OpenClaw, the AI agent that has grown rapidly in popularity over the past week, is facing new security concerns after researchers discovered malware in hundreds of user-submitted “skill” add-ons on its marketplace. In a post on monday1Password product VP Jason Mellor says OpenClaw’s skill center has become “an attack surface”, with the most downloaded add-on serving as a “malware delivery vehicle”.
OpenClaw — formerly called Clodbot, then Moltbot — is billed as an AI agent that “actually does things,” like managing your calendar, checking in for flights, cleaning out your inbox, and more. It runs locally on devices, and users can interact with the AI assistant through messaging apps like WhatsApp, Telegram, iMessage, and others. But some users are giving OpenClaw the ability to access their entire device, allowing it to read and write files, execute scripts, and run shell commands.
While this type of access poses risks in itself, malware disguised as skills that are supposed to enhance OpenClaw’s capabilities only contribute to the concerns. OpenSourceMalware, a platform that tracks the presence of malware in the open-source ecosystem, Found that 28 malicious skills In addition to those uploaded between January 31 and February 2, 386 malicious add-ons were published on the Clawhub skills marketplace between January 27 and 29.
OpenSourceMalware says the skills “disguise as cryptocurrency trading automation tools and deliver information-stealing malware” and manipulate users into executing malicious code that “steals crypto assets such as exchange API keys, wallet private keys, SSH credentials, and browser passwords.”
Mellor says OpenClaw’s skills are often uploaded as Markdown files, which may contain malicious instructions for both users and the AI agent. That’s what they found when investigating one of Clawhub’s most popular add-ons, a “Twitter” skill that instructed users to navigate to a link to an “agent designed to run commands” that downloads infostealing malware.
Peter Steinberger, creator of OpenGL, is working to address some of these risksBecause ClawHub now requires users to have a GitHub account that is at least a week old to publish a skill. There is also a new way to report skills, although this does not remove the possibility of malware sneaking onto the platform.
