Cybersecurity firm CertiK has issued a stark warning about the critical security risks introduced by the widespread integration of AI assistants like OpenClaw, which could lead to unauthorized actions, data exposure, system compromises, and drained cryptocurrency wallets.
OpenClaw is a self-hosted AI agent that integrates with messaging platforms such as WhatsApp, Slack, and Telegram, enabling it to autonomously manage tasks like email, calendars, and files on users' computers. The platform has grown rapidly, boasting an estimated 2 million active monthly users. It evolved from a side project called Clawdbot, launched in November 2025, and has since garnered over 300,000 GitHub stars, a sign of immense popularity, while accumulating serious security debt in the process.
However, this rapid growth has made OpenClaw a primary supply chain attack vector at scale. Security researchers have identified tens of thousands of internet-exposed instances. Bitsight found 30,000 such instances shortly after launch, and SecurityScorecard researchers later discovered 135,000 instances across 82 countries, with 15,200 specifically vulnerable to remote code execution.
CertiK's report details that OpenClaw has become the most aggressively scrutinized AI agent platform from a security standpoint, accumulating more than 280 GitHub Security Advisories and 100 Common Vulnerabilities and Exposures (CVEs), and experiencing a string of ecosystem-level attacks since its November launch.
The core risk lies in OpenClaw's architecture, which acts as a bridge between external inputs and local system execution, reintroducing classic attack vectors. These include local gateway hijacking, where malicious websites could exploit the agent's presence to extract sensitive data or execute unauthorized commands.
A major threat comes from malicious skills: plugins that can be installed from local or marketplace sources. Unlike traditional malware, these skills can manipulate behavior through natural language, resisting conventional scanning. Once launched, a malicious skill can exfiltrate sensitive information such as passwords and cryptocurrency wallet credentials, CertiK researchers stated. Malicious backdoors can also be hidden within legitimate codebases.
Researchers told Cointelegraph that attackers have strategically seeded malicious skills across high-value categories, including utilities for Phantom, wallet trackers, and Google Workspace integrations. The primary payload is designed to target a large number of browser extension wallets simultaneously, such as MetaMask, Phantom, Trust Wallet, Coinbase Wallet, and OKX Wallet. The tradecraft shows clear overlap with the broader crypto-theft ecosystem, employing social engineering, fake utility lures, and wallet-focused phishing.
In response to the concerns, OpenClaw founder Peter Steinberg, who recently joined OpenAI, stated at the ClawCon event in Tokyo that the team has been working on security improvements over the last two months. Meanwhile, CertiK advises ordinary users who are not security professionals or developers to avoid installing OpenClaw from scratch and to wait for more mature and hardened versions.