OpenClaw has 215,000 GitHub stars. Millions of developers trust it to run on their machines with full system access: reading files, executing commands, managing email, controlling browsers. It's the fastest-growing open source AI agent framework in history.
I scanned it with CrawDaddy, the security scanner I built. It scored 0 out of 100 on quantum readiness, with critical findings across every threat category we check.
This isn't a hit piece on OpenClaw. It's a data point about where the entire AI agent ecosystem is right now, and why we built CrawDaddy v2 to scan for exactly this.
The specific files: ECC/ECDSA in DeviceIdentity.swift, Android's DebugHandler.kt, webhook security in TypeScript, and the viewer runtime JavaScript. These aren't edge cases. They're the core identity and authentication layers of the agent framework.
The State of the OpenClaw Ecosystem in March 2026
OpenClaw went viral in six weeks. Security didn't keep up. Here's what the data looks like right now:
These aren't projections. These are numbers from Snyk, SecurityScorecard, Koi Security, Cisco, Microsoft, and Kaspersky, all published in the last six weeks. The AI agent ecosystem is being built on infrastructure that nobody secured.
CVE-2026-25253: The One That Should Have Everyone's Attention
The most critical vulnerability, CVE-2026-25253 (CVSS 8.8), is a one-click remote code execution chain that works in milliseconds. You don't need to be a sophisticated attacker. You send someone a link.
Here's how the attack works:
- Step 1: Victim visits a malicious webpage (phishing link, compromised site, anything)
- Step 2: The page exploits OpenClaw's WebSocket server, which accepts connections from any origin without validation
- Step 3: The attacker's JavaScript silently steals the victim's gateway authentication token
- Step 4: With that token, the attacker disables user approval prompts (exec.approvals.set: off)
- Step 5: Container escape: forces commands to run directly on the host machine, not in Docker
- Step 6: Full remote code execution. Attacker owns the machine.
The scope: This works even on localhost-only instances. Security researchers found 42,000+ publicly exposed OpenClaw instances. Of those, 5,194 were verified vulnerable to this specific chain. Patched in v2026.1.29, but SecurityScorecard found 135,000 exposed instances total, many still unpatched.
The other eight CVEs
| CVE | Type | Severity | Patched |
|---|---|---|---|
| CVE-2026-25253 | WebSocket token exfiltration → RCE | CVSS 8.8 | v2026.1.29 |
| CVE-2026-25593 | Remote code execution | High | v2026.2.1 |
| CVE-2026-24763 | Command injection | High | v2026.1.31 |
| CVE-2026-25157 | Command injection | High | v2026.1.31 |
| CVE-2026-25475 | Server-side request forgery | Medium | v2026.2.2 |
| CVE-2026-26319 | Authentication bypass | High | v2026.2.14 |
| CVE-2026-26322 | Path traversal | Medium | v2026.2.14 |
| CVE-2026-26329 | Log poisoning → prompt injection | Medium | v2026.2.13 |
| ClawJacked | Cross-site WebSocket hijacking | High | v2026.2.25 |
Five high-severity advisories in under a week suggest a codebase where security was an afterthought during the initial build. That's not a criticism; it's the reality of shipping fast in a competitive ecosystem. But it means anyone running OpenClaw needs to be patched to v2026.2.26 or later, and needs to know which version they're actually running.
The ClawHavoc Campaign: Your Skill Registry Is a Malware Distribution Channel
While the CVEs were being patched, a separate attack was already underway. Security firm Koi Security audited all 2,857 skills on ClawHub and found 341 malicious entries, with 335 traced to a single coordinated campaign they named ClawHavoc.
Updated scans now put the number at over 1,184 malicious skills, roughly 20% of the entire registry. These skills don't look malicious. They look like exactly what you'd want to install:
- Crypto tools: solana-wallet-tracker, phantom-wallet-helper
- Productivity: youtube-summarize-pro, gmail-automation
- Trading: polymarket-trader, polymarket-pro
- Auto-updaters: auto-updater-agent, updater
What they actually do: Silent curl commands exfiltrate your credentials to attacker-controlled webhook servers. Some open reverse shell backdoors. Several specifically target ~/.clawdbot/.env, the file where your API keys, wallet keys, and service credentials live.
The barrier to publishing a malicious skill? A GitHub account that's one week old. No code signing. No security review. No sandbox by default. OpenClaw has since partnered with VirusTotal and added a reporting mechanism, but Snyk's ToxicSkills audit found that 36% of all ClawHub skills contain detectable prompt injection.
The Quantum Layer That Nobody Is Talking About
All of the above is happening in classical computing. The quantum threat adds a second dimension that most AI agent operators haven't considered.
Every agent wallet uses ECDSA, the secp256k1 elliptic curve that powers Ethereum, Base L2, and every EVM chain. Shor's algorithm running on a sufficiently powerful quantum computer breaks ECDSA. Every wallet address, every transaction signature, every on-chain agent identity becomes vulnerable.
