
OpenClaw Is a Preview of What's Coming. Is Your Business Ready? | Signal

April 6, 2026


OpenClaw Is a Preview of What's Coming and Most Businesses Aren't Ready

Let's be real about something the AI industry keeps dancing around.

The same qualities that make an AI agent powerful (autonomous action, broad system access, persistent memory, the ability to execute tasks without being asked) are exactly what make deploying one without proper vetting a serious business risk. OpenClaw makes this impossible to ignore.

Within three weeks of going viral, OpenClaw became the focal point of a multi-vector security crisis involving a critical remote code execution vulnerability, a large-scale supply-chain poisoning campaign in its skills marketplace, and systemic architectural weaknesses that amplified the impact of both.

This is not a story about a flawed product. It's a story about what happens when the speed of adoption outpaces the frameworks businesses have for evaluating what they're deploying.

The numbers are not theoretical

Every OpenClaw deployment ships with the gateway unauthenticated. Most people who deployed it didn't know this. Many still don't.

CVE-2026-25253, a cross-site WebSocket hijacking bug rated 8.8 on the CVSS severity scale, meant any website could steal your authentication token and run arbitrary code on your machine through a single malicious link (TechRadar). Before the patch landed, Censys tracked growth from approximately 1,000 to over 21,000 publicly exposed instances in under a week.

Then the marketplace got hit. 341 malicious skills were discovered in ClawHub, roughly 12% of the entire registry, with updated scans later reporting over 800 malicious skills, or approximately 20% of the registry (Conscia). These weren't obviously suspicious. They had professional documentation and innocent names. They installed keyloggers.

Between March 18 and March 21 alone, nine new CVEs were publicly disclosed. One scored 9.9 out of 10 on the CVSS scale (Openclawai).

Here's the opinion you won't hear from startups building agents

The OpenClaw crisis wasn't caused by bad intentions. OpenClaw was built as a hobbyist project by a single developer. It went viral because it worked, not because it was secure. Peter Steinberger built something genuinely remarkable. The market adopted it faster than any security framework could keep up with.

That pattern is not unique to OpenClaw. It is the pattern of the entire AI agent market right now.

Every vendor selling an AI agent into your business workflows has made dozens of architectural decisions you haven't seen — about what the agent can access, how it handles failure, what happens when it gets something wrong, and who is responsible when it does. The demo doesn't show you any of that. The sales deck doesn't either. And unlike a SaaS tool that sits in a browser tab, an agent that touches your files, your email, your customer data, and your internal systems can cause damage that isn't reversible with a password reset.

Cisco Talos described OpenClaw as "groundbreaking" — a dream for busy professionals, but "an absolute nightmare" from a security perspective. You can bet that that tension isn't going away. The productivity case for agents is real. The risk of deploying them without evidence is equally real.

What this means if you're evaluating AI agents right now

OpenClaw is open source, so its vulnerabilities became public quickly. The agents being sold into your business operations by funded startups with polished decks are not open source. You have less visibility, not more.

The question to ask every vendor isn't whether their agent works in a demo. It's how it behaves in production — what it can access, how failures are logged, whether autonomy can be dialed back without rebuilding your integration, and what evidence they can show you of real-world performance outside a controlled environment.

We have seen this before. The shape of this crisis is identical to Log4Shell, to AutoGPT, to every open-source tool that went viral before its security architecture was ready for the exposure virality creates. It will happen again.

That's what Signal is for.