The OpenClaw ecosystem delivered its most anticipated feature this week — the Skill Workshop governed skill creation flow in v2026.6.1-beta.1 — but the security story dominated the conversation. Researchers disclosed a four-vulnerability “Claw Chain” that chains a supply chain foothold into full agent compromise, the first confirmed infostealer malware targeting OpenClaw secrets was documented in the wild, and Singapore’s Cyber Security Agency issued a formal advisory urging organizations to approach production deployments with caution.
For IT and security leaders evaluating self-hosted AI agents, this week frames the central tension clearly: the platform is maturing rapidly, but the security governance model has not kept pace. Here is the full executive briefing.
In a hurry? The headline takeaways: (1) Skill Workshop brings governed skill creation to OpenClaw — a major step forward for enterprise extensibility, (2) the “Claw Chain” vulnerability disclosure exposes the gap between the platform’s ambition and its current security posture, (3) the first in-the-wild infostealer targeting OpenClaw configs is a wake-up call for anyone storing secrets on disk, and (4) Microsoft’s ClawPilot now has 3,000+ internal users, signaling serious enterprise interest. Skip to What to Watch or book a discovery call if you are planning a deployment.
Skill Workshop: Governance for the Open Skill Model
The biggest feature landing this week is Skill Workshop — a structured, agent-guided skill creation and review flow that replaces the previous ad-hoc approach to building and distributing skills.
In v2026.6.1-beta.1 (a 98+ commit pre-release), agents now propose skills through a governed pipeline with versioned frontmatter, approval/rejection/quarantine actions, rollback safeguards, and a full Control UI dashboard featuring proposal lists, today view, revision dialog, and file preview. The skill workshop tool (skill_workshop) integrates with Codex app-server prompts so agents know when to use it, and a centralized core skills index handles loading, status, filtering, and prompt formatting.
Why it matters for enterprise teams. The open skill model has been OpenClaw’s greatest strength and greatest risk. Skill Workshop addresses the “vetting” side of that equation — giving operators a structured review flow before agents or users install third-party skills. It does not, however, solve the runtime isolation or trust-scoring problems. NVIDIA’s Skill Cards (static and semantic skill analysis at install time) showed up in the same release cycle, hinting at a layered security approach. For production deployments, Skill Workshop is necessary but not sufficient — organizations should still layer identity, sandboxing, and audit controls on top. For a broader view of where the platform is headed, see our State of OpenClaw 2026 analysis.
Read more: Skill Workshop documentation
The “Claw Chain” — Four Chained Vulnerabilities
Cyera researchers disclosed four chainable vulnerabilities that together represent the most dangerous OpenClaw attack chain documented to date. All four are patched in v2026.4.22+, but the exposure is staggering: Shodan identified approximately 65,000 publicly accessible OpenClaw instances; ZoomEye identified roughly 180,000.
The chain works like this: a single foothold inside OpenShell (via prompt injection, a malicious plugin, or compromised input) enables simultaneous exploitation of all three sandbox-layer vulnerabilities — data exfiltration through a filesystem read escape (CVE-2026-44113, CVSS 7.7), privilege escalation through an MCP loopback header bypass (CVE-2026-44118, CVSS 7.8), and persistence through a TOCTOU filesystem write escape (CVE-2026-44112, CVSS 9.6 Critical). A separate execution allowlist env-var disclosure (CVE-2026-44115, CVSS 8.8) can leak API keys through unquoted heredocs.
Why it matters. This is not a theoretical attack. The chain requires no arbitrary code execution — it works through the file operations and MCP protocol that every OpenClaw agent uses by default. Any organization running an unpatched instance with a public endpoint should treat this as a patch-immediately alert.
Sources: Cyera Research, TNW, Cloud Security Alliance
First Confirmed Infostealer Targeting OpenClaw Secrets
Hudson Rock documented the first in-the-wild infostealer infection specifically targeting OpenClaw configuration files. A Vidar infostealer variant (infection date: February 13, 2026) exfiltrated:
- openclaw.json — gateway authentication token, email, workspace path
- device.json — public and private keys used for device pairing and signing, enabling message impersonation
- soul.md and memory/*.md — agent behavior definitions, daily activity logs, private messages, and calendar events
Hudson Rock concluded the stolen data is sufficient for full compromise of the victim’s digital identity. The malware did not target OpenClaw specifically — it swept for files containing “token” and “private key” keywords — but the impact on OpenClaw users is severe.
Why it matters. This is the moment the OpenClaw community can no longer treat secret storage as “good enough on disk.” The same files that power agent identity and memory are now active targets. Organizations should move OpenClaw secrets to vault-backed storage (Azure Key Vault, HashiCorp Vault, or Windows Credential Manager) and treat device.json as the equivalent of an SSH private key — never on disk without encryption.
Sources: BleepingComputer, Hudson Rock
Singapore CSA Advisory — Formal Warning on Production Risk
Singapore’s Cyber Security Agency (CSA) issued Advisory AD-2026-005 formally documenting systemic OpenClaw risks: unpatched vulnerabilities, weak access controls, sensitive data exposure, malicious third-party skills, and memory poisoning. The advisory recommends organizations apply zero-trust principles and avoid deploying OpenClaw in mission-critical or highly sensitive environments in its open-source form.
This joins government warnings and restrictions from China, South Korea, and Belgium issued throughout 2026. The pattern is consistent: regulators are watching autonomous agent frameworks closely, and OpenClaw’s open skill model draws particular scrutiny.
