depthfirst | 1-Click RCE To Steal Your OpenClaw Data and Keys (CVE-2026-25253)
A technical teardown of a 1-click RCE against OpenClaw (formerly Moltbot/ClawdBot), a viral open-source AI assistant trusted by 100,000+ developers with high-privilege access. See how a settings logic flaw and a WebSocket pivot turn a single webpage visit into token exfiltration, safety-control bypass, and arbitrary command execution.