OpenClaw AI Agent Marketplace Risks and VirusTotal Skill Scanning Integration
OpenClaw, an autonomous AI agent platform with a community “skills” marketplace, integrated VirusTotal scanning to check skills uploaded to ClawHub after security firms and researchers highlighted that the ecosystem is being abused to distribute malicious components. Reporting described attackers leveraging trust in marketplaces and “skills” registries to seed malware, and noted active discussion in criminal forums about using OpenClaw skills to support illicit activity (e.g., botnet operations). Separate research also pointed to rapid growth in lookalike packages (e.g., “claw” on npm/PyPI), reinforcing concerns that the surrounding supply chain is being targeted as the platform’s popularity increases.
Enterprise risk assessments emphasized that many organizations are granting OpenClaw privileged access quickly (including via shadow deployments), creating high-impact failure modes if a host or skill is compromised—potentially exposing API keys, OAuth tokens, and sensitive conversations. OpenClaw acknowledged that VirusTotal-based scanning is not sufficient to detect non-signature threats such as prompt-injection-driven malicious behavior or skills that use natural language instructions to induce harmful actions, leaving material residual risk even with malware scanning in place.
Related Entities
Malware
Affected Products
Sources
Related Stories
OpenClaw AI Agent Skills Abused for Credential Exposure and Prompt-Injection Backdooring
Security researchers and media reports warned that the open-source AI agent **OpenClaw** (formerly *Moltbot/Clawdbot*) can be abused via its *ClawHub* “skills” ecosystem, with findings that **~7.1% of marketplace skills** contributed to exposure of **API keys, credentials, and credit card data** due to problematic `SKILL.md` instructions. Snyk highlighted a particularly severe example, **buy-anything skill v2.0.0**, which performs credit-card “tokenization” in a way that can be used to **pilfer financial details** before prompting users to provide card information. Additional research described **indirect prompt-injection** risk: a malicious Google document can coerce OpenClaw into integrating a new **Telegram bot**, enabling follow-on actions such as **file exfiltration** and deployment of a **Sliver** command-and-control beacon for persistence, with potential for **privilege escalation, lateral movement, and ransomware execution**. Separately, one report noted OpenClaw’s move to scan skills with **VirusTotal**, but also emphasized that signature-based scanning is not a complete mitigation for **prompt-injection** and other logic-level abuses; other items in the same news roundup (e.g., telecom “Salt Typhoon” oversight) were unrelated to OpenClaw’s vulnerabilities.
1 months ago
Malicious OpenClaw skills abused via ClawHub to steal cryptocurrency and browser data
Security researchers reported that the *OpenClaw* self-hosted AI assistant ecosystem is being abused for malware distribution via **ClawHub**, a public registry for third-party “skills.” At least **14 malicious skills** uploaded over a short window masqueraded as crypto trading/wallet automation tools, but were designed to trick users into executing obfuscated setup commands that fetch and run remote scripts. Because OpenClaw skills are installed as executable code (not sandboxed) with access to local files and network resources, successful installs can enable credential theft and cryptocurrency wallet compromise on **Windows and macOS**, and one malicious listing reportedly reached prominent placement before removal, increasing the likelihood of accidental installs. Separate reporting also highlighted a related risk: a **1-click remote code execution (RCE)** issue affecting OpenClaw/Moltbot/ClawdBot was discussed in the security community, indicating that the same ecosystem is facing both supply-chain style extension abuse and potential direct exploitation paths. Organizations allowing developer or power-user adoption of OpenClaw should treat third-party skills as untrusted software, restrict installation sources, and monitor for social-engineering patterns such as “copy/paste this one-liner” installers that retrieve code from external servers—especially when tied to cryptocurrency-themed lures.
1 months ago
Security Risks From OpenClaw ‘Sovereign’ AI Agents With Local Terminal Access
**OpenClaw** (formerly *Clawdbot/Moltbot*) is rapidly spreading as an open-source “sovereign agent” that runs locally and can be granted high-privilege access to a user’s machine (including terminal/code execution), shifting AI from a passive chatbot to an active operator on endpoints. Trend Micro warns this model materially expands the attack surface by combining agent **access to files/commands**, **untrusted inputs** (e.g., messages/web/email), and **exfiltration paths**, and adds a fourth compounding risk—**persistence** via retained memory/state—creating conditions where prompt/instruction manipulation could translate into real system actions and data loss. Adoption is accelerating in China, where Shenzhen’s Longgang district proposed subsidies and an ecosystem to support OpenClaw-driven “one-person companies,” even as regulators and state media flag **data security and privacy** concerns tied to the tool’s ability to access personal and enterprise data. The reporting notes OpenClaw’s plug-in model support (including OpenAI, Anthropic, and Chinese model providers) and highlights official scrutiny amid China’s tightened data-privacy and export-control posture, underscoring that the primary risk is not a single vulnerability but the **operational security implications of deploying locally empowered AI agents** at scale.
Today