// Threat Intelligence Report (Historical · Retired April 2026)

OpenClaw (ClawdBot / Moltbot) Vulnerability Assessment

Grounded Guardian February 6, 2026 TLP:CLEAR MITRE ATT&CK Mapped

1. Executive Summary

Status update (April 16, 2026): OpenClaw was retired by Grounded Guardian after a final wave of 9 CVEs surfaced in March 2026. This report is preserved as a historical record of the first major wave of AI-agent abuse in the wild. Do not redeploy.

OpenClaw (formerly ClawdBot, briefly Moltbot) is an open-source autonomous AI agent framework that grew to 30,000+ GitHub stars in January 2026. Created by Peter Steinberger, founder of PSPDFKit/Nutrient, the project enables AI-powered personal assistants that operate directly on user hardware with full system access, including filesystem control, browser automation, shell command execution, and integration with messaging platforms.

This report documents the critical security vulnerabilities, active exploitation patterns, and supply chain compromise vectors identified in the OpenClaw environment between January and February 2026. The findings represent what security researchers are calling the first major wave of AI-agent abuse in the wild, establishing a new exploitation class where threat actors weaponize trust in autonomous AI tooling.

Key Findings

Finding 01

Remote Code Execution

CVE-2026-25157 and CVE-2026-25253: Critical RCE vulnerabilities enabling one-click remote compromise of host systems.

Finding 02

Plaintext Credential Storage

API keys, authentication tokens, user profiles, and conversation memories stored in unencrypted Markdown and JSON files.

Finding 03

Supply Chain Compromise

Malicious VS Code extensions deploying trojans and RATs. Hundreds of malicious skills identified in the ClawHub repository.

Finding 04

Authentication Bypass

Gateway localhost handling flaw allows external attackers to bypass login when behind Nginx reverse proxy.

Finding 05

Indirect Prompt Injection

The agent's ability to read emails and messages creates attack surfaces for unauthorized command injection.

Finding 06

Social Engineering via Trademark Chaos

During the Clawdbot-to-Moltbot rename, threat actors hijacked @clawdbot handles to promote fraudulent $CLAWD tokens to 60,000+ followers.

2. Threat Landscape Analysis

Vulnerability Summary

Vulnerability	Severity	CVE	ATT&CK ID	Status
Remote Code Execution	Critical	`CVE-2026-25157`	T1203	Patched (2026.1.29)
RCE via Exploitation	Critical	`CVE-2026-25253`	T1203	Patched (2026.1.30)
Plaintext Credential Storage	High	N/A	T1552	Design Flaw (Unresolved)
Authentication Bypass	High	N/A	T1556	Partially Mitigated
Exposed Control Interface	High	N/A	T1133	User Misconfiguration
Malicious Skills (Supply Chain)	High	N/A	T1195.002	Ongoing
Fake VS Code Extensions	High	N/A	T1195.002	Active Threat
Indirect Prompt Injection	Medium	N/A	T1059	Architectural Limitation
Crypto Scam (Handle Hijack)	Medium	N/A	T1598	Active Threat

3. MITRE ATT&CK Framework Mapping

3.1 Initial Access

Technique ID	Technique	OpenClaw Context
`T1133`	External Remote Services	Unsecured control interfaces discovered publicly accessible via Shodan scanning
`T1195.002`	Supply Chain: Software	Malicious skills in ClawHub + fake VS Code extensions delivering trojans
`T1598`	Phishing: Software Dependencies	Fake repos, domain typosquatting, hijacked social handles for crypto scams

3.2 Execution

Technique ID	Technique	OpenClaw Context
`T1203`	Exploitation for Client Execution	CVE-2026-25253: One-click RCE for full system compromise
`T1059`	Command and Scripting Interpreter	Skills execute local scripts with full OS permissions; prompt injection triggers unauthorized execution
`T1609`	Abuse of Trusted Relationships	Fake VS Code extension exploits developer trust in marketplace

3.3 Persistence and Credential Access

Technique ID	Technique	OpenClaw Context
`T1552`	Unsecured Credentials	API keys, tokens stored in plaintext Markdown/JSON files
`T1556`	Modify Authentication Process	Localhost handling flaw bypasses auth behind Nginx

3.4 Collection and Exfiltration

Technique ID	Technique	OpenClaw Context
`T1071.001`	Application Layer Protocol: Web	WebSocket backdoors blending with legitimate agent traffic
`Novel`	Cognitive Context Theft	Exfiltration of persistent memory and conversation histories

4. Attack Chain Reconstruction

4.1 Primary Kill Chain: Exposed Gateway to Full Compromise

Stage 1: Reconnaissance

Scan for exposed OpenClaw Control interfaces

Shodan queries reveal publicly accessible instances

Stage 2: Initial Access

Exploit localhost bypass (T1556)

Authentication flaw when deployed behind Nginx reverse proxy

Stage 3: Credential Harvesting

Access plaintext credential files (T1552)

