On February 14th, 2026 — Valentine's Day — security researcher Marcus Chen published a disclosure that sent the OpenClaw community into a tailspin. He'd found 386 malicious skills on ClawHub, the largest third-party skill registry for OpenClaw. Some had been live for months.
The attack, now dubbed ClawHavoc, wasn't sophisticated. That's what makes it terrifying.
What actually happened
The attack worked like this: someone uploaded OpenClaw skills to ClawHub that looked legitimate. Names like enhanced-gmail-manager, calendar-sync-pro, smart-document-reader. The kind of boring, useful names that don't raise eyebrows.
Under the hood, these skills did what they advertised. They synced your calendar. They read your documents. But they also exfiltrated data — emails, contacts, API keys, personal files — to external servers. Some established persistent backdoors, letting the attacker maintain access even after the skill was removed.
Two critical vulnerabilities made this possible:
- CVE-2026-25253: A skill sandbox escape that allowed malicious skills to access the host filesystem beyond their declared scope. Severity: Critical (CVSS 9.8).
- CVE-2026-26329: An authentication bypass in OpenClaw's skill installation flow that let skills elevate privileges without user confirmation. Severity: High (CVSS 8.6).
Both are patched in OpenClaw 2026.2.15+. But patching requires knowing the vulnerabilities exist, knowing how to apply the update, and actually doing it.
The real problem isn't the vulnerabilities
Software has bugs. That's not news. The real problem is the deployment model.
Most self-hosted OpenClaw instances are set up once and forgotten. Someone follows a YouTube tutorial, gets their AI assistant running on a $5 VPS, connects their Gmail and Telegram, and moves on with their life. They don't subscribe to OpenClaw's security mailing list. They don't monitor CVE databases. They don't have automated update pipelines.
Here's what the last week of February 2026 looked like for OpenClaw security:
| Date | CVE | Severity | Description |
|---|---|---|---|
| Feb 20 | CVE-2026-26812 | High | Memory leak in voice processing allowing DoS |
| Feb 21 | CVE-2026-26329 | High | Skill privilege escalation bypass |
| Feb 22 | CVE-2026-27001 | Critical | Remote code execution via crafted webhook |
| Feb 24 | CVE-2026-25253 | Critical | Skill sandbox filesystem escape |
| Feb 25 | CVE-2026-27340 | Medium | Information disclosure in agent logs |
| Feb 26 | CVE-2026-27501 | High | SSRF in web fetch skill |
Six CVEs in seven days. Each one requiring a patch, a rebuild, a restart. Each one a window where your personal data — your emails, your calendar, your files — is exposed.
If you're a DevOps engineer who enjoys this kind of thing, self-hosting is fine. You'll keep up. But most people aren't, and most people won't.
Who was affected
ClawHub's download stats suggest at least 12,000 installations of affected skills across roughly 8,000 unique instances. The actual number is likely higher — ClawHub doesn't track every install accurately.
The typical victim profile: someone who wanted an AI assistant but didn't want to pay for a managed service. They self-hosted, installed a few third-party skills to extend functionality, and unknowingly gave an attacker access to their entire digital life.
It's the same story as npm supply chain attacks, PyPI typosquatting, and VS Code extension malware, but with higher stakes, because OpenClaw has access to your email, calendar, files, and potentially your smart home.
Why self-hosting makes this worse
OpenClaw is powerful because it has deep access to your life. That's the entire point — an AI assistant that can read your email, manage your calendar, search the web on your behalf, and talk to your other services.
But that same power means the attack surface is enormous. A compromised OpenClaw instance doesn't just give an attacker one app's data. It gives them everything.
Self-hosting compounds the risk in three specific ways:
- Update lag. The average self-hosted OpenClaw instance is 23 days behind the latest security patch, according to a survey by the OpenClaw community. That's 23 days of known vulnerabilities sitting unpatched while your instance has access to your most sensitive data.
- Skill vetting. ClawHub has no mandatory security review. Anyone can publish a skill. Self-hosters who want extended functionality have to either audit skill code themselves (how many actually do?) or trust strangers on the internet with everything the assistant itself can reach, and with CVE-2026-25253 that meant the host filesystem too.
- Configuration drift. Security isn't a one-time setup. It's firewall rules, TLS certificates, log monitoring, access controls. Over months, things drift. Ports get left open for debugging. Certificates expire. Nobody's watching the logs.
How managed hosting changes the equation
This is where we stop being neutral and start being direct: if you're not a systems administrator, you should not be self-hosting an AI assistant that has access to your personal data.
At KillerBot, every instance runs on infrastructure we control and monitor:
- No third-party skills. We run a curated, audited set of 55 bundled skills. No ClawHub. No random packages from the internet. The entire ClawHavoc attack vector doesn't exist on our platform.
- Same-day patching. When a CVE drops, we patch every instance within hours, not weeks. The six CVEs from last week? Our users never had to think about them.
- Network isolation. Each customer instance runs in its own isolated environment. A compromise of one can't spread to others.
- Continuous monitoring. We watch for anomalous behavior — unexpected outbound connections, unusual data access patterns, resource spikes that might indicate cryptomining.
We're not doing anything revolutionary here. We're just doing the boring operational security work that most individuals don't have the time, knowledge, or desire to do themselves.
What you should do right now
If you're self-hosting OpenClaw:
- Update immediately to 2026.2.15 or later. Check your version with `openclaw --version`.
- Audit your installed skills. Remove anything from ClawHub that you haven't personally reviewed. Stick to bundled skills.
- Check your logs for outbound connections to domains you don't recognize.
- Rotate your credentials: Gmail tokens, API keys, anything your OpenClaw instance has access to. Assume they may be compromised if you had ClawHub skills installed.
- Set up automatic updates or at minimum subscribe to the OpenClaw security mailing list.
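The "check your logs for outbound connections" step above, and the "unexpected outbound connections" monitoring described in the managed-hosting section, both come down to the same triage: compare where each skill actually sent traffic against where it is supposed to send traffic. The script below is an added example written for this article, not OpenClaw's own tooling. The log line format, the skill-to-destination allowlist, and the sample log (including the `.example` and `203.0.113.0/24` destinations, which are reserved documentation values) are all constructed for illustration; a real instance would derive the allowlist from each skill's declared scope and feed in its real logs.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log. The format is an assumption for this example, not
# OpenClaw's real log format: ISO timestamp, skill name, event type,
# destination host:port, bytes sent. Skill names mirror those named in the
# ClawHavoc disclosure; destinations are documentation-reserved values.
SAMPLE_LOG = """\
2026-02-25T08:01:12Z skill=bundled-gmail event=outbound dst=gmail.googleapis.com:443 bytes=2310
2026-02-25T08:01:15Z skill=enhanced-gmail-manager event=outbound dst=gmail.googleapis.com:443 bytes=1980
2026-02-25T08:01:16Z skill=enhanced-gmail-manager event=outbound dst=cdn-sync-metrics.example:443 bytes=1048576
2026-02-25T08:03:40Z skill=calendar-sync-pro event=outbound dst=www.googleapis.com:443 bytes=812
2026-02-25T08:03:41Z skill=calendar-sync-pro event=outbound dst=203.0.113.7:8443 bytes=524288
2026-02-25T08:05:09Z skill=smart-document-reader event=outbound dst=docs-parse.example:443 bytes=40960
2026-02-25T08:10:02Z skill=web-fetch event=outbound dst=en.wikipedia.org:443 bytes=440
"""

# Per-skill allowlist of expected destinations (assumed for the example).
# "*" marks a skill whose job is to talk to arbitrary hosts, like a web fetcher.
# A skill missing from this table is one nobody has vetted yet.
ALLOWED_DESTINATIONS = {
    "bundled-gmail": {"gmail.googleapis.com"},
    "enhanced-gmail-manager": {"gmail.googleapis.com"},
    "calendar-sync-pro": {"www.googleapis.com"},
    "web-fetch": {"*"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) skill=(?P<skill>\S+) event=(?P<event>\S+) "
    r"dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class OutboundEvent:
    ts: str
    skill: str
    host: str
    port: int
    nbytes: int


@dataclass(frozen=True)
class Finding:
    skill: str
    host: str
    reason: str
    nbytes: int


def parse_log(text):
    """Parse the constructed log format; keep only outbound events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "outbound":
            continue
        # Split on the last colon so "host:port" works for hostnames and IPv4.
        host, _, port = m["dst"].rpartition(":")
        events.append(OutboundEvent(m["ts"], m["skill"], host, int(port), int(m["bytes"])))
    return events


def is_ip_literal(host):
    """Raw IP destinations are worth a second look: legitimate APIs use hostnames."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(events, allowlist):
    """Flag every outbound event that falls outside the skill's expected destinations."""
    findings = []
    for ev in events:
        allowed = allowlist.get(ev.skill)
        if allowed is None:
            findings.append(Finding(ev.skill, ev.host,
                                    "skill has no allowlist; review its declared scope", ev.nbytes))
            continue
        if "*" in allowed or ev.host in allowed:
            continue
        reason = "destination not in skill allowlist"
        if is_ip_literal(ev.host):
            reason += " (raw IP literal)"
        findings.append(Finding(ev.skill, ev.host, reason, ev.nbytes))
    return findings


def bytes_to_unexpected(findings):
    """Total bytes sent to destinations outside an allowlist: a rough exfiltration gauge."""
    return sum(f.nbytes for f in findings if f.reason.startswith("destination not"))


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG), ALLOWED_DESTINATIONS)
    for f in found:
        print(f"{f.skill:24} {f.host:28} {f.nbytes:>9} B  {f.reason}")
    print(f"bytes to unexpected destinations: {bytes_to_unexpected(found)}")
```

Two of the three findings are exactly the ClawHavoc pattern: a skill that does contact the service it advertises (`gmail.googleapis.com`, `www.googleapis.com`) and then sends a much larger payload somewhere else. The third, `smart-document-reader`, is not necessarily malicious; it is flagged because nobody has written down where it is allowed to talk, which is the gap that skill vetting is supposed to close. Anything that shows up here is a reason to pull the skill and rotate the credentials it had access to.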
Or skip all of that and let someone else handle it.
KillerBot is managed OpenClaw hosting built for people who want a powerful AI assistant without the security headaches. Every instance is patched, monitored, and runs only vetted skills. No ClawHub. No surprise CVEs to chase.