Amazon Web Services has launched a managed OpenClaw deployment blueprint on Amazon Lightsail, its simplified VPS product, giving OpenClaw an official one-click cloud hosting path for the first time. The blueprint ships with Amazon Bedrock preconfigured (defaulting to Claude Sonnet 4.6), automates IAM role creation, and lets users pair their browser via SSH credentials before connecting through WhatsApp, Telegram, Slack, Discord, or web chat.
The timing is extraordinary. The same week AWS stamps its logo on OpenClaw, Bitdefender has found that approximately 900 skills listed on ClawHub — OpenClaw’s official skill marketplace — are malicious. That’s roughly 20% of all published skills. Some are credential stealers disguised as utilities. Others use obfuscated payloads sophisticated enough to slip through code review.
AWS is building a front door. The security data suggests the house may already be on fire.
The Legitimacy Play
The Lightsail blueprint addresses real friction. Self-hosting OpenClaw on EC2 required DevOps knowledge most users don’t have — configuring TLS, managing IAM policies, hardening WebSocket endpoints. Lightsail reduces that to picking a blueprint and running a CloudShell script, according to AWS’s announcement blog post.
For AWS, the math is obvious. OpenClaw has 250,000+ GitHub stars. Wikipedia notes 2 million visitors in a single week. SecurityScorecard’s STRIKE team found 42,900 public-facing instances across 82 countries, and 98.6% of those already run on cloud platforms — DigitalOcean, Alibaba Cloud, Tencent, and AWS itself. Demand exists. AWS wants to capture it before competitors do.
The blueprint includes some hardening: sandboxed execution, device-pairing authentication, and HTTPS without manual TLS setup. AWS’s own documentation acknowledges risk, noting that running OpenClaw “may cause a security threat if you are careless.” The guide recommends never exposing the gateway publicly, rotating tokens frequently, and storing credentials in environment files rather than config files.
That’s a careful hedge. It also undersells the problem significantly.
The Security Landscape AWS Is Walking Into
The core vulnerability hasn’t gone away. CVE-2026-25253, disclosed February 1, affects all OpenClaw versions before 2026.1.29 and enables one-click remote code execution through WebSocket token theft. An attacker crafts a malicious URL; when a victim clicks it, their authentication token gets silently forwarded to an attacker-controlled server. No confirmation prompt. No visible warning.
Hunt.io researchers found over 17,500 internet-exposed instances vulnerable to this flaw. Once an attacker has a token, they can connect to the victim’s OpenClaw gateway, modify security configurations, and execute privileged operations on the host system. Every one of those instances stores API credentials for Claude, OpenAI, Google AI, and similar services — making each compromised gateway a credential farm.
Bitsight identified more than 30,000 exposed instances between January and February. SecurityScorecard put the number at 42,900 across 82 countries, with 15,200 confirmed vulnerable to remote code execution.
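The three AWS recommendations quoted above and the CVE-2026-25253 version cutoff can be checked across a fleet in one pass. The script below is an added example, not code from AWS or the OpenClaw project; the inventory records, field names, config keys and the 30-day token age limit are assumptions made up for illustration.

```python
import ipaddress
import re
from datetime import date

PATCHED = (2026, 1, 29)     # from the article: versions before 2026.1.29 are affected
MAX_TOKEN_AGE_DAYS = 30     # assumption: the article only says "frequently"
SECRET_RE = re.compile(r"(?i)\b\w*(api[_-]?key|token|secret)\w*\s*[:=]\s*\S+")

def parse_version(text):
    """Return (year, month, patch) as integers, or None if the string has another shape."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def audit(instance, today):
    """Return a sorted list of finding codes for one inventory record."""
    findings = []
    version = parse_version(instance["version"])
    if version is None:
        findings.append("version-unknown")      # cannot be shown to be patched
    elif version < PATCHED:                     # numeric compare, not string compare
        findings.append("CVE-2026-25253")
    bind = ipaddress.ip_address(instance["bind"])
    if bind.is_unspecified or bind.is_global:   # listening on all interfaces or a public IP
        findings.append("gateway-public")
    if (today - instance["token_issued"]).days > MAX_TOKEN_AGE_DAYS:
        findings.append("token-stale")
    if SECRET_RE.search(instance["config_text"]):
        findings.append("secret-in-config")     # belongs in an environment file instead
    return sorted(findings)

# Constructed inventory; hosts, field names and config keys are hypothetical.
INVENTORY = [
    {"host": "agent-a", "version": "2026.1.28", "bind": "0.0.0.0",
     "token_issued": date(2026, 1, 2),
     "config_text": "model: sonnet\napi_key: sk-example\n"},
    {"host": "agent-b", "version": "2026.2.3", "bind": "127.0.0.1",
     "token_issued": date(2026, 2, 20),
     "config_text": "model: sonnet\nenv_file: /etc/agent.env\n"},
    # A string comparison would rank 2026.1.3 above 2026.1.29 and call this one patched.
    {"host": "agent-c", "version": "2026.1.3", "bind": "10.0.0.5",
     "token_issued": date(2026, 2, 25), "config_text": "log_level: info\n"},
]

def report(today=date(2026, 3, 1)):
    """Map each host to its findings; an empty list means no finding."""
    return {i["host"]: audit(i, today) for i in INVENTORY}

if __name__ == "__main__":
    for host, findings in report().items():
        print(host, findings or "ok")
```
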
Then there’s prompt injection — the architectural problem no deployment configuration can solve. Giskard research demonstrated that carefully crafted prompts can extract API keys, environment variables, and secrets from running agents. Microsoft warned that OpenClaw should be treated as “untrusted code execution with persistent credentials” and recommended full isolation for any evaluation. OpenClaw grants agents system-level permissions — file access, script execution, browser control via Playwright — and those permissions become the attacker’s permissions once a gateway is compromised.
The ClawHub Supply Chain Problem
The Bitdefender finding about ClawHub is arguably more alarming than the CVE itself. CVE-2026-25253 is a specific bug with a specific patch. ClawHub’s contamination is structural.
ClawHub is OpenClaw’s skill registry — the npm equivalent for agent capabilities. Users install skills to give their agents new abilities: email management, calendar integration, browser automation. Bitdefender found that roughly 900 published skills, about 20% of the total, are malicious. The attack types range from obvious credential stealers to sophisticated backdoors offering persistent access.
This mirrors the supply chain attacks that have plagued npm and PyPI for years, but the stakes are materially higher. An npm package runs in a Node.js process with limited default permissions. An OpenClaw skill runs with the agent’s full system-level access — reading messages, touching API keys, executing files, controlling the browser. A malicious skill has every credential the agent can reach.
For enterprise deployments, this is the nightmare scenario. A well-meaning developer installs a productivity skill from ClawHub, and it silently exfiltrates every API key stored in the agent’s environment. No CVE needed. No exploit chain. Just a marketplace that doesn’t adequately vet 20% of its listings.
The Shadow AI Problem
The security findings have drawn government attention. China’s Ministry of Industry and Information Technology issued warnings. South Korean tech companies have banned internal use. But the more revealing number comes from Token Security: 22% of organizations have employees running OpenClaw without IT approval.
That means nearly a quarter of companies with OpenClaw exposure don’t know they have OpenClaw exposure. Their employees have deployed autonomous AI agents with system-level permissions on corporate networks, connecting to email, calendars, and messaging systems — all outside the view of IT security teams. Even if a CISO patches the CVE and blocks ClawHub, they first have to know the agents exist.
Shadow AI is the successor to shadow IT, and it’s harder to detect. A rogue SaaS subscription shows up in network logs. A rogue OpenClaw agent looks like normal WebSocket traffic until it starts exfiltrating data.
What AWS’s Bet Actually Means
AWS is making a calculated wager: that managed infrastructure can reduce the risk enough to make OpenClaw enterprise-viable. A Lightsail blueprint with sensible defaults — sandboxed execution, forced authentication, HTTPS by default — does eliminate the lowest-hanging fruit. No more exposed gateways with default tokens on port 3000.
But managed hosting doesn’t solve the architectural problems. It doesn’t fix prompt injection. It doesn’t vet ClawHub skills. It doesn’t prevent an agent with system permissions from being tricked into exfiltrating credentials. And it doesn’t address the 22% of organizations whose employees are running unsanctioned agents that no Lightsail blueprint will touch.
The parallel to draw is AWS launching managed Kubernetes before container security was solved. The managed service reduced operational burden but inherited every vulnerability in the container runtime, the supply chain, and the orchestration layer. AWS benefited from the adoption wave. The security problems were someone else’s to fix.
OpenClaw’s creator, Peter Steinberger, joined OpenAI in mid-February after Sam Altman called him a “genius.” The project transitioned to an independent open-source foundation with OpenAI funding. That governance structure may eventually produce the security hardening the ecosystem needs — skill signing, sandboxed execution by default, mandatory permission scoping. But “eventually” is doing heavy lifting in a sentence about a platform with 17,500 exposed instances today.
The Two-Track Reality
OpenClaw now exists on two parallel tracks that are moving at very different speeds.
Track one: legitimization. AWS managed hosting. OpenAI backing. 250,000 GitHub stars. Jensen Huang calling it “probably the single most important release of software, probably ever.” Enterprise cloud providers competing to onboard it.
Track two: security escalation. 17,500+ vulnerable instances. 20% malicious marketplace skills. One-click RCE. Government bans in China and South Korea. Microsoft recommending full isolation.
These tracks aren’t contradictory — they’re the same pattern that plays out with every platform that achieves mass adoption before achieving security maturity. The question is whether the gap between adoption speed and security hardening will close before a major breach forces it shut.
AWS is betting the gap is manageable. The security data suggests the gap is widening. Both can be true at once — and that’s what makes OpenClaw the most interesting infrastructure story of 2026.
Sources: InfoQ, AWS Blog, Hunt.io, TechInformed/Bitsight, OpenClaws Security Roundup, Microsoft Security Blog, Token Security, NVD