On February 3, 2026, security researchers disclosed CVE-2026-25253 in OpenClaw — the fastest-growing open-source AI agent, then sitting at 346,000 GitHub stars. The vulnerability was severe: CVSS 8.8, one-click remote code execution via a WebSocket origin validation gap that let an attacker hijack any running OpenClaw instance, even those configured to listen only on localhost, simply by getting the user to visit a malicious webpage. Within four days, nine more CVEs dropped. By early April, researchers were tracking 138 vulnerabilities discovered over a 63-day window — roughly 2.2 new CVEs per day.

The exposure scale was massive. Comprehensive scanning across multiple security firms found over 135,000 OpenClaw instances running on publicly accessible IP addresses — Bitsight's early scan window (January 27–February 8) identified 30,000+ distinct instances, while SecurityScorecard's broader scan documented over 135,000 across 82 countries. 63% had gateway authentication disabled. 28% were still running pre-patch versions weeks after the fix was available. The "ClawHavoc" supply chain campaign had seeded OpenClaw's official skills marketplace, ClawHub, with 341 confirmed malicious skills — approximately 12% of the entire registry — primarily delivering Atomic macOS Stealer (AMOS) to steal credentials from infected machines. In parallel, Moltbook, a social network built for OpenClaw agents, disclosed a database breach — caused by a Supabase deployment missing Row Level Security policies — that exposed 35,000 user email addresses, 1.5 million agent API tokens, and private messages containing plaintext OpenAI and Anthropic API keys.

This is the first major AI agent security crisis of 2026, and it's worth studying not just as a patching problem, but as a governance architecture failure.

AI agent supply chain security refers to the set of controls that govern what tools, skills, and plugins an autonomous AI agent is permitted to install and execute — covering source verification, runtime access scoping, behavioral monitoring, and output filtering. Unlike traditional software supply chain security, agent supply chains are dynamic: an agent can discover, install, and invoke new capabilities at runtime, often without human review at each step. This makes the governance layer — the controls that operate independent of the agent's own code — the last reliable enforcement point between a malicious skill and the systems the agent has access to.

What made OpenClaw an attractive attack surface?

OpenClaw's popularity created a dangerous combination: wide deployment, broad system access, and a marketplace economy with minimal trust verification.

To be useful, OpenClaw agents are routinely granted deep permissions: full disk access, terminal execution, browser automation, OAuth token access for third-party services. These aren't bugs in OpenClaw's design — they're features. A personal AI agent that can't read your files, run commands, or access your calendar is significantly less useful. But they mean that a compromised OpenClaw instance isn't just a compromised app. It's a compromised system.

The ClawHub skills marketplace accelerated the attack surface problem. Skills are third-party capability packages — the equivalent of MCP servers in the Model Context Protocol ecosystem, or plugins in browser-based agents. Installing a skill from ClawHub grants it access to the same resources as OpenClaw itself. There is no sandbox isolation between skills by default. There is no provenance verification before a skill executes. The marketplace operated on a trust model built for a small developer community, not for the 346,000-star deployment footprint it ended up with.

The result was predictable in retrospect. The ClawHavoc campaign didn't need to exploit a vulnerability — it just needed to upload convincing-looking skills and wait for users to install them. Most of the 341 confirmed malicious skills were professionally documented, categorized correctly, and had clean names. Roughly 12% of the entire ClawHub registry was compromised before detection. Some updated scans put the figure higher.

Why didn't patching CVE-2026-25253 fix the governance problem?

CVE-2026-25253 was patched in OpenClaw v2026.1.29, released January 29, 2026 — five days before the public disclosure. The patch was real and effective for the specific WebSocket vulnerability.

But 28% of exposed instances were still running pre-patch versions weeks later. This is the standard outcome for self-hosted open source software deployed by individuals and small teams: patching requires someone to notice, decide to act, and follow through. For software installed on personal machines and lab environments, that often doesn't happen promptly. For software installed inside enterprise environments by individual developers — without IT provisioning or centralized update management — it often doesn't happen at all.

The deeper issue is that patching the RCE vulnerability doesn't address the governance gaps that make OpenClaw dangerous in enterprise contexts regardless of patch status:

Unverified marketplace skills remain a live threat. The ClawHavoc campaign's malicious skills persisted in ClawHub after CVE-2026-25253 was patched. Patching the WebSocket vulnerability didn't remove the malicious skills already installed on user systems, and it didn't prevent new malicious skills from being uploaded to the registry.

