OpenClaw instances open to the internet present ripe targets
Briefly

"This time around, SecurityScorecard's STRIKE threat intelligence team is sounding the alarm over the sheer volume of internet-exposed OpenClaw instances it discovered, which numbers more than 135,000 as of this writing. When combined with previously known vulnerabilities in the vibe-coded AI assistant platform and links to prior breaches, STRIKE warns that there's a systemic security failure in the open-source AI agent space."
"For those unfamiliar with the saga of Clawdbot, er Moltbot, no, wait, OpenClaw (it keeps changing names), it's an open-source, vibe-coded agentic AI platform that has been, frankly, an unmitigated disaster for those worried about security. OpenClaw's skill store, where users can find extensions for the bot, is riddled with malicious software. Three high-risk CVEs have been attributed to it in recent weeks, and it's also been reported that its various skills can be easily cracked and forced to spill API keys, credit card numbers, PII, and other data valuable to cybercriminals."
SecurityScorecard's STRIKE threat intelligence team identified more than 135,000 internet-exposed OpenClaw instances, a large attack surface for an agent platform that handles API keys and other credentials on its users' behalf. Previously reported high-risk CVEs, a skill store carrying malicious extensions, and links to prior breaches point to weaknesses across the platform rather than isolated bugs. Default settings, convenience-driven deployments, and weak access controls make exploitation easy, and a compromised skill can leak API keys, credit card numbers, PII, and other sensitive data. Scale combined with insecure configuration makes these instances high-value targets and points to a systemic security failure in the open-source agent ecosystem. Operators should take exposed instances off the public internet, or at minimum put them behind authentication and network-level access controls, and audit every installed skill.
Read at The Register