What happened with OpenClaw?

OpenClaw was an open source AI coding assistant that grew to 180,000 users in three weeks. A critical remote code execution vulnerability was discovered, followed by a supply chain attack through 800 malicious plugins, and 30,000 instances found exposed on the public internet without authentication.

What was the OpenClaw CVE-2026-25253 vulnerability?

CVE-2026-25253 was a remote code execution vulnerability in OpenClaw core. It allowed attackers to execute arbitrary commands on any machine running OpenClaw by embedding shell commands in prompts. The vulnerability existed from the first release due to missing input sanitization.

How did the OpenClaw supply chain attack work?

Attackers uploaded over 800 trojanized plugins to the OpenClaw plugin registry, which had no review process. These plugins had legitimate names and real functionality but contained hidden payloads that exfiltrated credentials, installed crypto miners, or established remote access.

Is Claude Code more secure than OpenClaw?

Yes. Claude Code uses hooks for programmatic guardrails, permission prompts for risky operations, authenticated remote sessions that expire, and MCP servers instead of an unreviewed plugin registry. Security is built into the architecture rather than added after the fact.

What should businesses learn from the OpenClaw incident?

Use AI agents from vendors who prioritize security. Audit permissions explicitly. Do not assume self-hosted means secure. Avoid plugin ecosystems without governance. And never expose an AI agent endpoint to the public internet without authentication.

OpenClaw: The Open-Source AI Assistant That Went From Viral to Security Nightmare in 3 Weeks

March 3, 2026 — By Rahul Lalia

TL;DR: When an AI agent can touch everything you can, security later is not a plan. It is a breach waiting to happen.

In January 2026, an open source AI coding assistant called OpenClaw went viral. Zero to 180,000 users in three weeks. GitHub stars climbing by thousands per day. Tech Twitter could not stop talking about it. The pitch was compelling: a free, self-hosted alternative to Claude Code and GitHub Copilot that you could run on your own hardware with full control.

Three weeks later, a critical security vulnerability was discovered. Then a supply chain attack hit. Then researchers found 30,000 exposed instances running without authentication on the public internet. The project that was supposed to give developers freedom became a case study in what happens when AI agent security is an afterthought.

This matters to anyone using AI coding agents right now. Not because you should avoid them, but because the OpenClaw incident reveals exactly what to look for and what to avoid when giving an AI tool access to your files, your code, and your systems.

What OpenClaw was

OpenClaw was an open source AI assistant that could read your codebase, write code, run terminal commands, manage files, and interact with external APIs. Sound familiar? That is essentially what Claude Code does. The difference was that OpenClaw was self-hosted, open source, and free.

The project positioned itself as the democratized alternative. You did not need an Anthropic subscription or an API key from a major provider to use it. You ran it on your own machine or your own server, pointed it at a local language model or any API endpoint, and it worked. For developers who wanted full control over their AI tools without vendor lock-in or monthly subscriptions, it was exactly what they were looking for. The appeal was real. The security model was not.

The core architecture was a Python-based autonomous agent with a plugin system. Plugins extended its capabilities: code analysis, terminal access, web browsing, database queries, file management. Anyone could build a plugin and share it through the OpenClaw plugin registry. This extensibility was a key selling point. It was also the entry point for the supply chain attack that would compromise thousands of installations.

The viral growth

OpenClaw hit 50,000 GitHub stars in its first week. By week two, it was at 120,000 users. By week three, 180,000. The growth was driven by a perfect storm: AI coding agents were the hottest category in developer tools, the project was free, and self-hosting appealed to the growing number of developers concerned about sending their code to third-party APIs.

Tutorial videos flooded YouTube. Blog posts appeared on every tech site. Self-hosting guides proliferated. Community-built plugins multiplied daily. The plugin registry went from 50 plugins at launch to over 2,000 by week three.

What nobody asked during this growth sprint: who is reviewing these plugins? What access do they have? What happens when a bad actor submits a malicious one? In hindsight, the questions were obvious. In the moment, everyone was too excited about what the tool could do to think about what it could be made to do.

