One-Click RCE Was Just the Symptom. OpenClaw's Architecture Is the Disease.

When Mav Levin, a founding researcher at DepthFirst, disclosed CVE-2026-25253 in late January 2026, he had found something uncomfortable: a one-click remote code execution flaw in OpenClaw that required nothing more than sending someone a link. A malicious web page could trigger the app's Control UI, capture the user's authentication token, and establish a WebSocket connection to their local instance — all without any interaction beyond clicking. The vulnerability earned an 8.8 on the CVSS scale, placing it firmly in the high-severity range. It was patched on January 30, 2026, and publicly disclosed on February 3. But by then the broader security audit of OpenClaw's ecosystem was already underway, and what it found was not a one-off bug — it was a structural problem.

A Kaspersky audit of the OpenClaw codebase, completed in late January 2026, identified 512 distinct vulnerabilities across the gateway API, skill system, messaging integrations, and core platform. Eight were classified as critical. The figure was large enough to attract coverage from CrowdStrike, Cisco, Trend Micro, and The Hacker News, but the number alone obscures the more important pattern: these were not hypothetical attack scenarios. They were findings in production code running on machines that, by design, had deep access to users' files, browsers, terminals, and credential stores.

The skill marketplace is where that access became a supply chain. ClawHub, OpenClaw's community skill registry, hosts thousands of pre-built automations — markdown files that tell an agent how to perform a specific task. Jason Meller, a researcher at 1Password, was reviewing ClawHub when he noticed the top-downloaded skill at the time was a Twitter integration that looked entirely ordinary. Its first step instructed users to install a prerequisite dependency called "openclaw-core," with install steps that included links labeled "here" and "this link" pointing to what appeared to be documentation. Both links led to malicious infrastructure. The chain was textbook staged delivery: a staging page that got the agent to run a command, an obfuscated payload, a second-stage script, and finally a binary that stripped macOS quarantine attributes so Gatekeeper would not scan it. Meller submitted the binary to VirusTotal. It was confirmed macOS infostealing malware — capable of raiding browser sessions, saved credentials, SSH keys, and developer tokens from any machine it reached. This was not a proof-of-concept. It was a live campaign.

Broader reporting put the scale into focus. According to CyberInsider, hundreds of OpenClaw skills were distributing macOS malware via ClickFix-style instructions in the days following Clawdbot's viral launch. VirusTotal, which subsequently partnered with OpenClaw to scan ClawHub uploads, confirmed the finding: the fastest-growing personal AI agent ecosystem had become a delivery channel for active malware. Separate research by Snyk analyzed 3,984 skills on ClawHub and found that 283 — roughly 7.1% — contained critical security flaws that exposed sensitive credentials in plaintext through the LLM's context window and output logs.

The skill marketplace's problem is structural. A SKILL.md file is markdown, but in an agent ecosystem markdown is executable intent — it can contain shell commands, links to external scripts, and install steps that bypass any permission boundary the framework itself enforces. The Agent Skills specification, an open standard adopted by multiple agent frameworks including OpenAI's Codex, places no restrictions on what a skill's markdown body may contain. MCP, the Model Context Protocol, can gate tool calls at the framework level, but skills do not need to use MCP at all. A malicious skill can route around structured access controls through the simplest possible attack surface: a copy-paste command that looks like documentation.

Researcher Jamieson O'Reilly ran his own experiment to test that dynamic. He published a skill under a provocative hook — "What would Elon do" — and used standard growth tactics to inflate its apparent legitimacy. In his own report, he described the skill climbing to over 4,000 downloads within hours, with real developers across seven countries executing its payload and pinging his server to confirm execution. He had designed it to extract nothing; a real attacker would have had their pick of credentials, session tokens, and filesystem access from each machine. O'Reilly's point was not that OpenClaw users are careless. It was that the signals humans rely on to assess trust — download count, professional presentation, community endorsement — are trivially gamed when the "package" is a markdown file that runs code.

OpenClaw's authentication model compounded the exposure. A Shodan scan by researcher @fmdz387 found nearly a thousand publicly accessible OpenClaw installations running without any authentication. By default, OpenClaw trusts connections from 127.0.0.1 — a reasonable assumption for a local-only service. But when a deployment sits behind a misconfigured reverse proxy, external traffic is forwarded to localhost, and the system hands over full access as if the request were local. O'Reilly separately demonstrated that from one of these exposed instances he could access Anthropic API keys, Telegram bot tokens, Slack credentials, and months of complete chat history, then execute commands with system administrator privileges.

Prompt injection — the class of attack where malicious content embedded in emails, documents, or web pages forces an LLM to take unintended actions — is not unique to OpenClaw. But OpenClaw's design amplifies its impact. The agent reads emails, monitors inboxes, and executes commands on behalf of the user. Matvey Kukuy, CEO of Archestra.AI, demonstrated the practical consequence by sending a prompt-injection email to a linked inbox and asking the agent to check mail; the bot extracted a private key from the machine. In another test, a Reddit user sent an email to themselves containing injection instructions and watched the bot forward the contents of their inbox to a recipient of the attacker's choosing. The attack surface is not theoretical: it is the entirety of the agent's connected world — email, messaging apps, file systems, cloud dashboards.

OpenClaw's response has been substantive, if reactive. The CVE-2026-25253 patch shipped on January 30. The VirusTotal partnership for ClawHub skill scanning was announced February 7 and went live shortly after. The rebranding from Clawdbot to OpenClaw — driven in part by Anthropic's objection to the obvious Claude branding — at least reduced the surface for social engineering through confused identity. These are real steps.

But the underlying architecture question remains open. An agent that can read your email, execute shell commands, and extend its own capabilities is a category of software that does not yet have established security patterns. The vulnerability disclosures, the skill marketplace malware campaign, and the unauthenticated instances are not separate problems — they are the same problem expressed through different doors. OpenClaw's power is genuine. The access it requires to deliver on that power is also genuine. What's still missing is the security layer that makes the tradeoff acceptable for anything other than an isolated machine with nothing worth stealing.