Security researchers have identified critical vulnerabilities in OpenClaw, an open-source AI assistant that automates email, calendar management, and other tasks. The project rebranded from Clawdbot to Moltbot and then to OpenClaw after receiving a trademark complaint from Anthropic.
The core problem lies in the Model Context Protocol (MCP), the framework OpenClaw uses to connect with various services. MCP shipped without mandatory authentication, creating what Itamar Golan, who leads AI security strategy at SentinelOne, describes as an identity and execution problem. Users grant these agents access to email, files, and corporate systems, but the underlying protocol lacks built-in security controls.
Researchers found 1,862 MCP servers exposed to the internet without authentication, according to security firm Knostic. Jamieson O’Reilly of Dvuln discovered eight completely open OpenClaw instances allowing full command execution without credentials. He also demonstrated a supply chain attack through ClawdHub, the assistant’s skills library, reaching 16 developers across seven countries in eight hours.
The assistant stores sensitive data in plaintext files on local systems. Hudson Rock reported that popular infostealer malware families including RedLine, Lumma, and Vidar have already added OpenClaw to their target lists. Shruti Gandhi of Array VC reported 7,922 attack attempts on her firm’s instance.
Security researcher Matvey Kukuy extracted an SSH private key from an OpenClaw instance in five minutes using prompt injection, where malicious instructions hidden in documents trick the AI into performing unauthorized actions.
Three critical vulnerabilities have been documented with severity scores ranging from 8.8 to 9.6 out of 10. Analysis by Equixly found that 43 percent of popular MCP implementations contained command injection flaws.
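The command injection class cited above arises when a tool handler passes model-supplied text through a shell. The following is an added illustration written for this summary, not code from OpenClaw or from any of the MCP implementations Equixly analysed; the `echo`-based tool, its argument names and the sample inputs are constructed, and the hostile input uses a harmless `echo INJECTED` stand-in so the difference between the three handlers is visible in their output.

```python
import re
import subprocess

# Constructed sample inputs: what an agent might hand to a hypothetical "echo_host"
# tool after reading a benign document versus a document carrying injected text.
BENIGN_ARG = "example.com"
HOSTILE_ARG = "example.com; echo INJECTED"   # harmless stand-in for a real payload

# Allowlist for the one argument this tool accepts: a DNS-style hostname.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def run_tool_unsafe(host: str) -> list[str]:
    """Injection-prone handler: interpolates model-supplied text into a shell string."""
    completed = subprocess.run(
        f"echo {host}", shell=True, capture_output=True, text=True, check=True
    )
    return completed.stdout.splitlines()


def run_tool_argv(host: str) -> list[str]:
    """Argument-vector handler: no shell parses the input, so ';' is just a character."""
    completed = subprocess.run(
        ["echo", host], capture_output=True, text=True, check=True
    )
    return completed.stdout.splitlines()


def validate_hostname(host: str) -> str:
    """Allowlist check applied before any tool argument reaches a subprocess."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected tool argument: {host!r}")
    return host


def run_tool_hardened(host: str) -> list[str]:
    """Both defences together: validate the argument, then pass it as argv."""
    return run_tool_argv(validate_hostname(host))


def is_accepted(host: str) -> bool:
    """True if the allowlist would let this argument through to the tool."""
    try:
        validate_hostname(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("unsafe  :", run_tool_unsafe(HOSTILE_ARG))    # two lines: the second command ran
    print("argv    :", run_tool_argv(HOSTILE_ARG))      # one line: the text was echoed literally
    print("hardened:", run_tool_hardened(BENIGN_ARG))   # one line for a valid hostname
    print("accepted?", is_accepted(HOSTILE_ARG))        # False: rejected before any subprocess
```

The argv form alone removes the shell from the path, which is the fix for this flaw class; the allowlist on top of it is what a tool exposed to an LLM needs anyway, because the model, not a human, is choosing the argument, and a single rejected call is far cheaper to log and investigate than an executed one.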
Sources: VentureBeat, The Register, VentureBeat