Overprivileged agents remain overprivileged. An agent running with full disk access and OAuth tokens granted before the incident continues to have that access after the patch. Nothing in the CVE patch revised the permissions model.

Behavioral monitoring was absent before and after. Nothing in the default OpenClaw deployment detects when a skill is performing credential harvesting (the primary AMOS payload behavior). No alert fires when an agent begins exfiltrating files. The activity simply happens.

The 1.5 million API tokens in the Moltbook breach are permanently compromised. Patching the RCE doesn't revoke those tokens. Any service those tokens authenticated to is still exposed unless every downstream team individually rotates them.

This is the distinction between vulnerability management and governance. CVE-2026-25253 was a vulnerability. The underlying architecture — unverified skills executing with full system access, no runtime behavioral monitoring, no output filtering — is a governance gap that exists independent of any specific CVE.

What does a runtime governance layer prevent in this scenario?

The OpenClaw crisis is a useful case study because it involves four distinct attack vectors, each of which maps to a different governance enforcement point.

Attack vector 1: The WebSocket RCE (CVE-2026-25253)

The vulnerability exploits OpenClaw's WebSocket gateway, which accepted connections without validating the request origin. A malicious webpage could open a WebSocket to the local OpenClaw instance and issue arbitrary agent commands.

A runtime governance layer enforces what commands are permitted at execution time, independent of how they arrived. A policy requiring that outbound actions (file access, terminal execution, external API calls) log and evaluate against a permission set would catch command injection from an unexpected origin — not because the governance layer knows about the specific CVE, but because the commands themselves would violate the access policy. The enforcement is on the action, not the channel.

Attack vector 2: The ClawHub supply chain (ClawHavoc)

Malicious skills executed with the same permissions as the agent. There was no enforcement point between "skill installed" and "skill executes with full access."

A proper agent registry treats installed skills as registered capabilities with explicit permission scopes — not as arbitrary code that inherits all agent permissions. Before a skill can invoke a tool, the registry confirms that the skill is approved and that the invocation falls within its declared scope. A skill claiming to be a "productivity enhancer" but attempting to read credential files from ~/.ssh/ or ~/.aws/ would trigger a policy violation, regardless of whether the marketplace listing looked legitimate.

This is directly analogous to the MCP governance problem: you don't grant every MCP server full access to every tool your agent has. You scope each server to the tools it needs, verify source provenance, and enforce at execution time. OpenClaw's marketplace lacked that layer.

Attack vector 3: The credential exfiltration (AMOS payload)

The Atomic macOS Stealer payload harvested credentials and exfiltrated them to attacker-controlled infrastructure. The exfiltration worked because nothing was watching what the agent was sending outbound.

Content and output governance — scanning agent outputs and outbound requests for credential patterns, sensitive data signatures, and unexpected external destinations — is the enforcement point that catches this. The controlled data interface pattern means outbound requests pass through a policy evaluation layer before they execute. A policy flagging outbound HTTP requests to unregistered external domains, or containing detected credential file patterns, would intercept the exfiltration before the data left the system.

Attack vector 4: The Moltbook API token breach

The 1.5 million API tokens exposed via the Moltbook breach represent a downstream consequence: tokens that had been granted to agents (and stored in Moltbook's database) were now in attacker hands. This breach reflects a systemic architectural issue — long-lived, broadly-scoped tokens stored in a third-party platform with inadequate security.

Runtime governance addresses this at the token management layer: short-lived, scoped tokens that are issued per-session and rotated automatically. A governance policy requiring that credentials used by agents be session-scoped rather than persistent would limit the blast radius of any credential leak. There are no long-lived tokens to steal because none are issued.

Why this is harder than it looks for enterprise security teams

The OpenClaw crisis has a feature that makes it particularly dangerous in enterprise environments: the users deploying it aren't the ones making enterprise security decisions.

OpenClaw spread through individual developer adoption. An engineer installs it on a personal machine, finds it useful, brings it to a team demo, gets asked to set it up on the shared dev environment. By the time an enterprise security team becomes aware, OpenClaw is running on dozens of machines with OAuth tokens to the organization's GitHub, Slack, Linear, and cloud provider accounts.

