
CertiK Security Audit Reveals Systemic Collapse in OpenClaw: 100+ CVEs, 135K Exposed Instances, Malware-Infected Skills


On March 31, 2026, blockchain and Web3 security firm CertiK published a devastating security audit of the OpenClaw AI agent framework, revealing what researchers call a systemic collapse of security boundaries. Despite OpenClaw's rapid growth to 300,000+ GitHub stars, the platform has accumulated over 100 CVEs and 280 security advisories in just four months, creating what the report describes as an unbounded attack surface.

The most critical finding is CVE-2026-25253, which allows attackers to seize full administrative control of an OpenClaw instance by tricking a user into clicking a single malicious link. The attack steals authentication tokens and enables complete agent hijacking, giving attackers access to file systems, command execution, messaging platforms, and connected devices.

Global internet scans revealed over 135,000 OpenClaw instances exposed to the public internet across 82 countries. Many of these had authentication disabled by default, leaking API keys, chat histories, and sensitive credentials in plaintext. This represents one of the largest exposed AI agent attack surfaces ever documented.

Perhaps most alarming is the supply chain attack vector. CertiK found that the OpenClaw skills repository, where users share agent capabilities, has been infiltrated by malware. Hundreds of extensions were found bundling infostealers designed to siphon saved passwords and cryptocurrency wallets from host systems.

Additionally, attackers are hiding malicious instructions within emails and webpages that, when processed by the AI agent, force it to exfiltrate files or execute unauthorized commands without the user's knowledge. This is a classic prompt injection attack, amplified by high-privilege execution.

The report identifies a fundamental architectural flaw: OpenClaw was designed for trusted local environments but is now widely deployed on internet-facing servers, a transition the software was never equipped to handle. A Penligent auditor stated that OpenClaw aggregates classic software defects into a runtime with high delegated authority, making the blast radius of any single bug massive.

Mitigation recommendations include running OpenClaw exclusively in sandboxed environments, updating to version 2026.1.29 or later, and using EDR tools to detect unauthorized installations in enterprise networks.
