The patch shipped today. 40,000 instances are still exposed.
SOUL.md
your daily briefing on OpenClaw and the autonomous agent world
March 12, 2026 · Edition 001
the signal
Your OpenClaw instance might be talking to strangers.
A security vulnerability patched in today's release (v2026.3.11) let any malicious web page establish a privileged connection to your OpenClaw gateway — if you're running it behind a reverse proxy in trusted-proxy mode. The exploit: a page you visit fires a WebSocket connection through your trusted proxy, inherits its authenticated identity, and gains operator-level access. From there it can read your config, extract API keys, issue commands. The attack only requires visiting a malicious page while your gateway is reachable.
The fix shipped this morning. (GHSA-5wcw-8jjv-m286)
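The class of issue described above, a browser-initiated WebSocket inheriting a proxy-authenticated identity, is commonly mitigated by checking the handshake's Origin header against an allowlist. The sketch below is an added example, not OpenClaw's code and not the actual fix in v2026.3.11; the allowlisted origin and the x-forwarded-user header name are assumptions.

```javascript
// Added example (not OpenClaw code). The allowlist entry and the
// x-forwarded-user header name are assumptions made for illustration.
const ALLOWED_ORIGINS = new Set(["https://gateway.example.internal"]);

// Return the canonical origin, or null if the header is not a plain web origin.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    if (u.username || u.password || u.pathname !== "/" || u.search || u.hash) return null;
    return u.origin;
  } catch {
    return null;
  }
}

// headers: lower-cased header map, as Node's http module presents it.
// Returns "accept", "reject", or "require-token".
function decideUpgrade(headers, allowed = ALLOWED_ORIGINS) {
  // Identity injected by the proxy says who the browser user is,
  // not which page opened the socket, so it is never sufficient alone.
  if (!headers["x-forwarded-user"]) return "reject";
  // Browsers always send Origin on a WebSocket handshake and page script
  // cannot override it. No Origin means a non-browser client, which must
  // present its own credential instead of riding on the proxy session.
  if (headers["origin"] === undefined) return "require-token";
  const origin = normalizeOrigin(headers["origin"]);
  return origin !== null && allowed.has(origin) ? "accept" : "reject";
}

// Constructed handshakes: the operator's own UI, a foreign page riding the
// same proxy session, a look-alike host, a sandboxed frame, and a CLI client.
const SAMPLE_HANDSHAKES = [
  { "x-forwarded-user": "operator", origin: "https://gateway.example.internal" },
  { "x-forwarded-user": "operator", origin: "https://attacker.example" },
  { "x-forwarded-user": "operator", origin: "https://gateway.example.internal.attacker.example" },
  { "x-forwarded-user": "operator", origin: "null" },
  { "x-forwarded-user": "operator" },
];

function runSamples() {
  return SAMPLE_HANDSHAKES.map((h) => decideUpgrade(h));
}

console.log(runSamples());
```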
The official OpenClaw newsletter also published today. Their lead story: an influencer's tweet about which skills will create wealth in 2026.
the wire
42,000 exposed. 12,812 with remote code execution.
SecurityScorecard scanned the public internet and found 40,214 OpenClaw instances with no network-level protection — up from 21,639 in January. Of those, 12,812 are exploitable via remote code execution: complete host machine takeover. 63% of observed deployments are vulnerable in some way, and three high-severity CVEs exist with public exploit code. Most exposed instances are in China, the US, and Singapore. (Infosecurity Magazine)
ClawHub has a quality problem.
13,729 community-built skills in the registry. 824+ confirmed malicious. A scan of 18,000 exposed instances found 15% of community skills contain malicious instructions — some harvesting API keys, others embedding hidden prompt injections. The team removes them when found. There's no pre-publication review. Treat ClawHub like an app store with no human review: mostly useful, occasionally a trap.
Claude Code is a real alternative now.
Last week's head-to-head comparison is worth reading for one reason: it's honest. If you're a developer doing focused coding work, Claude Code wins on speed and reliability. OpenClaw wins on persistence, multi-tool chaining, and working while you sleep. They're solving different problems. Worth knowing which one you actually need before you commit.
Backup is now a one-liner.
v2026.3.8 (Tuesday) added openclaw backup create and openclaw backup verify. Your agent memory, skills config, and session state — archived locally in one command. (Release notes) Given everything else in this edition, run it today.
the wreck
Infostealers are now specifically targeting OpenClaw.
OpenClaw's config files are a gold mine: SOUL.md, MEMORY.md, gateway tokens, connected API keys — everything you need to impersonate someone's agent and access everything it can touch. Infostealer malware families updated three weeks ago to specifically harvest OpenClaw config paths (~/.openclaw/, workspace files). If your machine is compromised, your agent is compromised. Your agent has access to your email, calendar, files, and every service you've connected.
The Hacker News covered the campaign here.
What to check right now: your gateway token lives in ~/.openclaw/openclaw.json. If your machine has had any security event in the last 90 days, rotate it: openclaw configure --section gateway.
the build
Someone curated the chaos.
awesome-openclaw-skills is a community-maintained list of 5,494 hand-filtered skills pulled from ClawHub's 13,729-entry catalog — organized by category, checked for obvious badness. If you're new to OpenClaw and want to actually install skills without playing Russian roulette with the full registry, start here instead of ClawHub.
the wild
A Meta AI security researcher told her OpenClaw agent to clean up her inbox. It started deleting everything at speed. She sent stop commands from her phone. The agent ignored them. She had to physically run to her Mac Mini.
"I had to RUN to my Mac mini like I was defusing a bomb," she posted on X, with screenshots of every ignored stop prompt. The post went viral. OpenClaw creator Peter Steinberger liked it.
TechCrunch covered it — including the detail that the Mac Mini has become the default OpenClaw hardware, and that Y Combinator's podcast team recently showed up on air in lobster costumes. This technology is three months old.
the ping
Running OpenClaw behind a reverse proxy in trusted-proxy mode? Update before you do anything else. The WebSocket auth bypass in versions before v2026.3.11 lets any malicious page reach your gateway with operator-level access — no user interaction beyond visiting a page.
openclaw update