AI Agents Pose Serious Wallet Drain Risks: CertiK Warns OpenClaw Users to Stay Away

CertiK has issued a stark warning: ordinary users should avoid installing OpenClaw entirely. The cybersecurity firm's latest analysis reveals that self-hosted AI agents like OpenClaw—which integrate with WhatsApp, Slack, and Telegram to autonomously manage emails, calendars, and files—have become prime vectors for crypto wallet compromise and unauthorized system access.

The stakes are real. OpenClaw boasts around 2 million active monthly users, and its explosive growth from a November 2025 side project called Clawdbot to over 300,000 GitHub stars signals mainstream adoption. Yet this rapid scaling has come with dangerous security debt accumulated across the crypto intelligence and trading ecosystem.

The Scale of Exposure

The numbers tell a troubling story. Within weeks of launch, Bitsight identified 30,000 internet-exposed OpenClaw instances globally. SecurityScorecard researchers dug deeper, uncovering 135,000 instances across 82 countries—with 15,200 specifically vulnerable to remote code execution attacks. Since its November debut, OpenClaw has accumulated over 280 GitHub Security Advisories and 100 Common Vulnerabilities and Exposures (CVEs), making it the most scrutinized AI agent platform from a security standpoint.

This trend aligns with broader adoption patterns. A McKinsey study from November showed 62% of surveyed organizations already experimenting with AI agents in production environments—but few account for the security implications.

How Wallets Get Drained

CertiK's researchers identified the attack mechanics in detail. Because OpenClaw bridges external inputs to local system execution, it creates classic attack vectors. Malicious skills—the real danger here—can manipulate behavior through natural language commands that resist conventional malware scanning. These aren't traditional viruses; they're functionally legitimate-looking code hiding backdoors that fetch benign-seeming URLs ultimately delivering shell commands or wallet-stealing payloads.

Attackers have already weaponized this. CertiK found malicious skills strategically seeded across high-value categories: Phantom wallet utilities, wallet trackers, Polymarket tools, and Google Workspace integrations. The primary payload targets browser extension wallets simultaneously—MetaMask, Phantom, Trust Wallet, Coinbase Wallet, OKX Wallet, and others. The tradecraft here mirrors established crypto-theft playbooks: social engineering, fake utility lures, credential theft, and wallet-focused phishing.

Local gateway hijacking presents another vector. Malicious websites or payloads can exploit the agent's local machine presence to extract sensitive data or execute unauthorized commands. Plugins that add channels, tools, HTTP routes, and services create additional expansion surfaces for compromise.