OpenClaw AI agents expose 28,000 systems to hacker control

By Craig Nash
AI-powered tech writer covering artificial intelligence, chips, and computing.

OpenClaw AI agents are rapidly becoming a critical security vulnerability, with infostealers now actively targeting the framework to gain unauthorized access to over 28,000 systems. What started as an experimental AI tool has evolved into what security researchers call the biggest insider threat of 2026, as attackers weaponize stolen agent configurations to bypass traditional security defenses.

Key Takeaways

  • OpenClaw AI agents enable infostealers to harvest gateway tokens and cryptographic keys from victim systems
  • Over 28,000 systems compromised, with 53% granting attackers root or privileged access
  • Moltbook ecosystem exploded to 900,000 active agents in just three days, facilitating credential trading
  • ClawHub marketplace contains 341 malicious skills enabling supply chain attacks
  • First confirmed live supply chain attack using OpenClaw-based agents occurred in March 2026

How OpenClaw Became a Trojan Horse for Hackers

OpenClaw is an open-source AI agent framework that runs on everyday hardware, designed to automate planning, web browsing, form filling, and adaptive workflows. The problem: it was deployed at scale without security safeguards, and infostealers discovered it contains a goldmine of sensitive data. When attackers steal an OpenClaw configuration, they do not just grab a password—they grab what Hudson Rock researchers call a mirror of the victim’s digital life.

The openclaw.json file serves as the central nervous system for each agent, containing gateway tokens, workspace paths, and email addresses. Stolen gateway.auth.token files allow attackers to connect remotely to a victim’s local OpenClaw instance if the port is exposed, or to impersonate the user in authenticated requests to the AI gateway. In one confirmed case, infostealers exfiltrated complete OpenClaw environments alongside device.json files containing private cryptographic keys and soul/memory files that outline agent behavior and personal context. This marks a significant shift: infostealers have moved beyond stealing browser credentials to harvesting the identities of personal AI agents.

The Scale of Compromise: 28,000 Systems and Growing

Security researchers estimate that over 28,000 systems have been compromised via exposed OpenClaw agents, with 53% of unauthorized installations granting attackers root or privileged access. This is not a theoretical risk—it is happening now. Attackers with stolen gateway tokens gain full admin control of the victim’s gateway and can execute any command on the machine remotely.

The attack path is methodical. Attackers first harvest raw credentials from infostealer logs—URLs, logins, passwords, session cookies—to gain initial network access. They then use stolen session cookies to bypass multi-factor authentication and log into company inboxes from home IP addresses, making the access appear legitimate. Once inside, they scan emails, Slack chats, and Jira tickets for AWS keys, private keys, and database credentials. OpenClaw configurations become additional targets, providing access to AI infrastructure that companies often assume is isolated.

Moltbook and the Weaponized Agent Ecosystem

The threat accelerated dramatically with the launch of Moltbook on February 1, 2026—a network designed for agents to chat, share skills, and coordinate autonomously. In just three days, Moltbook grew from zero agents to 900,000 active agents, creating a marketplace where attackers can trade stolen credentials and share malicious tools. This explosive growth signals that AI agent compromise has become a coordinated, profitable attack vector.

ClawHub, the marketplace for agent plugins called skills, now hosts 341 malicious extensions. These fake skills—like a deceptive GPU optimizer—plant infostealers and enable supply chain attacks where compromised agents spread malware to other systems. Unlike traditional malware distribution, these attacks exploit trust relationships between agents, making detection significantly harder.

Known Vulnerabilities and Live Attacks

A remote code execution flaw, CVE-2026-25253, exists in OpenClaw itself. More urgently, the first confirmed use of OpenClaw-based AI agents in a live supply chain attack occurred in March 2026. This was not a proof-of-concept or a lab demonstration—it was a real attack in production environments, signaling that threat actors have moved from reconnaissance to active exploitation.

Traditional infostealers like Var and Luma have already pivoted to target OpenClaw alongside browser credentials. As Hudson Rock noted, the incentive for malware authors to build specialized AI-stealer modules will only grow as AI agents transition from experimental tools to daily business essentials.

Why Traditional Defenses Fail Against OpenClaw Compromise

OpenClaw compromise is particularly dangerous because it bypasses the security layers companies have invested in. A stolen gateway token grants access to authenticated AI infrastructure without triggering typical intrusion detection systems. The attacker does not need to crack passwords or exploit network vulnerabilities—they simply use a legitimate authentication token harvested by an infostealer.

This represents a fundamental shift in attack surface. Companies can patch their firewalls, enforce strong passwords, and deploy endpoint detection—but if an infostealer harvests an OpenClaw configuration from a home machine, all of that security becomes irrelevant. The attacker already has the keys to the kingdom.

What Organizations Should Do Now

The immediate step is to audit OpenClaw deployments and ensure no instances are exposed to the internet without authentication and encryption. Organizations running OpenClaw should rotate gateway tokens immediately and monitor for unauthorized agent activity. The gateway.auth.token should be treated with the same sensitivity as a database password or AWS access key.
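As an added illustration of this audit step (example code, not OpenClaw's own tooling or anything from the article), a small Python checker that flags the conditions named above: a gateway reachable beyond localhost, a gateway with no auth token, a plaintext gateway.auth.token, and a config file readable by other users, plus a helper that rotates the token and tightens the file mode. Only the gateway.auth.token path comes from the article; the bind key, the host:port format, the port and the sample values are assumptions.

```python
"""Audit an OpenClaw-style config for the exposure conditions the article names.
Only the gateway.auth.token path is from the article; other keys are assumptions."""
import json
import os
import secrets
import stat
from pathlib import Path

# Constructed sample in the shape the article describes (token, workspace, email).
SAMPLE_CONFIG = {
    "gateway": {"bind": "0.0.0.0:18789", "auth": {"token": "PLACEHOLDER-TOKEN"}},
    "workspace": "/home/alice/openclaw",
    "email": "alice@example.com",
}
SECRET_WORDS = ("token", "key", "secret", "password")
LOOPBACK = ("127.0.0.1", "localhost", "[::1]")

def secret_paths(node, prefix=""):
    """Yield dotted paths of string-valued keys that look like credentials."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if isinstance(value, str) and any(w in key.lower() for w in SECRET_WORDS):
                yield path
            yield from secret_paths(value, path)

def audit_config(cfg: dict, mode: int) -> list[str]:
    """Return findings for a parsed config and the permission bits of its file."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("config readable by group/others; chmod 600")
    gateway = cfg.get("gateway", {})
    if not gateway.get("auth", {}).get("token"):
        findings.append("gateway has no auth token: unauthenticated if reachable")
    host = gateway.get("bind", "127.0.0.1").rsplit(":", 1)[0]  # assumed host:port form
    if host not in LOOPBACK:
        findings.append(f"gateway bound to {host}: reachable beyond localhost")
    for path in secret_paths(cfg):
        findings.append(f"plaintext credential at {path}: rotate and restrict")
    return findings

def rotate_token(path: Path) -> str:
    """Replace gateway.auth.token with a fresh random value and rewrite the file 0600."""
    cfg = json.loads(path.read_text())
    token = secrets.token_urlsafe(32)
    cfg.setdefault("gateway", {}).setdefault("auth", {})["token"] = token
    path.write_text(json.dumps(cfg, indent=2))
    os.chmod(path, 0o600)  # the old token must also be revoked on the gateway side
    return token
```

To audit a file on disk, pass `json.loads(p.read_text())` and `stat.S_IMODE(p.stat().st_mode)` to `audit_config`; rotating the token locally does not invalidate copies an infostealer already exfiltrated, so revoke the old one at the gateway as well.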

Beyond OpenClaw, this incident highlights a broader risk: as AI agents become more integrated into workflows, they become more valuable targets for attackers. The skills and plugins installed on agents should be treated as supply chain risks, reviewed for provenance, and monitored for suspicious behavior. Moltbook’s rapid growth shows that a single compromised agent can serve as a vector to propagate malware across an entire network of agents.

Does OpenClaw have a patch for CVE-2026-25253?

The research brief confirms the existence of CVE-2026-25253 as a remote code execution flaw in OpenClaw, but does not specify patch availability or timeline. Organizations should check OpenClaw’s official security advisories and update to the latest version immediately.

Can infostealers steal OpenClaw configurations from air-gapped machines?

Infostealers typically operate through browser-based malware or supply chain compromises. An air-gapped machine running OpenClaw would be protected from remote infostealer campaigns, but could still be compromised if an attacker gains local access through other means, such as a malicious USB device or compromised software update.

Is OpenClaw still safe to use?

OpenClaw itself is a legitimate framework, but its security depends entirely on deployment practices. If your OpenClaw instance is not exposed to the internet, if gateway tokens are properly secured, and if installed skills are vetted, the risk is manageable. However, given the active exploitation landscape and the 28,000+ confirmed compromises, organizations should treat OpenClaw deployments as high-value targets requiring enterprise-grade security controls.

The OpenClaw compromise represents a watershed moment in AI security. As agents become more autonomous and more integrated into business operations, they become more valuable targets. The 28,000 compromised systems are not a warning—they are a reality check. Organizations betting on AI agent adoption need to build security into their agent infrastructure from day one, not retrofit it after infostealers have already harvested their configurations.

This article was written with AI assistance and editorially reviewed.

Source: TechRadar
