You installed OpenClaw because a coworker wouldn't stop talking about it. An AI agent — a program that runs tasks on your computer without you clicking every button — managing your files, emails, and calendar. You gave it shell access (permission to run commands directly on your operating system). Everything felt smooth. Automated. Calm.
Nobody mentioned that the thing running commands on your laptop has the same security model as an unmoderated app store from 2014. Anyone with a week-old GitHub account could upload a "skill" — a plugin that extends what OpenClaw can do — to ClawHub, the official marketplace. No review. No scanning. No signatures. Just vibes.
On March 27, 2026, OpenClawd shipped a security update with verified skill screening and runtime sandboxing — isolated containers that prevent plugins from touching anything outside their box. This arrived eight weeks after Koi Security researchers found that 341 out of 2,857 ClawHub skills were malware. That's 11.9%. Nearly one in eight.
Here's the timeline. On January 30, OpenClaw patched CVE-2026-25253 — a vulnerability (a security flaw serious enough to get an official tracking number) scoring 8.8 out of 10 on the severity scale. The flaw let attackers craft a single link that, when clicked, stole your authentication token (the digital key proving you're you) and gave them full remote code execution — the ability to run any command on your machine as if they were sitting at your keyboard.
Three days earlier, on January 27, the first malicious skill had already appeared on ClawHub. By January 31, an account called hightower6eu was mass-uploading across every category. Koi Security's February 1 audit traced 335 of those 341 skills to one coordinated campaign they named ClawHavoc. The payload: Atomic macOS Stealer (AMOS) — a compact program that harvests your keychain passwords, browser data from 60+ crypto wallet extensions, SSH keys (the credentials your machine uses to connect to servers), and files from your Desktop and Documents folders. By February 16, the count had grown to 824 malicious skills across 10,700+ marketplace entries.
Meanwhile, Bitsight scanned the internet and found over 30,000 OpenClaw instances sitting exposed on port 18789 — the network door OpenClaw listens on — between January 27 and February 8. As Danny Wilson from OpenClawd put it: "There are now two ways to get compromised before you even run your first OpenClaw command."
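The exposure Bitsight measured is something a self-hosted operator can check locally before anyone scans for it. The script below is an added example, not OpenClaw's own tooling: it parses the output of `ss -ltnp` on Linux and reports any socket on port 18789 (the port the article names) that is bound to a non-loopback address. The `ss` output embedded in it is constructed for the example; `live_check()` runs the real command on the current host.

```python
"""Flag an OpenClaw-style agent port that listens beyond loopback.

Added example, not OpenClaw project code. It parses `ss -ltnp` text (Linux,
iproute2) and reports binds of the agent port to addresses other than
127.0.0.0/8 or ::1. The sample output below is constructed.
"""
import re
import subprocess

OPENCLAW_PORT = 18789  # the port the article reports as exposed

# Constructed `ss -ltnp` sample: one loopback bind (safe), one wildcard bind
# (reachable from the network), and an unrelated sshd socket.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*         users:(("openclaw",pid=4242,fd=7))
LISTEN 0      128    0.0.0.0:18789       0.0.0.0:*         users:(("openclaw",pid=4243,fd=7))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
"""

# State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")


def parse_listeners(ss_output):
    """Return (local_addr, port, process_field) for every LISTEN row."""
    rows = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows


def is_loopback(addr):
    """True for IPv4 127.x.x.x and IPv6 ::1 in either ss spelling."""
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def exposed_binds(ss_output, port=OPENCLAW_PORT):
    """Non-loopback (addr, process) pairs on which `port` is listening."""
    return [(addr, proc) for addr, p, proc in parse_listeners(ss_output)
            if p == port and not is_loopback(addr)]


def live_check(port=OPENCLAW_PORT):
    """Run ss on this host and return the exposed binds, if any."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_binds(out, port)


if __name__ == "__main__":
    for addr, proc in exposed_binds(SAMPLE_SS_OUTPUT):
        print(f"WARNING: port {OPENCLAW_PORT} bound to {addr} ({proc}); "
              "bind it to 127.0.0.1 or place it behind an authenticated proxy")
```

An empty result from `live_check()` means the agent is only reachable from the machine itself; any non-empty result is an instance that would have shown up in the scan described above.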
If this sounds familiar, it should. npm — JavaScript's package manager — had its event-stream incident in 2018: a trusted library hijacked to steal cryptocurrency wallets. PyPI — Python's package index — faced waves of typosquatting attacks in 2022, where malicious packages mimicked popular ones with slightly misspelled names. The formula never changes: open marketplace plus zero verification plus explosive growth equals malware authors who move faster than maintainers.
OpenClawd's fix adds three layers: a vetting pipeline (automated analysis that blocks suspicious patterns before publication), runtime sandboxing (each skill runs in isolation with explicit permissions), and signed installers (cryptographic proof that the software hasn't been tampered with). Solid engineering. One problem: it only covers OpenClawd's managed hosting. The majority of OpenClaw users run self-hosted instances. They get nothing. The broader skill ecosystem still has no cryptographic signing standard.
If you run any AI agent with shell access — OpenClaw or otherwise — treat it like a production server. Audit what permissions it has. Pin your plugin versions so updates don't sneak in. Never install unverified skills. Assume every third-party plugin is hostile until proven otherwise. This isn't paranoia. It's ops hygiene ⚙️
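The three habits above (audit permissions, pin versions, refuse unverified skills) can be enforced by a small pre-load check. What follows is an added example and not part of OpenClaw or ClawHub; the lockfile format, the `skill.json` manifest layout, and permission names such as `shell:exec` and `keychain:read` are assumptions made for illustration. A skill is refused if it is absent from the lockfile, if its version or content digest differs from the pinned values, or if it requests permissions that were never explicitly granted. A content digest in a lockfile stops silent updates and tampering, but it is not the cryptographic signing standard the article notes the ecosystem still lacks; it only proves the tree matches what you pinned.

```python
"""Audit installed skills against a pinned lockfile before loading them.

Added example, not OpenClaw project code. Lockfile format, directory
layout, and permission names are assumed. Sample skills are constructed
in a temporary directory so the whole thing runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Permissions a skill may hold without an explicit grant (assumed names).
# Shell and keychain access are deliberately absent from this set.
DEFAULT_ALLOWED_PERMS = {"fs:read", "net:fetch"}


def digest_dir(path: Path) -> str:
    """SHA-256 over every file and its relative path, so renames also change the digest."""
    h = hashlib.sha256()
    for f in sorted(p for p in path.rglob("*") if p.is_file()):
        h.update(str(f.relative_to(path)).encode())
        h.update(b"\0")
        h.update(f.read_bytes())
    return h.hexdigest()


def audit_skill(name, manifest, lock_entry, skill_dir, allowed=DEFAULT_ALLOWED_PERMS):
    """Return findings for one skill; an empty list means it may be loaded."""
    findings = []
    if lock_entry is None:
        findings.append(f"{name}: not pinned in lockfile; refuse to load")
        return findings
    if manifest.get("version") != lock_entry["version"]:
        findings.append(f"{name}: version {manifest.get('version')} != pinned {lock_entry['version']}")
    if digest_dir(skill_dir) != lock_entry["sha256"]:
        findings.append(f"{name}: content digest mismatch (tampered or silently updated)")
    extra = set(manifest.get("permissions", [])) - allowed - set(lock_entry.get("granted", []))
    if extra:
        findings.append(f"{name}: requests ungranted permissions {sorted(extra)}")
    return findings


def audit_all(skills_root: Path, lockfile: Path):
    """Audit every skill directory under skills_root against the lockfile."""
    lock = json.loads(lockfile.read_text())
    findings = []
    for skill_dir in sorted(p for p in skills_root.iterdir() if p.is_dir()):
        manifest = json.loads((skill_dir / "skill.json").read_text())
        findings += audit_skill(skill_dir.name, manifest, lock.get(skill_dir.name), skill_dir)
    return findings


def build_demo(root: Path) -> Path:
    """Construct three sample skills and a lockfile; returns the lockfile path."""
    skills = root / "skills"

    def make(name, version, perms, body):
        d = skills / name
        d.mkdir(parents=True)
        (d / "skill.json").write_text(json.dumps(
            {"name": name, "version": version, "permissions": perms}))
        (d / "main.py").write_text(body)
        return d

    good = make("calendar-sync", "1.2.0", ["fs:read", "net:fetch"], "print('sync')\n")
    bad = make("disk-cleaner", "0.9.1", ["fs:read"], "print('clean')\n")
    make("unpinned-helper", "0.0.1", ["fs:read"], "print('hi')\n")  # never pinned
    lockfile = root / "skills.lock.json"
    lockfile.write_text(json.dumps({
        "calendar-sync": {"version": "1.2.0", "sha256": digest_dir(good), "granted": []},
        "disk-cleaner": {"version": "0.9.1", "sha256": digest_dir(bad), "granted": []},
    }))
    # Simulate a post-pin "update" that slips shell and keychain access into disk-cleaner.
    (bad / "skill.json").write_text(json.dumps(
        {"name": "disk-cleaner", "version": "0.9.1",
         "permissions": ["fs:read", "shell:exec", "keychain:read"]}))
    return lockfile


def run_demo():
    """Build the constructed skills in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return audit_all(root / "skills", build_demo(root))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

In the constructed run, `calendar-sync` passes, `disk-cleaner` is refused twice over (its digest no longer matches the lock, and it now asks for shell and keychain access nobody granted), and `unpinned-helper` is refused because it was never pinned at all. Adding a permission to `granted` in the lockfile is the only way to let a skill past the allowlist, which is the explicit, reviewed step you want between a plugin and your shell.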
The personal AI agent era just got its first real supply-chain crisis. The cleanup will take longer than the hype cycle that created it. Your automation should make life calmer — not hand your keychain to a stranger 🫶