OpenClaw Attack-Defense Lab

OpenClaw default-config fragility & official advisories

OpenClaw default-config fragility & official advisories

Key Questions

How many OpenClaw deployments are vulnerable and what are the main risks?

Over 1 million deployments and 580,000 instances are affected, with 63% vulnerable according to reports. Key risks include default configuration fragility, multi-tenant exposures, and supply-chain attacks such as those seen in the Megalodon campaign and CVE-2025-59145. Real-world incidents like an $80k API key abuse bill underscore the urgency.

What security improvements does the v2026.6.6 release introduce?

The v2026.6.6 release adds a security approval timeout with default deny, transcript isolation, and sandbox binding restrictions. It also includes a new comprehensive security guide with practical hardening steps for API key hygiene and gateway protections. These changes address exposures highlighted in prior versions like v2026.5.12-beta.6.

What official advisories and research cover OpenClaw vulnerabilities?

CNCERT has issued a new advisory reiterating four core risks, alongside alerts from QiAnXin and AWS. Research includes a Unit 42 study scanning nearly 50,000 skills that found 80% deviating from declared behavior and 5% with multi-stage attack chains, plus iThome reports on 23 malicious skills using squatting techniques.

1M+ deploys/580k+ instances (63% vuln); v2026.5.12-beta.6 expands surfaces; CNCERT/QiAnXin/AWS advisories. New CNCERT official advisory (ex-3d45116f) reiterates four core risks. New v2026.6.6 release adds security approval timeout default deny, transcript isolation, sandbox binding restrictions. New comprehensive security guide (ex-0dfed950) provides practical hardening steps. Gateway/IM breakdowns and 25 Tools/53 Skills guide highlight multi-tenant exposures. API key hygiene emphasized. Broader supply-chain technique from 'Megalodon' campaign noted. CVE-2025-59145 config-file supply-chain attack parallels ClawHub poisoning. Real-world $80k bill from API key abuse reinforces urgency. Agent Threat Rules (ATR) provide 400+ detection rules. OpenClaw used Gavriel Cohen's code, exposing AI agent accountability. Trail of Bits reveals ClawHub scanning bypass techniques. Microsoft Scout agent built on OpenClaw expands attack surface. Varonis Pinchy phishing test confirms AI agent identity verification failure. OAuth vs API keys article reinforces key hygiene. Unit 42 study (1CRmSx1M) scans 49,943 skills, finds 80% deviate from declared behavior, 5% carry multi-stage attack chains — first large-scale empirical validation of supply-chain risks; BIV methodology and 29-capability taxonomy useful for building skill audit pipelines. New signal: iThome reports 23 malicious skills using squatting techniques on ClawHub (ex-df895ddc). New architecture deep-dive (ex-a1f96a49) adds full-chain architectural knowledge for attack surface analysis. New architecture analysis from openEuler community (ex-3a0ae481) provides additional deep dive into Agent Loop, Tools, Gateway, complementing existing architectural knowledge. New paper review (ex-4ad376b9) introduces SafeClawArena benchmark with 406 adversarial tasks covering skill supply chain, persistent state, cross-boundary data flow, and indirect prompt injection, providing theoretical framework for attack surface understanding.

Sources (2)
Updated Jul 7, 2026