The vulnerability is called ClawJacked. Its CVE designation is CVE-2026-25253. And according to the most comprehensive technical breakdown published to date by PBX Science, over 135,000 OpenClaw instances remained exposed to one-click remote code execution as of early March.

The attack vector: a malicious skill payload delivered through ClawHub, OpenClaw’s community marketplace for agent extensions. A user installs what appears to be a legitimate skill. The skill executes arbitrary code on the host machine. No second confirmation required.

From Bug Report to Industry Reckoning

CVE-2026-25253 was disclosed and patched in OpenClaw v2026.2.25. Within days, the security story intersected with OpenClaw’s explosive adoption in China — where the framework had become a cultural phenomenon under the “raise a lobster” framing.

The vulnerability’s timing amplified its impact. OpenClaw’s community marketplace, ClawHub, operates on an open contribution model with limited security review for submitted skills. The CVE demonstrated that this model’s trust assumptions break down at scale — particularly when adoption is driven by users who treat skill installation as casually as downloading a mobile app.

A single CVE forced a reckoning with how AI agent marketplaces vet third-party code.

The Structural Problem

ClawJacked exposed something more fundamental than a single vulnerability. OpenClaw grants agents broad system access by design — that’s the feature. Skills extend that access further. The combination means any exploitable entry point has an unusually large blast radius compared to traditional software vulnerabilities.

PBX Science’s analysis emphasizes that the issue extends beyond this specific CVE. The architecture that makes OpenClaw powerful — an LLM-driven agent that can execute tasks, access files, call APIs, and install extensions — creates an attack surface that scales with capability. Every new skill, every new integration, every new permission granted to an agent widens the target.

135,000 Exposed Instances

The persistence of unpatched installations is the most troubling detail in PBX Science’s reporting. OpenClaw’s adoption grew faster than its user base’s operational security maturity. Many of those 135,000 exposed instances likely belong to users who followed a tutorial, got the agent running, and never checked back for updates.

This is the predictable consequence of viral adoption outpacing security hygiene — and it’s a pattern the AI agent ecosystem will need to solve structurally, not just patch by patch.

The fix for CVE-2026-25253 has been available for weeks. The fix for the underlying dynamic has not.