Malicious 'Skill' Threat on OpenClaw: Crypto Users Targeted
Security researchers have revealed that the expanding ecosystem of the popular AI assistant OpenClaw has become a target for malware distribution. Last month, 14 fake 'skills' uploaded to ClawHub attempted to trick users and install malicious software on their systems.
Spread Through Public Registry
According to a report published by OpenSourceMalware, at least 14 malicious 'skills' were uploaded to ClawHub between January 27-29. These add-ons, masquerading as tools like cryptocurrency trading or wallet automation, aim to deliver malware to users' systems.
Windows and macOS Users at Risk
ClawHub is a public registry designed to make it easier for OpenClaw users to find and install third-party add-ons. In this ecosystem, 'skills' are not isolated scripts but executable code folders that, once installed and activated, can directly access the local file system and use network resources.
The analyzed malicious skills reportedly target both Windows and macOS users and employ social engineering techniques to spread. In some cases, users are asked to copy and paste encrypted terminal commands as part of the 'installation' process. These commands fetch and execute scripts from remote servers.
Risk Featured on the Front Page
It is reported that one of the flagged skills appeared on ClawHub's front page before being removed, significantly increasing the likelihood of accidental installation. One user reported encountering a listing that requested running a one-line command, which pulled code from an external server. While such practices raise red flags for experienced developers, they can easily deceive unsuspecting ordinary users.
Trust-Based Ecosystem and Inherent Risks
OpenClaw's appeal lies in its ability to simplify workflows by bundling operations like file access and command execution on behalf of the user. However, this capability can also create security vulnerabilities when third-party code is involved. OpenClaw's security documentation warns that skills and add-ons should be treated as trusted code and that installing them is equivalent to granting local execution privileges.
The project's renaming from Clawdbot to Moltbot and then, within just a few days, from Moltbot to OpenClaw following a trademark dispute has further complicated the issue by creating multiple names that attackers could mimic in social engineering attempts.
Future Risks and Necessary Precautions
Until a stronger review or verification mechanism is in place, OpenClaw's skill ecosystem effectively continues to operate on a trust basis. Anyone sourcing skills from public registries must scrutinize them with the same level of caution as other executable dependencies, showing extra vigilance against instructions requiring manual command execution.
This is not the first attempt to capitalize on OpenClaw's sudden popularity. Just a few days ago, security researchers documented a fake Visual Studio Code add-on impersonating the assistant, which was found capable of delivering a remote access payload before being taken down. Similarly, security policies and moderation shortcomings on open-source platforms can leave users vulnerable to various threats.
