The week Peter Steinberger announced he was joining OpenAI turned out to be one of the most eventful in OpenClaw’s short history — and not only for reasons anyone planned. While the founder hire dominated headlines, a coordinated supply chain attack was quietly poisoning the project’s skill marketplace, two security-focused releases shipped in quick succession, and Microsoft’s security team published a formal hardening guide for enterprise deployments.
Here is what happened.
ClawHavoc: 1,184 malicious skills in the official marketplace
The most serious development of the week came from researchers at Koi Security, who on February 1st named a campaign they’d been tracking since late January: ClawHavoc.
The attack targeted ClawHub, OpenClaw’s official marketplace for community-built skills — the plugin-style extensions that give agents new capabilities. By the time the full scope became clear, researchers had identified 1,184 malicious skills distributed across the marketplace, representing roughly 12% of the total skill catalogue at the time.
The infection chain was methodical. Attackers registered as legitimate ClawHub developers, uploaded skills with professional-looking README and SKILL.md files, and buried the payload in the “Prerequisites” section — instructions urging users to copy-paste terminal commands or download helper tools from attacker-controlled domains. The social engineering worked because the agent itself read and summarised these files, lending them the implicit credibility of an AI recommendation.
If the commands were executed, Atomic Stealer (AMOS) or a keylogger was deployed, targeting browser cookies, system keychains, OpenClaw environment files, API keys, and cryptocurrency wallets.
A separate but related incident emerged on February 17th: StepSecurity’s npm monitoring system detected a malicious release of [email protected] that silently installed OpenClaw via a post-install script — using the project’s own legitimate reputation as a delivery vector.
Security Boulevard’s analysis identified the structural weakness ClawHavoc exploited: OpenClaw’s “sovereign architecture” — the same local-first design that makes it powerful — grants agents direct filesystem and terminal access with insufficient oversight at the skill ingestion layer. The LLM doesn’t distinguish between a legitimate prerequisite and a social-engineered payload instruction. Both arrive as text.
What to do if you run ClawHub skills: audit all installed skills, remove anything unverified or recently installed, and treat SKILL.md “prerequisites” sections asking for terminal input as a red flag until the project ships skill signature verification.
Two security releases in five days
The project responded with back-to-back releases that addressed both the infrastructure vulnerabilities and the growing attack surface.
v2026.2.12 — 40+ vulnerabilities patched (February 13)
Version 2026.2.12 was the more urgent of the two: a security-first release that patched over 40 vulnerabilities across hooks, browser control, scheduling, messaging channels, and the gateway layer.
The headline fixes, disclosed by Endor Labs, addressed six specific classes of vulnerability:
- SSRF (Server-Side Request Forgery): Gateway and OpenResponses now enforce strict deny policies for URL-based requests, with hostname allowlists, per-request URL limits, and audit logging for blocked attempts. The previous design allowed agents to be used as proxies for probing internal networks.
- Missing webhook authentication: Inbound webhooks were reachable without verification. Now gated.
- Path traversal: File access operations failed to sanitise paths adequately.
- Prompt injection hardening: Outputs from browser and web tools are now treated as untrusted data, wrapped in structured metadata and cleaned before reaching the model. This doesn’t eliminate prompt injection as a class — it remains an open research problem — but it raises the cost of exploitation.
CVE-2026-25253, a critical vulnerability patched in v2026.1.29, was included in the retrospective disclosure. If you are running anything older than 2026.1.29, that vulnerability is unpatched on your system.
v2026.2.17 — Sonnet 4.6, 1M context, platform features (February 17)
Four days later, v2026.2.17 shipped — primarily a feature release, though it carried additional security fixes alongside a substantial platform update.
The headline capability: one million token context window for Claude Opus 4.6 and Sonnet users, enabled by setting params.context1m: true in the model config. The feature maps to Anthropic’s context-1m-2025-08-07 beta header and remains opt-in. For agents processing large codebases or extended document sets, this changes what’s practical in a single session.
Full Sonnet 4.6 support was added — anthropic/claude-sonnet-4-6 now works natively, with backward-compatible fallbacks for providers whose model catalogues haven’t updated. Given that Sonnet 4.6 matches Opus-level performance at roughly one-fifth the cost per token, the practical implication is that most OpenClaw deployments can cut inference costs significantly without a capability trade-off.
Platform improvements across messaging channels included native token-by-token streaming for Slack, inline button styling and reaction surfacing for Telegram, reusable interactive components and /exec autocomplete for Discord, reply targeting for iMessage, and a new /subagents spawn command for deterministic subagent launching — directly relevant to the multi-agent workflows Steinberger is heading to OpenAI to develop.
Webhook delivery for cron jobs with staggered scheduling and per-run usage telemetry round out the infrastructure additions. 72 contributors were credited in the release.
A credential theft vulnerability was referenced in connection with this release by GBHackers, though full technical details had not been publicly disclosed at time of writing.
Microsoft publishes a hardening guide
Microsoft’s Security Blog published formal guidance today on running OpenClaw safely in enterprise environments — a notable development in its own right. It signals that the project has reached a scale where major enterprise security teams consider it worth addressing formally, rather than simply advising against use.
The guidance covers identity (treating agent accounts as privileged users, not service accounts), isolation (sandboxing, network segmentation), and runtime risk (monitoring for anomalous tool invocations and exfiltration patterns). The framing is practical rather than dismissive: Microsoft assumes deployment will happen and focuses on reducing blast radius when things go wrong.
Gartner’s previously reported assessment — that OpenClaw represented “an unacceptable cybersecurity risk” in its early form — appears to be evolving, at least in posture. Whether the 2026.2.12 patches move the needle on that rating has not been updated publicly.
The broader picture
The security story around OpenClaw is not primarily about bad code. The structural tension is architectural: a local-first, open-source agent with direct system access and a community skill marketplace is a powerful combination that also creates a substantial attack surface. The same properties that make it attractive — extensibility, local execution, no vendor lock-in — are the properties that make ClawHavoc-style attacks possible.
The project is shipping patches faster than most open-source security responses. Two significant releases in five days, with 40+ vulnerabilities addressed and a formal commitment to prompt injection defences, is not nothing. Whether it’s fast enough, given the deployment growth curve and the attention now attached to the project post-Steinberger hire, is a different question.
For users: stay current on releases, audit ClawHub skills before installing them, and follow the Microsoft hardening guidance if you’re deploying in any environment where the data at risk is real.
Sources: SC World · Cyberpress · eSecurity Planet · Security Boulevard · StepSecurity · CybersecurityNews — 2.12 · CybersecurityNews — 2.17 · OpenClaw.report · GBHackers · Barrack.ai · Microsoft Security Blog · GitHub release