OpenClaw, an artificial intelligence agent that has exploded in popularity over the past week, is raising new security concerns after researchers discovered malware in hundreds of user-submitted “skill” add-ons on its marketplace. In a post Monday, 1Password VP of Product Jason Meller said the OpenClaw skill center has become an “attack surface,” with the most downloaded add-on serving as a “malware delivery vehicle.”
OpenClaw — first called Clawdbot, then Moltbot — is billed as an AI agent that “actually does things” like managing your calendar, checking in on flights, cleaning out your inbox and more. It runs locally on the devices and users can interact with the AI assistant through messaging apps like WhatsApp, Telegram, iMessage and more. However, some users give OpenClaw access to their entire device, allowing it to read and write files, run scripts, and run shell commands.
While this kind of approach is a risk in itself, malware masquerading as skills to enhance OpenClaw’s capabilities only adds to the concern. OpenSourceMalware, a platform that tracks the presence of malware across the open-source ecosystem, found that 28 malicious skills were posted on the ClawHub skills marketplace between January 27 and 29, in addition to 386 malicious add-ons uploaded between January 31 and February 2.
OpenSourceMalware says these skills “disguise themselves as cryptocurrency trading automation tools and provide information-stealing malware” and manipulate users to run malicious code that “steals crypto assets such as exchange API keys, private wallet keys, SSH credentials, and browser passwords.”
Meller notes that OpenClaw skills are often uploaded as markdown files, which can contain malicious instructions for both the user and the AI agent. That’s what he found when he researched one of ClawHub’s most popular add-ons, the “Twitter” skill, which instructs users to follow a link “designed to cause an agent to run a command” that downloads information-stealing malware.
OpenClaw’s creator, Peter Steinberger, is working to address some of these risks, as ClawHub now requires users to have a GitHub account at least a week old in order to publish a skill. There is also a new way to report skills, although this does not remove the possibility of malware infiltrating the platform.