OpenClaw's growth has been extraordinary. But with 180,000 GitHub stars and deployments in 82 countries comes a less comfortable reality: the project has become a target. And governments have started paying attention.
This article covers the security landscape as of February 2026 — the vulnerabilities discovered, the government responses, the corporate bans, and what the new foundation structure might mean for security governance going forward.
The Vulnerability That Changed the Conversation
In early February 2026, researchers disclosed CVE-2026-25253, a critical one-click remote code execution vulnerability with a CVSS score of 8.8 (High).
The flaw was in OpenClaw's Control UI. The UI automatically trusted any gateway URL passed as a query parameter and opened a WebSocket connection that included the user's stored authentication token. An attacker could craft a malicious link that, when clicked by a logged-in user, would:
1. Redirect the Control UI to an attacker-controlled gateway
2. Exfiltrate the authentication token via the WebSocket handshake
3. Use the stolen token to execute arbitrary commands on the victim's OpenClaw instance
The barrier to exploitation was low. No special tools needed — just a crafted URL sent via email, chat, or social media. The patch landed in v2026.1.29 on January 30, 2026. No confirmed exploitation in the wild was reported, but the simplicity of the attack vector raised alarms.
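The trust decision described above, as an added example that is not OpenClaw's code: the first function accepts whatever gateway the link supplies, while the second attaches the token only when the parsed origin is on an allowlist. The query parameter name `gateway`, the host names and the function names are hypothetical.

```javascript
// Added example; parameter name, hosts and function names are hypothetical.
const DEFAULT_GATEWAY = "wss://gateway.example.internal/ws";
const ALLOWED_GATEWAY_ORIGINS = new Set(["wss://gateway.example.internal"]);

// Pattern the article describes: the gateway from the link is trusted as-is,
// so the stored token would be sent to whatever host the link names.
function pickGatewayUnsafe(pageUrl) {
  const requested = new URL(pageUrl).searchParams.get("gateway");
  return requested || DEFAULT_GATEWAY;
}

function reject(reason) {
  return { url: null, sendToken: false, reason };
}

// Hardened pattern: parse the value, require wss, refuse embedded credentials,
// and compare the exact origin (scheme + host + port) against an allowlist.
function pickGatewaySafe(pageUrl, allowed = ALLOWED_GATEWAY_ORIGINS) {
  const requested = new URL(pageUrl).searchParams.get("gateway");
  if (!requested) return { url: DEFAULT_GATEWAY, sendToken: true, reason: "default" };
  let parsed;
  try {
    parsed = new URL(requested);
  } catch {
    return reject("unparseable");
  }
  if (parsed.protocol !== "wss:") return reject("scheme");
  if (parsed.username || parsed.password) return reject("userinfo");
  const origin = `${parsed.protocol}//${parsed.host}`;
  if (!allowed.has(origin)) return reject("origin not allowlisted");
  return { url: parsed.href, sendToken: true, reason: "allowlisted" };
}
```

Comparing the parsed origin rather than a string prefix is what stops lookalike hosts that merely begin with the trusted name.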
The Numbers: 42,900 Exposed Instances
SecurityScorecard's STRIKE team conducted a global scan and found 42,900 OpenClaw instances exposed to the public internet across 82 countries. Of those, 15,200 were vulnerable to remote code execution — meaning they hadn't been patched or were running with default configurations that left them open.
To put that in perspective: 15,200 machines that anyone on the internet could potentially take over with a single HTTP request.
Separately, researchers at Giskard demonstrated data leakage and prompt injection vulnerabilities in deployed instances. They showed that a carefully crafted prompt could extract private API keys, environment variables, and other secrets from a running OpenClaw agent. In their tests, private keys were extracted in under five minutes.
Perhaps most concerning: 93% of publicly exposed instances had critical authentication bypass vulnerabilities. The default setup, it turns out, is not secure enough for public exposure — something the documentation now warns about explicitly.
The Malicious Skills Problem
Bitdefender's research team analyzed ClawHub, OpenClaw's public skill registry, and found approximately 900 malicious skills out of roughly 4,500 total — about 20% of all published packages.
These malicious skills ranged from credential stealers disguised as utility tools to backdoors that gave attackers persistent access to the host machine. Some were sophisticated enough to pass casual code review, using obfuscated payloads that only activated after installation.
This echoes problems seen in npm, PyPI, and other package registries, but with higher stakes: OpenClaw skills often run with system-level permissions and access to messaging accounts, API keys, and personal data.
China's Response: MIIT Warning
China's Ministry of Industry and Information Technology (MIIT) issued a security advisory specifically about OpenClaw, warning companies to review how their instances are exposed to public networks. The advisory stopped short of an outright ban but recommended:
- Auditing all OpenClaw deployments for public exposure
- Implementing network segmentation to isolate OpenClaw instances
- Reviewing installed skills for known malicious packages
- Updating to the latest patched version
This is notable because China has simultaneously embraced OpenClaw at the platform level — Alibaba Cloud, Tencent Cloud, Volcano Engine, and Baidu have all launched OpenClaw hosting services. The MIIT warning signals that the government sees both the opportunity and the risk.
South Korea's Response: Corporate Bans
South Korea took a more aggressive stance. Multiple major tech companies issued internal bans:
- Kakao announced restrictions on OpenClaw use on work devices to protect information assets
- Naver issued an internal ban on OpenClaw entirely
- Karrot (당근마켓) completely blocked access to OpenClaw
The Korean response was driven by concerns about data exfiltration — specifically, the risk that an AI agent with access to corporate systems could leak sensitive information through its messaging integrations. When your AI assistant can read your Slack, your email, and your calendar, and then relay information through WhatsApp or Telegram, the attack surface for corporate espionage expands dramatically.
What the Foundation Transition Means for Security
On February 14, 2026, OpenClaw creator Peter Steinberger announced he was joining OpenAI, and the project would transition to an independent 501(c)(3) foundation with OpenAI's backing.
For security, this raises both hopes and questions:
The optimistic case: A foundation structure with corporate backing could fund dedicated security engineers, establish a formal security response team, implement mandatory skill review processes for ClawHub, and conduct regular security audits. These are things that a solo maintainer or volunteer community struggles to sustain.
The cautious case: OpenAI's involvement creates a potential conflict of interest. Will security decisions be made purely on technical merit, or will commercial considerations influence what gets disclosed and when? The foundation's independence will be tested the first time a major vulnerability affects OpenAI's own interests.
- A funded, full-time security team with public disclosure policies
- Mandatory code signing and review for ClawHub skills
- Automated vulnerability scanning in the CI/CD pipeline
- A bug bounty program with meaningful payouts
- Regular third-party security audits with published results
What Users Should Do Now
If you're running OpenClaw, the immediate steps are straightforward:
1. **Update**: Make sure you're on v2026.2.21 or later
2. **Don't expose to the public internet**: Use a VPN or SSH tunnel for remote access
3. **Audit your skills**: Review every installed skill, especially those from unknown authors
4. **Enable authentication**: Don't run with default credentials
5. **Monitor access logs**: Watch for unusual connection patterns
6. **Network segmentation**: Isolate your OpenClaw instance from sensitive systems
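One way to apply the update, exposure and authentication steps across several instances, as an added example that is not part of OpenClaw: a triage function run over an inventory. The two version numbers come from this article; the inventory records and their field names (`version`, `bind`, `authEnabled`) are constructed and hypothetical.

```javascript
// Added example; inventory records and field names are constructed, not an OpenClaw format.
const PATCHED = "v2026.1.29";     // release the article names as fixing CVE-2026-25253
const RECOMMENDED = "v2026.2.21"; // minimum version the article recommends

// Versions have three dotted numeric parts. Compare them as numbers:
// a plain string comparison would rank 2026.10.1 below 2026.2.21.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// A loopback-only listener is reachable only through a tunnel that ends on the host.
function isLoopback(addr) {
  return addr === "::1" || addr === "localhost" || /^127\./.test(addr);
}

function triage(instance) {
  const findings = [];
  if (compareVersions(instance.version, PATCHED) < 0) {
    findings.push("predates CVE-2026-25253 patch");
  } else if (compareVersions(instance.version, RECOMMENDED) < 0) {
    findings.push("below recommended version");
  }
  if (!isLoopback(instance.bind)) findings.push("reachable beyond loopback; confirm not internet-facing");
  if (!instance.authEnabled) findings.push("authentication disabled");
  return findings;
}

const INVENTORY = [ // constructed sample data
  { host: "agent-01", version: "v2026.1.24", bind: "0.0.0.0", authEnabled: false },
  { host: "agent-02", version: "v2026.2.3", bind: "127.0.0.1", authEnabled: true },
  { host: "agent-03", version: "v2026.10.1", bind: "127.0.0.1", authEnabled: true },
];
```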
The Bigger Picture
OpenClaw's security challenges aren't unique — they're the inevitable growing pains of any open-source project that goes from weekend hack to critical infrastructure in three months. npm had malicious packages. Docker Hub had cryptominers. PyPI had typosquatting attacks.
What's different here is the stakes. OpenClaw agents have access to messaging accounts, email, calendars, smart home devices, and potentially corporate systems. A compromised OpenClaw instance isn't just a hacked server — it's a compromised digital life.
The foundation transition is the project's best chance to build the security infrastructure it needs. Whether that potential is realized depends on how seriously the new governance structure takes security as a first-class concern, not an afterthought.
We'll continue tracking this space and reporting on developments as they happen.