RT @HedgieMarkets
🦔 OpenClaw, the open-source AI agent that exploded to 200,000 GitHub stars in weeks, has become a security nightmare. In five weeks it accumulated 9 disclosed vulnerabilities, over 2,200 malicious add-ons in its marketplace, and 40,000 internet-exposed instances. Researchers found that 93% of those instances had authentication bypassed, and the project triggered 8 of 10 vulnerability classes that security experts warned about for AI agents.

The attack chain works like this: malicious add-ons in the marketplace instruct the AI agent to present fake setup dialogs to users, tricking them into entering passwords. The agent becomes the social engineering tool. One campaign distributed macOS malware by having the agent itself ask users for their credentials. Users trust their AI assistant, so they comply.
My Take
I believe this is what happens when something goes viral before anyone thinks through what they're actually deploying. Developers gave OpenClaw shell access to their computers, connected it to their email and Slack, handed it cloud API keys, and then installed add-ons from a community marketplace that had basically no vetting. Over 40% of the add-ons that got audited had serious security issues. The project went from weekend hack to 200,000 users before anyone built the guardrails.

The attack method here is new. The malware doesn't trick the human directly anymore, it tricks the AI agent into tricking the human. When your assistant asks you for a password to finish an installation, you probably enter it because you trust it. To anyone investigating later, it looks like you voluntarily installed the software. The agent's role is invisible. I've been writing about AI tools being deployed faster than security can keep up, and this is that problem at scale. If anyone at your company has been running OpenClaw, I'd treat it as compromised until proven otherwise.
Hedgie
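One defensive control the attack chain above argues for, as an added example that is not OpenClaw's code or anything from the post: an outbound guardrail that audits agent-to-user messages for credential solicitation, blocks any such request attributed to an add-on, and routes requests from the core agent to human review. The transcript structure, the `origin` field that attributes each message to the component that produced it, and the phrase list are assumptions made for illustration; the sample transcript is constructed.

```python
"""Guardrail for agent-to-user messages that solicit credentials.

Added example, not OpenClaw code. The message format, the `origin`
attribution field and the phrase patterns are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Hypothetical phrase patterns for "please give me a secret" messages.
# Real deployments would tune these against their own transcripts.
CREDENTIAL_PATTERNS = [
    # verb ... secret noun, e.g. "enter your macOS password"
    re.compile(
        r"\b(enter|type|provide|paste)\b.{0,40}"
        r"\b(password|passphrase|api key|token|2fa|one[- ]time code)\b",
        re.I,
    ),
    # secret noun ... justification, e.g. "API key is required to continue"
    re.compile(
        r"\b(password|passphrase|api key|token)\b.{0,40}"
        r"\b(to (finish|complete|continue)|required)\b",
        re.I,
    ),
]


@dataclass
class AgentMessage:
    turn: int
    origin: str   # "core" or "addon:<name>": which component produced the text (assumed field)
    text: str


def flags_credential_request(text: str) -> bool:
    """True when the text looks like a request for a password, key or code."""
    return any(p.search(text) for p in CREDENTIAL_PATTERNS)


def classify(m: AgentMessage, trusted_origins=("core",)) -> str:
    """Policy: add-on text may never ask the user for a secret; core text may, but only after review."""
    if not flags_credential_request(m.text):
        return "allow"
    return "review" if m.origin in trusted_origins else "block"


def filter_outbound(messages, trusted_origins=("core",)):
    """Apply the policy to a transcript; returns (turn, verdict, text shown to the user)."""
    shown = []
    for m in messages:
        verdict = classify(m, trusted_origins)
        if verdict == "block":
            text = f"[blocked: add-on {m.origin} attempted to request a credential]"
        elif verdict == "review":
            text = f"[held for review: core agent requested a credential]"
        else:
            text = m.text
        shown.append((m.turn, verdict, text))
    return shown


# Constructed sample transcript (not real OpenClaw output).
SAMPLE_TRANSCRIPT = [
    AgentMessage(1, "core", "I have summarized your unread email; three items need replies."),
    AgentMessage(2, "addon:pdf-tools", "Setup is almost done. Please enter your macOS password to finish the installation."),
    AgentMessage(3, "addon:calendar-sync", "Synced 12 events from your calendar."),
    AgentMessage(4, "core", "Your cloud API key is required to continue; paste it here."),
]

if __name__ == "__main__":
    for turn, verdict, text in filter_outbound(SAMPLE_TRANSCRIPT):
        print(f"turn {turn}: {verdict:6s} {text}")
```

The design point is attribution: the control only works if the runtime records which component authored each outbound message, so that add-on text can be held to a stricter rule than the core agent. Pattern matching alone will miss paraphrases; in practice the verdict from a check like this is one signal alongside the add-on's declared permissions and the tool calls made in the same turn.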
