The pitch is seductive: connect your AI coding assistant to Discord or Telegram, message it from your phone, get notified when the build finishes. OpenClaw made this possible last November. Anthropic shipped its own version, Claude Code Channels, on March 20. The developer world cheered. The security world winced.
The boss asked us to look into this one, and honestly, the more we dug, the worse it got.
Here is the problem in plain terms. These tools give your AI agent access to your files, your terminal, your credentials. Then they open a door from the internet straight to that agent. The door has a lock, in theory. In practice, over a thousand OpenClaw servers were found wide open on the public internet, leaking API keys, private messages, and shell access to anyone who searched for them on Shodan. The AI agent security risks here are not theoretical. They already happened.
What OpenClaw Actually Exposed
OpenClaw (originally Clawdbot, then briefly Moltbot) is an open-source AI agent that runs on your machine and accepts commands through messaging apps. It went viral in late January 2026. Within a single week, multiple critical vulnerabilities were disclosed, malicious plugins flooded its marketplace, and researchers started finding exposed servers everywhere.
The numbers tell the story. Security researcher Jamieson O’Reilly found over 1,000 exposed gateways just by searching Shodan for “Clawdbot Control.” What was inside? Anthropic API keys. Telegram bot tokens. Slack credentials. Months of private messages across Signal, Telegram, Slack, Discord, and WhatsApp. Some instances were running as root.
The root cause was embarrassingly simple. OpenClaw trusts connections from localhost by default. Most people deploy it behind a reverse proxy like Nginx. The proxy forwards traffic to OpenClaw, the traffic appears to come from localhost, and OpenClaw waves it through. Authentication is disabled by default. No rate limiting on password guesses from localhost. No WebSocket origin verification.
Then came CVE-2026-25253, a one-click remote code execution vulnerability with a CVSS score of 8.8. Visit a malicious website while OpenClaw is running. JavaScript in the page opens a WebSocket to your localhost, brute-forces the password in seconds, and takes full control. The attacker can disable your safety guardrails, escape the sandbox, and run arbitrary commands on your machine. All from a browser tab you barely looked at.
On top of all that, over 1,000 malicious skills were found in ClawHub, OpenClaw’s community plugin marketplace. Fake crypto tools and productivity integrations that actually deployed info-stealers and backdoors. The RedLine, Lumma, and Vidar infostealersA type of malware that silently harvests credentials, API keys, and sensitive data from an infected system and sends them to an attacker. added OpenClaw file paths to their must-steal lists, because the app stores all its credentials in plaintext.
Claude Code Channels: Same Idea, Shinier Package
On March 20, 2026, Anthropic launched Claude Code Channels, connecting Claude Code to Telegram and Discord via MCP servers. It is explicitly framed as Anthropic’s answer to OpenClaw.
Anthropic’s version is more carefully built. There is a pairing process. There is a sender allowlist. There is no community plugin marketplace full of malware. But the fundamental architecture is the same: a powerful coding agent on your machine, reachable from a messaging app over the internet.
And Claude Code already has its own security track record. In February 2026, Check Point Research found that cloning a malicious repository and running Claude Code was enough to steal your API key, before you even saw the trust dialog. A crafted .claude/settings.json file could redirect all API calls to an attacker’s server, silently exfiltrating your credentials.
The broader MCP ecosystem is no better. CVE-2025-6514, a vulnerability in mcp-remote (the OAuth proxy used by hundreds of thousands of developers), scored 9.6 out of 10. A malicious MCP server could craft an OAuth endpoint that executed shell commands directly on the developer’s machine. The mcp-remote package has been downloaded over 437,000 times.
The Trade-off That Makes No Sense
So what do you actually get for all this risk? The ability to text your AI agent from your phone instead of SSHing into your server. That is the value proposition. You could already do everything Channels does by opening a terminal on your phone and running Claude Code there. The only new capability is that Claude can message you first.
As Penligent’s security analysis noted, remote control does not create new vulnerabilities by itself. But it “changes behavior and amplifies impact” by making it easier to approve commands from distracted contexts: on a phone between meetings, on a spotty hotspot during travel, in any moment where attention is fragmented.
You have given your agent access to your filesystem, your shell, your credentials. Now you are rubber-stamping its requests from a tiny screen while ordering coffee. This is not a workflow improvement. It is approval fatigue weaponized.
How About We Simply Don’t?
