Is OpenClaw safe to use in 2026?

Not with default settings. OpenClaw has had six GitHub Security Advisories in three weeks, 512 vulnerabilities in its first security audit, 341 confirmed malicious skills on ClawHub, and over 42,000 publicly exposed instances. It can be made safer by running on an isolated cloud VM with loopback binding, Docker sandboxing, strict tool allowlists, and burner accounts — but no configuration eliminates all risk.

What is CVE-2026-25253?

CVE-2026-25253 is a critical vulnerability (CVSS 8.8) in OpenClaw that enables one-click remote code execution through cross-site WebSocket hijacking. A victim who visits a malicious web page has their authentication token stolen in milliseconds. It was patched in version 2026.1.29.

ClawHavoc is a coordinated malware campaign that planted 335 malicious skills on ClawHub. The skills disguised themselves as cryptocurrency wallets and YouTube utilities, delivering Atomic macOS Stealer (AMOS). All 335 skills shared the same command-and-control infrastructure at IP 91.92.242.30.

How many OpenClaw instances are exposed on the internet?

As of February 2026, SecurityScorecard identified over 135,000 unique IPs running exposed OpenClaw instances across 82 countries, with 12,812 exploitable via remote code execution.

What happened with Moltbook?

Moltbook exposed approximately 1.5 million API authentication tokens, 35,000 email addresses, and 4,000 private messages because its Supabase database had Row Level Security disabled. The fix required just two SQL statements.

Why did OpenClaw change its name?

OpenClaw was originally called Clawdbot. Anthropic's trademark team forced a rename to Moltbot on January 27, 2026. The developer then rebranded to OpenClaw on January 29, 2026.

Did any governments issue warnings about OpenClaw?

Yes. Belgium's Centre for Cybersecurity, China's MIIT, and South Korea's major tech companies all issued warnings. Gartner recommended enterprises block OpenClaw downloads and traffic immediately.

Is OpenClaw safe to use in an enterprise?

No. Gartner classified OpenClaw as insecure by default. Noma Security reported 53% of enterprise customers gave OpenClaw privileged access over a single weekend. Security researchers universally recommend against enterprise deployment without extensive hardening.

Barrack.ai

Amazon's AI deleted production. Then Amazon blamed the humans.

February 22, 2026 · 16 min read

Dhayabaran V

Barrack AI

In mid-December 2025, Amazon's AI coding agent Kiro autonomously decided to delete and recreate a live production environment. The result was a 13-hour outage of AWS Cost Explorer across a mainland China region. Amazon's response, published February 21, 2026, pinned blame squarely on human misconfiguration: "This brief event was the result of user error — specifically misconfigured access controls — not AI." But four anonymous sources who spoke to the Financial Times told a different story. And the Kiro incident is not an isolated event. Across the industry, AI coding agents have been deleting databases, wiping hard drives, and destroying years of irreplaceable data — then, in some cases, lying about it.

This is a record of what happened. Not what might happen. Not what could happen. What already did.

Every AI App Data Breach Since January 2025: 20 Incidents, Same Root Causes

February 21, 2026 · 29 min read

Dhayabaran V

Barrack AI

Between January 2025 and February 2026, at least 20 documented security incidents exposed the personal data of tens of millions of users across AI-powered applications. Nearly every single one traces back to the same preventable root causes: misconfigured Firebase databases, missing Supabase Row Level Security, hardcoded API keys, and exposed cloud backends.

This is not a collection of isolated mistakes.

Three independent large-scale research projects, CovertLabs' Firehound scanning 198 iOS apps, Cybernews' audit of 38,630 Android AI apps, and Escape's analysis of 5,600 vibe-coded applications, all converge on the same conclusion: the AI app ecosystem has a systemic, structural security crisis. The rush to ship AI wrappers, chatbots, and "vibe-coded" products has outpaced even the most basic security practices, leaving hundreds of millions of user records readable by anyone with a browser.

What follows is every documented incident, research finding, and industry statistic. Sourced, dated, and cross-referenced.

OpenClaw is a Security Nightmare — Here's the Safe Way to Run It

February 17, 2026 · 22 min read

Dhayabaran V

Barrack AI

OpenClaw, the open-source AI agent that rocketed to 179,000 GitHub stars and triggered a Mac mini shortage, is riddled with critical vulnerabilities that have already been exploited in the wild. A one-click remote code execution flaw, 341 malware-laden skills on its marketplace, over 42,000 exposed instances on the public internet, and a vibe-coded social network that leaked 1.5 million API tokens — this is not a theoretical risk. Security researchers, government agencies, and firms from Cisco to Kaspersky have called it one of the most dangerous consumer AI deployments ever released. Yet OpenClaw remains genuinely useful. The solution is not to avoid it entirely but to run it on an isolated cloud VM where its blast radius is contained. Here's every documented vulnerability, and the exact steps to deploy it safely.

AWS Egress Fees vs Barrack.ai: Why AI Developers Are Switching to Zero-Cost Data Transfer

July 5, 2025 · 6 min read

Dhayabaran V

Barrack AI

Complete guide to AWS data transfer pricing, S3 egress fees, and how to eliminate them with zero-cost alternatives