OpenClaw AI assistant surge sparks major security fears

Security researchers have raised concerns about OpenClaw, an open-source agentic AI assistant that can take actions across real systems. Recent analysis links the project's rapid adoption to risks including exposed control interfaces, malicious developer tooling, and a fast-moving ecosystem of unvetted extensions.

Unlike mainstream chatbot services, OpenClaw runs locally as an automation layer with access to user accounts and connected services. Users interact with it through chat apps including WhatsApp, Telegram, Slack, Discord and iMessage. It can read and send messages, manage calendars, run workflow automations, and carry out tasks through integrated tools.

At the centre of the system is a locally running Gateway service that brokers communication between chat interfaces, the AI model, and additional tools known as "skills". The Gateway exposes APIs over a WebSocket interface, including on TCP port 18789. Project documentation describes it as a local service, or one that should be accessed only through secured tunnels.

Researchers say the security model shifts when a conversational agent combines three traits: access to sensitive information such as credentials and tokens; exposure to untrusted input through messaging channels; and the ability to take external actions such as running commands, reading files, and communicating outward.

Internet Exposure

Investigations have focused on cases where OpenClaw instances were reachable from the public internet. Censys reported a sharp increase in publicly exposed instances, rising from around 1,000 to more than 21,000 in under a week. Although OpenClaw is intended to run locally or behind protective access methods, many users appear to have exposed the Gateway directly online.

Pillar Security described a honeypot designed to mimic an OpenClaw Gateway under earlier project names. It recorded protocol-aware exploitation activity within minutes or hours. Attackers treated the Gateway as an API service rather than an AI chatbot, targeting the control plane through the WebSocket API on TCP port 18789.

Observed activity included attempts to connect as a legitimate client by spoofing the Control UI. Pillar also described deployments that allowed unauthenticated access when users did not set authentication values. It noted cases where reverse proxies caused the Gateway to treat proxied traffic as localhost, enabling authentication bypass unless trusted proxy settings were configured.

Attackers also attempted protocol downgrades and probed for command execution and file access using JSON-RPC-style payloads. Examples captured by Pillar included commands such as whoami and attempts to read system files and session logs. Targeting also included credential harvesting, with interest in API keys, chat tokens, gateway credentials, and conversation history.

Ecosystem Abuse

Security concerns extend beyond Gateway exposure. Aikido documented a malicious Visual Studio Code Marketplace extension called "ClawdBot Agent". The extension impersonated OpenClaw branding, ran automatically when VS Code started, and installed a remote-access payload on Windows.

Aikido's analysis found that the extension registered an on-start trigger and pulled configuration from attacker infrastructure. It dropped an executable identified as ConnectWise ScreenConnect, a legitimate remote management tool, configured to connect back to an attacker-controlled relay. Aikido also described fallback mechanisms involving a Rust-based DLL used for sideloading and additional retrieval options if primary infrastructure failed.

A separate risk involves third-party "skills". These packages can add functions to the assistant, but once enabled they also execute code and can access the filesystem and network. Researchers said this makes skills an attractive route for supply-chain attacks, particularly during spikes of community interest.

Tom's Hardware reported that 14 malicious skills were uploaded to ClawHub over a short period. They reportedly masqueraded as cryptowallet automation tools and used social engineering during setup, including instructions encouraging users to run obfuscated terminal commands that fetched and executed remote scripts. The reported intent was to harvest browser data and cryptowallet information across Windows and macOS.

Malwarebytes described an impersonation campaign following an OpenClaw name change in its earlier branding history. It reported typosquat domains and a cloned GitHub repository impersonating the creator. The cloned repository did not initially include malware, which reduced suspicion during early evaluation and increased the chance that users would later add API keys and tokens.

Risk Controls

Researchers have outlined practical controls for individuals and companies experimenting with agentic assistants. A key priority is keeping the Gateway bound to local access, or using secured tunnels rather than exposing it directly. Another is treating inbound messages as untrusted input, especially in group chats or channels where unknown users can send prompts.

Guidance also focuses on extensions. Skills and editor extensions should be treated as executable dependencies, not harmless add-ons. That includes code review, provenance checks, and avoiding "copy and paste" setup steps from untrusted sources.

For organisations, analysts have stressed the likelihood of unsanctioned internal use by developers, making visibility central. Security teams can look for newly exposed gateways, unusual bot identities, and new OAuth grants. They can also model agent deployments as privileged identities and log agent actions. Credential scope and least privilege remain key controls, given the access an agent may gain to email, messaging, and developer tools.

Researchers expect the next phase of risk to centre on whether secure defaults reduce public exposure and whether stronger trust mechanisms emerge for skills and extensions. They also anticipate continued attention on prompt injection and social engineering through chat-based interfaces, especially where an agent has broad permissions and persistent memory.