{"id":261990,"date":"2026-03-02T16:34:05","date_gmt":"2026-03-02T07:34:05","guid":{"rendered":"https:\/\/designcopy.net\/en\/?p=261990"},"modified":"2026-04-04T13:29:17","modified_gmt":"2026-04-04T04:29:17","slug":"openclaw-security-clawhavoc-hardening","status":"publish","type":"post","link":"https:\/\/designcopy.net\/en\/openclaw-security-clawhavoc-hardening\/","title":{"rendered":"Securing Your AI Agent in 2026: ClawHavoc, CVE-2026-25253, and How We Hardened Our Setup"},"content":{"rendered":"

The OpenClaw Security Situation in 2026<\/h2>\n

OpenClaw isn\u2019t a toy project anymore. With 430,000+ lines of code across its core repository, this is a full operating system for AI agents \u2014 and every line is a potential entry point for attackers.<\/p>\n

The numbers tell the story. Over 200,000 GitHub stars make OpenClaw the single most visible AI agent framework on the planet, and that visibility paints a target on every installation.<\/p>\n

\n

⚠️ Warning<\/p>\n

Palo Alto Networks Unit 42 has flagged OpenClaw as a \u201csecurity nightmare for enterprises\u201d due to its expansive attack surface, local execution model, and plugin ecosystem that lacks sufficient vetting. (see Google’s SEO Starter Guide<\/a>)<\/p>\n<\/div>\n

Attackers don\u2019t need to find a zero-day when users willingly install third-party skills from a marketplace with minimal review processes. That\u2019s exactly what happened in January 2026.<\/p>\n

\n

MALICIOUS SKILLS DISCOVERED ON CLAWHUB<\/p>\n

1,184<\/p>\n

Koi Security Research, February 2026<\/p>\n<\/div>\n

If you\u2019re running OpenClaw in production \u2014 or even on your personal machine \u2014 OpenClaw security should be your first concern, not an afterthought. Here\u2019s what happened, what\u2019s still vulnerable, and the exact config changes we made to lock things down.<\/p>\n

ClawHavoc \u2014 The Supply Chain Attack That Shook ClawHub<\/h2>\n

Between January 27 and February 5, 2026, twelve author accounts uploaded 1,184 malicious skills to the ClawHub marketplace. It was the largest coordinated supply chain attack against an AI agent ecosystem to date.<\/p>\n

The operation was methodical. Each author ID appeared legitimate, with profile pictures, commit histories, and documentation that mimicked popular existing skills.<\/p>\n

Here\u2019s how the timeline unfolded:<\/p>\n

\n\n\n\n\n\n\n\n\n\n
Date<\/th>\nEvent<\/th>\n<\/tr>\n<\/thead>\n
Jan 27<\/strong><\/td>\nFirst batch of 89 malicious skills uploaded under 3 author IDs<\/td>\n<\/tr>\n
Jan 29<\/strong><\/td>\nSecond wave \u2014 4 new author IDs, 340+ additional skills<\/td>\n<\/tr>\n
Feb 1<\/strong><\/td>\nCommunity reports begin appearing on GitHub Issues<\/td>\n<\/tr>\n
Feb 3<\/strong><\/td>\nKoi Security publishes initial advisory<\/td>\n<\/tr>\n
Feb 5<\/strong><\/td>\nClawHub pulls all 1,184 skills; author accounts suspended<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

Of those 1,184 skills, 341 carried Atomic Stealer (AMOS) malware<\/strong> \u2014 a macOS info-stealer that targets browser credentials, crypto wallets, and keychain data.<\/p>\n

The attack vector was brutally simple. Each malicious skill included a README with a fake \u201cPrerequisites\u201d section that told users to paste a command into their terminal. The command looked like a dependency installer but actually downloaded and executed the AMOS payload.<\/p>\n

No exploit needed. No zero-day required. Just social engineering through trusted documentation.<\/p>\n

