Security

A new critical vulnerability in OpenClaw — tracked as CVE-2026-32971 — allows attackers to obtain human approval for a benign-looking command while executing an entirely different, malicious payload. If you’re running OpenClaw before version 2026.3.11, patch now. The Vulnerability CVE-2026-32971 is a flaw in how OpenClaw’s node-host system.run approval mechanism displays shell commands to users. When the approval dialog is triggered, OpenClaw extracts and displays only a subset of the shell payload — the portion it considers “representative” — rather than the full argv that will actually be executed. ...

A critical vulnerability in OpenAI Codex — silently patched in February 2026 — allowed attackers to steal GitHub OAuth tokens through command injection, potentially compromising entire enterprise organizations sharing code repositories. Full public disclosure arrived March 31, 2026, thanks to research from Phantom Labs. The Vulnerability Phantom Labs, an identity security firm, discovered that OpenAI Codex was vulnerable to command injection in its shell execution environment. An attacker who could influence the commands sent to Codex — through crafted prompts, malicious repository content, or injected tool responses — could exfiltrate the GitHub OAuth token that Codex uses to authenticate with repositories. ...

It happened again — and this time the exposure was massive. On March 31, 2026, security researcher Chaofan Shou (@shoucccc) discovered that Anthropic’s Claude Code CLI had inadvertently published its entire source code inside a 60MB source map file (cli.js.map) bundled within its npm package. Within hours, the community had mirrored the code, opened GitHub repos cataloguing the exposure, and the story had broken across cybersecurity news outlets worldwide. This is reportedly the second time in a year that Claude Code’s source has leaked through the same vector. ...

Today’s Claude Code source leak was a good reminder that shipping to npm is a security surface area that many developers don’t audit carefully enough. A 60MB .map file contained Anthropic’s entire CLI source. This guide shows you how to prevent the same thing from happening to your own packages. Why Source Maps Are the Hidden Risk Source maps (.js.map files) are generated by build tools like webpack, esbuild, Rollup, and Parcel to help with debugging. They map your compiled, minified output back to the original source. In development and CI, this is exactly what you want. ...

A newly disclosed vulnerability in OpenClaw — tracked as CVE-2026-32979 — allows attackers to execute arbitrary code by modifying local scripts during the window between user approval and actual execution. If you’re running OpenClaw before version 2026.3.11, you should patch immediately. The Vulnerability OpenClaw’s security model relies on a human approval step before executing certain commands, particularly those flagged as elevated or potentially destructive. This approval mechanism is central to the framework’s safety guarantees — it’s how the system ensures a human is in the loop before sensitive operations run. ...

Two critical security vulnerabilities in OpenClaw were publicly disclosed today, and if you’re running any version older than 2026.3.11, you need to patch immediately. Both CVEs involve sandbox escape — the ability for a subagent running in an isolated context to break out and access session state it shouldn’t be able to see or modify. This isn’t theoretical. The CVSS score for CVE-2026-32918 is 8.4 (High), and the attack path is alarmingly accessible. ...

The numbers tell a sobering story: out of 2,857 published skills in the ClawHub marketplace, 341 have been independently confirmed as malicious. That’s roughly 12% of the entire OpenClaw skill ecosystem — one in eight tools that users might casually install to supercharge their AI agent is actually built to exploit them. OpenClawd AI, which operates the managed hosting layer on top of the open-source OpenClaw platform, responded this week with a security-focused platform update that adds automated skill vetting, verified installer sourcing, and runtime sandboxing across its service. ...

We publish this site using OpenClaw. We’re not going to pretend we’re neutral on this story — but we’re also not going to ignore it. Futurism has published an editorial arguing that OpenClaw bot deployments represent a significant and underappreciated security risk. Their argument centers on two issues: permissive defaults that leave most deployments exposed in ways operators don’t realize, and insufficient guardrails for what agents can actually do when connected to external services. ...

GhostClaw, the AI-assisted macOS infostealer first documented as a threat to npm package ecosystems, has expanded its reach. Jamf Threat Labs has confirmed that the malware family — also tracked as GhostLoader — is now targeting AI agent development workflows through malicious “skills” distributed via GitHub repositories. Critically, OpenClaw’s SKILL system has been identified as a confirmed abuse vector. This is not a theoretical supply chain risk. It’s an active, documented campaign that every developer working with AI agent frameworks — particularly those using OpenClaw or similar skill-based architectures — needs to know about. ...

Irish AI startup Jentic just launched Jentic Mini — a free, open-source, self-hosted API execution firewall specifically designed to sit between your OpenClaw agents and the external APIs they call. It handles credentials, permissions, and access control so your agents don’t have to. If you’re running OpenClaw agents that interact with external services — and especially given the recent GhostClaw malware campaign targeting AI agent skill systems — adding an execution firewall layer is no longer optional. It’s operational security. ...