OpenClaw's Security Crisis: 512 Vulnerabilities, 341 Malicious Skills — How to Test Your Agent Before Deployment

TriggerLab TeamMarch 28, 20269 min readOpenClaw, Security, Adversarial Testing, Vulnerabilities, AI Agents

The OpenClaw Security Crisis Is a Wake-Up Call for Every AI Builder

If you deploy AI agents — or plan to — the OpenClaw security crisis should fundamentally change how you think about openclaw security testing and pre-deployment validation. In March 2026, security researchers disclosed 512 vulnerabilities across the OpenClaw ecosystem, including 9 CVEs published in just 4 days. Meanwhile, 341 malicious skills were discovered on ClawHub, and Shodan scans revealed 42,665 OpenClaw instances exposed to the public internet with no authentication.

This is not a theoretical risk. Real companies lost real data. Real agents were compromised. And the vast majority of affected deployments had zero adversarial testing before going live.

Here is what happened, what it means, and what you should do about it.

The Numbers: What Researchers Found

512 Vulnerabilities in the Core Platform

Between January and March 2026, independent security researchers and firms including Cisco Talos, CrowdStrike, and Kaspersky published findings on the OpenClaw agent framework. The total vulnerability count reached 512 across the core runtime, skill execution engine, communication layer, and default configurations.

The breakdown is stark:

127 critical-severity issues (CVSS 9.0+)
214 high-severity issues (CVSS 7.0-8.9)
171 medium and low-severity issues
9 CVEs published in a 4-day window (March 11-14, 2026)

The speed of disclosure created a patch-or-die scenario. Most teams could not update fast enough.

CVE-2026-25253: One Click to Full Remote Code Execution

The most dangerous vulnerability, CVE-2026-25253, carries a CVSS score of 8.8. It allows 1-click remote code execution through the skill installation flow. When a user installs a skill from ClawHub — something the platform actively encourages — a specially crafted skill manifest can execute arbitrary code on the host machine during the installation process.

No additional user interaction is needed beyond clicking "Install." The skill does not need to be activated or configured. Installation alone is sufficient for full compromise.

This is particularly dangerous because it exploits the trust model at the heart of agent platforms: users expect that installing a skill is safe, much like installing a browser extension. CVE-2026-25253 proved that assumption wrong.

341 Malicious Skills on ClawHub

ClawHub, the official skill marketplace for OpenClaw, contained 341 skills with malicious payloads at the time of the audit. These were not subtle. Researchers found:

89 skills that exfiltrated environment variables (including API keys, database credentials, and cloud provider tokens)
67 skills that established reverse shells or persistent backdoors
53 skills designed for cryptomining on the host machine
42 skills that performed prompt injection attacks against the agent itself, hijacking its behavior for phishing or social engineering
90 skills with various other malicious behaviors including data harvesting, lateral movement, and credential stuffing

Many of these skills had hundreds or thousands of installations. Some had been on ClawHub for months before detection. The marketplace had no meaningful code review, no sandboxing, and no behavioral analysis before listing.

42,665 Exposed Instances

Shodan scans conducted during the disclosure period found 42,665 OpenClaw instances directly accessible from the public internet. Of these:

31,200+ had no authentication enabled (default configuration)
8,400+ were running versions with known unpatched CVEs
2,900+ had debug mode enabled in production
Hundreds were connected to production databases with admin credentials in environment variables

These are not test instances. Port patterns, connected services, and domain associations indicate the majority are production deployments handling real user data.

The Moltbook Breach: 35,000 Emails and 1.5 Million API Tokens

The most significant real-world impact came from Moltbook, a mid-size SaaS company that used OpenClaw agents for customer support automation. Attackers exploited a combination of CVE-2026-25253 and an exposed instance to gain access to Moltbook's internal systems.

The breach exposed:

35,000 customer email addresses
1.5 million API tokens (many still active at time of disclosure)
Internal Slack messages, customer support transcripts, and billing records
Agent configuration files containing system prompts, API keys for third-party services, and database connection strings

Moltbook disclosed the breach on March 18, 2026. The full scope is still being assessed.

What the Security Industry Is Saying

Cisco Talos

Cisco's threat intelligence team published a detailed analysis of the OpenClaw attack surface, noting that the platform's architecture fundamentally lacks privilege separation between the agent runtime and the host system. Their assessment: the agent framework treats skills as trusted code, which means any malicious skill has the same privileges as the agent itself.

CrowdStrike

CrowdStrike's Falcon OverWatch team reported a spike in intrusion attempts targeting OpenClaw deployments in enterprise environments. Their advisory highlighted that traditional endpoint protection tools do not adequately detect agent-specific attack patterns, particularly prompt injection chains that result in code execution.

