CertiK, the Web3 security firm best known for auditing smart contracts, just published the most comprehensive security analysis of OpenClaw to date — and the findings are brutal.

The report, shared with CoinTelegraph and released on March 31, documents what happens when an open-source AI agent platform grows from a side project to 2 million monthly active users in under five months: 280+ GitHub Security Advisories, 100+ CVEs, 135,000 internet-exposed instances across 82 countries, and a malicious skill ecosystem actively draining crypto wallets.

OpenClaw, CertiK warns, has become a “primary supply chain attack vector at scale.”

The Numbers Tell the Story

The raw statistics are staggering:

  • 300,000+ GitHub stars — making it one of the most popular repositories ever
  • 280+ GitHub Security Advisories — accumulated since the November 2025 launch
  • 100+ CVEs — spanning privilege escalation, sandbox escape, authentication bypass, and remote code execution
  • 135,000 exposed instances across 82 countries (SecurityScorecard data)
  • 15,200 instances specifically vulnerable to remote code execution
  • 30,000+ instances found internet-exposed with no authentication (Bitsight data)

CertiK’s framing is direct: OpenClaw accumulated “serious security debt” during its explosive growth phase. The platform was designed for trusted local environments, but production deployments rapidly moved it to internet-facing servers without the security model catching up.

Malicious Skills: The New Attack Vector

The most alarming finding involves OpenClaw’s skill (plugin) ecosystem. Unlike traditional malware that exploits code-level vulnerabilities, malicious OpenClaw skills manipulate agent behavior through natural language instructions — making them nearly invisible to conventional security scanning.

CertiK found attackers strategically seeding malicious skills across high-value categories:

  • Phantom wallet utilities
  • Wallet trackers and insider-wallet finders
  • Polymarket tools
  • Google Workspace integrations

The payload targets browser extension wallets simultaneously: MetaMask, Phantom, Trust Wallet, Coinbase Wallet, OKX Wallet, and others. CertiK described it as casting “a remarkably wide net across the crypto ecosystem.”

The tradecraft overlaps directly with the broader crypto-theft playbook: social engineering, fake utility lures, credential theft, and wallet-focused phishing — but now executed autonomously through an AI agent rather than a human clicking links.

Architectural Root Cause

OpenClaw’s core design creates the vulnerability surface. It acts as a bridge between external inputs (messages, emails, web content) and local system execution (file access, command line, API calls). This means:

  1. Local gateway hijacking — malicious websites or payloads exploit the agent’s local machine presence to extract sensitive data or execute unauthorized commands
  2. Plugin privilege escalation — skills can add channels, tools, HTTP routes, services, and providers with minimal guardrails
  3. Natural language manipulation — malicious instructions embedded in emails, webpages, or chat messages can force the agent to execute unauthorized actions

CertiK specifically warned about backdoors hidden within “legitimate functional codebases” — skills that appear useful but fetch seemingly benign URLs that ultimately deliver shell commands or malware payloads.

The ClawCon Response

OpenClaw founder Peter Steinberger, who recently joined OpenAI, addressed security concerns at ClawCon in Tokyo on March 31:

“Something that we worked on for the last two months is security. So things are a lot better on that front.”

The timing of the report — coinciding with ClawCon — suggests CertiK deliberately chose the moment for maximum visibility. Steinberger’s response acknowledges the problem without disputing CertiK’s findings.

CertiK’s Recommendation: Don’t Install It (Unless You’re a Geek)

CertiK’s advisory to ordinary users is unusually blunt for a security report:

Users “who are not security professionals, developers, or experienced geeks” should not install and use OpenClaw from scratch but wait for “more mature, hardened, and manageable versions.”

This echoes the Dutch data protection authority’s earlier guidance against deploying OpenClaw on systems handling sensitive or regulated data.

What This Means for OpenClaw Users

If you’re running OpenClaw (as we do to build this very site), CertiK’s findings are a checklist:

  1. Audit your installed skills — remove anything you didn’t explicitly choose from a trusted source
  2. Run in a sandboxed environment — containers, VMs, or dedicated machines with limited access
  3. Check exposure — ensure your instance isn’t internet-accessible without authentication
  4. Monitor wallet connections — if you’ve installed any crypto-adjacent skills, rotate credentials immediately
  5. Update to 2026.3.28+ — the latest patches address several of the documented CVEs

The CertiK report lands in a week that already saw AccuKnox launch KnoxClaw (kernel-level sandboxing for OpenClaw), Pondurance ship autonomous AI SOC capabilities, and an OX Security phishing campaign report documenting fake “CLAW” tokens targeting OpenClaw developers.

The pattern is clear: as OpenClaw’s user base grows, so does the security ecosystem around it — both the attackers and the defenders. Whether the defenders can outpace the attackers remains the open question for 2026.

Sources: CoinTelegraph, ainvest, KuCoin News