![Timeline chart showing OpenClaw growth from 50K to 180K users in 3 weeks, then crash after CVE disclosure and supply chain attack](Three weeks up. One weekend down. The growth curve that turned into a security timeline.)

The first crack: CVE-2026-25253

On February 14, 2026, security researcher Marcus Chen published CVE-2026-25253. It was a remote code execution vulnerability in OpenClaw's core agent. The vulnerability allowed an attacker to execute arbitrary commands on any machine running OpenClaw by sending a specially crafted prompt through the API.

The root cause was straightforward. OpenClaw's terminal execution module did not properly sanitize inputs before passing them to the shell. An attacker could embed shell commands inside what looked like a normal prompt. When OpenClaw processed the prompt, it executed the embedded commands with whatever permissions the OpenClaw process had.

If you were running OpenClaw as your regular user (which most people were), the attacker had full access to your files, your SSH keys, your environment variables, your API tokens, everything your user account could touch. And because OpenClaw was designed for developers, the machines running it often had access to production systems, private repositories, and cloud provider credentials. The blast radius was enormous.

The vulnerability existed from the first release. It was not a regression introduced by a later update. It was a fundamental design oversight baked into the original architecture. The team had built a powerful agent execution framework and shipped it without input sanitization on the most dangerous capability it offered: running arbitrary terminal commands. The irony is that sanitizing shell inputs is one of the most well-documented security practices in software engineering. It is covered in every security course, every OWASP guide, every secure coding standard. It was simply never done.

The supply chain attack

While the CVE was bad, the supply chain attack was worse.

Starting around February 10, before the CVE was even published, malicious actors began uploading trojanized plugins to the OpenClaw plugin registry. These plugins had legitimate-sounding names: "Advanced Code Analyzer," "Performance Optimizer Pro," "Security Scanner Plus." They provided real functionality. They also contained hidden payloads.

The payloads varied. Some exfiltrated environment variables (which often contain API keys and database credentials). Some installed crypto miners. Some established reverse shells, giving the attacker persistent remote access. Some exfiltrated git histories and SSH keys.

By the time the community discovered the attack, over 800 malicious plugins had been uploaded. An estimated 12,000 installations had at least one compromised plugin. The damage was done. Thousands of developers had unknowingly given attackers access to their development environments, source code, and credentials. Some discovered the compromise through unusual cloud bills from crypto miners. Others discovered it when credentials appeared in paste sites.

The plugin registry had no review process. Anyone could upload a plugin. There was no code signing, no automated scanning, no manual review. Plugins were installed with the same permissions as the OpenClaw agent itself, which meant they had full file system access, full terminal access, and full network access.

30,000 exposed instances

The third problem was the simplest and the most preventable. Researchers scanning the internet found approximately 30,000 OpenClaw instances running on public IP addresses without authentication. No password. No API key. No firewall. Just an open endpoint that anyone on the internet could send commands to.

These were not sophisticated attackers exploiting complex vulnerabilities. These were instances that their owners had made publicly accessible, often unintentionally, by following deployment guides that did not emphasize security configuration. Many were running on cloud VMs with default security groups that allowed all inbound traffic.

An attacker did not need the CVE to compromise these instances. They just needed to find them (trivial with tools like Shodan or Censys that scan the entire internet in hours) and send a prompt. The agent would execute whatever instructions it received without question. Read files, exfiltrate data, install malware, pivot to internal networks, anything. These were effectively remote access trojans that the owners had voluntarily installed and exposed to the internet.

Why this matters for AI agent security

OpenClaw's failures were not unique to OpenClaw. They are the same risks that exist in any AI agent that can access your file system, run commands, and connect to external services. The difference is how mature tools handle these risks.

Terminal execution without sandboxing. Any AI agent that runs commands needs guardrails. Claude Code addresses this through hooks that can block dangerous commands before they execute, permission prompts that require your approval for risky operations, and the principle of least privilege where it asks before doing anything destructive.

Plugin systems without review. Claude Code uses MCP servers for external integrations. MCP servers are not anonymous plugins from a registry. They are explicitly configured by the user, run locally, and have documented capabilities. You know exactly what each one can do because you set it up.

