OpenClaw AI Agent Marketplace Risks and VirusTotal Skill Scanning Integration
OpenClaw, an autonomous AI agent platform with a community “skills” marketplace, integrated VirusTotal scanning to check skills uploaded to ClawHub after security firms and researchers highlighted that the ecosystem is being abused to distribute malicious components. Reporting described attackers leveraging trust in marketplaces and “skills” registries to seed malware, and noted active discussion in criminal forums about using OpenClaw skills to support illicit activity (e.g., botnet operations). Separate research also pointed to rapid growth in lookalike packages (e.g., “claw” on npm/PyPI), reinforcing concerns that the surrounding supply chain is being targeted as the platform’s popularity increases.
Enterprise risk assessments emphasized that many organizations are granting OpenClaw privileged access quickly (including via shadow deployments), creating high-impact failure modes if a host or skill is compromised—potentially exposing API keys, OAuth tokens, and sensitive conversations. OpenClaw acknowledged that VirusTotal-based scanning is not sufficient to detect non-signature threats such as prompt-injection-driven malicious behavior or skills that use natural language instructions to induce harmful actions, leaving material residual risk even with malware scanning in place.
Timeline
Feb 9, 2026
OpenClaw adds VirusTotal scanning to its skills marketplace
OpenClaw integrated Google's VirusTotal to scan skills uploaded to ClawHub for known malware. The company acknowledged the control would not catch natural-language malicious behavior or prompt-injection payloads without signatures.
Feb 9, 2026
Security researchers flag malicious OpenClaw skills and ecosystem abuse
By early February 2026, security reporting highlighted that OpenClaw's skills architecture had been exploited by ClawHavoc, with malicious skills appearing in the ClawHub registry. Researchers also noted forum discussions about using OpenClaw skills for botnet activity and a rise in potentially typosquatting 'claw'-named packages on npm and PyPI.
Feb 5, 2026
VirusTotal details five malicious OpenClaw skill attack techniques
On February 5, 2026, VirusTotal published a deeper analysis of five malicious OpenClaw skills, showing how the ecosystem could be abused for reverse shells, SSH key injection, .env credential theft, scheduler-based propagation, and persistent prompt-file implants. The report framed third-party skills as a supply-chain attack vector and recommended mitigations including sandboxing, default-deny egress, provenance checks, and replacing long-lived .env secrets with short-lived scoped tokens.
Feb 2, 2026
VirusTotal exposes hundreds of malicious OpenClaw skills on ClawHub
On February 2, 2026, VirusTotal reported that hundreds of OpenClaw skills were malicious among more than 3,016 analyzed packages, describing the ecosystem as a malware delivery channel. The report linked ClawHub user 'hightower6eu' to 314 malicious skills and detailed a 'Yahoo Finance' skill that delivered an Atomic Stealer (AMOS) variant via unsafe setup instructions.
Jan 30, 2026
Gartner warns enterprises to block OpenClaw over security risks
On January 30, 2026, Gartner reported that 53% of Noma's enterprise customers had granted OpenClaw privileged access over a single weekend. Gartner called the tool an unacceptable cybersecurity liability and recommended immediately blocking OpenClaw downloads and traffic.
Jan 25, 2026
OpenClaw adoption surges, topping 150,000 GitHub stars
In late January 2026, OpenClaw's popularity rapidly increased, surpassing 150,000 GitHub stars. The fast uptake helped drive widespread enterprise experimentation and deployment.
Nov 1, 2025
OpenClaw launches and later undergoes two trademark-driven rebrands
OpenClaw launched in November 2025 and subsequently changed names twice because of trademark disputes. The project's popularity continued to grow despite the rebranding.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Threat Actors
Organizations
Sources
Related Stories
OpenClaw AI Agent Skills Abused for Credential Exposure and Prompt-Injection Backdooring
Security researchers and media reports warned that the open-source AI agent **OpenClaw** (formerly *Moltbot/Clawdbot*) can be abused via its *ClawHub* “skills” ecosystem, with findings that **~7.1% of marketplace skills** contributed to exposure of **API keys, credentials, and credit card data** due to problematic `SKILL.md` instructions. Snyk highlighted a particularly severe example, **buy-anything skill v2.0.0**, which performs credit-card “tokenization” in a way that can be used to **pilfer financial details** before prompting users to provide card information. Additional research described **indirect prompt-injection** risk: a malicious Google document can coerce OpenClaw into integrating a new **Telegram bot**, enabling follow-on actions such as **file exfiltration** and deployment of a **Sliver** command-and-control beacon for persistence, with potential for **privilege escalation, lateral movement, and ransomware execution**. Separately, one report noted OpenClaw’s move to scan skills with **VirusTotal**, but also emphasized that signature-based scanning is not a complete mitigation for **prompt-injection** and other logic-level abuses; other items in the same news roundup (e.g., telecom “Salt Typhoon” oversight) were unrelated to OpenClaw’s vulnerabilities.
1 months ago
Malicious OpenClaw skills abused via ClawHub to steal cryptocurrency and browser data
Security researchers reported that the *OpenClaw* self-hosted AI assistant ecosystem is being abused for malware distribution via **ClawHub**, a public registry for third-party “skills.” At least **14 malicious skills** uploaded over a short window masqueraded as crypto trading/wallet automation tools, but were designed to trick users into executing obfuscated setup commands that fetch and run remote scripts. Because OpenClaw skills are installed as executable code (not sandboxed) with access to local files and network resources, successful installs can enable credential theft and cryptocurrency wallet compromise on **Windows and macOS**, and one malicious listing reportedly reached prominent placement before removal, increasing the likelihood of accidental installs. Separate reporting also highlighted a related risk: a **1-click remote code execution (RCE)** issue affecting OpenClaw/Moltbot/ClawdBot was discussed in the security community, indicating that the same ecosystem is facing both supply-chain style extension abuse and potential direct exploitation paths. Organizations allowing developer or power-user adoption of OpenClaw should treat third-party skills as untrusted software, restrict installation sources, and monitor for social-engineering patterns such as “copy/paste this one-liner” installers that retrieve code from external servers—especially when tied to cryptocurrency-themed lures.
2 months ago
OpenClaw AI Agent Surge and Security Risks
**OpenClaw** emerged as a rapidly adopted open-source, self-hosted AI agent that runs locally, connects to messaging platforms such as WhatsApp, Telegram, Slack, Discord, and Teams, and can autonomously execute tasks including file access, browser control, API queries, scheduling, and script execution. Reporting describes its unusually fast rise in popularity, driven by persistent memory, a plugin ecosystem, and broad cross-platform integrations, while a related *PyPI* package, `openclaw-py`, advertises a Python/Flet rewrite with multi-channel gateway support, built-in tools, MCP integration, and an OpenAI-compatible API. Separate coverage also highlights how OpenClaw became a major public and policy phenomenon in China, where enthusiasm for its productivity gains was accompanied by concerns over privacy, regulation, and a fast-growing service market around installation and support. Security concerns around the OpenClaw ecosystem intensified after **Qihoo 360** reportedly bundled a live wildcard TLS private key for `*.myclaw.360.cn` inside the public installer of its OpenClaw-based AI assistant, exposing users to potential **man-in-the-middle interception, server impersonation, credential theft, and AI session hijacking** across the `myclaw.360.cn` domain space. That incident is directly tied to a customized wrapper built on top of OpenClaw and shows how the platform's rapid commercialization can introduce serious operational security failures. A separate report on a fake fitness tracker manipulating chatbot recommendations through **generative engine optimization (GEO)** is not about OpenClaw and reflects a different AI trust and content-poisoning issue.
1 months ago