OpenClaw’s AI ‘skill’ extensions are a security nightmare

OpenClaw, the AI agent that has exploded in popularity over the past week, is raising new security concerns after researchers uncovered malware in hundreds of user-submitted “skill” add-ons on its marketplace. In a post on Monday, 1Password product VP Jason Meller says OpenClaw’s skill hub has become “an attack surface,” with the most-downloaded add-on serving as a “malware delivery vehicle.”

OpenClaw — first called Clawdbot, then Moltbot — is billed as an AI agent that “actually does things,” such as managing your calendar, checking in for flights, cleaning out your inbox, and more. It runs locally on devices, and users can interact with the AI assistant through messaging apps like WhatsApp, Telegram, iMessage, and others. But some users are giving OpenClaw the ability to access their entire device, allowing it to read and write files, execute scripts, and run shell commands.

While this kind of access poses risks on its own, malware disguised as skills that are supposed to enhance OpenClaw’s capabilities only contribute to concerns. OpenSourceMalware, a platform that tracks the presence of malware across the open-source ecosystem, found that 28 malicious skills were published on the ClawHub skill marketplace between January 27th and 29th, in addition to 386 malicious add-ons that were uploaded between January 31st and February 2nd.

OpenSourceMalware says the skills “masquerade as cryptocurrency trading automation tools and deliver information-stealing malware” and manipulate users into executing malicious code that “steals crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords.”

Meller notes that OpenClaw’s skills are often uploaded as markdown files, which could contain malicious instructions for both users and the AI agent. That’s what he found when examining one of ClawHub’s most popular add-ons, a “Twitter” skill containing instructions for users to navigate to a link “designed to get the agent to run a command” that downloads infostealing malware.

OpenClaw’s creator, Peter Steinberger, is working to address some of these risks, as ClawHub now requires users to have a GitHub account that’s at least one week old to publish a skill. There’s also a new way to report skills, though this doesn’t remove the possibility of malware sneaking onto the platform.