The growing integration of artificial intelligence assistants, such as the self-hosted AI agent OpenClaw, poses significant security threats to users. Cybersecurity firm CertiK has issued a warning detailing risks that include unauthorized actions, data exposure, system compromises, and the potential draining of cryptocurrency wallets.

The Rise and Security Debt of OpenClaw

Rapid Adoption and Exposure

OpenClaw, which integrates with platforms like WhatsApp, Slack, and Telegram, allows autonomous actions on user computers, managing tasks such as emails and files. Launched in November 2025, the agent quickly gained traction, evidenced by over 300,000 GitHub stars, signaling immense popularity.

However, this rapid adoption has accumulated substantial "security debt," according to CertiK researchers. Within weeks of its release, security firms identified massive exposure: Bitsight located 30,000 internet-exposed instances, while SecurityScorecard found 135,000 instances across 82 countries.

Security Scrutiny and Vulnerabilities

OpenClaw has become one of the most heavily scrutinized AI agent platforms from a security perspective. Since its November launch, it has accumulated over 280 GitHub Security Advisories and 100 Common Vulnerabilities and Exposures (CVEs).

CertiK researchers noted a "string of ecosystem-level attacks" targeting the platform. Because OpenClaw bridges external inputs with local system execution, it creates "classic attack vectors." These include local gateway hijacking, where malicious payloads exploit the agent's local presence to steal data or execute unauthorized commands.

The Threat of Malicious Skills

Natural Language Manipulation

A key danger lies in plugins and extensions that add new capabilities, as malicious skills can be installed from local or marketplace sources. Unlike traditional malware, these malicious skills can manipulate system behavior using natural language, making them resistant to conventional scanning methods.

Once activated, these skills can exfiltrate highly sensitive information, specifically passwords and cryptocurrency wallet credentials. Furthermore, backdoors may be concealed within otherwise functional codebases, fetching seemingly harmless URLs that ultimately deliver shell commands or malware payloads.

Targeting the Crypto Ecosystem

Attackers have strategically seeded malicious skills across high-value categories within the crypto space. These categories included utilities for Phantom, wallet trackers, insider-wallet finders, Polymarket tools, and Google Workspace integrations.

The primary payload was designed to target a wide array of browser extension wallets simultaneously. This broad net included MetaMask, Phantom, Trust Wallet, Coinbase Wallet, and OKX Wallet, among others. CertiK observed a clear overlap in tradecraft with existing crypto-theft methods, such as social engineering, fake utility lures, and credential theft.

Industry Response and Mitigation Efforts

Peter Steinberger, the founder of OpenClaw who recently joined OpenAI, acknowledged the security challenges. He stated that security has been a primary focus for the last two months, indicating that conditions have improved significantly on that front.

Other security firms are also addressing the growing risks associated with autonomous AI systems. Earlier this month, OX Security reported a phishing campaign utilizing fake GitHub posts and a bogus "CLAW" token. Additionally, SlowMist introduced a security framework in March, positioning it as a "digital fortress" to defend against risks posed by autonomous agents handling on-chain actions.