CVE-2026-25253: The OpenClaw Vulnerability That Gives Attackers 1-Click Remote Code Execution

Network IOCs: Outbound connections to 91.92.242.30 , any glot.io/api/ endpoints, or webhook.site URLs
File access patterns: Code that reads .env , .ssh/ , or browser credential paths without legitimate reason
MEMORY.md/SOUL.md access: Skills that read or transmit agent personality files
Base64 obfuscation: Encoded payloads that decode to network requests or file system access
Dynamic code loading: Use of eval() , Function() constructors, or remote script fetching
Prompt manipulation: Instructions injected into system prompts that reference external URLs or command execution

🛡️

ClawSecure Team

Security Research

Free 3-layer OpenClaw security audit with OWASP ASI Top 10 coverage and proprietary threat intelligence.