Blockchain security firm CertiK has released a comprehensive analysis of OpenClaw, a popular open-source AI agent that has seen explosive growth since its debut. The report warns that the platform’s rapid adoption has outpaced its security measures, creating significant vulnerabilities that could expose users to data theft, system breaches, and cryptocurrency losses.
Launched in November 2025 as a side project called Clawdbot, OpenClaw evolved into a widely used tool with more than 300,000 GitHub stars and an estimated 2 million monthly active users.
It operates locally on personal devices, connecting to messaging apps like WhatsApp, Slack, and Telegram to handle tasks such as email management, calendar updates, and file operations.
CertiK’s examination of OpenClaw’s architecture, workflows, internal components, supply-chain elements, and external dependencies reveals a pattern of accumulating technical shortcomings.
Researchers describe the platform as having built up substantial “security debt” amid its surge in popularity.
The analysis, based on information available through mid-March 2026, identifies it as a leading target for supply chain attacks at scale.
Over 280 GitHub security advisories and roughly 100 common vulnerabilities and exposures (CVEs) have been logged, alongside multiple ecosystem-wide incidents since launch.
One of the most pressing concerns involves malicious “skills” available through OpenClaw’s ClawHub marketplace and similar sources.
Hundreds of counterfeit installers and imitation packages have been discovered, many designed to bypass traditional antivirus tools by leveraging natural language instructions to alter behavior.
Once installed, these components can quietly extract sensitive information, including passwords and cryptocurrency wallet credentials.
Attackers have specifically targeted high-value crypto tools, such as wallet trackers, insider monitoring utilities, and integrations with services like Polymarket or Google Workspace.
The payloads often aim at popular browser extensions, including MetaMask, Phantom, Trust Wallet, Coinbase Wallet, and OKX Wallet, enabling large-scale drainage through familiar tactics like social engineering and credential theft.
Additional weaknesses stem from deployment and configuration issues.
Security scans found approximately 30,000 internet-facing instances shortly after launch, with later assessments identifying 135,000 installations spanning 82 countries.
Of these, around 15,200 were susceptible to remote code execution.
Other risks include local gateway hijacking—where malicious websites or payloads exploit the agent’s presence on a user’s machine—prompt injection attacks, identity bypasses, and inconsistent boundary checks that can leak credentials, session histories, and stored agent memories.
Plugins that add new channels, tools, or services further expand the attack surface, sometimes concealing backdoors within legitimate code.
CertiK emphasizes that these flaws turn OpenClaw into a bridge between external inputs and local execution, amplifying classic threats in an AI context.
The firm strongly cautions non-technical users, security professionals, and experienced developers alike against installing the platform from unverified sources until more robust, hardened versions become available.
Instead, it recommends establishing secure operating environments, enforcing strict tool permissions, and applying layered defenses.
OpenClaw’s founder, Peter Steinberg—who recently joined OpenAI—acknowledged ongoing efforts to strengthen protections, noting recent improvements following two months of focused work.
The research report serves as yet another alert for developers and organizations experimenting with AI agents, underscoring the need for security to keep pace with innovation. As adoption continues, addressing these gaps will be essential to prevent widespread exploitation and maintain user trust.