Why it matters. Government advisories are not bans — but they shift the compliance conversation. Organizations covered by Singapore’s regulatory perimeter or operating in jurisdictions with similar guidance need to demonstrate that their OpenClaw deployment includes layered security controls beyond what the open-source project ships. This is the precise gap that hardened enterprise deployments are designed to close.
Source: CSA Advisory AD-2026-005
Microsoft ClawPilot Reaches 3,000+ Internal Users
Microsoft’s internal OpenClaw-based desktop assistant, ClawPilot (under “Project Lobster”), expanded from roughly 100 internal testers to 3,000+ users in early May. Spearheaded by Corporate Vice President Omar Shahine, ClawPilot provides an always-on agent team that monitors user signals, triages inboxes, and follows up on action items. A Teams plug-in built on OpenClaw is already available internally, and Microsoft is experimenting with more secure, enterprise-grade OpenClaw-like capabilities for Microsoft 365 Copilot, expected around Build.
Why it matters. Microsoft’s own internal adoption validates the architecture for Microsoft-centric environments — the same environments Big Hat Group specializes in. ClawPilot’s rapid scaling from 100 to 3,000 users in roughly a week signals that Microsoft sees real productivity value in the OpenClaw agent model. For enterprises on Microsoft 365, this reduces the “is it enterprise-ready?” risk: if Microsoft trusts OpenClaw for its own workforce, the question becomes “how do we harden it?” rather than “should we use it?” Read our full ClawPilot deep dive for Microsoft-centric IT teams.
Sources: GeekWire, Cloud Wars
ASRock Claw Quickset โ One-Click Windows Installer
ASRock announced Claw Quickset, a one-click Windows application that automates OpenClaw installation on ASRock Claw handhelds and other Windows PCs. It provides a GUI wizard for local vs. cloud model setup, runtime management, and workspace configuration — no manual terminal commands required.
Why it matters. This is the first consumer-friendly installer for OpenClaw on Windows. While ASRock’s target market is handheld gaming PC users, the same installation pattern is directly applicable to Windows 365 Cloud PCs and Azure Virtual Desktop — environments where IT needs to deploy OpenClaw without requiring users to navigate CLI setup. Expect to see enterprise deployment tooling follow this pattern.
Source: ASRock
Upstream Hardening and Other Releases
Beyond Skill Workshop, the release train delivered meaningful security hardening:
- Windows ComSpec hijacking fixed (#77472) — process wrapper now routes through a shared resolver and rejects UNC paths and semicolon-delimited path lists.
- Plugin diagnostics trust (#77516) — only bundled or @openclaw/diagnostics-* packages receive internal diagnostic capabilities.
- fs-safe library — new filesystem hardening library for safe path resolution and symlink attack prevention (GitHub).
- Gateway config fails closed — a breaking change in v2026.6.1-beta.1 means invalid config stops the Gateway entirely instead of auto-restoring from last-known-good state. Repair via openclaw doctor --fix.
- Performance DoS in v2026.5.3-1 (#77519) — operators should avoid this version entirely due to a 1500x sessions.list regression.
Stable release v2026.5.28 shipped with Claude Opus 4.8 support, iOS Pro UI with native iPad layouts, Supervisor plugins for Copilot and Codex runtimes, and encrypted PDF rendering.
EnterpriseClaw and the Governance Ecosystem
CIO.com covered EnterpriseClaw, a commercial governance layer that enables behind-the-firewall agent management with policy enforcement, audit trails, and compliance controls. Separately, AxonFlow shipped structured policy enforcement for OpenClaw tool calls and outbound messages — governance-as-code for agent workflows.
These third-party governance products are emerging alongside the OpenClaw Foundation (openclaw.org), which positioned itself as ensuring OpenClaw remains “independent, community-driven, and open forever.” Foundation participants include Microsoft, GitHub, Atlassian, Convex, and OpenAI through the GitHub Secure Open Source Fund.
Why it matters. A governance ecosystem is forming in parallel with the core project — commercial layers that fill the security and compliance gaps the upstream project cannot prioritize. For enterprise buyers, this is a healthy signal: the “hardened OpenClaw” conversation is evolving from “should someone build this?” to “which vendor’s governance layer fits our stack?”
What to Watch
- Skill Workshop in stable. The governed skill creation flow lands in beta this week. The stable release timeline will determine whether it meaningfully improves the skill trust model that the CSA flagged.
- Microsoft Build 2026. M365 Copilot’s agent capabilities — expected around Build — could either validate OpenClaw’s architecture or compete directly. ClawPilot’s 3,000-user internal test is a strong leading indicator.
- Claw Chain patch adoption. With 65,000 to 180,000 exposed instances and a full attack chain publicly documented, patch velocity will be a major test of the OpenClaw update ecosystem.
- Infostealer countermeasures. The Vidar case is likely the first of many. Expect credential vaulting improvements, encrypted-on-disk configs, and possibly runtime secret scanning to emerge as must-have features.
- Gateway config fail-closed. The breaking change in v2026.6.1-beta.1 will catch operators who rely on automatic recovery. Know your doctor --fix before you apply the update.
Check back next week for another roundup of OpenClaw ecosystem developments. If your organization is evaluating OpenClaw for production — on Windows 365, Azure, or anywhere in the Microsoft ecosystem — reach out. Big Hat Group delivers hardened OpenClaw deployments with Entra ID identity, signed skills, Intune compliance, and Azure-native architecture.