API keys, tokens, and auth data stored unencrypted

Stage 4: Execution

Use agent's shell access for arbitrary commands

Full OS-level control through the agent's own capabilities

Stage 5: Cognitive Context Theft

Extract memory files and conversation histories

Novel attack vector: behavioral patterns and decision-making exposed

Stage 6: Persistence

Install malicious skills or modify SOUL.md

Backdoor access through the agent's own configuration system

4.2 Secondary Kill Chain: Supply Chain Compromise

Stage 1: Preparation

Create malicious skill or fake VS Code extension

Weaponized packages designed to appear legitimate

Stage 2: Distribution

Publish to community or VS Code marketplace

Using marketplace trust for wide distribution

Stage 3: Installation

User installs, granting full OS-level permissions

No sandboxing between agent capabilities and host system

Stage 4: Execution

Full system compromise via trusted execution context

Agent's own permission set used against the user

5. Emerging Threat Category: AI Agent Abuse

The OpenClaw incidents establish a new threat category: autonomous AI agent abuse. The defining characteristics are:

Permission Inheritance: AI agents inherit the user's full permission set
Trust Amplification: Persistent memory reduces user skepticism toward agent actions
Action Opacity: Distinguishing legitimate vs. malicious automated operations is extremely difficult
Cognitive Context as Attack Surface: Memory and conversation histories expose behavioral patterns and decision-making processes

Organizations must incorporate autonomous AI agent threat modeling into security frameworks. Evaluate deployments against: principle of least privilege enforcement, credential isolation and encryption, action logging with anomaly detection, supply chain verification, and network segmentation.

Grounded Guardian retired OpenClaw on April 16, 2026 after a final wave of 9 CVEs surfaced in March 2026. The framework should not be reinstalled.

6. Indicators of Compromise

Type	Indicator	Context
VS Code Extension	`clawdbot.clawdbot-agent`	Malware delivery, trojan plus RAT
CVE	`CVE-2026-25157`	Remote Code Execution
CVE	`CVE-2026-25253`	One-click remote compromise
Social Media	`@clawdbot (X/GitHub)`	Crypto scam ($CLAWD token)
Network	`Exposed Control interfaces`	Shodan-discoverable, no auth
File Pattern	`Obfuscated shell scripts`	Supply chain payload delivery
CWE	`CWE-400 (SSE client)`	Denial of service vector

7. Hardening Recommendations

7.1 Immediate Actions (Critical)

Whitelist Tools Explicitly: Default-deny for shell execution capabilities
Verify Gateway Authentication: Ensure gateway.auth.password is set; verify reverse proxy header passing
Update to Latest Version: Minimum version 2026.1.29 for CVE patches
Audit Installed Skills: Remove unverified third-party skills
Rotate All Credentials: Consider all plaintext-stored credentials compromised
Network Isolation: Never expose control interface publicly; deploy behind VPN

7.2 Organizational Policy

AI Agent Deployment Policy: Require security review before any autonomous agent deployment
Action Logging: Implement logging with anomaly detection baselines
Credential Encryption: Require encrypted storage (Vault, AWS Secrets Manager)
IR Playbook Update: Include AI agent compromise scenarios in incident response
Continuous Monitoring: Track emerging CVEs targeting AI agent systems

8. Conclusion

The OpenClaw / ClawdBot incident sequence represents a critical inflection point in AI security. The speed of compromise, from project launch to active CVE exploitation to supply chain poisoning in under six weeks, should serve as a warning to any organization evaluating autonomous AI agent deployment.

The fundamental tension at the heart of AI agent design is that usefulness requires access, and access creates risk. Organizations that begin building AI agent security capabilities now will be positioned to safely use productivity benefits while managing inherent risks.

9. References

1. Tenable. "Agentic AI Security: How to Mitigate Clawdbot/Moltbot/OpenClaw Vulnerabilities." February 3, 2026.

2. CNBC. "From Clawdbot to Moltbot to OpenClaw." February 2, 2026.

3. Security Boulevard. "Critical Vulnerabilities and 6 Immediate Hardening Steps." February 3, 2026.

4. Bolen, S. "OpenClaw: When the AI With Hands Becomes a Digital Minefield." RONIN OWL CTI, February 2026.

5. MITRE ATT&CK Enterprise Framework v14. The MITRE Corporation, 2025.

6. OpenClaw GitHub Repository. github.com/openclaw/openclaw.

7. SlowMist Security Advisory. OpenClaw Deployment Misconfiguration Analysis, January 2026.

Protect Your Business

Not sure how AI agents and tools like this affect your security? Grounded Guardian runs SMB security checkups: 60 minutes, personalized risk report, actionable plan.

Request a Security Checkup

About this Report

Published by Grounded Guardian, the security and AI advisory division of Dyismo Holdings LLC. Grounded Guardian evaluates AI agent frameworks daily, maps findings to MITRE ATT&CK, and publishes internal threat intelligence reports for SMB clients.

Contact: research@dyismo.com | isitsafe.pro