CVE-2026-25253 · ClawJacked · CVSS 8.8

Secure your OpenClaw in 60 seconds.

OpenClaw had 7 CVEs in 60 days. ClawHavoc injected 1,184 malicious skills into ClawHub. Ship Safe scans your agent configs, MCP servers, and skills before attackers exploit them.

$ npx ship-safe openclaw .

6 critical attack vectors. One command.

Every check maps to a real CVE, OWASP Agentic Top 10 control, or active campaign.

critical

Public Gateway Binding

Binding OpenClaw to 0.0.0.0 makes it listen on every network interface, exposing your agent to any host that can reach the machine. ClawJacked (CVE-2026-25253, CVSS 8.8) exploits this for full agent takeover via WebSocket.

critical

Missing Authentication

No auth configured means anyone who can reach your OpenClaw instance can control your agent — execute commands, read files, exfiltrate data.

critical

Malicious Skills (ClawHavoc)

1,184 malicious skills were uploaded to ClawHub delivering the AMOS stealer. Ship Safe checks skill hashes against known IOCs and analyzes skill code for malicious patterns.

critical

Prompt Injection in Config Files

Attackers inject "ignore previous instructions" into .cursorrules, CLAUDE.md, or agent memory files to hijack AI agents. Ship Safe detects 15+ injection patterns.

critical

Malicious Claude Code Hooks

Check Point disclosed RCE via malicious hooks in .claude/settings.json. Ship Safe scans hooks for shell commands, piped downloads, and encoded payloads.

high

Unencrypted WebSocket

Using ws:// instead of wss:// transmits all agent communication in plaintext — credentials, code, and commands visible to anyone on the network.


Scan. Fix. Red team. Repeat.

Four modes, one tool. No API keys. No cloud. Everything runs locally.

Scan

Full security audit of your OpenClaw config, MCP servers, skills, and agent instruction files.

npx ship-safe openclaw .

Auto-fix

Rebind to localhost, add auth, upgrade to wss://, enable safeBins. One flag.

npx ship-safe openclaw . --fix

Red Team

7 adversarial tests simulating ClawJacked, prompt injection, data exfiltration, and encoded payloads.

npx ship-safe openclaw . --red-team

Skill Scanner

Analyze any skill before installing. Typosquatting detection, static analysis, and threat intel matching.

npx ship-safe scan-skill <url>

Harden with --fix

Ship Safe rewrites your openclaw.json to close every attack vector automatically.

Vulnerable

{
  "host": "0.0.0.0",
  "port": 3100,
  "url": "ws://my-server:3100",
  "skills": [
    { "name": "unknown-skill" }
  ]
}

Hardened

{
  "host": "127.0.0.1",
  "port": 3100,
  "auth": { "type": "apiKey" },
  "url": "wss://my-server:3100",
  "safeBins": ["node", "git"],
  "skills": []
}
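
The checks implied by the Vulnerable/Hardened pair above, written out as an added example (not Ship Safe's own code). It assumes the field names shown in the two samples are the real openclaw.json keys; the check identifiers and the `review` severity are this example's own labels.

```javascript
// Added example, not Ship Safe's code. Field names (host, auth, url, safeBins,
// skills) are taken from the page's samples; the real schema may differ.
const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);

function auditOpenClawConfig(cfg) {
  const findings = [];
  const add = (severity, check, detail) => findings.push({ severity, check, detail });

  // Public gateway binding. A missing host is flagged too, because the
  // default bind address is not stated on the page.
  if (typeof cfg.host !== "string" || !LOOPBACK.has(cfg.host.toLowerCase())) {
    add("critical", "public-gateway-binding", `host=${JSON.stringify(cfg.host)}`);
  }
  // Missing authentication: require an auth object with a non-empty type.
  if (!cfg.auth || typeof cfg.auth.type !== "string" || cfg.auth.type === "") {
    add("critical", "missing-authentication", "no auth.type configured");
  }
  // Unencrypted WebSocket: parse the URL so "WS://" and junk are handled.
  if (cfg.url !== undefined) {
    let scheme = "unparsable";
    try { scheme = new URL(String(cfg.url)).protocol; } catch { /* keep default */ }
    if (scheme !== "wss:") add("high", "unencrypted-websocket", `scheme=${scheme}`);
  }
  // The two checks below have no severity on the page; "review" is this example's label.
  if (!Array.isArray(cfg.safeBins) || cfg.safeBins.length === 0) {
    add("review", "no-safebins-allowlist", "safeBins missing or empty");
  }
  for (const skill of Array.isArray(cfg.skills) ? cfg.skills : []) {
    add("review", "unvetted-skill", `skill=${JSON.stringify(skill && skill.name)}`);
  }
  return findings;
}

// The page's two sample configs, copied verbatim.
const VULNERABLE = { host: "0.0.0.0", port: 3100, url: "ws://my-server:3100",
  skills: [{ name: "unknown-skill" }] };
const HARDENED = { host: "127.0.0.1", port: 3100, auth: { type: "apiKey" },
  url: "wss://my-server:3100", safeBins: ["node", "git"], skills: [] };

for (const [label, cfg] of [["vulnerable", VULNERABLE], ["hardened", HARDENED]]) {
  const out = auditOpenClawConfig(cfg);
  console.log(label, out.length ? out.map(f => `${f.severity}:${f.check}`) : "clean");
}
```

A loopback bind with auth still reports a finding if the URL scheme is not `wss:`, so each setting is checked independently rather than treated as one pass/fail result.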

The OpenClaw security timeline

CVE-2026-25253 · CVSS 8.8

ClawJacked

Full agent takeover via WebSocket. Any OpenClaw instance bound to 0.0.0.0 without auth is vulnerable. Attackers can execute commands, read files, and exfiltrate data.

Campaign · Jan–Mar 2026

ClawHavoc

1,184 malicious skills uploaded to ClawHub — roughly 20% of the registry. Skills delivered the AMOS stealer targeting macOS and Linux credential stores.

Check Point Research · 2026

Claude Code Hooks RCE

Remote code execution via malicious hooks in .claude/settings.json. Any repo with a compromised hooks config can execute arbitrary commands on the developer's machine.

ASI01–ASI10 · 2026

OWASP Agentic Top 10

OWASP released ASI01–ASI10 covering goal hijacking, tool misuse, privilege abuse, and supply chain attacks specific to AI agents.

Start scanning in one command.

Free, open source, runs locally. No signup, no API keys, no data sent anywhere.

$ npx ship-safe openclaw .