OpenClaw AI Agent Skills Abused for Credential Exposure and Prompt-Injection Backdooring
Security researchers and media reports warned that the open-source AI agent OpenClaw (formerly Moltbot/Clawdbot) can be abused via its ClawHub “skills” ecosystem, with findings that ~7.1% of marketplace skills contributed to exposure of API keys, credentials, and credit card data due to problematic SKILL.md instructions. Snyk highlighted a particularly severe example, buy-anything skill v2.0.0, which performs credit-card “tokenization” in a way that can be used to pilfer financial details before prompting users to provide card information.
Additional research described indirect prompt-injection risk: a malicious Google document can coerce OpenClaw into integrating a new Telegram bot, enabling follow-on actions such as file exfiltration and deployment of a Sliver command-and-control beacon for persistence, with potential for privilege escalation, lateral movement, and ransomware execution. Separately, one report noted OpenClaw’s move to scan skills with VirusTotal, but also emphasized that signature-based scanning is not a complete mitigation for prompt-injection and other logic-level abuses; other items in the same news roundup (e.g., telecom “Salt Typhoon” oversight) were unrelated to OpenClaw’s vulnerabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
OpenClaw adds VirusTotal scanning for ClawHub skills
OpenClaw announced a partnership with VirusTotal so submitted ClawHub skills would be scanned by more than 70 antivirus engines and blocklists. The company acknowledged the measure would not prevent prompt-injection or other natural-language abuse.
Zenity reveals prompt-injection attack path against OpenClaw users
Zenity reported that OpenClaw users could be compromised through an indirect prompt injection delivered via a Google document that tricks the agent into integrating a Telegram bot. The attack chain could enable file exfiltration, Sliver beacon deployment, persistence, privilege escalation, lateral movement, and possible ransomware execution.
Researchers disclose OpenClaw skill data-exposure flaws
Snyk reported that some OpenClaw "skills" on the ClawHub marketplace exposed sensitive data through unsafe SKILL.md guidance, including API keys, credentials, and credit card details. The most severe example cited was the "buy-anything" v2.0.0 skill, which could be used to steal financial information during credit-card tokenization.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious OpenClaw skills abused via ClawHub to steal cryptocurrency and browser data
Security researchers reported that the *OpenClaw* self-hosted AI assistant ecosystem is being abused for malware distribution via **ClawHub**, a public registry for third-party “skills.” At least **14 malicious skills** uploaded over a short window masqueraded as crypto trading/wallet automation tools, but were designed to trick users into executing obfuscated setup commands that fetch and run remote scripts. Because OpenClaw skills are installed as executable code (not sandboxed) with access to local files and network resources, successful installs can enable credential theft and cryptocurrency wallet compromise on **Windows and macOS**, and one malicious listing reportedly reached prominent placement before removal, increasing the likelihood of accidental installs. Separate reporting also highlighted a related risk: a **1-click remote code execution (RCE)** issue affecting OpenClaw/Moltbot/ClawdBot was discussed in the security community, indicating that the same ecosystem is facing both supply-chain style extension abuse and potential direct exploitation paths. Organizations allowing developer or power-user adoption of OpenClaw should treat third-party skills as untrusted software, restrict installation sources, and monitor for social-engineering patterns such as “copy/paste this one-liner” installers that retrieve code from external servers—especially when tied to cryptocurrency-themed lures.
Feb 10, 2026
OpenClaw AI Agent Tricked Into Leaking Secrets and Running Malicious Code
Researchers reported that the self-hosted **OpenClaw** AI agent can be manipulated through both phishing-style social engineering and prompt-injection-style inputs to expose sensitive data and perform attacker-directed actions. In Varonis Threat Labs simulations, an OpenClaw email agent connected to Gmail, browser tools, Google Workspace APIs, and internal data sources forwarded mock **AWS IAM keys**, database credentials, SSH details, and a synthetic customer export after receiving urgent or routine-looking messages impersonating trusted colleagues. The tests found the agent was better at spotting technical phishing indicators such as fake login pages, malicious links, and suspicious OAuth prompts than at verifying sender identity and resisting social pressure, and showed stricter phishing-aware settings still failed in some scenarios. Separate research from Imperva found hidden instructions embedded in shared contacts, vCards, and location pins were flattened into prompt text without being labeled untrusted, allowing the model in testing to download and execute a researcher-controlled script. OpenClaw reportedly patched that issue in version `2026.4.23`, and researchers also cited patched allowlist-bypass flaws in multiple messaging extensions. Across the findings, the common risk was agents that can read private data, ingest untrusted content, and send information outward; recommended mitigations included updating OpenClaw, restricting connector and outbound communication access, enforcing policy controls, and requiring **human approval** for high-risk actions.
Jun 17, 2026
OpenClaw Ecosystem Targeted by Malicious ClawHub Skills and Infostealer Theft of Agent Configuration Files
A supply-chain poisoning campaign dubbed **ClawHavoc** compromised OpenClaw’s official *ClawHub* marketplace by distributing **1,184 trojanized “Skills”** intended to steal data and establish backdoor access on victim systems. Reporting attributes the initial disclosure to Koi Security, with Antiy CERT later tracking the activity as the **TrojanOpenClaw PolySkill** family and linking the uploads to **12 publisher accounts** (including one responsible for **677** packages). The attackers abused ClawHub’s permissive publishing model (any GitHub account older than one week could upload), mass-posting Skills disguised as crypto trading bots, productivity tools, and social utilities; analysis described behaviors including **ClickFix-style download prompts** and **reverse-shell droppers** enabling remote command execution and persistence. Separately, researchers reported infostealer activity exfiltrating sensitive files from victims’ local OpenClaw directories—`openclaw.json`, `device.json`, `soul.md`, and related memory files—highlighting how AI-agent artifacts can be leveraged beyond traditional credential theft. Hudson Rock assessed the malware as broadly harvesting files by extension rather than explicitly targeting OpenClaw, but warned dedicated modules are likely to emerge to decrypt/parse these agent files. The stolen data could enable attackers to connect to a victim’s local OpenClaw instance (notably if **port `18789`** is exposed) using `gateway.auth.token`, and potentially bypass “Safe Device” checks by abusing keys from `device.json` to sign messages as the victim’s paired device and access connected services.
Mar 21, 2026