Hundreds of malware posing as OpenClaw's 'AI skills' have been uploaded
From magic to malware: How OpenClaw's agent skills become an attack surface | 1Password
https://1password.com/blog/from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface
341 OpenClaw skills distribute macOS malware via ClickFix instructions
https://cyberinsider.com/341-openclaw-skills-distribute-macos-malware-via-clickfix-instructions/
OpenClaw is an AI agent that can centrally manage all functions and operations, such as chat management, use of tools to automatically operate PCs, and function callbacks based on time and events, using a control and integration system called 'Gateway' built on the local machine. OpenClaw allows for a variety of functions to be utilized by adding 'skills' that extend the AI agent's capabilities using mapdown files, etc. However, in order to perform various tasks to make life more convenient, there is a risk of allowing access to sensitive information such as personal information, such as 'viewing text messages' and 'logging into bank accounts.'
'OpenClaw' is a self-hosted personal AI assistant that can be used in conjunction with Windows, macOS, Linux, Android, and iOS and can perform various operations - GIGAZINE
Jason Mellor, vice president of product at 1Password , a long-established password management service, said OpenClaw 'seems like a gateway to the future,' but warned , 'OpenClaw gives us a glimpse into the future because it's a tool that, for now, abandons a key constraint: security.' According to Mellor, OpenClaw's memory and settings are stored as plain text files on disk and are readable, posing a significant risk of information leakage.
Mellor also pointed out that OpenClaw needs to be treated as a 'personality' rather than just software. It's not an app that performs a specific task, such as reading and summarizing emails, but an AI agent that continuously controls access at every moment every operation or request is performed. 'Permissions that you granted last week may be used today in completely new and unexpected ways, so you need to constantly monitor your permissions,' Mellor said.
A few days after discussing the risks of OpenClaw in his blog, Mellor reported on a security issue that had actually been discovered. According to Mellor, OpenClaw's agent skills use Markdown files to write instructions on how to perform specific tasks, and if the instructions contain malicious instructions, security could be compromised. Similar security risks exist for many AIs that use agent skills.
In fact, Mellor reported that malicious skills containing malware were published on ClawHub , where OpenClaw skills can be published, shared, and downloaded, and that some of the skill download instructions contained malicious operations. The most downloaded skill, related to X (formerly Twitter), at the time of Mellor's investigation, contained a malicious document disguised as a specific installation procedure. When Mellor downloaded the skill and tested it on VirusTotal , it was flagged as 'information stealing malware targeting macOS.'
'If you're already running OpenClaw on a work device, treat it as a potential incident and contact your security team immediately,' Mellor warned. 'There's currently no way to use OpenClaw securely, so stop using the device for sensitive work and, if you're experimenting, use an isolated machine with no corporate access and no stored credentials. If you're building an agent framework, you should assume your skills will be weaponized.'
According to a report by technology media outlet CyberInsider, as of February 2, 2026, the ClawHub marketplace contained at least 341 malicious skills. Among these were 111 skills related to cryptographic utilities, 57 YouTube tools, 34 market prediction bots, 28 system security automatic update skills, 51 skills imitating Yahoo! Finance and X Tracker, and 17 Google Workspace-related skills. The deployment of these malicious skills could lead to information leakage.
In response to concerns about the risk of AI agent skills being misused as malicious code, OpenClaw partnered with VirusTotal , a threat intelligence service owned by Google, to announce on February 7, 2026, a system that automatically scans for malware when skills are published. The system will implement a process to scan uploaded skills and approve those that are benign, issue warnings for suspicious ones, and block distribution of malicious ones, thereby enhancing safety.
OpenClaw Partners with VirusTotal for Skill Security — OpenClaw Blog
https://openclaw.ai/blog/virustotal-partnership
OpenClaw says, 'OpenClaw skills are powerful, expanding the capabilities of AI agents to do everything from controlling smart home devices to managing finances to automating workflows. But with that power comes risk. We understand that with the great utility of a tool like OpenClaw comes great responsibility. To be clear, implementing these security checks is not a silver bullet. It's a start, not the end. We are committed to making OpenClaw the most secure AI agent platform. We have more announcements to make soon.'
Related Posts:
