Threat Intelligence · February 6, 2026 · 6 min read

The OpenClaw Crisis: What the First AI Agent Security Nightmare Means for Your Business

Over 180,000 developers deployed an AI agent that could read their emails, control their browsers, and execute code. Then the vulnerabilities started appearing.

TL;DR

  • OpenClaw/MoltBot is an AI agent that went viral with 180,000+ users - then security researchers found critical vulnerabilities
  • 341 malicious plugins discovered, 42,665 exposed instances, and a one-click remote code execution exploit
  • 22% of enterprises already have employees using it without IT approval
  • This is a preview of the agentic AI security challenges every business will face

In late January 2026, an open-source AI agent called MoltBot (later rebranded to OpenClaw) went viral. Developers loved it - finally, an AI that could actually do things.

Then the security researchers started looking closer. What they found should concern every business owner.

What Makes OpenClaw Different

Unlike ChatGPT or Claude, which respond to questions, OpenClaw acts. It connects to your email, calendar, and file system. It browses websites, fills out forms, and executes code.

  • Sends emails and messages on your behalf
  • Controls desktop applications
  • Browses the web and makes purchases
  • Integrates with WhatsApp and Telegram
  • Takes screenshots and executes code

This is incredibly powerful. It's also a security nightmare.

The Vulnerabilities

  • 341 malicious plugins found
  • 42,665 exposed instances
  • 22% of enterprises affected
  • <1s RCE exploit time

Within weeks of going viral, security researchers discovered 341 malicious "skills" on ClawHub, the official marketplace. These fake plugins installed Atomic Stealer malware on macOS systems.

Critical: One-Click RCE
A remote code execution exploit was published that takes "milliseconds" to execute. If you have OpenClaw running, visiting a single malicious web page is all it takes.

The fundamental problem? OpenClaw doesn't maintain trust boundaries between untrusted inputs and high-privilege execution. Any content the agent reads, including a web page it fetches, can end up steering the actions it takes.
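To make the trust-boundary point concrete, here is an added example (not OpenClaw's code, and not from the article): a minimal agent tool dispatcher in two forms. The naive form runs whatever tool call the model proposes; the guarded form labels every piece of context as trusted or untrusted and refuses to run a high-privilege tool once untrusted content is in the context, unless the user approves out of band. The tool names, the `ToolCall` shape and the simulated model decision are all constructed for this illustration.

```python
"""Added example, not OpenClaw's code: a minimal agent tool dispatcher that
keeps a trust boundary between untrusted content the agent reads and the
high-privilege tools it can invoke.

Everything here is constructed for illustration: the tool names, the
ToolCall shape and the simulated "model" decision are assumptions.
"""
from dataclasses import dataclass, field

# Tools that act on the outside world (the article's "high-privilege execution").
HIGH_PRIVILEGE_TOOLS = {"send_email", "execute_code", "make_purchase"}
# Read-only tools that only bring data into the context.
LOW_PRIVILEGE_TOOLS = {"fetch_page", "summarize"}


@dataclass
class ToolCall:
    name: str
    args: dict


@dataclass
class Context:
    """Everything the model has seen, each item labelled trusted or not."""
    items: list = field(default_factory=list)  # (text, trusted)

    def add(self, text: str, trusted: bool) -> None:
        self.items.append((text, trusted))

    def tainted(self) -> bool:
        # Once any untrusted text is in the context, the model's next
        # decisions may have been steered by it.
        return any(not trusted for _, trusted in self.items)


class PolicyViolation(Exception):
    pass


def dispatch_naive(call: ToolCall, ctx: Context) -> str:
    """The pattern the article criticises: whatever the model proposes, run it."""
    return f"ran {call.name}"


def dispatch_guarded(call: ToolCall, ctx: Context, approved: bool = False) -> str:
    """Hardened dispatcher: a high-privilege call made after untrusted content
    entered the context requires an out-of-band user approval."""
    if call.name in LOW_PRIVILEGE_TOOLS:
        return f"ran {call.name}"
    if call.name not in HIGH_PRIVILEGE_TOOLS:
        raise PolicyViolation(f"unknown tool: {call.name}")
    if ctx.tainted() and not approved:
        raise PolicyViolation(
            f"{call.name} requested after untrusted input; user approval required"
        )
    return f"ran {call.name}"


def simulate(guarded: bool, approved: bool = False) -> str:
    """One episode: the user asks for a summary, the agent fetches a page, and
    the (simulated) model then proposes a high-privilege action the user never
    asked for."""
    ctx = Context()
    ctx.add("user: summarise https://example.com/page", trusted=True)
    dispatch_guarded(ToolCall("fetch_page", {"url": "https://example.com/page"}), ctx)
    # The fetched text is data from outside the trust boundary.
    ctx.add("fetched page text (constructed, untrusted)", trusted=False)
    # Simulated model output: a tool call that was not part of the user's request.
    proposed = ToolCall("send_email", {"to": "someone@example.com"})
    try:
        if guarded:
            return dispatch_guarded(proposed, ctx, approved=approved)
        return dispatch_naive(proposed, ctx)
    except PolicyViolation as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    print("naive:   ", simulate(guarded=False))
    print("guarded: ", simulate(guarded=True))
    print("approved:", simulate(guarded=True, approved=True))
```

The design choice worth noting is that the approval comes from the user, not from the model: a model that has already read untrusted content cannot be the one to vouch for the safety of its own proposed action.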

It's Already in Your Organization

Cybersecurity firm Token Security reported that 22% of their enterprise customers already have employees using MoltBot/OpenClaw - likely without IT approval.

This is shadow IT on steroids. When employees install an autonomous AI agent with access to their email, calendar, and file system, the attack surface isn't theoretical. It's already inside your network.

What To Do Now

Immediate Actions

  • Audit your organization for AI agent installations
  • Disable or sandbox any agents with broad system access
  • Rotate API keys and credentials that may have been exposed
  • Establish clear policies about AI agent usage
  • Implement monitoring for AI agent activity
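As an added example of the last item, monitoring for AI agent activity, here is a small detector (not the article's or any vendor's code) that scans agent activity logs for a high-privilege action that follows untrusted input without a recorded approval. The log format, the field names and the sample lines are constructed for this example; a real deployment would map them onto whatever the agent actually logs.

```python
"""Added example, not from the article: scan agent activity logs for
high-privilege actions taken shortly after untrusted input, without approval.

The key=value log format and the sample lines below are constructed.
"""
from datetime import datetime, timedelta

HIGH_PRIVILEGE = {"send_email", "execute_code", "make_purchase"}
# How long after an untrusted fetch a privileged action is treated as linked to it.
WINDOW = timedelta(seconds=60)

# Constructed sample log: one agent per user, ISO timestamps, key=value fields.
SAMPLE_LOG = """\
2026-02-06T10:00:01Z agent=alice tool=fetch_page trust=untrusted
2026-02-06T10:00:02Z agent=alice tool=execute_code approved=no
2026-02-06T10:05:00Z agent=bob tool=fetch_page trust=untrusted
2026-02-06T10:05:20Z agent=bob tool=send_email approved=yes
2026-02-06T10:10:00Z agent=carol tool=send_email approved=no
2026-02-06T10:20:00Z agent=dave tool=fetch_page trust=untrusted
2026-02-06T10:25:00Z agent=dave tool=execute_code approved=no
"""


def parse_line(line: str) -> dict:
    """Turn one log line into a dict; the timestamp is parsed as UTC."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return fields


def find_suspicious(log_text: str) -> list:
    """Return one alert per unapproved high-privilege action that happened
    within WINDOW of the same agent reading untrusted content."""
    last_untrusted = {}  # agent -> timestamp of most recent untrusted input
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        agent = ev["agent"]
        if ev.get("trust") == "untrusted":
            last_untrusted[agent] = ev["ts"]
            continue
        tool = ev.get("tool")
        if tool in HIGH_PRIVILEGE and ev.get("approved") != "yes":
            seen = last_untrusted.get(agent)
            if seen is not None and ev["ts"] - seen <= WINDOW:
                alerts.append({
                    "agent": agent,
                    "tool": tool,
                    "at": ev["ts"].isoformat(),
                    "reason": "unapproved privileged action after untrusted input",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

On the sample data only alice's `execute_code` fires: bob's action was approved, carol had no untrusted input beforehand, and dave's action falls outside the 60-second window. Tuning that window, and deciding whether unapproved privileged actions with no untrusted input should raise a lower-severity alert of their own, is where a real detection would start.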

OpenClaw exposed something the security industry has been warning about: we're building AI systems faster than we're building the security models to contain them.

The OpenClaw crisis is a preview of what's coming. The question is whether your organization will be ready.
