Security Alert: CVE-2026-25253 and the ClawHub Malicious Skill Wave
February 2026 has been a wake-up call for the OpenClaw community. While the framework's power lies in its ability to interact with your local system, that same power is currently being exploited by threat actors.
If you haven't updated your OpenClaw installation in the last 48 hours, your data may be at risk.
The Vulnerability: CVE-2026-25253
A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-25253, was discovered earlier this month. The flaw exists in how OpenClaw parses "Skill Configuration" files.
An attacker can craft a malicious Markdown file that, when loaded by an OpenClaw agent, escapes the sandbox and executes arbitrary commands on the host machine. This gives the attacker the same permissions as the user running the OpenClaw process—which often includes access to browser cookies, SSH keys, and .env files.
The ClawHub "Poisoning" Attack
Adding to the complexity, the community marketplace ClawHub has seen a surge in "poisoned" skills. Attackers are uploading useful-sounding skills (like "Enhanced WhatsApp Integration" or "Crypto Portfolio Tracker") that contain hidden payloads.
Security firms SlowMist and Koi Security report that over 900 installations have already been compromised. The primary goal of these attacks appears to be credential harvesting—specifically targeting crypto wallets and cloud provider API keys.
How to Protect Yourself
The OpenClaw team has been working around the clock to mitigate these threats. Follow these steps immediately:
- Update to Version 2026.1.29 or Higher: The RCE flaw was patched in the 2026.1.29 release. If you are on an older version, your system is wide open.
- Audit Your Installed Skills: Go to your skills/ directory and look for any third-party additions you didn't explicitly vet.
- Use Docker-in-Docker (DinD): The safest way to run OpenClaw is inside a hardened Docker container that has no access to your host's root file system.
- GitHub Verification: Only download skills from "Verified" creators on ClawHub. The platform now requires a GitHub account for uploads, which helps in tracking malicious actors.
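One way to script the first two steps, as an added example that is not OpenClaw's own tooling: it checks a version string against the 2026.1.29 fix and compares each entry in skills/ with a baseline of digests you recorded when you vetted it. The baseline format, the function names, and the sample skill names and skill.md files are assumptions constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

PATCHED = (2026, 1, 29)  # first fixed release named in the advisory


def is_patched(version: str) -> bool:
    """True if a dotted numeric version is >= 2026.1.29; unparseable counts as unpatched."""
    try:
        return tuple(int(p) for p in version.strip().split(".")) >= PATCHED
    except ValueError:
        return False


def skill_digest(path: Path) -> str:
    """SHA-256 over a skill's file names and contents, in sorted order."""
    h = hashlib.sha256()
    files = [path] if path.is_file() else sorted(p for p in path.rglob("*") if p.is_file())
    for f in files:
        h.update(f.relative_to(path.parent).as_posix().encode() + b"\0" + f.read_bytes())
    return h.hexdigest()


def audit_skills(skills_dir: Path, vetted: dict[str, str]) -> dict[str, str]:
    """Flag top-level entries in skills/ that are absent from, or differ from, the baseline."""
    findings = {}
    for entry in sorted(skills_dir.iterdir()):
        expected = vetted.get(entry.name)
        if expected is None:
            findings[entry.name] = "unvetted"
        elif skill_digest(entry) != expected:
            findings[entry.name] = "modified"
    return findings


def demo() -> dict[str, str]:
    """Constructed sample tree: one vetted skill, one changed after vetting, one never vetted."""
    with tempfile.TemporaryDirectory() as tmp:
        skills = Path(tmp) / "skills"
        for name in ("notes", "calendar", "portfolio-tracker"):
            (skills / name).mkdir(parents=True)
            (skills / name / "skill.md").write_text(f"# {name}\n")
        vetted = {n: skill_digest(skills / n) for n in ("notes", "calendar")}
        (skills / "calendar" / "skill.md").write_text("# calendar\nextra step\n")
        return audit_skills(skills, vetted)


if __name__ == "__main__":
    print(is_patched("2026.1.28"), demo())
```

A matching digest only shows that a skill is unchanged since you vetted it; anything reported as unvetted or modified still needs a manual read before the agent loads it.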
Our Recommendation
For users who aren't comfortable managing their own server security, we strongly recommend migrating to a Managed Wrapper. Providers like SimpleClaw and SafeClaw have already patched their infrastructure and provide automated skill sandboxing that prevents these types of escapes.
You can compare security features of different providers on our Security Breakdown Section.
Stay safe, and remember: Never give an AI agent permission to access your root directory unless you trust every single plugin it has loaded.