SC Media published a security analysis on May 11 that frames OpenClaw not as uniquely vulnerable but as the system that exposed how agent architectures amplify known attack patterns. The analysis centers on two findings. The first is CVE-2026-25253, disclosed January 30, 2026 and since patched, so no longer an active threat: a CVSS 8.8 local gateway vulnerability that allowed authentication-token theft when a user merely visited an unvetted webpage, caused by missing origin validation and rate limiting. The second is Koi Security's audit of 2,857 skills in the ClawHub registry, which confirmed 341 (roughly 12%) were malicious.

The broader context is an industry unprepared for its own ambitions. A Dark Reading poll cited by GitHub’s security blog found that 83% of organizations plan to deploy agentic AI capabilities, but only 29% feel ready to do so securely.

The Gateway Problem

OpenClaw gives agents full authority across a user’s digital ecosystem: email, calendar, file storage, external APIs. The local Gateway, which manages all these connections, implicitly trusts local connections. CVE-2026-25253 exploited this trust. An attacker could steal authentication tokens without the victim taking any action beyond visiting a single malicious webpage, according to SC Media’s analysis.
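The two missing controls named above, origin validation and rate limiting, are easy to see side by side in a toy token endpoint. This is an added example, not OpenClaw's code; the gateway shape (a browser-reachable local HTTP endpoint that hands out auth tokens), the allowlisted origins, the port and the rate-limit figures are all assumptions.

```python
"""Added example, not OpenClaw's code: a minimal local-gateway token endpoint
showing the implicit-trust pattern and a hardened version of the same check."""
from collections import defaultdict, deque
import time

ALLOWED_ORIGINS = {"http://localhost:8000", "http://127.0.0.1:8000"}  # assumed UI origins
RATE_LIMIT = 5        # assumed: token requests allowed per client per window
RATE_WINDOW = 60.0    # assumed: window length in seconds


class Gateway:
    def __init__(self, now=time.monotonic):
        self._now = now                     # injectable clock for testing
        self._hits = defaultdict(deque)     # client -> timestamps of recent requests

    def weak_issue_token(self, client_ip, headers):
        """Implicit trust: a loopback source address alone earns a token.
        A browser on the same host also connects from loopback, so a request
        it makes on behalf of any webpage passes this check."""
        if client_ip in ("127.0.0.1", "::1"):
            return "token"
        return None

    def hardened_issue_token(self, client_ip, headers):
        """Origin allowlist plus per-client rate limit (browser-facing endpoint)."""
        # 1. Loopback proves where the socket came from, not which page asked.
        #    Require the browser-supplied Origin to match the gateway's own UI.
        if headers.get("Origin") not in ALLOWED_ORIGINS:
            return None
        # 2. Bound how often any one client can hit the endpoint, so a flood
        #    of token requests is refused instead of silently served.
        if not self._allow(client_ip):
            return None
        return "token"

    def _allow(self, key):
        """Sliding-window limiter: at most RATE_LIMIT hits per RATE_WINDOW."""
        now = self._now()
        recent = self._hits[key]
        while recent and now - recent[0] > RATE_WINDOW:
            recent.popleft()
        if len(recent) >= RATE_LIMIT:
            return False
        recent.append(now)
        return True


if __name__ == "__main__":
    gw = Gateway()
    hostile = {"Origin": "http://attacker.invalid"}   # constructed origin
    print("weak:", gw.weak_issue_token("127.0.0.1", hostile))          # token
    print("hardened:", gw.hardened_issue_token("127.0.0.1", hostile))  # None
```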

The vulnerability was patched, but the architectural pattern it exposed persists across the agent industry. Stormshield's retrospective documented the full CVE timeline: the identifier was assigned on January 30, 2026, and the vulnerability sits within a broader sequence that included nine CVEs disclosed in a four-day window in March, one of them scoring CVSS 9.9.

SC Media’s core argument is that registry-level vetting cannot provide durable protection when the agent runtime itself does not enforce capability boundaries. The Gateway accepts any skill’s instructions at face value. No sandboxing layer restricts what a skill can access once installed.

The Supply Chain Is Already Compromised

The 341 malicious skills Koi Security identified were not isolated incidents. VentureBeat reported on May 7 that a follow-up analysis by Antiy CERT expanded the count to 1,184 compromised packages across ClawHub. In the initial analysis, 335 of the original 341 malicious skills were traced to a single threat actor behind a campaign dubbed ClawHavoc.

The attack vector is structural, not incidental. Skill definitions are Markdown files with natural-language instructions and code examples. No mainstream security scanner has a detection category for malicious instructions embedded in agent skill definitions, as VentureBeat documented. SAST scanners analyze source code syntax. SCA tools check dependency versions. Neither understands the semantic layer where MCP tool descriptions, agent prompts, and skill definitions operate.

Cisco confirmed the gap directly. “Traditional application security tools were not designed for this,” Cisco’s engineering team wrote in a blog post announcing its AI Agent Security Scanner for IDEs. “SAST scanners analyze source code syntax. SCA tools check dependency versions. Neither understands the semantic layer where MCP tool descriptions, agent prompts, and skill definitions operate.”

Researchers at Griffith University, Nanyang Technological University, UNSW, and the University of Tokyo documented the specific attack chain in an April 2026 paper. Their technique, Document-Driven Implicit Payload Execution (DDIPE), embeds malicious logic inside code examples within skill documentation. Across four agent frameworks and five LLMs, DDIPE achieved bypass rates between 11.6% and 33.5%, according to VentureBeat’s reporting.

The Governance Gap Nobody Has Closed

SC Media’s analysis positions OpenClaw as the proving ground for a problem that will recur across every agent platform: the gap between what agents can access and what organizations can monitor. The OpenClaw incident pattern is not OpenClaw-specific. Any platform that grants agents broad system access through implicit trust, distributes capabilities through community marketplaces, and lacks runtime capability boundaries will face the same attack surface.

The 83%/29% gap from Dark Reading’s survey, cited by GitHub’s security team, quantifies how far the industry is from solving this. Organizations are deploying agents faster than they can secure them. OpenClaw, with 370,000+ GitHub stars and tens of thousands of exposed instances flagged by SecurityScorecard, is simply the largest target.

The question SC Media leaves open is whether any current agent architecture is equipped to enforce least privilege at the runtime level, or whether the entire category needs a security layer that does not yet exist.