OpenClaw Users Report Data Loss Fears

💡Real OpenClaw pitfalls: data wipes, privacy breaches – security must-read
⚡ 30-Second TL;DR
What Changed
Users spent thousands on tokens; auto-executes without confirmation, e.g., video compression installs software unasked.
Why It Matters
Highlights agent autonomy risks, prompting safer designs; slows OpenClaw adoption amid hype to caution.
What To Do Next
Install OpenClaw in a VM sandbox and audit skills from official repos before running.
🧠 Deep Insight
Web-grounded analysis with 7 cited sources.
🔑 Enhanced Key Takeaways
- •OpenClaw experienced explosive growth, gaining 25,000 GitHub stars in one day during late January 2026 and reaching 201,000 stars total, marking it as one of the fastest-growing open-source projects in GitHub history.[1][2][6]
- •Security researchers identified over 135,000 publicly exposed OpenClaw instances across 82 countries, with more than 50,000 exploitable via RCE and over 30,000 lacking authentication, scanned by firms like Censys, Bitsight, and SecurityScorecard.[1][2][5][6]
- •The ClawHavoc supply-chain campaign initially placed 341 malicious skills (12% of ClawHub registry), later expanding to over 800 (~20%), many delivering Atomic macOS Stealer (AMOS) while disguised as utilities like crypto tools.[1][5]
- •OpenClaw stores API keys, OAuth tokens, Slack credentials, and chat histories in plaintext files like ~/.openclaw/, targeted by infostealers such as AMOS, RedLine, Lumma, and Vidar, with enterprise Shadow AI deployments confirmed via Bitdefender telemetry.[1][3]
🛠️ Technical Deep Dive
- •CVE-2026-25253 (CVSS 8.8) enables one-click RCE via malicious JavaScript on a webpage that lures the agent, leaking the gateway authentication token for full admin control; exploitable on localhost instances as browser initiates outbound connection; patched in v2026.1.29 (Jan 29, 2026) and related ClawJacked flaw in v2026.2.25 (Feb 26, 2026).[1][2][3]
- •Default configuration disables authentication, accepts unverified WebSocket connections without origin checks, and lacks rate limiting on login attempts, exposing new installs to immediate internet access.[2][3]
- •Proof-of-concept exploit available on GitHub (ethiack/moltbot-1click-rce) abuses unvalidated WebSocket parameter for session hijacking and arbitrary command execution.[5]
- •Exposed mDNS services in 15.31% of scanned instances (3,746 out of 24,478) reveal host information; ClawHub skills lack pre-installation vetting, enabling malware distribution.[1][5]
🔮 Future ImplicationsAI analysis grounded in cited sources
⏳ Timeline
📎 Sources (7)
Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.
- conscia.com — The Openclaw Security Crisis
- adminbyrequest.com — Openclaw Went From Viral AI Agent to Security Crisis in Just Three Weeks
- pacgenesis.com — Openclaw Security Risks What Security Teams Need to Know About AI Agents Like Openclaw in 2026
- securityweek.com — Openclaw Vulnerability Allowed Malicious Websites to Hijack AI Agents
- cyera.com — The Openclaw Security Saga How AI Adoption Outpaced Security Boundaries
- heimdalsecurity.com — Openclaw Incidents AI Adoption Risk
- darkreading.com — Critical Openclaw Vulnerability AI Agent Risks
Weekly AI Recap
Read this week's curated digest of top AI events →
👉Related Updates
AI-curated news aggregator. All content rights belong to original publishers.
Original source: 虎嗅 ↗