Executive Summary
In February 2026, the OpenClaw AI assistant platform faced a significant supply chain attack. Malicious actors uploaded over 230 compromised 'skills' to ClawHub, OpenClaw's skill repository, between January 27 and 29. These skills, often disguised as crypto trading tools, were designed to exfiltrate sensitive user data, including cryptocurrency wallets and browser information. The attack exploited OpenClaw's extensive system permissions, allowing unauthorized access to users' local files and networks. Additionally, a vulnerability in the Cline CLI tool led to the unintended installation of OpenClaw on approximately 4,000 developer systems, further expanding the attack's reach. (cyware.com)
This incident underscores the escalating risks associated with AI-powered automation tools and their plugin ecosystems. The rapid adoption of such platforms, combined with insufficient security vetting of third-party extensions, has created new avenues for supply chain attacks. Organizations must prioritize stringent security measures, including thorough code reviews and robust authentication protocols, to mitigate these emerging threats.
Why This Matters Now
The OpenClaw supply chain attack highlights the urgent need for enhanced security practices in AI-driven platforms. As these tools become more integrated into critical systems, the potential impact of such vulnerabilities grows, necessitating immediate attention to safeguard sensitive data and maintain operational integrity.
Attack Path Analysis
Attackers exploited OpenClaw's supply chain by uploading malicious skills to ClawHub, leading to initial compromise. These skills, once installed, escalated privileges by accessing sensitive system resources. The compromised agents facilitated lateral movement across systems. Attackers established command and control channels through the agents' network capabilities. Sensitive data was exfiltrated via the agents' network connections. The attack culminated in significant data breaches and potential system disruptions.
Kill Chain Progression
Initial Compromise
Description
Attackers uploaded malicious skills to ClawHub, which users unknowingly installed, leading to system compromise.
Related CVEs
CVE-2026-25253
CVSS 8.8
OpenClaw versions prior to 2026.1.29 contain a vulnerability where the Control UI trusts the 'gatewayUrl' from the query string without validation, leading to potential remote code execution via token leakage.
Affected Products:
OpenClaw OpenClaw – < 2026.1.29
Exploit Status:
exploited in the wild
CVE-2026-26322
CVSS 7.6
OpenClaw's Gateway tool contains a Server-Side Request Forgery (SSRF) vulnerability, allowing attackers to send crafted requests leading to unauthorized actions.
Affected Products:
OpenClaw OpenClaw – < 2026.1.29
Exploit Status:
proof of concept
CVE-2026-26319
CVSS 7.5
OpenClaw's integration with Telnyx lacks proper webhook authentication, potentially allowing unauthorized access and actions.
Affected Products:
OpenClaw OpenClaw – < 2026.1.29
Exploit Status:
proof of concept
CVE-2026-26329
CVSS 6.5
OpenClaw's browser upload functionality contains a path traversal vulnerability, potentially allowing unauthorized file access.
Affected Products:
OpenClaw OpenClaw – < 2026.1.29
Exploit Status:
proof of concept
CVE-2026-24763
CVSS 8.8
OpenClaw's Docker sandbox mode is vulnerable to command injection via unsafe handling of the PATH environment variable, allowing authenticated users to execute arbitrary commands.
Affected Products:
OpenClaw OpenClaw – < 2026.1.29
Exploit Status:
proof of concept
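The CVE-2026-25253 entry above describes the Control UI trusting a 'gatewayUrl' taken from the query string. The following is an added example, not OpenClaw's own code, of the check a client should apply: honour the parameter only when it parses as a WebSocket URL whose origin is on an explicit allow-list, and otherwise fall back to the configured default so a session token is never handed to an attacker-chosen endpoint. The default URL and allow-list are constructed for this example.

```javascript
// Added example, not OpenClaw code: resolve the gateway endpoint the Control UI
// will connect to. A ?gatewayUrl= query parameter is honoured only when its origin
// (scheme + host + port) is explicitly allow-listed; anything else falls back to
// the default so the auth token is never sent to an untrusted gateway.

const DEFAULT_GATEWAY = "ws://127.0.0.1:18789/";        // constructed sample default
const ALLOWED_GATEWAY_ORIGINS = new Set([                // constructed sample allow-list
  "ws://127.0.0.1:18789",
  "wss://gateway.example.internal",
]);

// `search` is a location.search-style string such as "?gatewayUrl=...".
// Returns { url, trusted, reason }; callers must only attach the token when
// `trusted` is true, and `url` is always either allow-listed or the fallback.
function resolveGatewayUrl(search, allowedOrigins = ALLOWED_GATEWAY_ORIGINS,
                           fallback = DEFAULT_GATEWAY) {
  const candidate = new URLSearchParams(search).get("gatewayUrl");
  if (candidate === null) {
    return { url: fallback, trusted: true, reason: "no gatewayUrl parameter" };
  }
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return { url: fallback, trusted: false, reason: "unparseable gatewayUrl" };
  }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") {
    return { url: fallback, trusted: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.username !== "" || parsed.password !== "") {
    return { url: fallback, trusted: false, reason: "credentials embedded in gatewayUrl" };
  }
  // Compare on the normalised origin, not a string prefix: "ws://127.0.0.1:18789.evil"
  // or userinfo tricks would pass a naive startsWith() check but fail here.
  if (!allowedOrigins.has(parsed.origin)) {
    return { url: fallback, trusted: false, reason: `origin ${parsed.origin} not allow-listed` };
  }
  return { url: parsed.href, trusted: true, reason: "allow-listed origin" };
}
```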
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Compromise Software Dependencies and Development Tools
Hardware Additions
Trusted Relationship
Unsecured Credentials in Code Repositories
Compromise Infrastructure
Acquire Infrastructure
Develop Capabilities
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Data
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
OpenClaw supply chain attacks directly target software development environments through malicious plugin ecosystems, compromising automated workflows and developer credentials.
Information Technology/IT
IT organizations face high risk from OpenClaw's AI automation framework vulnerabilities, enabling remote code execution and credential theft through poisoned skills.
Financial Services
Financial institutions using AI automation face critical exposure to OpenClaw's CVE-2026-25253 RCE vulnerability and OAuth token abuse affecting sensitive financial data.
Health Care / Life Sciences
Healthcare organizations deploying AI assistants risk HIPAA violations when prompt injection attacks against OpenClaw, or unsandboxed skill execution, expose patient data.
Sources
- The OpenClaw Hype: Analysis of Chatter from Open-Source Deep and Dark Web – https://www.bleepingcomputer.com/news/security/the-openclaw-hype-analysis-of-chatter-from-open-source-deep-and-dark-web/
- CVE-2026-25253: One-Click RCE in OpenClaw via Token Leakage and WebSocket Abuse – https://www.netizen.net/news/post/7562/cve-2026-25253-one-click-rce-in-openclaw-via-token-leakage-and-websocket-abuse
- Researchers Reveal Six New OpenClaw Vulnerabilities – https://www.infosecurity-magazine.com/news/researchers-six-new-openclaw/
- Command Injection in openclaw | CVE-2026-24763 | Snyk – https://security.snyk.io/vuln/SNYK-JS-OPENCLAW-15202443
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, establish command channels, and exfiltrate data, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have limited the reach of malicious uploads by enforcing strict identity-based policies, reducing the likelihood of unauthorized code execution.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have limited the scope of privilege escalation by enforcing least-privilege access controls, reducing the attacker's ability to access sensitive resources.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could have reduced the attacker's ability to move laterally by segmenting network traffic and enforcing strict communication policies between workloads.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could have limited the establishment of command channels by providing real-time monitoring and control over network communications.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have reduced data exfiltration by enforcing strict outbound traffic policies and monitoring data flows.
The implementation of Aviatrix Zero Trust CNSF controls could have reduced the overall impact by limiting the attacker's ability to escalate privileges, move laterally, establish command channels, and exfiltrate data.
Impact at a Glance
Affected Business Functions
- Email Management
- Scheduling
- System Automation
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of authentication tokens, API keys, and sensitive user data.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict agent permissions and limit the impact of compromised skills.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic from agents.
- Utilize Threat Detection & Anomaly Response to identify and respond to unusual agent behaviors.
- Apply Inline IPS (Suricata) to detect and prevent malicious payloads within agent communications.
- Regularly audit and verify the integrity of skills within ClawHub to prevent supply chain attacks.