A report by Certik highlights significant security flaws in Openclaw, an open-source AI platform, particularly its reliance on “skill scanning” which fails to adequately protect users from malicious third-party extensions.
Limitations of the Clawhub Moderation PipelineA report by cybersecurity firm Certik has revealed significant security gaps in OpenClaw, an open-source artificial intelligence agent platform, warning that its reliance on “skill scanning” is insufficient to protect users from malicious third-party extensions.
The findings, published March 16, 2026, suggest the platform’s security model depends too heavily on detection and warnings rather than robust runtime isolation, leaving users vulnerable to host-level compromises.
However, Certik researchers said static rules searching for “red flags” were circumvented using simple code rewriting. They also asserted that the AI review layer proved effective at spotting obvious intent but struggled to identify exploitable vulnerabilities hidden within otherwise plausible-looking code.
The ‘Pending’ GapOne of the most critical flaws identified by Certik is the treatment of pending scan results. Researchers found that a skill could remain active and installable on the marketplace even while Virustotal results were still pending—a process that can take hours or days. In practice, these pending skills were treated as benign, allowing them to be installed without a warning to the user.
To prove the vulnerability, Certik researchers created a proof-of-concept (PoC) skill called “test-web-searcher.” The skill appeared functional and benign but contained a hidden “vulnerability-shaped” bug that allowed for arbitrary command execution on the host machine. When invoked via Telegram, the skill successfully bypassed Openclaw’s optional sandboxing and “popped a calculator” on the researcher’s machine—a classic demonstration of full system compromise.
The report concludes that detection can never be a substitute for a true security boundary. Certik is urging Openclaw developers to run third-party skills in isolated environments by default, rather than relying on optional user configuration. Developers should also implement a model where skills must declare specific resource needs up front, similar to modern mobile operating systems.
FAQ What security issue did Certik find in Openclaw? Certik reported that Openclaw’s reliance on “skill scanning” fails to adequately protect users from malicious third-party extensions. How does Openclaw’s moderation flow function? Openclaw uses a layered moderation flow, including tools like Virustotal and an incoherence detector to review third-party “skills.” What is the critical flaw regarding pending scan results? Skills can remain active and installable while scan results are pending, posing a risk as users may unknowingly install malicious extensions. What should users do to protect their data on Openclaw? Users are advised to only use Openclaw in low-value environments until stronger isolation measures are implemented by developers.
