In early February 2026, OpenClaw (formerly known as Clawdbot and Moltbot) became a viral sensation, amassing over 145,000 GitHub stars. However, a series of reports from Security.com, The Verge, and Bloomberg reveal that its rapid rise has created a “security dumpster fire.”

The following article summarizes the current state of OpenClaw, the “ClawHub” ecosystem, and the specific security risks currently making headlines.

The OpenClaw Crisis: When “Jarvis” Becomes a Security Nightmare

For a few weeks, OpenClaw was the darling of the tech world. Created by Peter Steinberger, it promised a “24/7 Jarvis” experience—an open-source AI agent that lives on your local machine (typically a Mac Mini) and handles everything from booking flights to managing your Slack via WhatsApp.

But according to recent investigations, that same autonomy has turned OpenClaw into what security experts call an “AI-Enabled Zero-Day Apocalypse Cannon.”

1. The “ClawHub” Supply Chain Attack

The biggest story of the past 48 hours is the discovery of ClawHavoc, a coordinated malware campaign targeting OpenClaw users through its extension marketplace, ClawHub.

• The Scale: Security researchers at Koi Security—using their own OpenClaw bot named “Alex”—audited the marketplace and found 341 malicious “skills” (extensions).
• The Lure: These malicious skills masquerade as high-demand tools like “Solana Wallet Tracker,” “YouTube Summarize Pro,” and “Google Workspace Integrations.”
• The Payload: Many of these skills trick users into running “prerequisite” shell scripts that install Atomic Stealer (AMOS). This malware specifically targets macOS users to exfiltrate Keychain passwords, browser cookies, and over 60 types of cryptocurrency wallets.

2. A “Lethal Trifecta” of Vulnerabilities

Security experts, including those interviewed by Bloomberg, warn that OpenClaw’s very design is inherently risky. They cite a “Lethal Trifecta” that makes it a perfect target for hackers:

1. Access to Private Data: The agent is designed to read your emails, files, and messages.
2. Untrusted Content: It processes raw data from the web (like summarizing a malicious webpage).
3. Actionable Agency: It has the power to run shell commands and execute code on your behalf.

When these three meet, an attacker doesn’t even need a “bug” in the software. They can simply send you an email that the AI reads, which then “tricks” the AI into running a command that uploads your password file to a remote server—a process known as Time-Shifted Prompt Injection.

3. Critical Flaws: CVE-2026-25253

Beyond the malicious community extensions, the core OpenClaw software itself has been hit with critical vulnerabilities.

• RCE Vulnerability: A recently patched flaw (CVE-2026-25253) allowed for “one-click” Remote Code Execution. An attacker could exfiltrate authentication tokens via an exposed WebSocket, leading to a complete system takeover.
• Plaintext Leaks: Cisco Blogs reported that OpenClaw has been found leaking API keys and credentials in plaintext, which are then easily harvested by any malicious “skill” a user might install.

4. Why the Mac Mini is the Target

The “OpenClaw meta” involves running the agent on a dedicated, always-on machine like a Mac Mini. This makes the target especially lucrative for hackers:

• Persistence: Unlike a laptop that closes, a Mac Mini server stays on 24/7, giving a “Reverse Shell” backdoor constant access to a home or office network.
• High-Value Data: These machines often serve as hubs for personal and professional data, making them a “one-stop shop” for data exfiltration.

The Verdict: Proceed with Extreme Caution

While Peter Steinberger has introduced a “Reporting” feature to flag malicious skills on ClawHub, the ecosystem remains “open by default” and largely unvetted.

The Current Recommendation:

If you are running OpenClaw, security firms suggest sandboxing the agent immediately. Do not give it “Full System Access,” avoid any third-party skills that require “copy-pasting” terminal commands, and use tools like Clawdex to scan your existing extensions for known malware signatures.

OpenClaw represents the future of AI productivity—but for now, it is a future that arrives without guardrails.