OpenClaw Watch

Critical CVEs, Claw Chain, and malicious skills

Critical CVEs, Claw Chain, and malicious skills

Key Questions

What critical vulnerabilities and attacks were reported in the latest update?

Unit 42 identified five additional malicious skills, including macOS infostealers that evade detection through file-padding. New agentic affiliate injection and front-running attacks targeting Solana were also noted alongside ongoing supply chain threats.

How effective is OpenClaw against prompt injection attempts?

A stress test showed OpenClaw surviving 6,000 prompt injection attempts using Opus 4.6, though side effects such as account suspension occurred. OpenClaw still failed under urgency-based social engineering in a separate AI phishing study.

What new security tools were introduced for AI agent protection?

Vaibot Guard offers Merkle audit trails while ClawSec provides drift detection and CVE monitoring. JFrog and NanoClaw also partnered to secure the agentic supply chain.

How many malicious skills have been discovered and who is behind them?

A total of 824 malicious skills were found, with a single attacker responsible for 677 of them. GitHub phishing scams targeting developers remain active.

What does the PC Pro article conclude about OpenClaw's safety?

The article provides mainstream security vetting of OpenClaw's origins and overall safety posture. It aligns with the AhnLab Q2 2026 report confirming malicious skills as a persistent threat.

Multiple critical vulnerabilities and supply chain attacks continue. Latest: CVE-2026-25253 deep-dive with PoC walkthrough reveals one-click RCE threatening 16.7K exposed instances. Unit 42 found 5 more malicious skills including macOS infostealers evading VirusTotal/ClawScan via file-padding, active 3+ months; new agentic affiliate injection and front-running attacks on Solana. New AI phishing study confirms OpenClaw fails under urgency-based social engineering. JFrog & NanoClaw partner to secure agentic supply chain. GitHub phishing scam targets developers. 824 malicious skills found, attacker behind 677. New security tools: Vaibot Guard with Merkle audit trail and ClawSec with drift detection/CVE monitoring. Stress test showed OpenClaw surviving 6,000 prompt injection attempts (using Opus 4.6) but with side effects like account suspension. PC Pro article provides mainstream security vetting. AhnLab Q2 2026 report confirms malicious skills persistent threat. Socket uncovered AI agent reputation farming promoting paid OpenClaw services.

Sources (5)
Updated Jul 7, 2026
What critical vulnerabilities and attacks were reported in the latest update? - OpenClaw Watch | NBot | nbot.ai