CertiK Warns OpenClaw AI Agent Poses Critical Risks to Crypto Wallets

Blockchain security firm CertiK has released a detailed report labeling the OpenClaw AI agent as "the leading software supply chain attack vector on a global scale." According to the firm, users of the digital assistant face significant risks of data leaks, breaches, and cryptocurrency theft.

"What happens when an AI agent gets broad access before security catches up? Our latest report examines OpenClaw's attack surface, from gateway takeover and identity bypass to prompt injection and supply chain risk." — CertiK (@CertiK), original post

Why This Matters

OpenClaw has rapidly amassed a massive user base — its GitHub stars exceeded 340,000, and in March 2026, a wave of enthusiasm swept China where nearly 1,000 people lined up at Tencent's headquarters to install the software. With such widespread adoption, the vulnerabilities identified by CertiK affect an enormous number of users, particularly those handling cryptocurrency. Attackers have already targeted major wallets including MetaMask, Phantom, Trust Wallet, Coinbase Wallet, OKX Wallet, and others.

How OpenClaw Attack Vectors Work

CertiK's report explains that OpenClaw acts as a bridge between external data and local code execution, creating standard channels for cyberattacks. A primary vector involves local gateway takeover: malicious websites or scripts exploit the assistant's presence on a device to steal sensitive information or perform unauthorized actions.

Malicious plugins and skills for OpenClaw present a distinct threat. Available for installation from local sources and marketplaces, these components differ from traditional malware by manipulating the agent's behavior through natural language — rendering them resistant to conventional antivirus scanning. Once activated, they can extract sensitive data including crypto wallet credentials.

CertiK's researchers noted that infected components hide within legitimate codebases and load seemingly harmless URLs that actually deliver shell commands or malicious scripts.

Scope of the Threat

Attackers deliberately planted malicious skills across high-value categories:

• Phantom wallet utilities
• Address trackers
• Insider wallet discovery tools
• Polymarket instruments
• Google Workspace integrations

The researchers observed that the attackers' methods mirror well-known crypto fraud techniques: social engineering, fake utility deception, credential theft, and phishing campaigns.

OpenClaw's Troubled Security History

OpenClaw originated as a spinoff of Clawdbot, which launched in November 2025. The project gained traction quickly among developers and general users alike, but security concerns emerged almost immediately.

Within weeks of the initial release, Bitsight researchers discovered 30,000 exposed OpenClaw instances. SecurityScorecard identified 135,000 copies across 82 countries, of which 15,200 were vulnerable to remote code execution, according to CertiK's report.

To date, the platform has accumulated over 280 GitHub Security Advisories, 100 CVEs (Common Vulnerabilities and Exposures), and a string of ecosystem-level attacks. China's cybersecurity center had previously warned about OpenClaw-related risks, and a paid removal service for the AI agent even emerged in the country.

Earlier in March 2026, cybersecurity firm OX Security reported that threat actors were exploiting OpenClaw's popularity to conduct phishing campaigns and steal cryptocurrency from developers.

CertiK's Advice to Users

CertiK advised regular users — those who are not security specialists, developers, or advanced technical enthusiasts — to avoid installing OpenClaw altogether. The firm recommended waiting for more mature, hardened, and managed versions of the platform before adopting it.