Security researchers and enterprise security teams have described this as the "shadow agent" problem — the same dynamic that drove shadow IT for consumer cloud apps, but with agents that have execution capabilities rather than just storage access. Microsoft's guidance on OpenClaw in enterprise environments (published February 19, 2026) recommended treating it as "untrusted code execution with persistent credentials" and deploying only in fully isolated VMs with non-privileged, dedicated credentials. Most of the engineers who installed it on shared dev environments had not read that guidance. The security team doesn't know what's installed. No governance layer exists because no governance layer was provisioned. The agent is running in a permissions context designed for a personal productivity tool, inside an enterprise permissions context that wasn't designed for it.

This is why the governance architecture question matters as much as the patching question. Enterprises that deployed OpenClaw before the CVE disclosure mostly didn't make a deliberate security decision to do so. They inherited a deployment that individuals made. The question for enterprise security and engineering teams is: what controls exist at the organizational layer that limit the blast radius of that decision, regardless of what's installed?

How Waxell handles this

How Waxell handles this: Waxell's runtime governance policies operate at the infrastructure layer — above and independent of whatever agent code or marketplace skills are installed. Policies evaluate before each tool invocation and outbound action: is this skill approved to invoke this tool? Is this outbound request to a registered destination? Does this content match a credential exfiltration pattern? The enforcement answers those questions regardless of whether the underlying agent is patched, and regardless of what the skill's marketplace listing claimed it would do. The agent registry tracks approved skills and tools with explicit permission scopes — a skill installed from ClawHub doesn't inherit full agent access; it executes within a declared and approved scope. Waxell instruments this via three lines of SDK code, applies across any agent framework, and requires no modification to the underlying agent. If your team is deploying agents with marketplace-sourced capabilities, get early access to see what a runtime governance layer looks like in practice.

Frequently Asked Questions

What is the OpenClaw security crisis?
OpenClaw, an open-source AI agent that grew to 346,000+ GitHub stars, became the center of the first major AI agent security crisis of 2026. CVE-2026-25253 (CVSS 8.8), disclosed February 3, 2026, enabled one-click remote code execution against any running OpenClaw instance. Simultaneously, the ClawHavoc supply chain campaign seeded OpenClaw's official skills marketplace (ClawHub) with 341+ malicious skills delivering credential-stealing malware. Scanning found 135,000+ publicly exposed instances across 82 countries (SecurityScorecard; Bitsight's earlier scan window identified 30,000+), 63% running without authentication. A separate breach of Moltbook, a social network for OpenClaw agents, exposed 35,000 emails and 1.5 million agent API tokens. By early April 2026, researchers were tracking 138+ CVEs in OpenClaw across a 63-day window.

What is CVE-2026-25253?
CVE-2026-25253 is a remote code execution vulnerability in OpenClaw rated CVSS 8.8. It exploits a WebSocket origin validation gap in OpenClaw's control gateway, which by default listens on port 18789. An attacker can craft a malicious webpage that, when visited by anyone with OpenClaw running, opens a WebSocket connection to the local gateway and sends arbitrary agent commands — including commands to access files, run terminal processes, or call external APIs. The attack works even against localhost-bound instances because the exploit originates from the user's own browser. The vulnerability was patched in v2026.1.29 (released January 29, 2026), five days before public disclosure.

What was the ClawHavoc supply chain attack?
ClawHavoc was a coordinated campaign to distribute malicious skills through ClawHub, OpenClaw's official skills marketplace. Attackers uploaded 341 confirmed malicious skills — roughly 12% of the entire registry — disguised as legitimate productivity tools. The primary payload was Atomic macOS Stealer (AMOS), a credential harvesting tool that extracts passwords, cookies, and OAuth tokens from the infected machine. Updated scans placed the total above 800 malicious skills. Because OpenClaw skills execute with the same permissions as the agent itself — which typically includes broad filesystem and terminal access — a malicious skill is effectively a system-level compromise. The Moltbook database breach compounded this: a Supabase deployment missing Row Level Security (RLS) policies exposed 1.5 million API tokens, 35,000 email addresses, and private messages containing plaintext OpenAI and Anthropic API keys — credentials that could be used to impersonate users across any service those tokens authorized.

