OpenClaw Faces Token Burn and Security Backlash

💡 OpenClaw's security flops & token costs kill hype—lessons for agent builders on real-world risks.
⚡ 30-Second TL;DR
What Changed
Token usage skyrockets from full-chain agent tasks, multi-step reasoning, and massive context prompts
Why It Matters
OpenClaw's troubles highlight agent deployment challenges, deterring non-experts and pressuring Chinese AI firms like Zhipu. They temper agent-era hype and shift attention toward enterprise-safe alternatives. Developers must prioritize security in open-source agents.
What To Do Next
Audit your OpenClaw setup for exposed ports and restrict Skills to trusted sources before local deployment.
🧠 Deep Insight
Web-grounded analysis with 9 cited sources.
🔑 Enhanced Key Takeaways
- CVE-2026-25253 (CVSS 8.8) enables remote code execution via malicious webpages that steal gateway authentication tokens through WebSocket hijacking, exploitable even on localhost instances.[1][2][3]
- ClawHub marketplace suffered a supply chain attack called ClawHavoc, with 341 malicious skills (12% of total) distributing keyloggers and stealers like Atomic Stealer on macOS.[5][6]
- Over 135,000 OpenClaw instances exposed publicly with authentication disabled by default, alongside plaintext storage of API keys targeted by infostealers like RedLine and Lumma.[1][6]
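The first and third takeaways describe two failure modes of a local agent gateway: a malicious webpage hijacking a WebSocket to the gateway, and a gateway that runs with authentication off. The following is an added illustration written for this page, not OpenClaw's code: a fail-closed handshake policy that rejects cross-site WebSocket upgrades by Origin and refuses to serve at all when no token is configured. The port, UI origins and header layout are assumed.

```python
# Added example (not OpenClaw's code): a fail-closed WebSocket handshake policy
# for a localhost agent gateway. It addresses the two failure modes above:
# cross-site WebSocket hijacking by a malicious webpage, and a gateway that
# runs with authentication disabled. Origins, port and header names are assumed.
import hmac

# Assumed: the origins of the gateway's own UI. A browser attaches the
# *page's* origin to every WebSocket handshake, so a page on another site
# is rejected here even though it can reach 127.0.0.1.
ALLOWED_ORIGINS = frozenset({"http://127.0.0.1:8000", "http://localhost:8000"})


def websocket_upgrade_decision(headers, expected_token, allowed_origins=ALLOWED_ORIGINS):
    """Return (accept, reason) for one HTTP upgrade request's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # Fail closed: no configured token means refuse, never "open until configured".
    if not expected_token:
        return False, "authentication not configured"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    # Browser requests always carry Origin; only allow-listed origins proceed.
    # Non-browser clients (CLI tools) omit it and are judged on the token alone.
    origin = h.get("origin")
    if origin is not None and origin not in allowed_origins:
        return False, f"origin not allowed: {origin}"
    # The token travels in a header, not the URL query string (which ends up in logs).
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False, "missing bearer token"
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample handshakes (not captured traffic).
    secret = "example-gateway-token"
    hijack = {"Upgrade": "websocket", "Origin": "https://attacker.example"}
    legit = {"Upgrade": "websocket", "Origin": "http://localhost:8000",
             "Authorization": f"Bearer {secret}"}
    for name, req in (("cross-site page", hijack), ("own UI", legit)):
        print(name, websocket_upgrade_decision(req, secret))
```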
📎 Sources (9)
Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.
- pacgenesis.com — OpenClaw Security Risks: What Security Teams Need to Know About AI Agents Like OpenClaw in 2026
- hackers-arise.com — CVE-2026-25253: How Malicious Links Can Steal Authentication Tokens and Compromise OpenClaw AI Systems
- runzero.com — OpenClaw
- sentinelone.com — CVE-2026-25593
- reco.ai — OpenClaw: The AI Agent Security Crisis Unfolding Right Now
- adminbyrequest.com — OpenClaw Went From Viral AI Agent to Security Crisis in Just Three Weeks
- flypix.ai — OpenClaw Security Guide
- nvd.nist.gov — CVE-2026-27486
- darkreading.com — Critical OpenClaw Vulnerability: AI Agent Risks
AI-curated news aggregator. All content rights belong to original publishers.
Original source: 虎嗅