135,000-star OpenClaw hits SaaS security crisis
OpenClaw’s viral growth brought malicious skills, exposed instances, and leaked tokens, showing how AI agents widen SaaS risk fast.

OpenClaw’s rapid adoption exposed a wave of AI-agent security failures across SaaS systems.
OpenClaw, an open-source AI agent created by Peter Steinberger, hit more than 135,000 GitHub stars within weeks and then became tied to a string of security incidents in early 2026. Reco’s February 12 analysis says the agent’s broad access to files, email, calendars, and messaging tools turned a productivity tool into a fast-moving attack surface.

| Item | Value |
|---|---|
| GitHub stars | 135,000+ |
| Malicious skills found | 341 |
| Total skills registry | 2,857 |
| Exposed internet instances | 21,639 |
| Leaked email addresses | 35,000 |
| Leaked agent API tokens | 1.5 million |
| CVSS score | 8.8 |

What changed

OpenClaw, previously called Clawdbot and Moltbot after trademark disputes, runs locally and connects to models such as Claude and GPT. It can execute shell commands, read and write files, browse the web, send email, manage calendars, and keep persistent memory across sessions, which means it can retain context and access over time.

That reach made it a target almost immediately. Reco says the first two weeks after OpenClaw went viral brought a cluster of incidents: malicious skills in its public marketplace, a remote code execution flaw, exposed management interfaces, and a separate breach in a related agent network called Moltbook.
- Jan. 27-29, 2026: attackers pushed 335 malicious skills through ClawHub.
- Researchers later counted 341 malicious skills in a 2,857-skill registry, about 12%.
- Jan. 30: OpenClaw patched CVE-2026-25253, a one-click RCE issue.
- Jan. 31: Censys found 21,639 exposed instances online, up from about 1,000 days earlier.
- Jan. 31: Moltbook exposed 35,000 email addresses and 1.5 million agent API tokens.
- Feb. 3: OpenClaw disclosed three high-impact advisories, including two command-injection bugs.

The core technical problem was not one bug. It was the combination of marketplace trust, local exposure, and agent permissions that let a single malicious link or skill trigger code execution and data access in milliseconds.

Why it matters

For companies, the bigger risk is shadow AI with elevated access. Employees can connect personal agents to Slack, Google Workspace, email, and document systems without security review, then hand over OAuth tokens and data that can be reused across sessions if the agent is compromised.

That makes standard controls less effective. Endpoint tools see processes, network tools see API traffic, and identity systems see grants, but none of them are built to flag autonomous agent behavior as a separate class of risk. Reco argues security teams need direct visibility into agent connections, permissions, and app-to-app activity before those links become an incident.
The takeaway is blunt: OpenClaw is less a one-off problem than a preview of what happens when autonomous agents get broad SaaS access faster than security teams can map it.