The widespread use of digital assistants poses critical risks, making users vulnerable to data leaks, hacks, and cryptocurrency theft. This warning comes from experts at CertiK.

What happens when an AI agent gets broad access before security catches up?

Our latest report examines OpenClaw’s attack surface, from gateway takeover and identity bypass to prompt injection and supply chain risk.

Read the full report 👇 https://t.co/x0RfYYic0T

— CertiK (@CertiK) March 31, 2026

According to CertiK's experts, OpenClaw has become the "leading attack vector for software supply chain attacks on a global scale."

The AI agent acts as a bridge between external data and local execution, which "opens standard channels for attacks." One such channel is the interception of local gateways.

Malicious websites or scripts exploit the assistant's presence on devices to steal confidential data or perform unauthorized actions.

OpenClaw architecture. Source: CertiK.

Plugins and malicious skills for OpenClaw, which can be installed from local sources or marketplaces, also pose significant dangers.

Unlike traditional viruses, these can manipulate the agent's behavior through natural language, making them resistant to standard scanning. Once activated, such software can extract sensitive information, including cryptocurrency wallet credentials.

CertiK emphasized that infected components hide within legitimate codebases and load seemingly normal URLs. Those links then deliver shell commands or malicious scripts.

Widespread Network and Recommendations

Cybercriminals have deliberately placed malicious skills in various high-value categories: utilities for Phantom, address trackers, tools for finding "insider" wallets, Polymarket tools, and Google Workspace integrations.

"They have covered an incredibly broad spectrum of the crypto ecosystem, targeting mass infection of browser wallet extensions: MetaMask, Phantom, Trust Wallet, Coinbase Wallet, OKX Wallet, and many others," the experts added.

Researchers also noted that the actions of these criminals resemble familiar tactics in the digital asset sector, including social engineering, deception through fake utilities, credential theft, and phishing.

CertiK advised regular users—non-security specialists, developers, or enthusiasts—not to install OpenClaw and to wait for "more mature, secure, and managed versions."

Issues with OpenClaw

OpenClaw originated as a byproduct of Clawdbot, launched in November 2025. The project quickly gained popularity among developers and users, with over 340,000 stars on GitHub.

In March, a wave of excitement around the AI agent swept through China, with nearly 1,000 people lining up at Tencent's headquarters to install OpenClaw on their computers. However, the country's Cyber Center soon warned about associated risks, leading to the emergence of a paid service for removing the AI agent in China.

Many independent experts also raised concerns about the software's security. Just weeks after its release, Bitsight specialists discovered 30,000 versions of OpenClaw available publicly.

Researchers from SecurityScorecard found 135,000 copies across 82 countries, with 15,200 vulnerable to remote code execution, as noted by CertiK.

The digital assistant has become "the most scrutinized platform in terms of security," accumulating over 280 GitHub Security Advisories, 100 vulnerabilities (CVEs), and a "series of ecosystem-level attacks."

In March, cybersecurity firm OX Security had already reported that criminals were using OpenClaw's popularity to conduct phishing campaigns and steal cryptocurrencies from developers.