OpenClaw AI Agent Skills Exploited to Distribute Malware: A Growing Cybersecurity Threat
In a significant cybersecurity development, VirusTotal has uncovered a widespread malware distribution campaign targeting OpenClaw, a rapidly expanding personal AI agent ecosystem. OpenClaw, formerly known as Clawdbot and briefly as Moltbot, is a self-hosted AI agent capable of executing real system actions, including shell commands, file operations, and network requests.
The OpenClaw Skill Abuse Campaign
OpenClaw enhances its functionality through skills, which are small packages built around SKILL.md files. Users can discover and install these skills from ClawHub, the public marketplace for OpenClaw extensions. While this architecture offers powerful automation capabilities, it also introduces a significant attack surface.
Skills operate as third-party code with complete system access, often requiring users to paste commands into terminals, download binaries, or execute scripts during setup. Threat actors are exploiting this trust model to distribute malware through seemingly helpful tools.
VirusTotal Code Insight has analyzed over 3,016 OpenClaw skills, revealing that hundreds exhibit malicious characteristics. This analysis, powered by Gemini 3 Flash, examines security behaviors such as external code execution, sensitive data access, and unsafe network operations, rather than relying solely on traditional antivirus signatures.
Security researchers have identified two distinct threat categories:
1. Skills with Poor Security Practices: These include insecure APIs, hardcoded secrets, and unsafe command execution.
2. Intentionally Malicious Skills: Designed for data exfiltration, remote control, and malware installation.
A Prolific Malware Publisher
A particularly concerning case involves a ClawHub user known as hightower6eu, who has published 314 malicious skills covering areas such as crypto analytics, finance tracking, and social media analysis. Each skill instructs users to download and execute external code from untrusted sources during setup.
For example, a Yahoo Finance skill appeared clean to traditional antivirus engines. However, VirusTotal Code Insight identified instructions directing Windows users to download a password-protected ZIP file containing openclaw-agent.exe, which multiple vendors have detected as a packed trojan.
For macOS users, the skill pointed to a Base64-obfuscated shell script on glot.io. This script downloaded and executed a Mach-O binary identified as Atomic Stealer (AMOS), an infostealer targeting passwords, browser credentials, and cryptocurrency wallets.
Recommendations for Users and Organizations
To mitigate these risks, organizations and users should:
– Treat Skill Folders as Trusted-Code Boundaries: Implement sandboxed execution environments to limit the potential impact of malicious code.
– Avoid Skills Requiring Shell Commands or Binary Downloads: Be cautious of skills that necessitate executing commands or downloading binaries during setup.
– Implement Publish-Time Scanning: Marketplace operators should scan for remote execution and obfuscated scripts during the publishing process.
VirusTotal is exploring integration with OpenClaw’s publishing workflow to provide automated security analysis during skill submission.
