A must-read for those jumping on the "lobster farming" bandwagon! OpenClaw is riddled with vulnerabilities, leaving thousands with compromised devices and stolen assets.

Summary

  • OpenClaw AI tool faces major security incidents, with over 30,000 instances hacked globally.
  • Key risks: prompt injection leading to data leaks; AI malfunctions causing deletions; malicious plugins stealing keys; vulnerabilities allowing remote takeover.
  • Cybercrime exploits OpenClaw for fake token scams, AI-induced transfers, and backdoor deployments.
  • Protection measures include closing port 18789, using official versions, restricting plugins, and adhering to least privilege.
  • Emphasize safety first to prevent irreversible loss of devices, data, and assets.


Beware of lobster farming! Your devices may be compromised.

Have you all recently become fans of an AI tool called OpenClaw (commonly known as "Lobster")? It's touted as an "all-around AI worker" that can automatically organize files, delete emails, call APIs, and even execute system commands, making it convenient and efficient. Suddenly, everyone on the internet is following the trend of "raising lobsters".

But who would have thought that behind this "worry-free" experience lies a deadly security trap? OpenClaw recently suffered a large-scale security incident, with over 30,000 instances worldwide being compromised by hackers. Many users in China have already suffered serious consequences after just starting to use it.

The problem lies in its inherent weaknesses: it grants excessive default permissions, lacks security configurations, and harbors multiple high-risk vulnerabilities. Furthermore, the chaotic third-party plugin market provides ample opportunity for hackers. Attackers can easily remotely take over devices, steal keys, steal assets, and delete data using techniques such as message injection, remote code execution, and unauthenticated access to port 18789, making it virtually impossible to defend against.

Numerous victims have reported online: some had their credit cards maxed out, others had their API keys stolen, resulting in tens of thousands of yuan in debt within three days; even Meta's security executives were not spared—more than 200 of their important emails were mass-deleted by the out-of-control OpenClaw, and they couldn't stop it.

Even more outrageous, the black market has also seized upon this trend, using the "lobster" hype to run cryptocurrency scams, issue fake tokens, and induce people to transfer funds. Some people have lost hundreds of thousands of yuan in assets without even realizing it. Precisely because of the severity of the situation, on March 10th and 11th, the National Internet Emergency Center and the Ministry of Industry and Information Technology issued emergency warnings one after another, directly pointing out the four fatal risks of OpenClaw and reminding everyone to take immediate precautions.

Four fatal risks: Beware of theft!

The security crisis of OpenClaw is not a matter of a single vulnerability; rather, it's a "fatal combination punch" resulting from a multitude of problems, including flawed access control, inadequate ecosystem management, and technical deficiencies. Its risks are highly insidious, spread extremely rapidly, and cover all usage scenarios for individuals and businesses. It has recently become one of the most pressing cybersecurity threats, and even the slightest carelessness can lead to compromise!

1. Prompt Injection: Beware of Data Leaks

Prompt injection is currently the most prevalent and covert attack method used against OpenClaw! Hackers hide malicious commands in web pages, documents, and group chat messages, exploiting the AI's indiscriminate execution of commands to hijack it stealthily. Once OpenClaw reads content containing malicious commands, it will automatically leak information, transmit data, and execute malicious operations, all without your manual intervention. Even experienced users would find it difficult to detect. This attack can cover all scenarios, including WeChat, local documents, and web browsing, and is a primary method hackers use to steal your sensitive information!

Real Cases

Multiple users reported that after integrating OpenClaw into WeChat and authorizing it to read group messages, hackers sent malicious messages disguised as "business notifications" in the group. After the AI was hijacked, it secretly transmitted the user's system key and environment variables. Some users even had 600 yuan red envelopes stolen without their knowledge.

2. AI out of control: Beware of accidental deletion

OpenClaw's context compression mechanism has a significant and fatal flaw! When processing complex commands, it easily overlooks security restrictions, leading to misinterpretations of your intentions and unauthorized execution of dangerous operations such as deletion or modification. Even if you issue a termination command in time, it's impossible to stop it. If work emails, core documents, or production data are accidentally deleted, the consequences are irreversible, and even professional security personnel would find it difficult to prevent!

Real Cases

Summer Yue, AI Security Director at Meta's Super Intelligence Lab, was testing OpenClaw and only needed it to analyze emails. Due to a flaw in the AI context compression mechanism, the security restriction command was discarded, and more than 200 important work emails were deleted in batches. She issued three termination commands in a row, but they were all ineffective. In the end, she had no choice but to unplug the power to stop the damage.

3. Plugin poisoning: Installation is a trap.

OpenClaw's plugin ecosystem is a disaster zone: lacking any effective review mechanism, the third-party skills marketplace ClawHub is rife with malicious plugins. Many plugins disguise themselves as "efficiency tools," "code optimizations," or "automatic disk monitoring," with icons and names mimicking the official ones, making them highly deceptive, while in reality they conceal malicious code. Once installed, they will secretly steal your keys in the background, implant backdoors, and turn your computer into a hacker-controlled "zombie," lurking and stealing your sensitive information for a long time!

Real Cases

A programmer in Shenzhen downloaded an OpenClaw plugin disguised as "automatic code optimization" from a third-party forum in an effort to improve work efficiency. Three days after installation, he discovered that his API key had been stolen. Hackers used the key to maliciously call services, resulting in a debt of 12,000 yuan in just three days. It took a week of follow-up investigation to fully revoke the key and eliminate the hidden dangers.

4. High-risk vulnerabilities + improper deployment: Exposure to the public network leads to takeover.

OpenClaw opens port 18789 by default without any authentication protection, and harbors high-risk vulnerabilities such as RCE (Remote Code Execution) and SSRF (Server-Side Request Forgery) (these vulnerabilities are included in the national vulnerability database), making it a "breakthrough point" for mass attacks by hackers. Many people, for the sake of convenience, directly expose their instances to the public internet with default configurations and no security protection. This is tantamount to actively "opening the door" for hackers, who can easily take control of your device with a simple scan!

Real Cases

When deploying OpenClaw, a user failed to close port 18789, exposing it to the public network, and enabled VNC remote control. Hackers exploited a port authentication vulnerability to take over the device with one click, obtained the credit card information saved in the user's browser, and made multiple fraudulent transactions, resulting in a total loss of over 1,400 yuan. The user's credit card was temporarily frozen due to multiple abnormal transactions within a short period of time.

Black market operators are targeting "lobsters"—avoid these scams!

With the explosive popularity of OpenClaw, the black and gray market has also taken advantage of the situation to turn it into a new type of fraud tool, especially targeting blockchain and crypto asset users. The schemes are more covert and the harvesting is more precise, forming a complete fraud industry chain. It is also the most easily overlooked disaster area in this security incident, so we must be vigilant!

1. Fake "Lobster Coins" exploit the hype to profit.

Please remember this: The OpenClaw project team has explicitly stated that it will not issue any tokens! However, criminals have exploited this loophole, registering fake accounts, forging official announcements, and issuing worthless cryptocurrencies such as "$CLAW" and "Lobster NFT." They also engage in false advertising such as "mining with shrimp" and "static income," making extravagant claims. They promote these schemes aggressively through social media groups and WeChat Moments, enticing people to buy in. Once you've bought in at a high price, they immediately dump the tokens and run, causing the price to plummet by over 90%. In the end, you'll lose everything and have no recourse for redress!

2. AI-induced transfers and asset theft

This is one of the most insidious scams! Hackers exploit OpenClaw's command execution capabilities, using simple wording to trick the AI into autonomously transferring funds out of the user's wallet. This wording looks identical to a legitimate command, and the hacker needs no remote control of the device. Once you grant OpenClaw wallet permissions, it will automatically execute the transfer. Assets are stolen extremely quickly, and transaction records are very difficult to trace; once stolen, they are virtually unrecoverable!

3. Deployment-for-hire services that hide backdoors

Online, services offering "OpenClaw installation, one-click deployment, and lobster farming" are everywhere, preying on people's desire for convenience and lack of technical skills. They lure users with low prices and ease of use, but these services are actually traps! During deployment, they secretly implant malicious programs and leave backdoors. Once you link your wallet or exchange account, hackers can directly gain root access through the backdoors, stealing your private keys and assets. The stealth is extremely high, making it virtually impossible to defend against!

4. AI-powered "pig butchering" scams: precise fraud.

The cybercriminal community has turned OpenClaw into a "fraud tool"! They've used OpenClaw's copy generation and user filtering capabilities to create automated fraud bots that operate 24/7. AI can generate customized fraud scripts in batches, precisely targeting different groups such as cryptocurrency users and professionals. This reduces the cost of fraud while increasing its success rate, making it more covert and faster-spreading than traditional human fraud.

Protect your devices and assets in 7 simple steps

Based on the core risks of this OpenClaw security incident and referencing practical protection standards in the security industry, we have compiled 7 readily implementable protective measures covering the entire process of deployment, use, and maintenance. Individual and enterprise users who strictly follow these measures can minimize various security risks and protect the security of their equipment and assets.

1. Strictly control public network exposure and safeguard the first line of defense.

Block public network access to port 18789, do not listen on 0.0.0.0, and allow only local or internal network access. Remote operations must be encrypted and restricted by access source.

2. Stick to the official version and reject third-party mirrors.

Uninstall unofficial versions and only download the latest secure version from the official OpenClaw channels. Back up your core data before upgrading.

3. Use only official plugins, and prioritize quality over quantity.

Do not install unofficial plugins. Obtain plugins only from the official Skill Store, and reject any plugin that requires downloading ZIP files or executing scripts.

4. Adhere to the principle of least privilege; isolated operation is more secure.

Deploy without administrator/root privileges, restrict access to sensitive paths, and prioritize running in virtual machines or sandboxes for isolation.

5. Strictly prohibit authorizing payment permissions; safeguard asset red lines.

Do not authorize OpenClaw to perform wallet transfers, payments, or other related operations; manual confirmation is required for all fund-related transactions.

6. Disable high-risk features and enable log auditing.

Disable unnecessary functions such as VNC and SSH, enable log auditing, and promptly disconnect from the network to investigate any suspicious behavior.

7. Protect sensitive information and prevent plaintext storage.

Do not allow OpenClaw to read sensitive information. Store it encrypted, and change keys and passwords regularly.
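
A check for step 1, added here as an example and not taken from OpenClaw or from the original article: it parses `ss -H -ltn` output and reports which address port 18789 is bound to. The function names, verdict labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit where the OpenClaw port (18789, per the article) is bound.
# Input format assumed: `ss -H -ltn` (State Recv-Q Send-Q Local:Port Peer:Port).

PORT="${PORT:-18789}"

# Reads ss-style lines on stdin; prints "<verdict> <address>" per listener on port $1.
classify_listeners() {
    awk -v port="$1" '
    $1 == "LISTEN" {
        la = $4
        n = match(la, /:[0-9]+$/)      # position of the colon before the port
        if (n == 0) next
        p = substr(la, n + 1)
        a = substr(la, 1, n - 1)
        if (p != port) next
        sub(/^\[/, "", a)              # [::1] -> ::1
        sub(/\]$/, "", a)
        sub(/%.*$/, "", a)             # drop a %interface suffix
        if (a ~ /^127\./ || a == "::1")                    v = "OK-LOOPBACK"
        else if (a == "0.0.0.0" || a == "::" || a == "*")  v = "EXPOSED-WILDCARD"
        else                                               v = "REVIEW-INTERFACE"
        print v, a
    }'
}

# Prints the findings; exit status is 0 only if nothing is bound to a wildcard address.
audit_port() {
    result=$(classify_listeners "$1")
    if [ -n "$result" ]; then printf '%s\n' "$result"; fi
    case "$result" in
        *EXPOSED-WILDCARD*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE='LISTEN 0 128 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 128 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 [::]:18789 [::]:*
LISTEN 0 128 192.168.1.20:18789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# On a live Linux host: ss -H -ltn | audit_port "$PORT"
printf '%s\n' "$SAMPLE" | audit_port "$PORT" || echo "port $PORT is bound to all interfaces: rebind to loopback or firewall it"
```

A `REVIEW-INTERFACE` verdict means the port is bound to one specific non-loopback address; confirm that address is internal-only and that a firewall restricts the access sources.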

Safety first, safeguard the bottom line of assets

The OpenClaw security incident serves as another wake-up call for AI agent security. AI capabilities are directly proportional to permissions, and security risks increase accordingly. Convenience cannot replace security measures, and neglecting security details can lead to irreversible losses of equipment, data, and assets.

Adhering to the principle of "technology for good, security first," our security team can provide professional support to individuals and enterprises in addressing the risks associated with this OpenClaw incident, including vulnerability screening and security hardening, to safeguard the security of your equipment and assets.


Author: 零时科技

Opinions belong to the column author and do not represent PANews.

This content is not investment advice.

Image source: 零时科技. If there is any infringement, please contact the author for removal.
