The rapidly escalating popularity of the AI agent OpenClaw, which has seen an explosive rise in user adoption over the past week, is now accompanied by significant security alarms. Researchers have uncovered a substantial presence of malware embedded within hundreds of user-submitted "skill" add-ons available on its dedicated marketplace, ClawHub. In a recent post, Jason Meller, VP of Product at 1Password, characterized OpenClaw’s skill hub as having transformed into "an attack surface," with the most frequently downloaded add-on explicitly identified as a "malware delivery vehicle."
Initially launched as Clawdbot and later rebranded Moltbot, OpenClaw is promoted as an AI agent capable of "actually doing things," offering functionalities such as calendar management, flight check-ins, and inbox organization. The agent operates locally on users' devices and facilitates interaction through various messaging platforms, including WhatsApp, Telegram, and iMessage. A critical aspect of its operation, however, involves users granting OpenClaw extensive access to their entire device, permitting it to read and write files, execute scripts, and run shell commands.
While the inherent risks associated with such broad device access are considerable, the situation is further compounded by the proliferation of malware disguised as legitimate skills designed to augment OpenClaw’s capabilities. OpenSourceMalware, a platform dedicated to tracking malware across the open-source ecosystem, reported a concerning trend: 28 malicious skills were published on the ClawHub marketplace between January 27th and 29th. This was followed by an additional 386 malicious add-ons uploaded between January 31st and February 2nd.
According to OpenSourceMalware, these deceptive skills "masquerade as cryptocurrency trading automation tools" and are engineered to deploy information-stealing malware. They operate by manipulating users into executing malicious code, which then "steals crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords," posing a direct threat to users' financial security and digital identities.
Meller further elaborated that OpenClaw's skills are frequently uploaded as markdown files, a format that can readily conceal malicious instructions intended for both users and the AI agent itself. His examination of one of ClawHub’s most popular add-ons, a "Twitter" skill, revealed precisely this method. It contained explicit instructions for users to navigate to a specific link "designed to get the agent to run a command" that ultimately downloads infostealing malware onto their system.
In response to these escalating security concerns, OpenClaw's creator, Peter Steinberger, is actively implementing measures to mitigate the identified risks. ClawHub now mandates that users possess a GitHub account that is at least one week old to publish a new skill. Additionally, a new mechanism for reporting suspicious skills has been introduced. However, these proactive steps, while important, do not entirely eliminate the potential for malware to infiltrate the platform.
The Editorial Staff at AIChief is a team of professional content writers with extensive experience in AI and marketing. Founded in 2025, AIChief has quickly grown into the largest free AI resource hub in the industry.