\n

\u201cSupply chain attacks against AI agent marketplaces are the new npm typosquatting. The difference is that AI skills often request system-level permissions by design, which makes the blast radius significantly larger.\u201d<\/p>\n

\u2014 Koi Security Research Team, ClawHavoc Advisory, 2026<\/p>\n<\/blockquote>\n

The lesson here isn\u2019t \u201cdon\u2019t use ClawHub.\u201d It\u2019s that any skill you install runs with your agent\u2019s full permissions<\/strong>. Audit everything. Read the source. If a README asks you to paste terminal commands, treat it as a red flag.<\/p>\n

\n

Running OpenClaw in Production?<\/h3>\n

Read our full token optimization guide to reduce costs while maintaining security. Read the pillar post \u2192<\/i><\/a><\/p>\n<\/div>\n

CVE-2026-25253 \u2014 1-Click RCE via WebSocket<\/h2>\n

While ClawHavoc relied on social engineering, CVE-2026-25253 was a pure technical exploit. It required zero user interaction beyond visiting a malicious webpage.<\/p>\n

The vulnerability targeted OpenClaw\u2019s local WebSocket server. By default, OpenClaw exposes a WebSocket on localhost<\/code> that accepts commands from browser extensions and local integrations. The problem: it didn\u2019t validate the origin of incoming connections.<\/strong><\/p>\n

\n

⚠️ Warning<\/p>\n

CVE-2026-25253 allowed any website to connect to your local OpenClaw instance and execute arbitrary commands with your user\u2019s permissions. If you\u2019re running OpenClaw versions prior to v0.2.62, update immediately.<\/p>\n<\/div>\n

The attack chain worked like this:<\/p>\n

    \n
  1. Victim visits a malicious webpage<\/strong> (or a legitimate page with injected JavaScript)<\/li>\n
  2. JavaScript on the page opens a WebSocket<\/strong> connection to ws:\/\/localhost:3000<\/code><\/li>\n
  3. The attacker sends OpenClaw commands<\/strong> through the WebSocket \u2014 tool calls, file operations, shell commands<\/li>\n
  4. OpenClaw executes them<\/strong> without checking where the request came from<\/li>\n<\/ol>\n

    That\u2019s full remote code execution through a browser tab. The attacker didn\u2019t need to be on your network. They didn\u2019t need you to install anything. One page visit was enough.<\/p>\n

    The fix landed in OpenClaw v0.2.62<\/strong>, which added origin validation and token-based authentication to the WebSocket server. But if you\u2019re running a gateway (which most multi-device setups do), you\u2019ll want additional hardening \u2014 we cover that in the config section below. (see Ahrefs’ SEO fundamentals<\/a>)<\/p>\n

    The \u201c3 AM Vulnerability\u201d \u2014 Why Heartbeats Are a Risk<\/h2>\n

    OpenClaw\u2019s heartbeat feature is powerful. Every N minutes, your agent wakes up and processes incoming data: emails, messages, web mentions, RSS feeds. It\u2019s the backbone of autonomous agent behavior.<\/p>\n

    It\u2019s also the biggest OpenClaw security hole that nobody talks about.<\/p>\n

    Here\u2019s why. When the heartbeat fires at 3 AM, it processes content automatically. There\u2019s no human reviewing the emails it reads. No one checking the webpages it summarizes. No one catching the Slack message that contains a carefully crafted prompt injection.<\/p>\n

    \n

    💡 Pro Tip<\/p>\n

    An attacker who knows you run OpenClaw heartbeat can email you a prompt injection at 2:59 AM. Your agent processes it at 3:00 AM. By the time you wake up, the damage is done.<\/p>\n<\/div>\n

    This risk multiplies dramatically based on your model choice. Here\u2019s the critical distinction most users miss:<\/p>\n

    API models vs. local models for heartbeat:<\/strong><\/p>\n