OpenClaw is the most-starred project in GitHub history — 347,000 stars as of April 2026. It’s an open-source autonomous agent framework that runs locally, connecting to over 20 messaging platforms, executing skills on your hardware. In February, OpenAI acquihired its creator Peter Steinberger. The project moved to a non-profit foundation and stayed MIT-licensed.

It’s also, according to Gartner, “insecure by default.”

As of May 29, 2026, OpenClaw has 454 documented CVEs and growing. Its skill marketplace, ClawHub, was hit with a coordinated campaign that planted 1,184 malicious skills — one in every twelve packages carries a payload, per independent audits. Government cybersecurity agencies in Belgium and China have issued advisories. Enterprise security teams are being advised to block OpenClaw downloads entirely.

This is the state of the framework that millions of builders either use or are considering.


The CVE Count: 454 and Rising

OpenClaw is less than a year old. It logged 8 critical CVEs in its first six weeks. The count has since passed 454. A separate academic taxonomy catalogs 470+ advisories, organized by architectural layer and trust-violation type; it counts advisories rather than CVE IDs, so the two figures are not expected to match.

Three CVEs deserve specific attention for builders:

CVE-2026-25253 (CVSS 8.8) — One-Click RCE via WebSocket Hijacking

Visiting a malicious webpage is sufficient to trigger it. The attack abuses a bypass of the gateway's WebSocket Origin header check to steal auth tokens and gain operator-level gateway access; no further user action is required. This is not theoretical: researchers at Oasis Security demonstrated it in a controlled environment. One practical point about this vulnerability class: the attacker's page runs inside the victim's own browser, which can reach a gateway bound to localhost, so a loopback-only bind does not block it. What blocks it is an exact Origin allowlist on the handshake, plus authentication that a browser will not attach on a cross-site page's behalf.
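To make the Origin-check failure concrete, here is an added illustration of the weakness class in general (a prefix match on Origin plus cookie-based auth) next to a strict handshake validator. This is not OpenClaw's code and does not claim to reproduce the actual CVE mechanism; the port, path, token and header values are hypothetical and the three handshakes are constructed.

```python
"""WebSocket upgrade validation: a weak Origin check beside a strict one.

Added illustration of the origin-check weakness class, not OpenClaw's own code.
The port, path, token and header values below are hypothetical.
"""
import hmac
from urllib.parse import urlsplit

GATEWAY_TOKEN = "example-operator-token"                       # hypothetical shared secret
ALLOWED_ORIGINS = {("http", "localhost", 8080), ("http", "127.0.0.1", 8080)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_upgrade_request(raw: bytes) -> dict:
    """Parse the request line and headers of an HTTP/1.1 upgrade request.

    Header names are lowercased. A repeated header is rejected outright:
    two Origin headers is a classic way to confuse a naive check.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in headers:
            raise ValueError(f"duplicate header: {name}")
        headers[name] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def normalize_origin(origin: str):
    """Return (scheme, host, port) for an Origin value, or None if it is 'null' or malformed."""
    if origin.strip().lower() == "null":
        return None                                # sandboxed iframes and data: URLs send 'null'
    parts = urlsplit(origin.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None                                # an Origin is scheme://host[:port], nothing more
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:                             # non-numeric or out-of-range port
        return None
    return (scheme, parts.hostname, port)          # hostname is already lowercased by urlsplit


def accept_weak(req: dict) -> bool:
    """The shape an Origin bypass exploits: prefix match plus ambient cookie authentication."""
    headers = req["headers"]
    origin = headers.get("origin", "")
    if origin and not origin.startswith("http://localhost"):
        return False                               # 'http://localhost.attacker.example' passes
    return "session=" in headers.get("cookie", "")  # the browser attaches the cookie for the attacker


def accept_strict(req: dict) -> bool:
    """Exact Origin allowlist, and a bearer token that a cross-site page cannot supply."""
    headers = req["headers"]
    if headers.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in headers:
        return False
    if "origin" in headers:                        # browsers always send it; exact match only
        if normalize_origin(headers["origin"]) not in ALLOWED_ORIGINS:
            return False
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return False                               # cookies are never accepted as gateway auth
    return hmac.compare_digest(token.strip().encode(), GATEWAY_TOKEN.encode())


ATTACKER_REQUEST = (                               # constructed: sent by a page the victim visited
    b"GET /gateway HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Origin: http://localhost.attacker.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)
LEGIT_BROWSER_REQUEST = (                          # constructed: the gateway's own UI
    b"GET /gateway HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Origin: HTTP://LocalHost:8080\r\n"
    b"Authorization: Bearer example-operator-token\r\n"
    b"\r\n"
)
CLI_REQUEST = (                                    # constructed: a non-browser client, no Origin
    b"GET /gateway HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Authorization: Bearer example-operator-token\r\n"
    b"\r\n"
)


def evaluate() -> dict:
    """Run both validators over the constructed handshakes."""
    reqs = {"attacker": ATTACKER_REQUEST, "browser": LEGIT_BROWSER_REQUEST, "cli": CLI_REQUEST}
    return {name: {"weak": accept_weak(parse_upgrade_request(raw)),
                   "strict": accept_strict(parse_upgrade_request(raw))}
            for name, raw in reqs.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:9s} weak={verdict['weak']!s:5s} strict={verdict['strict']}")
```

The weak validator accepts the attacker's handshake because `startswith("http://localhost")` matches `localhost.attacker.example` and the browser supplies the session cookie on the attacker's behalf. The strict validator compares the parsed (scheme, host, port) against an allowlist and accepts only an explicit bearer token, which a cross-site page cannot read or forge. A client without an Origin header (a CLI, not a browser) is still allowed through, but only with the token.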

CVE-2026-32922 (CVSS 9.9) — Critical Privilege Escalation

A 9.9 CVSS score puts this among the most severe vulnerabilities disclosed in the cloud-native ecosystem in 2026. It allows privilege escalation within a running OpenClaw instance, enabling an attacker to move from a limited-permission context to full operator access.

“Claw Chain” — Four Chained Vulnerabilities

Cyera Research disclosed four separate flaws that, when chained together, allow an attacker to achieve data theft, privilege escalation, and persistent backdoor access in sequence. Any one of the four vulnerabilities in isolation has limited scope. Combined, they represent a complete compromise path.


The Marketplace Problem: ClawHavoc

The framework CVEs are one issue. The ClawHub skill marketplace is a separate and arguably more immediate problem.

ClawHub is how OpenClaw users extend the framework — skills for cryptocurrency trading, Google Workspace integration, YouTube utilities, auto-updaters, development helpers. As of May 2026, the marketplace hosts approximately 13,700 skills.

1,184 of those skills are malicious.

The coordinated attack campaign is being tracked as ClawHavoc. Researchers traced 335 of the 1,184 malicious skills to a single coordinated operation. The targeting strategy focused on always-on machines — Mac Minis and similar dedicated hardware that many builders use to run persistent AI agents. These machines are attractive because they run continuously and often have privileged access to local filesystems, messaging accounts, and API credentials.

Attack disguises used:

  • Cryptocurrency wallets and Polymarket trading bots (targets builders running financial agents)
  • YouTube utilities (broad install surface)
  • Google Workspace integrations (credential harvesting target)
  • Auto-updaters (persistence mechanism)

Typosquatting was a primary distribution method — skill names designed to closely resemble legitimate packages. A builder quickly scanning the marketplace and selecting the top result is the attack’s intended target.

The ranking manipulation angle: Silverfort documented a ClawHub ranking vulnerability that allowed attackers to manipulate skill popularity scores to place a malicious skill in the number-one position for high-traffic search terms. A skill appearing at the top of results is not a signal of safety.
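Typosquats and homoglyph look-alikes are cheap to screen for before an install. The following is an added example of such a screen, not ClawHub tooling: it canonicalizes names (case, Unicode compatibility forms, separator and digit-for-letter swaps, a few Cyrillic confusables) and then compares them to a known-good list by exact match, prefix, and edit distance. The known-good names and the candidate listing are constructed for the example.

```python
"""Screen marketplace skill names for typosquats and homoglyph look-alikes.

Added example, not ClawHub tooling. KNOWN_GOOD and the candidate names are constructed.
"""
import re
import unicodedata

KNOWN_GOOD = ["google-workspace", "youtube-tools", "polymarket-trader", "auto-updater"]

# Characters commonly swapped for visually similar ones; a few Cyrillic letters included.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "_": "-", ".": "-",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def canonical(name: str) -> str:
    """Collapse case, Unicode compatibility forms, separators and confusable glyphs."""
    name = unicodedata.normalize("NFKC", name).lower().translate(CONFUSABLES)
    return re.sub(r"[^a-z0-9-]", "", name)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit insert/delete/substitute costs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, known=KNOWN_GOOD, max_distance: int = 2):
    """Return (verdict, matched_known_name) for one marketplace listing."""
    if candidate in known:
        return ("legitimate", candidate)
    c = canonical(candidate)
    for k in known:
        kc = canonical(k)
        if c == kc:
            return ("confusable", k)         # same name once glyph/case tricks are removed
        if c.startswith(kc + "-") or c.endswith("-" + kc):
            return ("lookalike", k)          # 'auto-updater-pro': may be fine, needs a human look
        if len(kc) >= 6 and 0 < levenshtein(c, kc) <= max_distance:
            return ("typosquat", k)
    return ("unknown", None)


def scan(names):
    """Classify every name in a listing."""
    return {n: classify(n) for n in names}


CANDIDATES = [                                   # constructed listing, not real ClawHub data
    "google-workspace", "googIe-workspace", "g00gle_workspace",
    "youtub\u0435-tools", "polymarket-tradr", "auto-updater-pro", "weather-forecast",
]

if __name__ == "__main__":
    for name, (verdict, match) in scan(CANDIDATES).items():
        print(f"{verdict:11s} {name!r:24s} -> {match}")
```

The distance threshold is deliberately low and the minimum known-name length keeps short names from matching everything; the `lookalike` verdict is a prompt for review rather than a block, since a `-pro` or `-v2` suffix is also how legitimate forks are named. A screen like this should be run against the package name you are about to install, not against search rankings, which the Silverfort finding shows can be manipulated.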

Recent mitigations ClawHub has shipped:

  • Accounts must be at least one week old before posting new skills
  • Verified users can report malicious skills
  • Skills receiving more than three reports are automatically hidden pending review

These controls help. They do not remove the 1,184 skills already installed from the machines that pulled them, they do not stop a patient attacker who ages an account for a week before uploading a payload, and a fixed report threshold can also be turned against legitimate skills by coordinated false reports.


The Exposure Picture

SecurityScorecard reported 40,214 OpenClaw instances exposed on the internet. 35–63% of those instances are running configurations flagged as vulnerable — the range reflects different methodology windows, not contradiction.

This is not unusual for developer tooling: builders spin up agents quickly and bind the gateway to every interface rather than to loopback. But the exposure scope, combined with CVE-2026-25253's one-click RCE, creates a significant attack surface.
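Checking your own host for the exposure described above takes one pass over `ss -ltnp` output. The following is an added example of that check (also the check behind item 3 of the builder checklist later on), not an OpenClaw utility: it parses listener lines, strips IPv6 brackets, and reports any listener belonging to the gateway process that is not bound to a loopback address. The sample output is constructed, and the process name `openclaw` and the port numbers are hypothetical.

```python
"""Flag gateway listeners bound to non-loopback addresses in `ss -ltnp` output.

Added example. The sample output is constructed; the process name and ports are hypothetical.
"""
import ipaddress
import re
import sys

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("openclaw",pid=4242,fd=7))
LISTEN 0      128    0.0.0.0:18789       0.0.0.0:*         users:(("openclaw",pid=4242,fd=9))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=901,fd=3))
LISTEN 0      128    [::1]:5432          [::]:*            users:(("postgres",pid=1200,fd=5))
LISTEN 0      128    *:3000              *:*               users:(("node",pid=2200,fd=21))
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss(text: str):
    """Yield one dict per LISTEN line: local address, port, process name, pid."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                              # header line or non-listening socket
        addr, _, port = cols[3].rpartition(":")   # rpartition keeps IPv6 colons in the address
        m = PROC_RE.search(line)
        yield {"addr": addr.strip("[]"), "port": int(port),
               "proc": m.group(1) if m else None,
               "pid": int(m.group(2)) if m else None}


def is_loopback(addr: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; '*' is the unspecified address in ss output."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_listeners(text: str, process: str = "openclaw"):
    """Return (addr, port, pid) for every listener of `process` not bound to loopback."""
    return [(e["addr"], e["port"], e["pid"]) for e in parse_ss(text)
            if e["proc"] == process and not is_loopback(e["addr"])]


if __name__ == "__main__":
    text = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_SS_OUTPUT
    for addr, port, pid in exposed_listeners(text):
        print(f"exposed: {addr}:{port} (pid {pid})")
```

Run it as `ss -ltnp | python3 check_exposure.py --stdin` on the host (the filename is arbitrary). On the constructed sample it reports only the `0.0.0.0:18789` listener; the `127.0.0.1:8080` one is fine. A wildcard bind on a machine with a public address, or behind a router with port forwarding, is what lands an instance in the SecurityScorecard count.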


What Gartner Says

Gartner has classified OpenClaw as “insecure by default” and “unmanaged with high privileges” in a framework advisory targeting enterprise security teams.

The specific recommendation: block OpenClaw downloads and traffic immediately in enterprise environments.

This advisory is aimed at IT and security teams, not individual builders. But if you are building an AI product that runs OpenClaw on company infrastructure, that advisory is now part of the procurement and security review conversation you will have with enterprise customers.


The Enterprise Alternative: NemoClaw (NVIDIA)

NVIDIA is building NemoClaw — an OpenClaw-based runtime with enterprise security controls layered on top.

Key differences from the upstream OpenClaw project:

  • Kernel-level isolation: Agent skill execution runs in sandboxed processes with enforced permission boundaries
  • Policy enforcement: Behavioral guardrails that can be configured per agent, not per skill
  • Local privacy router: Powered by Nemotron-3 models, routes sensitive data away from cloud LLM endpoints
  • Governance layer: Audit logging, access controls, and integration with enterprise identity systems

NemoClaw is described as an early-stage alpha. It is not production-ready as of May 2026. NVIDIA has been accelerating distribution to corporate partners ahead of a broader release.

Microsoft Agent 365 is also relevant here: Microsoft’s enterprise AI governance product includes detection for OpenClaw agents running on Windows devices. IT administrators can see which devices are running OpenClaw, block execution paths, and enforce policy through Intune. This is Microsoft responding to OpenClaw’s enterprise presence by giving security teams visibility and control, not by blocking the framework outright.


The Action Checklist for Builders

If you run OpenClaw in production:

  1. Audit your ClawHub skills immediately. Cross-reference any installed skill against the ClawHavoc skill list (tracked at the GitHub jgamblin/OpenClawCVEs repository and CyberPress reporting). If a skill was installed from ClawHub before May 2026 without verification, assume it should be re-validated.

  2. Patch CVE-2026-25253 first. The WebSocket Origin header bypass is the highest-priority remediation: it requires no attacker foothold beyond getting you to visit a malicious page, and a loopback-only bind does not help here, because the request originates from your own browser. Verify that your OpenClaw version includes the fix.

  3. Audit internet exposure. If your OpenClaw instance listens on an external-facing port, it is discoverable by the same scanning that produced SecurityScorecard's 40,214 count, and by anyone else running it. Close external access unless you have a specific requirement for it, and bind the gateway to loopback or a private interface otherwise.

  4. Review skill permissions. OpenClaw skills by default have broad filesystem and network access. If a skill does not need a specific permission, remove it; start from a deny-by-default set and add only what the skill's documented function requires.

  5. Check your credential storage. Gartner’s “insecure by default” characterization includes plaintext credential storage in early versions. Verify how your installation stores API keys and access tokens.

If you are evaluating OpenClaw:

The framework’s capabilities are real — the 347,000 stars reflect genuine utility. The security track record is also real. The calculus for builders at this stage:

  • Personal projects and development environments: OpenClaw remains viable with careful skill hygiene and no exposed ports.
  • Enterprise or team environments: Wait for NemoClaw to reach production readiness, or use a different agent framework (LangChain, AutoGen, Microsoft Agent Framework) with explicit security controls built in from the start.
  • Anything touching customer data or financial systems: The CVE-2026-32922 privilege escalation and ClawHavoc targeting of financial agent machines should be disqualifying until the framework’s security posture improves.

If you are building something that targets OpenClaw users:

If your MCP server or tool is distributed via ClawHub or designed for OpenClaw environments, the security crisis in the ecosystem affects your users regardless of your own security posture. Clearly documenting your installation source, signing your packages, and recommending users verify your skill against a known-good hash are now table-stakes practices.


Context: The Project's Governance Has Changed

One additional factor builders evaluating OpenClaw should weigh: the project’s governance changed in February 2026 when OpenAI acquihired Peter Steinberger. OpenClaw now sits in a non-profit foundation with OpenAI as a sponsor but not a controller. The MIT license remains in place.

OpenAI’s relationship to the project creates an interesting tension. OpenAI is simultaneously the closest thing OpenClaw has to a corporate sponsor and the company whose products (Codex, ChatGPT Agent) most directly compete with OpenClaw’s use cases. How that tension resolves over the next 12 months — whether OpenAI invests in hardening the foundation’s security response, or whether investment flows primarily toward the competitive products — will substantially affect the long-term viability of the open-source framework.

For now, the security posture of the framework is what it is: 454 CVEs, 1,184 poisoned marketplace skills, and an enterprise block advisory from the world’s largest analyst firm.

Build accordingly.


Updated May 30, 2026. CVE tracking: jgamblin/OpenClawCVEs on GitHub. ClawHavoc campaign reporting via CyberPress and Hacker News. NemoClaw status via Tom’s Hardware and TechCrunch. Gartner advisory summary via Sangfor and Remio.