remote shell execution with 85-second timeouts, a SOCKS5 proxy, and live browser session cloning via headless Chromium with Chrome DevTools Protocol relay, letting attackers browse as you with your authenticated sessions.

Persistence was thorough: shell hooks in .zshrc, .bashrc, and .bash_profile, cron @reboot entries on Linux, and a background daemon at ~/.cache/.npm_telemetry/monitor.js. Clipboard monitoring ran every 3 seconds, scanning for API keys, private keys, and BIP-39 seed phrases. It beaconed home every 25 seconds with 30% jitter.

The package was downloaded 178 times before npm removed it on March 10, 2026.
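For responders checking a developer machine, here is an added example (not code from the JFrog write-up or from OpenClaw) that scans the text of the persistence and install locations named above for the indicators the report gives; the caller reads the rc files, `crontab -l` and `npm ls -g` output and passes the text in, and the sample input below is constructed.

```javascript
// Added example, not code from the JFrog write-up or from OpenClaw: a pure
// scanner over collected text, so it runs offline on constructed input.

// Indicators taken from the write-up. The C2 domain is written fanged here
// only so the pattern matches what a real config or log line would contain.
const GHOSTCLAW_INDICATORS = [
  { id: 'daemon-path', severity: 'high', pattern: /\.cache\/\.npm_telemetry\/monitor\.js/ },
  { id: 'c2-domain',   severity: 'high', pattern: /\btrackpipe\.dev\b/ },
  { id: 'npm-package', severity: 'high', pattern: /@openclaw-ai\/openclawai\b/ },
  // Every @reboot entry is listed for review: GhostClaw used one, but so do
  // legitimate jobs, so an analyst decides rather than the scanner.
  { id: 'cron-reboot', severity: 'review', pattern: /^\s*@reboot\b/, sources: /crontab/ },
];

// artifacts: { [label]: text }. Returns one finding per (line, indicator).
function scanArtifacts(artifacts) {
  const findings = [];
  for (const [source, text] of Object.entries(artifacts)) {
    text.split('\n').forEach((line, idx) => {
      for (const ind of GHOSTCLAW_INDICATORS) {
        if (ind.sources && !ind.sources.test(source)) continue;
        if (ind.pattern.test(line)) {
          findings.push({ source, line: idx + 1, indicator: ind.id,
                          severity: ind.severity, text: line.trim() });
        }
      }
    });
  }
  return findings;
}

// Constructed sample input (not real captures); the package version is made up.
const SAMPLE_ARTIFACTS = {
  '~/.zshrc': [
    'export PATH="$HOME/.local/bin:$PATH"',
    'node "$HOME/.cache/.npm_telemetry/monitor.js" >/dev/null 2>&1 &',
  ].join('\n'),
  'crontab -l': [
    '@reboot node /home/dev/.cache/.npm_telemetry/monitor.js',
    '0 3 * * * /usr/local/bin/backup.sh',
  ].join('\n'),
  'npm ls -g --depth=0': [
    '/usr/local/lib',
    '+-- @openclaw-ai/openclawai@0.0.1',
    '`-- npm@0.0.0',
  ].join('\n'),
};

// Prints four findings on the sample: three high (daemon path twice, package
// once) and one @reboot entry for review.
for (const f of scanArtifacts(SAMPLE_ARTIFACTS)) {
  console.log(`[${f.severity}] ${f.indicator} ${f.source}:${f.line} ${f.text}`);
}
```

A clean machine yields no high findings; any high hit means the credential rotation steps at the end of this page apply to that host.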

GhostClaw: What it stole

macOS Keychain databases (local + iCloud), browser credentials from 9 browsers, credit card autofill data, crypto wallet seed phrases from 8 wallet apps, SSH private keys, cloud credentials (AWS/Azure/GCP/K8s/Docker), GitHub CLI tokens, AI agent configs, iMessage history, Apple Notes, Safari data, and Mail configs. Plus a persistent RAT with SOCKS5 proxy and live browser session cloning.

What OpenClaw Actually Has Access To

OpenClaw runs locally with your user permissions. It is not sandboxed, containerized, or privilege-separated. Here is what it can touch by default.

File System

Full read/write access to everything your user account can touch. Documents, downloads, dotfiles, SSH keys, cloud configs, source code, credentials files.

Shell Commands

Arbitrary command execution. Can install packages, modify system configs, create cron jobs, start background processes, curl data to external servers.

Email

Read, compose, and send emails as you. A prompt-injected agent can forward your inbox to an attacker or send phishing emails from your account.

Calendar & Contacts

Full access to calendar events, attendees, meeting links, and contact lists. A compromised agent can leak meeting content, join links, or attendee information.

Messaging Apps

Discord, Telegram, WhatsApp integration. The agent receives messages from these channels and can respond, making them direct prompt injection vectors.

Browser Automation

Can control browsers, navigate to URLs, fill forms, and interact with web applications using your authenticated sessions.

A traditional LLM chatbot that gets compromised can leak conversation context. An OpenClaw instance that gets compromised becomes a fully privileged agent acting on the attacker's behalf with your credentials, your email, your file system, and your network access. CrowdStrike's assessment: a compromised OpenClaw is "a powerful AI backdoor agent capable of taking orders from adversaries."

CVE-2026-25253: One-Click Remote Code Execution

This vulnerability (CVSS 8.8) allowed any website to take full control of an OpenClaw instance. The attack chain worked like this:

OpenClaw's server did not validate WebSocket origin headers. Any web page could run JavaScript that connected to your local OpenClaw instance. The Control UI automatically trusted a gatewayURL query parameter and sent the stored authentication token over the WebSocket without verifying origin. With the token's operator.admin and operator.approvals scopes, the attacker disabled user confirmation prompts and set tools.exec.host to gateway, escaping the tool container and running commands directly on the host machine.

The entire chain executed in milliseconds after visiting a single malicious web page. No user interaction beyond the initial click.

Researchers found 42,900 OpenClaw instances exposed to the public internet across 82 countries. 15,200 of those were directly vulnerable to this RCE exploit. The vulnerability was patched in v2026.1.29, released January 29, 2026.
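The two missing checks in that chain, written out as an added example (this is not OpenClaw's code; the function names and port 9000 are assumptions): an exact-origin allowlist for the WebSocket handshake on the gateway side, and a rule on the Control UI side that the stored token is only sent to a gateway on the page's own origin, whatever a gatewayURL query parameter says.

```javascript
// Added example, not OpenClaw's code. Port 9000 and the function names are
// assumptions for illustration.

// Gateway side: browsers always send an Origin header on a WebSocket
// handshake, so the server can refuse handshakes from pages it does not
// serve. Compare scheme, host and port exactly; a substring or suffix match
// would accept "http://localhost.attacker.example" for "http://localhost".
function isOriginAllowed(originHeader, allowedOrigins, { allowMissingOrigin = false } = {}) {
  if (!originHeader) return allowMissingOrigin;   // non-browser client (curl, CLI)
  let origin;
  try {
    origin = new URL(originHeader);               // throws for "null" and junk
  } catch {
    return false;
  }
  return allowedOrigins.some((allowed) => {
    const a = new URL(allowed);
    return a.protocol === origin.protocol
      && a.hostname === origin.hostname
      && a.port === origin.port;
  });
}

// Control UI side: a "?gatewayURL=" query parameter must not redirect the
// stored token to an arbitrary host. The token is only sent when the gateway
// is on the page's own host and port and does not downgrade https to ws.
function tokenMayBeSentTo(pageHref, gatewayHref) {
  let page, gw;
  try {
    page = new URL(pageHref);
    gw = new URL(gatewayHref);
  } catch {
    return false;
  }
  const sameHost = gw.hostname === page.hostname && gw.port === page.port;
  const schemeOk = page.protocol === 'https:'
    ? gw.protocol === 'wss:'
    : (gw.protocol === 'ws:' || gw.protocol === 'wss:');
  return sameHost && schemeOk;
}

// Handshake decisions for a locally served Control UI (constructed values).
const ALLOWED = ['http://localhost:9000', 'http://127.0.0.1:9000'];
console.log(isOriginAllowed('http://localhost:9000', ALLOWED));                  // true
console.log(isOriginAllowed('http://localhost.attacker.example:9000', ALLOWED)); // false
console.log(tokenMayBeSentTo('http://127.0.0.1:9000/', 'wss://other.example/')); // false
```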

  • 8.8: CVSS severity score
  • 42,900: exposed instances found globally
  • 15,200: directly vulnerable to RCE
  • 82: countries with exposed instances

ClawHavoc: 1,184 Malicious Skills on the Official Marketplace

In late January 2026, threat actors registered as developers on ClawHub, OpenClaw's official skill marketplace. They uploaded trojanized skills disguised as crypto trading bots, productivity tools, and social media utilities. By February 5, Antiy researchers had identified 1,184 malicious packages linked to 12 publisher accounts. One uploader was responsible for 677 packages alone.

The attack exploited a fundamental architectural weakness: OpenClaw processes SKILL.md files as trusted instruction sources. Attackers embedded adversarial instructions directly in these files, and the agent followed them without user awareness. Payloads included staged malware downloads, reverse shells via Python system calls, and direct data exfiltration. On macOS, payloads tied to the Atomic macOS Stealer (AMOS) stole browser credentials, Keychains, Telegram data, SSH keys, and crypto wallets.

Koi Security disclosed the campaign on February 1, 2026. By that point, over 9,000 installations had been compromised.

ClawHub's trust model is the vulnerability

OpenClaw treats skill files as trusted instructions. There is no capability-based access control, no code review gate, no sandboxing for third-party skills. Any skill can execute arbitrary commands with your full user permissions. 12% of skills audited on ClawHub were malicious.

Prompt Injection in Autonomous Agents

Prompt injection against a chatbot is annoying. Prompt injection against an autonomous agent with file system, email, and shell access is an active compromise.

Cisco researchers built a proof-of-concept malicious skill called "What Would Elon Do?" that instructed OpenClaw to execute curl commands sending data to an external server, while simultaneously injecting prompts to bypass the agent's safety guidelines. The user never saw any of it.

The Archestra AI CEO demonstrated a simpler version: send a normal-looking email to an OpenClaw user. Hidden instructions in the email told the agent to export all saved passwords to an external URL. The agent complied. The demo took under five minutes from email to full credential exfiltration.

CrowdStrike documented a more advanced scenario: attackers poisoned a public AI social network with wallet-draining instructions hidden in user posts. When OpenClaw agents ingested those posts through their social media integrations, they followed the embedded instructions.

The difference between a chatbot and an autonomous agent: the chatbot tells you what it would do. The agent does it. OpenClaw can send emails, transfer files, run shell commands, and interact with external services. A successful prompt injection gives the attacker all of those capabilities.

The email attack in 5 minutes

1. Attacker sends a normal-looking email with hidden instructions.
2. OpenClaw's email integration ingests the message.
3. Hidden prompt tells the agent to export saved passwords to an external URL.
4. The agent executes the command with your system permissions.
5. Credentials are exfiltrated.

The user sees nothing unusual. This was demonstrated live by the CEO of Archestra AI.

China's Security Warning

CNCERT, China's national internet emergency response center, issued a formal security alert warning government agencies against OpenClaw deployments. Their monitoring found that OpenClaw instances under default configurations were "highly susceptible to cyberattacks and information leakage." The alert urged organizations to audit public network exposure and implement strong identity authentication.

The warning carried particular weight because OpenClaw's downloads from Chinese IP addresses were surging. At the same time, local governments in Shenzhen and other tech hubs were promoting OpenClaw as an innovation and industry platform. State media outlet Global Times ran its own security warning piece, and CGTN (China's international broadcaster) published a separate alert.

The tension is notable: one arm of the government promotes the technology while another warns against using it. The security concerns center on unauthorized data leakage, the risk that misconfigured instances could be taken over, and the possibility that sensitive data could flow to external servers without organizational awareness.

What the Security Industry Concluded

The major security vendors reached similar conclusions independently.

Malwarebytes

'Until the core architecture is rewritten for security-first isolation, no one should be running this tool.' Recommended running only in a dedicated VM or container, never on your main machine.

Kaspersky

Independently classified OpenClaw as 'unsafe for use.' Highlighted 512 vulnerabilities found in the January 2026 audit, 8 critical. Warned that Moltbot/Clawdbot rebranding did not address core issues.

CrowdStrike

Published enterprise detection and remediation guidance. Treats OpenClaw deployments as potential 'backdoor agents.' Recommends scanning for npm installations, DNS monitoring for queries to openclaw.ai, and full removal.

Microsoft Security

Published 'Running OpenClaw Safely' guide focused on identity, isolation, and runtime risk. Acknowledges the tool requires significant hardening before any production use.

The January 2026 security audit found 512 vulnerabilities. Eight were critical. OpenClaw's own documentation states there is no "perfectly secure" setup. Infostealer malware families like Zestix have already been updated to specifically target OpenClaw configurations and stored credentials.

Safer Alternatives

The right alternative depends on what you were using OpenClaw for.

| Tool | Execution Environment | File Access | Email Access | Sandboxing | Network Isolation | Risk Level |
|---|---|---|---|---|---|---|
| OpenClaw | Your machine, your user | Full | Full | None | None | Critical |
| Claude Computer Use | Cloud-isolated VM | Scoped to VM | None | VM sandbox | VM-level | Low |
| Devin | Sandboxed cloud env | Scoped to workspace | None | Full sandbox | Full isolation | Low |
| Claude Code | Your terminal | Project directory | None | Permission prompts | None (scoped access) | Low-Medium |
| IronClaw | WASM sandbox | Capability-gated | None | WASM isolation | Per-tool | Low |
| NanoClaw | Container per session | Container-scoped | None | Container | Container-level | Low |

For Autonomous Task Completion

Claude Computer Use

Runs in cloud-isolated VMs. The agent interacts with a virtual desktop, not your real machine. Your files, credentials, and email are never accessible. Anthropic maintains SOC2-compliant infrastructure.

Devin

Fully sandboxed cloud environments. Each session gets its own IDE, browser, and terminal. Manages repos, writes tests, deploys code autonomously. Starting at $500/month, positioned for enterprise teams.

For Coding Agents

Claude Code

Operates in your terminal with explicit permission prompts for file operations. No email, calendar, or messaging access. SOC2-compliant data handling. Does one thing well: code.

Codex CLI

OpenAI's coding agent. Runs in git worktrees with deterministic, reviewable workflows. No access to personal data or messaging platforms. Scoped to your codebase.

For Self-Hosted with Security

IronClaw

Rust-based agent by NEAR AI. All untrusted tools run inside WebAssembly sandboxes with capability-based permissions. Credentials stored in encrypted vaults inside TEEs. The AI model never sees your actual keys.

NanoClaw

Container-first architecture. Every session runs in an isolated container. Your agent cannot touch your filesystem. Minimal attack surface by design.

ZeroClaw

Built in Rust, privacy-first. Under 5MB RAM. Strict sandbox mode enforces 100% local execution by default. No external network access unless explicitly allowed.

If You Must Use OpenClaw: Hardening Checklist

Minimum security measures

  • Run in a dedicated VM or container. Never on your primary machine, never as your primary user.
  • Never expose the OpenClaw port to the public internet. Use Tailscale, a VPN, or SSH tunnel for remote access.
  • Update to at least v2026.1.29 (patches CVE-2026-25253, removes password-less mode).
  • Audit every skill before installation. Read the SKILL.md for hidden instructions and check the publisher's history on ClawHub.
  • Disable email, calendar, and messaging integrations unless you have a specific, justified use case.
  • Use a model with strong instruction-following (Claude, GPT-5.4) to reduce prompt injection success rates.
  • Monitor outbound network connections for unexpected destinations. Block all egress except known-good endpoints.
  • Do not store real credentials in OpenClaw's config. Use a separate credential manager with short-lived tokens.
  • Rotate any API keys or credentials that were ever stored in an OpenClaw configuration.

Frequently Asked Questions

Is OpenClaw safe to use?

Not without significant hardening. OpenClaw has had a critical RCE vulnerability (CVE-2026-25253, CVSS 8.8), a supply chain attack that compromised 1,184 skills on ClawHub, and a malicious npm package (GhostClaw) that deployed a RAT stealing macOS credentials. Malwarebytes and Kaspersky both concluded the tool should not run on primary machines. If you must use it, run it in a dedicated VM, never expose the port publicly, and audit every skill.

What was the OpenClaw npm RAT (GhostClaw)?

GhostClaw was a malicious npm package (@openclaw-ai/openclawai) uploaded on March 3, 2026 that impersonated the official OpenClaw installer. It displayed a fake CLI with animated progress bars, prompted for your system password through a fabricated Keychain dialog, then stole browser credentials from 9 browsers, crypto wallet seed phrases from 8 wallet apps, SSH keys, cloud credentials (AWS/Azure/GCP), iMessage history, and Apple Notes. It installed a persistent RAT with SOCKS5 proxy and live browser session cloning.

What is CVE-2026-25253?

A critical remote code execution vulnerability (CVSS 8.8) in OpenClaw. The server did not validate WebSocket origin headers, allowing any website to steal authentication tokens and execute arbitrary commands on the host machine. Over 42,900 exposed instances were found globally, 15,200 directly vulnerable. Patched in v2026.1.29.

What is the ClawHavoc supply chain attack?

ClawHavoc was a campaign where threat actors uploaded 1,184 malicious skills to ClawHub, OpenClaw's official marketplace. The skills embedded adversarial instructions in SKILL.md files and distributed the Atomic macOS Stealer. Over 9,000 installations were compromised before disclosure on February 1, 2026.

What are the safest alternatives to OpenClaw?

For sandboxed autonomous agents: Claude Computer Use (cloud-isolated VMs) and Devin (fully sandboxed cloud environments). For coding agents without email/calendar access: Claude Code and Codex. For self-hosted with real security: IronClaw (WebAssembly sandboxes), NanoClaw (container isolation), and ZeroClaw (strict sandbox mode).

Can OpenClaw be prompt-injected?

Yes. Unlike chatbots, a prompt-injected OpenClaw instance can execute the attacker's instructions: send emails, exfiltrate files, run shell commands. Cisco researchers demonstrated silent data exfiltration via a malicious skill. Archestra AI's CEO demonstrated full credential theft via a single email in under five minutes. CrowdStrike documented attacks through poisoned social media posts.

Want AI That's Scoped to Code, Not Your Inbox?

WarpGrep is a coding agent that searches and edits your codebase. It does not read your email, manage your calendar, or connect to your messaging apps. 8 parallel tool calls per turn, sub-6s responses, scoped to your project directory.