Openclaw AI encounters security vulnerability, users could be attacked by malicious "skills"

TapChiBitcoin

A report by cybersecurity firm Certik on March 16, 2026, warns that OpenClaw, an open-source artificial intelligence platform, has multiple security vulnerabilities, especially in its “skill scanning” mechanism, which is insufficient to protect users from malicious third-party extensions (skills).

According to the report, OpenClaw’s security model relies too heavily on detection and alerting rather than runtime isolation, leaving users exposed to system-level compromise.

Limitations of ClawHub’s Moderation Process

On the OpenClaw marketplace, ClawHub, third-party applications called “skills”—such as automation tools or crypto wallet managers—are moderated through multiple layers: VirusTotal for known-malware scans, a Static Moderation Engine that looks for suspicious code patterns, and an “incoherence detector” that checks for discrepancies between a skill’s declared purpose and its actual behavior.

However, Certik argues that static rules can be bypassed simply by rewriting the code. The AI evaluation layer only catches explicitly stated intent, so hidden vulnerabilities in seemingly legitimate code can go unnoticed.

The “Pending” Vulnerability

A critical weakness is how pending scan results are handled. A skill can be installed even if VirusTotal has not yet returned a verdict. That verdict can take hours or days to arrive, yet in the meantime the system treats the skill as “safe.”

To demonstrate this, Certik researchers created a proof-of-concept skill called “test-web-searcher.” The skill looks normal but contains a flaw that allows arbitrary command execution on the server. When triggered via Telegram, the skill escaped OpenClaw’s sandbox and executed on the test machine—a clear example of full system compromise.

Recommendations and Warnings

The report concludes that detection cannot replace true security boundaries. Certik recommends that OpenClaw run third-party skills in isolated environments by default and require skills to declare the resources they need up front, similar to the permission model of modern mobile operating systems.
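To make the two points above concrete (the “pending means safe” gap and the recommended declare-resources-up-front model), here is an added illustration written for this article; it is not OpenClaw’s or Certik’s code, and the manifest fields, resource names and function names are assumptions. It contrasts the weak fail-open install rule with a fail-closed one, and adds a runtime check that denies any resource a skill did not declare, regardless of the scan verdict.

```python
from dataclasses import dataclass
from enum import Enum


class ScanStatus(Enum):
    PENDING = "pending"      # the scanner has not returned a verdict yet
    BENIGN = "benign"
    MALICIOUS = "malicious"


@dataclass(frozen=True)
class SkillManifest:
    name: str
    declared_resources: frozenset  # assumed field: resources requested up front


# Assumed resource vocabulary for the illustration.
KNOWN_RESOURCES = frozenset({"network", "filesystem:read", "filesystem:write", "shell"})


def fail_open_install(status: ScanStatus) -> bool:
    """The weak rule: install unless a verdict says malicious, so PENDING passes."""
    return status is not ScanStatus.MALICIOUS


def fail_closed_install(manifest: SkillManifest, status: ScanStatus) -> tuple[bool, str]:
    """Hardened rule: only a completed benign verdict plus a valid manifest installs."""
    if status is not ScanStatus.BENIGN:
        return False, f"{manifest.name}: scan status is {status.value}, not benign"
    unknown = manifest.declared_resources - KNOWN_RESOURCES
    if unknown:
        return False, f"{manifest.name}: undeclared/unknown resources {sorted(unknown)}"
    return True, f"{manifest.name}: installed with {sorted(manifest.declared_resources)}"


def resource_allowed(manifest: SkillManifest, resource: str) -> bool:
    """Runtime boundary: deny anything the skill did not declare, whatever the scan said."""
    return resource in manifest.declared_resources


# Constructed sample manifest: a web-search skill that declares only network access.
WEB_SEARCHER = SkillManifest("test-web-searcher", frozenset({"network"}))

if __name__ == "__main__":
    print(fail_open_install(ScanStatus.PENDING))                 # True: the gap
    print(fail_closed_install(WEB_SEARCHER, ScanStatus.PENDING))  # (False, ...)
    print(fail_closed_install(WEB_SEARCHER, ScanStatus.BENIGN))   # (True, ...)
    print(resource_allowed(WEB_SEARCHER, "shell"))                # False: not declared
```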

Users are warned that a “benign” label on ClawHub does not guarantee safety. Until stronger isolation is enforced by default, the platform should only be used in low-value environments, away from sensitive information or critical assets.