Why didn't patching CVE-2026-25253 solve the security problem?
Patching the RCE vulnerability addressed one attack vector out of four. It didn't: (1) remove malicious skills already installed on user machines from the ClawHavoc campaign; (2) restrict overprivileged agent access that predated the vulnerability; (3) add behavioral monitoring to detect credential harvesting in progress; or (4) revoke the 1.5 million API tokens exposed in the Moltbook breach. These are governance architecture gaps, not vulnerability gaps. They persist regardless of patch status because they were never addressed by the application's security model. 28% of exposed instances were still running pre-patch versions weeks after the fix was public.

What does runtime governance prevent in an AI agent supply chain attack?
Runtime governance enforces what an agent is allowed to do at execution time, independent of what's installed. For supply chain attacks like ClawHavoc: an agent registry with explicit permission scopes prevents marketplace skills from inheriting full agent access; policy enforcement on tool invocations flags skills attempting to access resources outside their declared scope; output filtering intercepts credential exfiltration before data leaves the system; and session-scoped credential management limits the blast radius of any token exposure. These controls operate at the infrastructure layer — they evaluate before each action, regardless of whether the underlying skill or agent code has been patched or audited.

How is the OpenClaw skills marketplace similar to MCP servers?
OpenClaw's ClawHub marketplace and the Model Context Protocol (MCP) ecosystem share the same governance challenge: both provide mechanisms for agents to discover and invoke third-party capabilities at runtime. In both cases, the installed capability executes within the permissions context of the agent, and in both cases, the default trust model is permissive — install and run. The OpenClaw crisis illustrates what happens when that trust model operates without a governance layer to scope, verify, and monitor capability execution. The same supply chain attack that distributed malicious OpenClaw skills via ClawHub is the same class of attack that would distribute malicious MCP servers via a registry. Runtime governance applies to both.

Sources

• Censys, Bitsight, Hunt.io scanning results cited in multiple security advisories — February–April 2026

• NVD, CVE-2026-25253 Detail — https://nvd.nist.gov/vuln/detail/CVE-2026-25253 — verified April 8, 2026

• Sangfor, OpenClaw Security Risks: From Vulnerabilities to Supply Chain Abuse (2026) — https://www.sangfor.com/blog/cybersecurity/openclaw-ai-agent-security-risks-2026 — verified April 8, 2026

• adminbyrequest.com, OpenClaw Went from Viral AI Agent to Security Crisis in Just Three Weeks (2026) — https://www.adminbyrequest.com/en/blogs/openclaw-went-from-viral-ai-agent-to-security-crisis-in-just-three-weeks — verified April 8, 2026

• SOCRadar, CVE-2026-25253: 1-Click RCE in OpenClaw Through Auth Token Exfiltration (2026) — https://socradar.io/blog/cve-2026-25253-rce-openclaw-auth-token/ — verified April 8, 2026

• Bitsight, OpenClaw Security: Risks of Exposed AI Agents Explained (2026) — https://www.bitsight.com/blog/openclaw-ai-security-risks-exposed-instances — verified April 8, 2026

• Microsoft Security Blog, Running OpenClaw safely: identity, isolation, and runtime risk (February 19, 2026) — https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/ — verified April 8, 2026

• Kaspersky, New OpenClaw AI agent found unsafe for use (2026) — https://www.kaspersky.com/blog/openclaw-vulnerabilities-exposed/55263/ — verified April 8, 2026

• CGTN, Meet OpenClaw: The AI assistant that broke every record – and started a security panic (March 11, 2026) — https://news.cgtn.com/news/2026-03-11/OpenClaw-AI-tool-that-broke-every-record-and-caused-a-security-panic-1LpwvrIqQk8/p.html — verified April 8, 2026

• DTG, CVE-2026-25253 "OpenClaw RCE" and Moltbook Database Exposure (2026) — https://www.dtg.com/post/cve-2026-25253-openclaw-rce-and-moltbook-database-exposure — verified April 8, 2026

• adversa.ai, OpenClaw security guide 2026: CVE-2026-25253, Moltbook breach & hardening (2026) — https://adversa.ai/blog/openclaw-security-101-vulnerabilities-hardening-2026/ — verified April 8, 2026

• Trend Micro, CISOs in a Pinch: A Security Analysis of OpenClaw (2026) — https://www.trendmicro.com/en_us/research/26/c/cisos-in-a-pinch-a-security-analysis-openclaw.html — verified April 8, 2026