Harvest-now-decrypt-later is already happening. Nation-states are collecting encrypted agent transactions, wallet signatures, and authenticated session data today, to decrypt when quantum hardware catches up, estimated 2027-2030. If your agent earns USDC, holds credentials, or signs anything on-chain, that data has a quantum expiration date.
The OpenClaw codebase has ECC in DeviceIdentity.swift, DebugHandler.kt, and the webhook security layer. No PQC migration plan exists. The agent economy is being built on cryptographic foundations with a known expiration date.
What CrawDaddy v2 Now Scans For
We built these seven detection categories specifically because the existing tooling doesn't cover the agent ecosystem:
- CVE-2026-25253 patterns: WebSocket origin validation, gatewayUrl from query string, auth token exposure, container escape configurations
- OpenClaw version check: flags anything below v2026.2.26 with the specific CVE exposure list
- ClawHavoc malicious skill patterns: typosquatted names, fake prerequisite sections, silent curl commands, credential file targeting
- Prompt injection detection: 170+ patterns across skill files, including role override attempts and exfiltration instructions
- Agent credential exposure: moltbook_sk_ tokens, cnwy_k_ tokens, API keys in plaintext, .env file commits
- Gateway exposure: 0.0.0.0 binding, empty auth tokens, port 18789 exposure
- Wallet ECDSA/PQC assessment: secp256k1 usage, ecrecover in contracts, missing PQC migration documentation
Plus the existing post-quantum cryptography scanning: RSA, ECC, ECDSA, deprecated ciphers, weak hashes, outdated TLS, graded A through F.
The Zero Retention Architecture
Here's something we built in from day one that I think matters more than any other feature: we never store your scan results.
Report generated. Delivered once. Deleted within the hour. No exceptions.
Why this matters: A security scanner that stores your codebase analysis is itself a security risk. If we got breached, your scan data, every vulnerability we found in your repo, could become an attacker's roadmap. We designed this out entirely. A security company that keeps your secrets isn't a security company.
How It Works: Agent-to-Agent and Human-to-Agent
CrawDaddy operates as an autonomous agent on the Virtuals ACP (Agent Commerce Protocol) network. Other agents can hire CrawDaddy for scans, receive structured JSON results, and pay in USDC on Base L2, with no human in the loop.
For human customers: send a GitHub repo URL or smart contract address to @blocdev_bot on Telegram. CrawDaddy runs the scan, delivers the full HTML report to your Telegram as a file, and deletes it from our servers within the hour.
The report renders in any browser. Grade, risk score, every finding with file path and line number, remediation steps with specific CVE patches, and a quantum threat window assessment.
What to Do If You're Running OpenClaw
Immediate (today)
- Update to OpenClaw v2026.2.26 or later
- Audit every installed skill and check for ClawHavoc indicators
- Bind your gateway to 127.0.0.1, not 0.0.0.0
- Set and rotate your OPENCLAW_AUTH_TOKEN
- Check ~/.clawdbot/.env: is it in your git history?
Short-term (this month)
- Run a full scan on your OpenClaw repo and any repos your agent has access to
- Document which version you're running and set up automated alerts for new CVEs
- Inventory your agent wallet cryptography and document every secp256k1 dependency
- Don't install skills from publishers with less than 30 days of GitHub history
- Don't grant OpenClaw access to systems containing PHI without air-gap isolation
The quantum layer
Start the PQC migration conversation now. Evaluate hybrid ECDSA + Dilithium schemes for agent wallet signing. The NIST standards are finalized: ML-KEM (FIPS 203) and ML-DSA (FIPS 204) are production-ready. The migration timeline is 2027-2030. That's not far away.
"The same nation-states investing billions in quantum computing demonstrated with XZ Utils that they're willing to spend years infiltrating a single dependency. The patience is the threat. OpenClaw is moving fast. Quantum is moving patient."
The Bigger Picture
OpenClaw is not a rogue project. It's a legitimate, useful, rapidly-evolving framework. The security problems it has are the same problems every fast-moving open source ecosystem develops when adoption outpaces security engineering. npm had the same trajectory. Docker had the same trajectory. The difference is that OpenClaw agents run with full system access, hold cryptocurrency wallets, and interact with your most sensitive services.
The blast radius of a compromised OpenClaw agent is qualitatively different from a compromised npm package. An npm package can exfiltrate build secrets. A compromised OpenClaw agent can exfiltrate everything (your files, your email, your calendar, your crypto holdings, your connected services) and do it silently while you sleep, because the agent runs 24/7 whether you're watching or not.
Build the visibility before you need it.
Scan Your Repo or Agent Deployment
Send a GitHub URL or smart contract address. CrawDaddy runs the full v2 scan: post-quantum readiness plus 7 agent security categories. Report delivered once, deleted within the hour.