Some recent articles, worthy of your attention:
DIY AI bot farm OpenClaw is a security 'dumpster fire'
https://www.theregister.com/2026/02/03/openclaw_security_problems/
- "In the past three days, the project has issued three high-impact security advisories: a one-click remote code execution vulnerability, and two command injection vulnerabilities."
- "In addition, Koi Security identified 341 malicious skills (OpenClaw extensions) submitted to ClawHub, a repository for OpenClaw skills that's been around for about a month."
Clouds rush to deliver OpenClaw-as-a-service offerings
https://www.theregister.com/2026/02/04/cloud_hosted_openclaw/
- "China’s Tencent Cloud was an early mover, last week delivering a one-click install tool for its Lighthouse service – an offering that allows users to deploy a small server and install an app or environment and run it for a few dollars a month."
- "DigitalOcean delivered a similar set of instructions a couple of days later, and aimed them at its Droplets IaaS offering."
- "Alibaba Cloud launched its offering today and made it available in 19 regions, starting at $4/month, and using its simple application server – its equivalent of Lighthouse or Droplets. Interestingly, the Chinese giant says it will soon offer OpenClaw on its Elastic Compute Service – its full-fat IaaS equivalent to AWS EC2 – and on its Elastic Desktop Service, suggesting the chance to rent a cloudy PC to run an AI assistant."
The CLAWDBOT/MOLTBOT Nightmare. The biggest risk to your privacy.
https://www.linkedin.com/pulse/clawdbotmoltbot-nightmare-biggest-risk-your-privacy-chris-duffy-caio-tfi6e/
- "Running AI agents without proper governance, isolation, and monitoring isn't innovation. It's negligence waiting to become a breach."
- "The businesses that win with AI won't be the ones who move fastest. They'll be the ones who build the internal capability to deploy safely."
Heather Adkins VP of Security at Google also took to X to voice her concern:
https://x.com/argvee/status/2015928303098712173
- "My threat model is not your threat model, but it should be, don't run Clawdbot"
https://www.linkedin.com/posts/makucharski_ai-cybersecurity-tdd-activity-7421820578786852865-aSPo
- "We've had the fix for SQL Injection since the early 2000s. 26 years later, it's still causing breaches. Now NCSC is warning about a vulnerability with no fix. And this week, it showed up on your employees' laptops - over 1,000 ClawdBot personal AI assistants found exposed, leaking corporate credentials in plaintext."
- "Exploiting Clawdbot via Backdoors"
- "Clawdbot is of course all the rage, showing an always-on personal AI assistant (PAI) with robust capabilities and potential."
- "Those of us in the security community are looking at it from the security angle."
- "One of the most interesting analysis I've found is from Jamieson O'Reilly."
- "He's published a two part series, in the first demonstrating the widespread publicly exposed deployments of Clawdbot and how it can be used to enumerate filesystems, data and more."
- hacking clawdbot and eating lobster souls
- eating lobster souls Part II: the supply chain (aka - backdooring the #1 downloaded clawdhub skill)
- "In his new piece today, he demonstrates how he creates a backdoored ClawdHub skill, demonstrating software supply chain attacks via 'skills'."
- "For those unfamiliar, ClawdHub, it's a package registry where developers share and download 'skills' to extend what Clawdbot can do, riding the wave of skills that continue to grow with the Clawdbot is of course all the rage, showing an always-on personal AI assistant (PAI) with robust capabilities and potential."
- "Those of us in the security community are looking at it from the security angle."
- "One of the most interesting analysis I've found is from Jamieson O'Reilly."
- "He's published a two part series, in the first demonstrating the widespread publicly exposed deployments of Clawdbot and how it can be used to enumerate filesystems, data and more.
In his new piece today, he demonstrates how he creates a backdoored ClawdHub skill, demonstrating software supply chain attacks via 'skills'." - "For those unfamiliar, ClawdHub, it's a package registry where developers share and download 'skills' to extend what Clawdbot can do, riding the wave of skills that continue to grow with the excitement around Agentic AI."
Zenity: OpenClaw or OpenDoor?
Indirect Prompt Injection makes OpenClaw vulnerable to Backdoors and much more.
https://labs.zenity.io/p/openclaw-or-opendoor-indirect-prompt-injection-makes-openclaw-vulnerable-to-backdoors-and-much-more
https://www.youtube.com/watch?v=jvlbhm2uSJ8
- "OpenClaw processes untrusted content from chats, skills, and external data sources without hard isolation from user intent."
- "Indirect prompt injection can be used to induce persistent configuration changes in the agent."
- "An attacker can establish a backdoor via a zero-click attack by adding a new chat integration under their control."
- "Once compromised, OpenClaw can be abused to execute commands, exfiltrate and delete files, and perform destructive actions on the host."
- "The agent’s persistent context (SOUL.md) can be modified and reinforced using scheduled tasks to create a long-lived listener for attacker-controlled instructions, maintaining persistence even after the original backdoor is closed."
- "The compromise can be further escalated by using OpenClaw to deploy a traditional C2 implant on the host, enabling the transition from agent-level manipulation to complete system-level compromise."
- "No software vulnerability is required. All attacks abuse OpenClaw’s intended capabilities."
Pi: The Minimal Agent Within OpenClaw
https://lucumr.pocoo.org/2026/1/31/pi/
Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware
https://thehackernews.com/2026/01/fake-moltbot-ai-coding-assistant-on-vs.html
- "Cybersecurity researchers have flagged a new malicious Microsoft Visual Studio Code (VS Code) extension for Moltbot (formerly Clawdbot) on the official Extension Marketplace that claims to be a free artificial intelligence (AI) coding assistant, but stealthily drops a malicious payload on compromised hosts."
- "The extension, named "ClawdBot Agent - AI Coding Assistant" ("clawdbot.clawdbot-agent"), has since been taken down by Microsoft. It was published by a user named "clawdbot" on January 27, 2026."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
https://en.wikipedia.org/wiki/OpenClaw
https://openclaw.ai/
"OpenClaw is a personal AI assistant you run on your own devices. It answers you on the channels you already use (WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, WebChat), plus extension channels like BlueBubbles, Matrix, Zalo, and Zalo Personal. It can speak and listen on macOS/iOS/Android, and can render a live Canvas you control. The Gateway is just the control plane — the product is the assistant."
https://github.com/openclaw/openclaw
"Your own personal AI assistant. Any OS. Any Platform. The lobster way."
https://github.com/badlogic/pi-mono/
"AI agent toolkit: coding agent CLI, unified LLM API, TUI & web UI libraries, Slack bot, vLLM pods"