Authentication as an afterthought. Claude Code's Remote Control feature generates unique, authenticated URLs for remote sessions. When the session ends, the URL expires. There is no persistent endpoint. There is no way to access a Claude Code session without the authenticated URL.

Speed over security culture. This is the meta lesson. OpenClaw prioritized growth and features over security. The plugin registry launched without review. The terminal execution launched without sanitization. The deployment guides launched without security hardening. Every shortcut made the growth faster and the breach worse.

![Split comparison showing OpenClaw open plugin registry with no review versus Claude Code MCP servers with explicit user configuration](Left: anyone can upload anything. Right: you configure exactly what connects. One is a security model. The other is a liability.)

What businesses should learn from this

Do not run AI agents you do not trust with production data. If an AI agent has access to your code, your API keys, your databases, it needs to be from a vendor or project that takes security seriously. OpenClaw proved that popularity is not a proxy for security. 180,000 users does not mean 180,000 safe installations. Evaluate the security practices of any AI agent before giving it access to your development environment. Check for documented security architecture, responsible disclosure processes, and evidence that security is treated as a priority rather than a PR statement.

Audit the permissions you give AI tools. What files can it access? What commands can it run? What services can it connect to? At RSL/A, our CLAUDE.md file explicitly defines permissions. Read access to everything. Write access to project files. Confirmation required for destructive operations and external communications.

Self-hosted does not mean secure. The open source community often assumes that self-hosting is inherently more secure than using a hosted service. OpenClaw proved the opposite. Self-hosting moves the security responsibility to you. If you do not have the expertise to configure firewalls, manage certificates, update dependencies, and harden a deployment, the hosted version from a security-focused vendor is almost certainly safer. "I control the server" is only an advantage if you actually secure the server.

Plugin ecosystems need governance. Any system that allows third-party extensions needs a review process. Code signing. Automated scanning. Permission boundaries. Without these, a plugin registry is just a distribution channel for malware with extra steps. The npm ecosystem learned this lesson years ago with event-stream and ua-parser-js. OpenClaw repeated the same mistake in a context where the consequences were even worse because plugins had system-level access.

![Sticky note with four lessons: 1. Trust vendor security record 2. Audit permissions 3. Self-hosted is not auto-secure 4. Plugins need governance](Four lessons. None of them are surprising in hindsight. All of them were ignored during the hype cycle.)

Where OpenClaw is now

The OpenClaw team responded quickly after the disclosure. They patched CVE-2026-25253 within 48 hours, purged the malicious plugins, implemented basic code scanning for the registry, and published security hardening guides. To their credit, they were transparent about the incident and the lessons learned.

The project continues to exist and has a smaller but more security-conscious community. Many of the 180,000 users moved to commercial alternatives like Claude Code and Cursor. Some returned after the security improvements were verified by independent auditors. The project added a permissions system with granular access controls, improved input sanitization across all execution paths, and introduced plugin sandboxing that limits what plugins can access on the host system.

But the damage to trust was real and lasting. And the 12,000 installations that ran compromised plugins had to assume their credentials, code, and data were fully exposed. The cleanup cost in aggregate was significant. Rotating API keys, auditing repositories for unauthorized changes, scanning for persistent backdoors, and in some cases rebuilding development environments from scratch.

The bottom line

OpenClaw is a cautionary tale about what happens when AI agent development prioritizes features and growth over security fundamentals. The technology was impressive. The execution on security was catastrophic.

For anyone using AI coding agents today, the lessons are clear and non-negotiable. Use tools from established vendors who treat security as a core feature, not a patch. Configure permissions explicitly and deliberately. Use guardrails like hooks and CLAUDE.md files. And never, under any circumstances, expose an AI agent endpoint to the public internet without authentication.

The AI agents that win long-term will not be the ones with the most features or the lowest price. They will be the ones that are powerful and safe. Security is not a feature you add later. It is a foundation you build on from the start. OpenClaw is proof of what happens when you get that order wrong. If you want help setting up secure AI development workflows, RSL/A builds Claude Code environments with proper guardrails from day one.