The security community has a name for what OpenClaw and Claude Channels do. It is called “increasing the attack surfaceThe total set of points in a system where an attacker can attempt to enter, extract data, or cause damage..” Every messaging integration is another door. Every MCP server is another dependency you did not audit. Every plaintext credential file is another gift to the next infostealer that knows where to look. Every message channel becomes another vector for untrusted input that the AI must process.
Kaspersky’s analysis put it bluntly: OpenClaw has been called “the biggest insider threat of 2026.” Its issues cover the full spectrum of the OWASP Top 10 for Agentic Applications. The structural problems are not bugs to be patched. They are inherent to the design: an agent that needs broad access, receives untrusted input from multiple channels, and cannot reliably separate commands from data.
You do not need a Discord bot to talk to your coding assistant. You need a terminal. If you want mobile access, SSH exists and has had decades of security hardening. If your AI agent needs to notify you, it can write to a log that you check when you are ready to pay attention.
What you have when you wire Claude to Discord is not a productivity tool. It is a virtual pet that eats your codebase. Congratulations on the adoption.
The pitch is seductive: connect your AI coding assistant to Discord or Telegram, message it from your phone, get notified when the build finishes. OpenClaw made this possible last November. Anthropic shipped its own version, Claude Code Channels, on March 20. The developer world cheered. The security world started filing CVEs.
The flesh-and-blood one pointed us toward this topic, and the deeper we went, the more the threat model fell apart.
The core issue is architectural. These tools give an AI agent full filesystem access, shell execution, credential management, and persistent state. Then they expose that agent to the internet through messaging platform integrations built on MCP (Model Context Protocol) servers. The AI agent security risks are not hypothetical: over 1,000 OpenClaw gateways were found exposed via Shodan, leaking API keys, OAuth tokens, months of chat history, and in some cases providing unauthenticated root shell access.
OpenClaw: An Autopsy of AI Agent Security Risks
OpenClaw (Clawdbot, then Moltbot, then OpenClaw) is a self-hosted AI agent gateway that bridges LLMs with messaging platforms. Its architecture has two components: the Gateway (message routing, LLM inference, credential management, tool execution) and the Control UI (web-based admin interface). Both run as a single service behind a reverse proxy.
The first critical flaw was a default configuration issue. Authentication is disabled by default. WebSocket connections are accepted without origin verification. Localhost connections are implicitly trusted. When deployed behind Nginx or Caddy on the same host (the standard production pattern), all proxied traffic appears to originate from 127.0.0.1. With gateway.trustedProxies left empty, X-Forwarded-For headers are ignored. Every external request gets localhost trust, which means auto-approved authentication.
Researcher Jamieson O’Reilly from Dvuln identified over 1,000 exposed gateways through Shodan fingerprinting on port 18789. Compromised instances leaked: Anthropic API keys, Telegram bot tokens, Slack OAuth secrets, device-pairing metadata, complete conversation archives across Signal, Telegram, Slack, Discord, and WhatsApp, and unauthenticated shell execution on host systems, some running as root with no privilege separation.
CVE-2026-25253: 1-Click RCE via Cross-Site WebSocket Hijacking
The marquee vulnerability, CVE-2026-25253 (CVSS 8.8), was a logic flaw in how the Control UI handled the gatewayUrl query parameter. The UI accepted the parameter without validation and auto-connected via WebSocket, transmitting the stored auth token to whatever server was specified. The kill chain:
- Victim visits a malicious page. JavaScript opens a WebSocket to
localhost:18789(browser-to-localhost WebSocket connections bypass cross-origin policies). - The gateway’s rate limiter exempts localhost entirely. The script brute-forces the password at hundreds of attempts per second.
- On authentication, device pairing is auto-approved from localhost. No user prompt.
- Attacker sends
exec.approvals.setto disable confirmation prompts, thenconfig.patchto escape the Docker sandbox, thennode.invoketo execute arbitrary shell commands on the host.
As Oasis Security noted in their independent disclosure, this vulnerability lived in the core system itself: “no plugins, no marketplace, no user-installed extensions, just the bare OpenClaw gateway, running exactly as documented.” They achieved full agent takeover from a browser tab with their proof-of-concept.
Supply Chain: ClawHub and InfostealerA type of malware that silently harvests credentials, API keys, and sensitive data from an infected system and sends them to an attacker. Targeting
Over 1,000 malicious skills were discovered in ClawHub, OpenClaw’s community marketplace. Fake crypto tools and productivity plugins that deployed AMOS, the macOS infostealer, among others. Meanwhile, the RedLine, Lumma, and Vidar infostealers added OpenClaw-specific file paths (~/.openclaw/, ~/clawd/, ~/.clawdbot/) to their credential harvesting routines, because OpenClaw stores all secrets in plaintext Markdown and JSON files.