Kaspersky

Kaspersky researchers focused on the ClawHub supply chain attack vector, publishing analysis of the 341 malicious skills. Their key finding: the average time between a malicious skill being published and its first installation was under 4 hours. Detection, when it happened at all, took an average of 47 days.

The consensus across all three firms: agent-specific security testing is now a requirement, not an option.

Why This Proves Adversarial Testing Is Essential

The OpenClaw crisis is not unique to OpenClaw. It is a preview of what happens when any agent platform scales without systematic security testing. The failure modes are instructive:

1. Default Configurations Are Dangerous

OpenClaw ships with authentication disabled. Most users never change this. The result: 31,200+ instances with no access control. Traditional penetration testing would catch this in minutes. But most teams never test their agent deployments with the same rigor they apply to web applications.

2. Supply Chain Attacks Are the New Normal

The ClawHub malicious skills problem mirrors what happened with npm, PyPI, and Docker Hub — but with higher stakes. A malicious agent skill does not just run code. It can hijack the agent's behavior, making it serve the attacker's goals while appearing normal to operators. Detecting this requires testing the agent's actual behavior under adversarial conditions, not just scanning code.

3. Prompt Injection Is a Real Attack Vector

42 of the malicious ClawHub skills used prompt injection to hijack agent behavior. This is not a theoretical research paper scenario. Attackers in the wild are using prompt injection to:

Make agents leak system prompts and internal data
Redirect agents to perform unauthorized actions
Use agents as social engineering tools against end users
Bypass safety guardrails and content filters

You cannot defend against prompt injection by looking at code. You have to test the agent itself by sending adversarial prompts and observing what happens.

4. One-Time Audits Are Not Enough

The 9 CVEs published in 4 days illustrate a fast-moving threat landscape. An agent that passed a security review in January may be vulnerable in March due to new CVEs, updated dependencies, or changes in model behavior. Security testing must be continuous.

How to Test Your Agent Before Deployment

Whether you use OpenClaw, LangChain, CrewAI, AutoGen, or a custom framework, here is the minimum testing you should do before any production deployment:

Step 1: Map Your Attack Surface

Document every entry point: user-facing chat interfaces, API endpoints, webhook receivers, skill/plugin interfaces, and admin panels. Each is a potential attack vector.

Step 2: Test for Prompt Injection

Send adversarial prompts designed to make your agent ignore its system instructions, leak its configuration, or perform unauthorized actions. This is not optional — it is the single most common attack vector against AI agents.

Step 3: Test for Data Leakage

Attempt to extract sensitive information through the agent interface. Can you get it to reveal API keys? Database schemas? Other users' data? System prompts?

Step 4: Test Skill and Plugin Security

If your agent uses plugins or skills, test what happens when a malicious plugin is loaded. Does the agent sandbox plugin execution? Can a plugin escalate privileges?

Step 5: Test Under Adversarial Load

Send a high volume of adversarial requests simultaneously. Many agents behave differently under load — safety checks may be bypassed, rate limits may fail, and error handling may expose internal details.

Step 6: Validate Continuously

Run these tests after every deployment, model update, configuration change, and dependency update. Automation is essential.

Where TriggerLab Fits In

We built TriggerLab specifically for this problem. You give us an agent endpoint — any HTTP endpoint that accepts a prompt and returns a response — and we run 105+ adversarial test scenarios against it. No SDK to install, no code changes required.

The test suite covers exactly the attack categories exposed by the OpenClaw crisis:

Prompt injection resistance — Can your agent be hijacked?
Data leak prevention — Does it protect sensitive information?
Safety and refusal — Will it refuse harmful requests?
Hallucination detection — Does it fabricate information under pressure?
Bias and fairness — Are responses equitable?

Each test is evaluated by a 3-layer judging system: pattern matching for obvious failures, AI evaluation for nuanced responses, and statistical analysis across the full test suite. You get a score, a detailed breakdown by category, and — if you pass — a cryptographically signed certificate you can share with customers and regulators.

The free tier includes 5 test runs per month. Enough to validate your agent before deployment and after significant updates.

The Bigger Picture

The OpenClaw crisis will not be the last agent security incident. As AI agents become more prevalent in production environments — handling customer data, executing transactions, accessing internal systems — the attack surface grows.

The teams that survive this shift are the ones that treat agent security testing as seriously as they treat application security testing. That means:

Testing before deployment, not after incidents
Testing continuously, not once
Testing adversarially, not just happy-path scenarios
Testing independently, not just with internal QA

The OpenClaw vulnerabilities were preventable. The Moltbook breach was preventable. The 42,665 exposed instances were preventable. In every case, the missing piece was systematic adversarial testing before production deployment.

Do not wait for your own incident to start testing.

Test your AI agent now with TriggerLab's adversarial test suite — free for up to 5 runs per month. Learn how certification works, review our compliance mapping for SOC2/GDPR/HIPAA, or see pricing plans.