OpenClaw was hacked in 7 minutes.

You want to give it everything: shell, API keys, repos. An assistant you can't trust is a liability.

  • 294K · GitHub stars, fastest ever
  • 135K+ · Instances exposed on internet
  • 71 · Malicious ClawHub skills discovered
  • 8.8 · CVE-2026-25253 severity (CVSS)

Threat landscape

5 ways OpenClaw gets you compromised

All five have active exploits in the wild.

SSH & auth file tampering

OpenClaw edits ~/.ssh/authorized_keys with no guardrail. Attackers forge master-user payloads to rotate keys, then SSH in with their own.

GitHub #20918 · Critical

Host exec & privilege escalation

Full shell access: sudo, package installs, system config, one prompt away. One compromised instruction escalates to root. No approval required.

Shell access · High severity

Secret theft & exfiltration

Credentials stored in plaintext: API keys, .env files, OAuth tokens. Prompt injection or a malicious skill exfiltrates them in seconds.

Plaintext storage · Active in the wild

Installer & supply-chain compromise

Malicious archives use path traversal to escape the install directory. 71+ malicious ClawHub skills discovered: info-stealers, backdoors, crypto drainers.

PR #9513 · Zip Slip · Code exec

Guardrail downgrade & self-weakening

Attackers can instruct agents to disable ask mode, broaden exec allowlists, or expose the gateway. The agent complies.

Configuration abuse · High impact

Attack timeline

What 7 minutes looks like

Real exploit. Forged master-user payloads, fake breach alerts, hijacked SSH key rotation. Default OpenClaw, no Certiv.

7:00 · Time to full compromise

0:00 · Payload crafted

A payload mimics the structure and auth signature of OpenClaw's master user, the account the agent trusts implicitly.

1:12 · Trust established

The payload passes OpenClaw's validation. The agent accepts it as legitimate. No second factor.

Certiv Semantic Policy · Identity-claim social engineering detection

Flagged: urgency + identity claim, no second factor. Action blocked.

2:45 · Fake breach injected

A follow-up payload reports a breach and demands immediate SSH key rotation. The agent believes it.

Certiv Intent Policy · Task intent vs. action scope mismatch

Blocked: no prior context for SSH key rotation. Intent divergence. Escalated to critical.

4:30 · SSH keys rotated

SSH keys replaced with attacker-controlled ones. No approval.

Certiv Deterministic Policy · Block writes to ~/.ssh/authorized_keys

Hard block: write to ~/.ssh/authorized_keys denied. No LLM in the loop. Policy enforced in microseconds.

5:30 · VPN tunnel established

The agent opens a VPN to attacker infrastructure. All traffic tunnels out. IP allowlists are useless.

Certiv, all three policies · VPN/tunnel connection blocked across all policy layers

Deterministic: outbound to unlisted IP denied. Semantic: tunnel pattern flagged. Intent: VPN diverges from scope. All three layers blocked.

7:00 · Full compromise

Attacker SSHs in with their own keys. Full shell: lateral movement, exfiltration, persistence. Game over.

With Certiv: 3 layers, 3 blocks

Attack stopped at every stage. No single point of failure.

How Certiv works

Three policy layers. One enforcement point. Zero surprises.

Between intent and execution. Every action evaluated before it runs.

Deterministic

Hard rules that never bend

If-then rules enforced in microseconds. No LLM means no prompt injection. Exact-match on tool, parameters, and rate.

  • Block writes to ~/.ssh/*, /etc/ssh/*, auth config
  • Deny outbound to non-allowlisted IPs
  • Block cron, launchd, systemd persistence setup
  • Prevent archive installs with path traversal patterns

Semantic

Natural-language threat detection

LLM-evaluated policies that catch obfuscated attacks, social engineering, and tool-output laundering.

  • Detect urgency + identity-claim social engineering
  • Flag prompt injection in emails, docs, shell output
  • Recognize exfiltration via messaging surfaces
  • Treat tool output and repo text as untrusted

Intent

Context-aware decision engine

Compares user intent to agent action. Blocks divergence before execution. Catches multi-step attack chains.

  • Block when action scope diverges from task intent
  • Detect multi-step attack chains (read → exfil → persist)
  • Flag guardrail downgrades and self-weakening
  • Correlate sequences into severity escalation

Concrete examples

See Certiv in action

Real OpenClaw attack patterns. What Certiv blocks, and how.

SSH auth file modification blocked (Deterministic · Blocked)

  • Agent instructed to rotate SSH keys
  • Attempts write to ~/.ssh/authorized_keys
  • Certiv: simple rule, block writes to ~/.ssh/* · action terminated in μs

Urgency-based social engineering caught (Semantic · Blocked)

  • Forged payload claims "urgent breach"
  • Requests emergency credential rotation
  • Identity claim without verification
  • Certiv: LLM rule, urgency + identity claim pattern detected · blocked

Secret exfiltration via outbound POST (Deterministic · Blocked)

  • Malicious skill reads .env, API keys
  • Attempts POST to unknown external IP
  • Certiv: simple rule, outbound to non-allowlisted IP denied · alert sent

Guardrail downgrade attempt detected (Intent · Blocked)

  • Agent told to set security=full
  • Disable ask mode + broaden allowlists
  • Certiv: intent rule, self-weakening action diverges from task scope · blocked

Legitimate automation still works (Allowed · Passed)

  • User: "Summarize my calendar"
  • Reads Google Calendar API (allowlisted)
  • Certiv: intent verified · scope matches · executed

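
One way to make the deterministic and intent layers described above concrete, as an added example written for this page (it is not Certiv's engine or OpenClaw code): a small policy gate that applies exact-match path and IP-allowlist rules first, with no model in the loop, and only then compares the capability an action needs with the scope the user's task declared. The Action shape, rule names, capability map and allowlist are assumptions; the sample actions mirror the five scenarios listed above and use constructed placeholder addresses from the RFC 5737 documentation ranges.

```python
"""Illustrative two-layer policy gate (deterministic, then intent).

Example code for this page only; not Certiv's own engine. Every name below
(Action, DENY_WRITE_GLOBS, TOOL_CAPABILITY, ...) is an assumption made here.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional, Tuple, List
import ipaddress
import os


@dataclass
class Action:
    tool: str            # e.g. "file.write", "net.post", "config.set"
    params: dict         # tool arguments as the agent proposed them
    task: str            # the user's original request (what they asked for)
    scope: frozenset     # capabilities that request legitimately needs


# ---- Deterministic layer: exact-match rules, evaluated without any LLM ----
DENY_WRITE_GLOBS = ("~/.ssh/*", "/etc/ssh/*", "/etc/cron*", "~/Library/LaunchAgents/*")
# Constructed allowlist: an internal range plus one "known API" range (TEST-NET-2).
ALLOWLISTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]


def deterministic_check(a: Action) -> Optional[str]:
    """Return a block reason, or None if no hard rule matches."""
    if a.tool == "file.write":
        # Canonicalize both sides so "~" and an expanded home path compare equal.
        path = os.path.expanduser(a.params.get("path", ""))
        for g in DENY_WRITE_GLOBS:
            if fnmatch(path, os.path.expanduser(g)):
                return f"deterministic: write to {a.params.get('path')} denied (rule {g})"
    if a.tool in ("net.post", "net.connect"):
        ip = ipaddress.ip_address(a.params["ip"])
        if not any(ip in net for net in ALLOWLISTED_NETS):
            return f"deterministic: outbound to non-allowlisted {ip} denied"
    if a.tool == "archive.install":
        # Reject any archive entry whose path climbs out of the install dir.
        if ".." in a.params.get("entry", "").split("/"):
            return "deterministic: archive entry with path traversal denied"
    return None


# ---- Intent layer: does the action's capability fit the task's scope? ----
TOOL_CAPABILITY = {
    "file.write": "fs.write", "archive.install": "fs.write",
    "net.post": "net.egress", "net.connect": "net.egress",
    "config.set": "config.write", "calendar.read": "calendar.read",
}
# Config keys whose change weakens the agent's own guardrails (assumed names).
SELF_WEAKENING_KEYS = {"ask_mode", "exec_allowlist", "gateway_expose"}


def intent_check(a: Action) -> Optional[str]:
    """Return a block reason when the action diverges from the task's scope."""
    if a.tool == "config.set" and a.params.get("key") in SELF_WEAKENING_KEYS:
        return f"intent: guardrail downgrade ({a.params['key']}) diverges from task scope"
    needed = TOOL_CAPABILITY.get(a.tool, "unknown")
    if needed not in a.scope:
        return f"intent: {a.tool} needs {needed}, outside task scope {sorted(a.scope)}"
    return None


def evaluate(a: Action) -> Tuple[str, str]:
    """Cheapest layer first; the first layer that objects wins."""
    for layer in (deterministic_check, intent_check):
        reason = layer(a)
        if reason:
            return "BLOCKED", reason
    return "ALLOWED", "scope matches"


# Constructed sample actions mirroring the scenarios above.
SAMPLE_ACTIONS: List[Action] = [
    Action("file.write", {"path": "~/.ssh/authorized_keys", "data": "<new key>"},
           "rotate SSH keys", frozenset({"fs.write"})),
    Action("net.post", {"ip": "203.0.113.5", "body": "<.env contents>"},
           "summarize my calendar", frozenset({"calendar.read"})),
    Action("config.set", {"key": "ask_mode", "value": "off"},
           "set security=full", frozenset({"config.write"})),
    Action("archive.install", {"entry": "../../usr/local/bin/helper"},
           "install skill", frozenset({"fs.write"})),
    Action("calendar.read", {"calendar": "primary"},
           "summarize my calendar", frozenset({"calendar.read"})),
]


def run_samples() -> List[Tuple[str, str]]:
    return [evaluate(a) for a in SAMPLE_ACTIONS]


if __name__ == "__main__":
    for a, (verdict, reason) in zip(SAMPLE_ACTIONS, run_samples()):
        print(f"{verdict:8} {a.tool:16} {reason}")
```

The ordering is the point: the deterministic rules run first because they are exact-match and cannot be talked out of a decision, so the SSH write and the POST to an unknown address never reach the intent layer at all; only actions that pass every hard rule are then compared against the task's declared scope.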
Visibility dashboard

See everything your agent does

Real-time audit trail for every action, skill, and outbound call.

Certiv Shield · Agent Monitor · Protected

Device: Mac Mini · openclaw v2026.2.25 · Certiv active · Last scan: 2 minutes ago

  • 342 actions today
  • 14 blocked
  • 3 quarantined
  • Last threat: 4 min ago
  • Installed skills: 18 (18 / 18 audited)
  • Outbound domains: 7 known, all allowlisted
  • Policy engine: healthy, 3 layers active

Live feed:

  • BLOCKED outbound POST to 45.33.xx.xx:8080 · skill: "productivity-boost" · intent mismatch
  • QUARANTINED prompt injection detected in email body · action: forward_all · pattern: hidden-instruction
  • BLOCKED forged master-user payload · origin mismatch · SSH key rotation attempt denied
  • ALLOWED calendar read via Google API · intent verified · scope: read-only

Your agent is powerful. Make sure you're the one in control.

294K developers trust OpenClaw. Use it without trusting your luck.