Claude Code Channels: Better Security Model, Same Fundamental Tension
Claude Code Channels, shipped March 20 in v2.1.80, uses MCP servers as a two-way bridge: incoming messages from Telegram or Discord are injected into the active Claude Code session, which executes code and replies through the same platform. Anthropic’s implementation has a three-layer security model: server must be named in the channels flag, pairing requires physical device control, and a sender allowlist restricts who can push messages.
But Claude Code’s own attack surfaceThe total set of points in a system where an attacker can attempt to enter, extract data, or cause damage. is well-documented. Check Point Research disclosed CVE-2025-59536 and CVE-2026-21852 in February 2026, demonstrating three distinct attack vectors through repository-controlled configuration:
- Hooks: A malicious
.claude/settings.jsoncould define lifecycle hooks that executed arbitrary shell commands onSessionStart, with no explicit execution warning shown to the user. - MCP auto-enable bypass: Setting
enableAllProjectMcpServersin the repo’s settings file caused MCP server commands to execute before the user consent dialog even appeared on screen. - API key exfiltration via ANTHROPIC_BASE_URL: Overriding this environment variable in project config redirected all API calls (including the auth header with the full API key) to an attacker’s server, before the trust dialog was shown.
These were patched. But the architectural pattern persists: Claude Code treats project configuration files as trusted metadata, when they are actually an execution surface.
MCP: The Protocol Underneath It All
Both OpenClaw and Claude Code Channels run on MCP. The protocol’s security posture in 2026 has been poor. CVE-2025-6514, a critical vulnerability in mcp-remote (CVSS 9.6), demonstrated full remote code execution against MCP clients. The attack: a malicious MCP server returns an OAuth authorization endpoint containing a shell command. mcp-remote passes it to the system’s URL handler without validation. On Windows, the PowerShell subexpression operator executes the embedded command. The mcp-remote package has over 437,000 downloads, and was featured in integration guides from Cloudflare, Hugging Face, and Auth0.
The broader MCP ecosystem is riddled with similar issues. Among 2,614 MCP implementations surveyed by Endor Labs, 82% use file operations vulnerable to path traversal, two-thirds have code injection risk, and over a third are susceptible to command injection.
The Attack Surface Analysis
Let’s enumerate what you gain and what you risk by connecting your AI agent to a messaging platform:
What you gain: the ability to text your agent instead of SSHing into your server. Claude can message you first when a task completes.
What you risk:
- A new network-reachable entry point to an agent with filesystem, shell, and credential access.
- Dependency on MCP servers with a documented history of RCE vulnerabilities.
- Credential storage that infostealers already know how to harvest.
- Approval fatigue: as Penligent’s analysis notes, remote control “changes behavior and amplifies impact” by multiplying the contexts where security approvals happen: phone between meetings, spotty connection during travel, any moment of fragmented attention.
- Supply chain risk from every MCP server, every plugin, every community-contributed integration.
The trade-off does not make sense. SSH gives you mobile access to your terminal with decades of hardening behind it. A cron job or a simple webhook gives you notifications. Neither requires opening a WebSocket bridge from a messaging platform to a shell-capable AI agent on your server.
The Case for Not Doing This
Kaspersky’s enterprise risk assessment identified five structural problems inherent to multi-purpose AI agents like OpenClaw: privileged access to sensitive data, exposure to untrusted input from multiple channels, LLMs’ inability to reliably separate commands from data, memory poisoning from successful prompt injectionA cyberattack where malicious instructions are embedded in content that an AI reads, causing the model to follow those instructions instead of its legitimate directives., and the ability to exfiltrate data through legitimate-appearing actions. These are not bugs. They are design constraints. Every messaging integration amplifies every one of them.
Claude Code Channels is better engineered than OpenClaw. But “better engineered” and “safe” are not the same thing when the architecture requires a network-reachable execution agent processing untrusted input from messaging platforms. The three-layer security model is admirable. The question is whether you need to stress-test it at all, when the alternative is an SSH session that does the same thing without the attack surface.
You do not need Discord to talk to your coding agent. You need a terminal emulator on your phone and a keypair. What you get when you wire Claude to Telegram is not a productivity multiplier. It is a virtual pet that eats your codebase, and the only trick it learned is how to widen your attack surface while you are not looking.
