What caused the OpenClaw security crisis?

A WebSocket RCE (CVE-2026-25253) plus 137 other vulns, ClawHub's 341 malicious skills (12% of registry), and lax governance letting agents run wild with deep perms.

Are OpenClaw agents still safe to use?

Patched instances? Mostly, if updated and skills vetted. Exposed public ones? No — scan and firewall 'em. Governance layer essential for prod.

How do I secure my OpenClaw setup?

Bind to localhost, enable auth, verify skill sigs, monitor runtime, use a proxy for scoping. Patch religiously.

🔒 Security & Privacy

OpenClaw's 135K Exposed Agents: A Ticking Time Bomb

OpenClaw promised autonomous AI magic. Instead, it handed hackers the keys to 135,000 machines.

theAIcatchup Apr 09, 2026 4 min read

Globe dotted with vulnerable OpenClaw AI agent instances

⚡ Key Takeaways

135,000 OpenClaw instances exposed publicly, 63% without auth. 𝕏
ClawHub's 12% malicious skills bypassed vulns via supply chain. 𝕏
Patching insufficient; runtime governance is the real fix needed. 𝕏

Published by

theAIcatchup

Community-driven. Code-first.

#AI agent vulnerabilities #ClawHub malware #OpenClaw security crisis #supply chain attacks

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Dev.to

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

Nulldeps: The JS Framework That Erases npm — And Reshapes Web Dev Security

React Server Components' Perfect-Score RCE Flaw Exposes Millions of Apps

Anthropic's One-Line Fumble Leaks Billions in Code

Agent Custody: The Missing Link Keeping AI Agents from Becoming Crypto Black Holes

Stay in the loop