Your OpenClaw just installed malware disguised as a Skill.

1,184 malicious Skills found on ClawHub. They're draining browser passwords, crypto wallets, and SSH keys while you sleep.

135,000 OpenClaw instances exposed to the internet. 93.4% have zero authentication.

If you installed OpenClaw and just hit run without configuring anything? Attackers can walk right in.

Your AI assistant is literally robbing you.

5-Step Security Checklist (Do This Now):

1. Update Your Version

Run: openclaw --version

If you're not on v2026.2.26 or later, update immediately. This patch fixes ClawJacked and multiple critical exploits.

2. Audit Installed Skills

Run: ls ~/.openclaw/skills/

For each Skill:

- Did you install this intentionally?

- Does the GitHub repo still exist? Normal star count?

- Does SKILL.md ask you to run random commands?

- Any suspicious subprocess, os.system, or requests calls in the Python files?

If you don't recognize it or can't verify it, delete it.

3. Lock Down Public Access

If running on a cloud server:

- Block Gateway ports from public internet

- Use VPN or SSH tunnels only

- Enable authentication (stop running default configs)

4. Rotate All Credentials

If you're unsure whether you're compromised:

- Change critical browser passwords

- Regenerate SSH keys

- Rotate all API tokens (GitHub, cloud services, AI models)

- Check crypto wallets for unauthorized transactions

5. Vet Skills Before Installing

- Only install high-star, actively maintained Skills

- Read README and SKILL.md for sketchy commands

- Test in a VM or container first if possible

- Follow OpenClaw's official security advisories

The OpenClaw supply chain is compromised. If you're running it in production without hardening, you're already exposed.

Fix it before someone else does.