Rapid growth creates rapid attack surfaces. OpenClaw’s explosion in popularity (337,000 stars in under five months) made it an attractive target before the security community had time to fully audit it. The result was a compressed and chaotic security history: a critical CVE, an npm impersonator distributing remote access trojans, and a ClawHub skills marketplace supply chain incident. Here’s the complete timeline.
January 2026: CVE-2026-25253 (CVSS 8.8)
The first major vulnerability was disclosed in January 2026. CVE-2026-25253 carries a CVSS score of 8.8, classified as High severity, one point below Critical. The specific details of the exploit path were responsibly disclosed through the standard process, but the impact was significant enough to trigger a wave of community forks explicitly positioned as security-hardened alternatives.
The Carapace project (puremachinery/carapace) explicitly cites “critical January 2026 vulnerability disclosures” as its founding motivation. IronClaw (Near AI) and Moltis similarly emerged in the same period with WASM sandboxing and zero-unsafe-code policies respectively.
The vulnerability highlighted a systemic issue: OpenClaw’s plugin architecture gave skills broad access to the host system without meaningful sandboxing. This is a design trade-off common in extensible frameworks (capability comes at the cost of a larger attack surface), but it was a surprise to users who assumed local execution meant safe execution.
February–March 2026: The GhostClaw Malware Incident
The most alarming incident in the OpenClaw security history was the publication of a malicious npm package designed to impersonate the legitimate OpenClaw distribution.
Package name: @openclaw-ai/openclawai
Published: March 3, 2026
Removed: March 10, 2026
Classification: GhostClaw / GhostLoader Remote Access Trojan (RAT)
The package was scoped under @openclaw-ai, which looks plausible to developers unfamiliar with the ecosystem’s actual npm namespace. The legitimate package is simply openclaw (no scope prefix). The malicious package installed a RAT that gave attackers persistent remote access to infected machines.
The seven-day window between publication and removal is concerning. npm’s automated malware detection did not flag it immediately, and discovery appears to have been community-driven. The research note in our implementation database is stark: “Only install the legitimate openclaw package (no scoped prefix).”
For developers: audit your package.json and lock files right now. If you have @openclaw-ai/openclawai in any dependency tree (direct or transitive), treat the machine as compromised.
The ClawHub Supply Chain Incident
Separately from the npm malware incident, the ClawHub skill registry experienced its own supply chain compromise. ClawHub is OpenClaw’s official “App Store” at clawhub.ai, hosting over 5,700 community-contributed skills.
The specific details of the ClawHub incident are less publicly documented than the GhostClaw npm package, but it prompted a significant response: Prompt Security (a SentinelOne company) built ClawSec specifically around skill integrity verification and SOUL.md drift detection. ClawSec’s “skill-of-skills” architecture continuously monitors installed skills for unauthorized modifications.
nanobot (from HKU’s Data Intelligence Lab) made an explicit architectural decision in response to supply chain concerns: removing litellm as a dependency after a supply chain incident and switching to native Anthropic and OpenAI SDKs instead.
The Security Ecosystem Response
The security incidents catalyzed a meaningful response from the community and commercial security vendors.
SecureClaw (Adversa AI)
SecureClaw launched in February 2026 as a dual-stack security layer: both a full OpenClaw plugin and a standalone skill. It runs 56 automated audit checks across 8 categories and maps findings to OWASP ASI, MITRE ATLAS, CSA MAESTRO, and NIST AI 100-2 frameworks. Five hardening modules and three background monitors run continuously. Everything operates locally; no telemetry leaves the machine.
ClawSec (Prompt Security / SentinelOne)
ClawSec launched in March 2026 with a specific focus on supply chain protection. The SOUL.md drift detection feature monitors for unauthorized changes to the agent’s configuration files. The skill integrity verification component validates installed skills against known-good checksums. Its “skill-of-skills” architecture means it functions as an always-on security monitor rather than a one-time scanner.
Security-First Rewrites
The rewrite variants that emerged after January 2026 read like a security wish list for the original OpenClaw:
- Carapace: Fail-closed authentication, OS-level subprocess sandboxing, signed plugin runtime (signature-verified), encrypted secret storage
- IronClaw (Near AI): All untrusted tools run in isolated WebAssembly containers; TEE approach; capability-based permissions; endpoint allowlisting; credential injection; leak detection
- Moltis: Zero unsafe Rust code (denied workspace-wide); WebAuthn/passkey authentication; Docker + Apple Container sandboxing
- NanoClaw: Bash access runs inside a container, not on the host; container-isolated execution for all agent operations
Practical Advice for Developers
1. Verify your npm package name. The legitimate package is openclaw. No scope prefix. If you’re installing anything with a scope like @openclaw-ai or @openclaw/core, verify carefully.
2. Audit your installed skills. Skills run with the same permissions as OpenClaw itself. Review what you’ve installed from ClawHub, check checksums where available, and consider ClawSec for ongoing monitoring.
3. Update to the current version. Version 2026.3.24 is the latest release as of late March 2026. Earlier versions may still be vulnerable to CVE-2026-25253.
4. Consider a security-hardened variant for sensitive workloads. If your OpenClaw instance has access to production credentials, financial data, or sensitive communications, Carapace or IronClaw’s sandboxed execution models are worth evaluating. Fail-closed beats fail-open for sensitive deployments.
5. Install SecureClaw. Adversa AI’s OWASP-aligned 56-check audit suite runs locally and takes minutes to install. There’s no strong reason not to run it.
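The first three steps above, together with the earlier advice to audit package.json and lock files for @openclaw-ai/openclawai, are easy to turn into a repeatable local check. The script below is an added example and is not OpenClaw, SecureClaw or ClawSec code: it walks a package-lock.json (both the flat "packages" map of lockfile v2/v3 and the nested "dependencies" tree of v1) so transitive entries are covered, records SHA-256 checksums of installed skill files in a manifest and reports modified, missing or added files on a later run, and compares an installed version against 2026.3.24 numerically. The package names and the release number come from the article; the lockfile and skill files are constructed sample data, the manifest format (relative path to sha256) is this example's own convention, and the skills directory layout is an assumption.

```python
"""Local audit helpers for an OpenClaw install (added example, not project code).

Checks mirror the article's advice:
  1. scan a package-lock.json for the GhostClaw impersonator and scoped lookalikes,
  2. compare installed skills against a known-good checksum manifest (drift detection),
  3. flag an installed version older than the current release.
The lockfile and skill files below are constructed sample data; the manifest
format (relative path -> sha256) is this example's own convention.
"""
import hashlib
import tempfile
from pathlib import Path

MALICIOUS_PACKAGES = {"@openclaw-ai/openclawai"}   # GhostClaw RAT impersonator (from the article)
LEGITIMATE_PACKAGE = "openclaw"                       # the real package has no scope prefix
LOOKALIKE_SCOPES = ("@openclaw-ai/", "@openclaw/")    # scopes the article says to distrust
CURRENT_RELEASE = "2026.3.24"                         # latest release per the article


def lockfile_packages(lock: dict) -> dict:
    """Return {name: version} for every package in a package-lock.json.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by install path
    ("node_modules/a/node_modules/b"); v1 (and v2 for compatibility) keeps a
    nested "dependencies" tree. Both are walked so transitive deps are included.
    """
    found = {}
    for install_path, meta in lock.get("packages", {}).items():
        if install_path == "":                 # the root project entry
            continue
        name = meta.get("name") or install_path.split("node_modules/")[-1]
        found[name] = meta.get("version", "")

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            found.setdefault(name, meta.get("version", ""))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def audit_lockfile(lock: dict) -> list:
    """Return (severity, package, version, reason) tuples for risky entries."""
    findings = []
    for name, version in sorted(lockfile_packages(lock).items()):
        if name in MALICIOUS_PACKAGES:
            findings.append(("CRITICAL", name, version,
                             "known malicious impersonator; treat the host as compromised"))
        elif name.startswith(LOOKALIKE_SCOPES):
            findings.append(("WARN", name, version,
                             f"scoped lookalike of the unscoped '{LEGITIMATE_PACKAGE}' package"))
    return findings


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(skills_dir: Path) -> dict:
    """Record the sha256 of every file under skills_dir, keyed by relative path."""
    return {str(p.relative_to(skills_dir)): sha256_file(p)
            for p in sorted(skills_dir.rglob("*")) if p.is_file()}


def check_drift(skills_dir: Path, manifest: dict) -> dict:
    """Compare the current directory contents against a known-good manifest."""
    current = build_manifest(skills_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def is_outdated(installed: str, latest: str = CURRENT_RELEASE) -> bool:
    """Compare calendar-style versions such as 2026.3.24 as integer tuples, not strings."""
    return tuple(int(x) for x in installed.split(".")) < tuple(int(x) for x in latest.split("."))


# Constructed lockfile: a legitimate install where a helper pulls in the impersonator transitively.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-agent", "version": "1.0.0"},
        "node_modules/openclaw": {"version": "2026.3.24"},
        "node_modules/some-helper": {"version": "0.4.1"},
        "node_modules/some-helper/node_modules/@openclaw-ai/openclawai": {"version": "1.0.3"},
    },
}


def demo_drift() -> dict:
    """Build a manifest from constructed skill files, alter one, add one, and report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        skills = Path(tmp)
        (skills / "weather").mkdir()
        (skills / "weather" / "SKILL.md").write_text("# weather skill\n")
        (skills / "weather" / "run.sh").write_text("#!/bin/sh\necho ok\n")
        manifest = build_manifest(skills)          # the known-good snapshot
        (skills / "weather" / "run.sh").write_text("#!/bin/sh\necho changed\n")  # unauthorized edit
        (skills / "weather" / "extra.py").write_text("")                          # unexpected file
        return check_drift(skills, manifest)


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(*finding)
    print("drift:", demo_drift())
    print("openclaw outdated:", is_outdated(lockfile_packages(SAMPLE_LOCK)["openclaw"]))
```

In practice, point `build_manifest` at the real skills directory right after a reviewed install, store the manifest somewhere the agent cannot write, and run `check_drift` on a schedule; any "modified" or "added" entry is a signal to re-review the skill before the agent runs again.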
The Broader Pattern
OpenClaw’s security journey is not unusual for a project that achieved viral scale in months rather than years. The original OpenClaw design made explicit trade-offs: maximum compatibility and extensibility over sandboxed execution. Those trade-offs are reasonable for many use cases and harder to justify for others.
The ecosystem’s response (dedicated security plugins, sandboxed rewrites, commercial managed hosting with EDR monitoring) demonstrates a maturing community. The GhostClaw incident in particular produced a clear outcome: the npm namespace confusion has been publicly documented and the community knows what to watch for.
The security picture in March 2026 is meaningfully better than it was in January 2026. The question is whether it will keep pace with an attack surface that grows every time a new enterprise deploys OpenClaw at scale.