The February Security Storm: Zero-Click Exploits, Supply Chain Attacks, and How OpenClaw Responded

OpenClaws.io Team

@openclaws

March 4, 2026

A Week That Changed Everything

Between February 24 and March 2, 2026, OpenClaw confronted a cascade of security incidents that tested the project's resilience, its community's trust, and its ability to respond under pressure. This post is a complete accounting of what happened, how the team responded, and what has changed as a result.

Incident 1: The Zero-Click WebSocket Hijack (CVE-2026-25253)

What Happened

On February 26, security researchers disclosed a critical zero-interaction vulnerability: any malicious website could silently seize full control of a user's OpenClaw agent without requiring any user action — no clicks, no plugins, no extensions.

How It Worked

  1. A user visits a webpage containing malicious JavaScript
  2. The script opens a WebSocket connection to the OpenClaw gateway on localhost
  3. The script brute-forces the gateway password at hundreds of attempts per second
  4. The gateway's rate limiter completely exempted localhost connections — failed attempts were not counted, throttled, or logged
  5. Once authenticated, the script silently registers as a trusted device
  6. The attacker gains full control: read messages, execute commands, access files, exfiltrate API keys

The Response

The OpenClaw security team classified this as high severity (CVSS 8.8) and shipped a patch in version 2026.2.25 within 24 hours of disclosure. The fix:

  • Removed the localhost exemption from rate limiting
  • Added WebSocket origin checking
  • Introduced connection attempt logging for all sources
  • Required re-authentication for new device registrations
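
The first three items of the fix, sketched as an added example (not OpenClaw's own code): an Origin check for WebSocket upgrades and a failed-login limiter that treats loopback like any other source and logs every attempt. The names `checkUpgrade`, `AuthLimiter` and `simulateGuessing`, the allowed UI origins with port 18789, and the thresholds are all assumptions made for illustration.

```javascript
// Added example, not OpenClaw source. Names and the UI origin/port are assumptions.
const ALLOWED_ORIGINS = new Set(["http://localhost:18789", "http://127.0.0.1:18789"]);

// Browsers attach Origin to every WebSocket handshake and page script cannot
// override it, so a foreign Origin means a web page is calling the gateway.
// Clients that send no Origin (CLI tools) pass here but must still authenticate.
function checkUpgrade(headers) {
  const origin = headers["origin"];
  if (origin === undefined) return { ok: true, reason: "no Origin header" };
  if (ALLOWED_ORIGINS.has(origin)) return { ok: true, reason: "allowed origin" };
  return { ok: false, reason: "origin not allowed: " + origin };
}

// Failed-login limiter keyed by remote address, with no loopback exemption.
class AuthLimiter {
  constructor({ maxFailures = 5, windowMs = 60000, lockMs = 300000, log = () => {} } = {}) {
    Object.assign(this, { maxFailures, windowMs, lockMs, log });
    this.state = new Map(); // addr -> { failures: [timestamps], lockedUntil }
  }
  // May this source attempt authentication now? Refusals are logged too.
  allow(addr, now) {
    const s = this.state.get(addr);
    const blocked = Boolean(s && s.lockedUntil > now);
    if (blocked) this.log({ ts: now, addr, event: "throttled" });
    return !blocked;
  }
  // Record the outcome of a password check for every source, 127.0.0.1 included.
  record(addr, success, now) {
    this.log({ ts: now, addr, event: success ? "auth-ok" : "auth-fail" });
    if (success) { this.state.delete(addr); return; }
    const s = this.state.get(addr) || { failures: [], lockedUntil: 0 };
    s.failures = s.failures.filter((t) => now - t < this.windowMs);
    s.failures.push(now);
    if (s.failures.length >= this.maxFailures) s.lockedUntil = now + this.lockMs;
    this.state.set(addr, s);
  }
}

// Constructed scenario: one local source submits wrong passwords 5 ms apart.
// Returns how many guesses actually reached the password check.
function simulateGuessing(limiter, guesses) {
  let checked = 0;
  for (let i = 0; i < guesses; i++) {
    const now = i * 5;
    if (!limiter.allow("127.0.0.1", now)) continue;
    checked++;
    limiter.record("127.0.0.1", false, now);
  }
  return checked;
}
```

With these assumed thresholds, a run of 1,000 rapid guesses from 127.0.0.1 reaches the password check only five times, and all 1,000 attempts appear in the log.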

Impact

There is no confirmed evidence of exploitation in the wild prior to disclosure, but the vulnerability window was approximately 6 weeks (from when the localhost exemption was introduced in v2026.1.12).

Incident 2: The ClawHub Supply Chain Crisis

What Happened

In parallel with the WebSocket vulnerability, security researchers from multiple firms published findings showing that approximately 20% of all skills listed on ClawHub — 341 out of roughly 1,700 — were malicious or contained suspicious behavior.

What the Malicious Skills Did

  • Data exfiltration: Silently uploading environment variables, API keys, and conversation logs to external servers
  • Credential harvesting: Capturing authentication tokens for connected services (Slack, Discord, Gmail)
  • Backdoor installation: Establishing persistent reverse shells on the host system
  • Prompt injection: Manipulating the agent's behavior to serve the attacker's goals while appearing normal to the user

The Response

OpenClaw integrated VirusTotal scanning into the ClawHub submission pipeline. Every new skill and every skill update is now:

  1. Scanned by VirusTotal's multi-engine analysis
  2. Subjected to static code analysis for known malicious patterns
  3. Reviewed by a human moderator before publication (for skills requesting elevated permissions)
  4. Tagged with a trust score visible to users before installation

Additionally, all 341 identified malicious skills were removed, their publishers were banned, and affected users were notified.

Incident 3: The Config File Infostealer

What Happened

A separate campaign targeted OpenClaw users through social engineering: fake "optimization guides" and "performance tools" distributed via GitHub, Reddit, and Chinese developer forums contained infostealers that specifically targeted:

  • OpenClaw configuration files (.clawrc, config.yaml)
  • Gateway authentication tokens
  • API keys stored in environment variables
  • Conversation history databases

The Response

The team published a security advisory with detection scripts and recommended that all affected users rotate their API keys and gateway passwords immediately.

What Changed

The February security storm was a wake-up call. Here is what has changed since:

Technical Changes

  • Localhost is no longer trusted: All connections are rate-limited and logged equally
  • VirusTotal integration: Mandatory scanning for all ClawHub submissions
  • Skill sandboxing improvements: Skills now run in more restrictive sandboxes with explicit permission grants
  • Security headers: WebSocket connections now validate Origin headers

Process Changes

  • 24-hour SLA: The team has committed to a 24-hour response time for critical security reports
  • Bug bounty expansion: The existing bounty program was expanded with higher payouts for agent-specific vulnerabilities
  • Security audit: A third-party security audit of the gateway and skill execution engine is underway

Community Changes

  • Security channel: A dedicated #security channel on Discord for real-time vulnerability discussion
  • Skill trust indicators: ClawHub now shows verification status, scan results, and community trust scores

Lessons Learned

  1. Localhost is not a security boundary. Any application listening on localhost is reachable by any webpage the user visits. This is a well-known fact in web security, but it was overlooked in OpenClaw's gateway design.
  2. Marketplace trust requires active verification. A permissionless skill marketplace will be abused. The cost of moderation is always lower than the cost of a breach.
  3. Speed matters more than perfection. The 24-hour patch for CVE-2026-25253 was not perfect — it was improved in subsequent releases — but it closed the critical attack vector immediately.
  4. Transparency builds trust. Publishing this full timeline, including the mistakes, is part of how we earn the community's confidence.

We are committed to making OpenClaw the most secure self-hosted AI agent platform available. If you discover a vulnerability, please report it through our security disclosure process.
