Bitdefender
businessinsights.bitdefender.com › technical-advisory-openclaw-exploitation-enterprise-networks
Technical Advisory: OpenClaw Exploitation in Enterprise Networks
February 10, 2026 - However, this high-privilege requirement creates a massive attack surface. If a single malicious skill is loaded, it inherits these system-wide permissions, effectively granting the attacker the same level of access as the agent itself.
DataDome
datadome.co › home › blog › threat research › how threat actors turned openclaw into a scraping botnet
How Threat Actors Turned OpenClaw Into a Scraping Botnet
March 4, 2026 - A security audit identified over 500 vulnerabilities, including critical remote code execution flaws. Hundreds of malicious “skills” (OpenClaw extensions) were also flooding ClawHub, the project’s plugin marketplace.
[D] We scanned 18,000 exposed OpenClaw instances and found 15% of community skills contain malicious instructions
https://www.trendingtopics.eu/security-nightmare-how-openclaw-is-fighting-malware-in-its-ai-agent-marketplace/ The developer of the AI assistant OpenClaw has now entered into a partnership with VirusTotal to protect the skill marketplace ClawHub from malicious extensions. I hope this partnership will improve the situation. I tinkered with OpenClaw agent in a VM, even let it on Moltbook, but I would not install it on my main PC. Too much risk. More on reddit.com
29
133
February 12, 2026A top-downloaded OpenClaw skill is actually a staged malware delivery chain
can u pls keep quiet? we are trying to hack users' systems down here /s More on reddit.com
57
244
February 6, 2026OpenClaw is terrifying and the ClawHub ecosystem is already full of malware
We speedran the entire npm/PyPI malware playbook in like 3 weeks. That's honestly impressive in the worst possible way. More on reddit.com
66
357
February 5, 2026Every OpenClaw security vulnerability documented in one place — relevant if you're running it with local models
Also known as OpenGape More on reddit.com
8
14
February 18, 2026How does ClawTrust protect against malicious skills?
We don't use ClawHub's open marketplace. We vet and pre-load a curated set of audited skills. All tool calls run in Docker sandboxes with read-only filesystems and network isolation.
clawtrust.ai
clawtrust.ai › home › blog › 341 malicious skills, 3 cves, and a government warning: the state of openclaw security
OpenClaw Security in 2026: 341 Malicious Skills, CVEs, and ...
What are the biggest OpenClaw vulnerabilities in 2026?
The most significant issues are CVE-2026-25253 (one-click RCE, CVSS 8.8), 341 malicious skills found on ClawHub, and credential exposure in 7.1% of the skills registry. China's industry ministry also issued a formal security warning.
clawtrust.ai
clawtrust.ai › home › blog › 341 malicious skills, 3 cves, and a government warning: the state of openclaw security
OpenClaw Security in 2026: 341 Malicious Skills, CVEs, and ...
Are malicious skills still present on ClawHub?
Yes. Research has confirmed that malicious skills remain discoverable under variant names, even after takedowns. While the VirusTotal integration blocks many known threats, prompt injection and dynamically loaded payloads can still evade detection.
blog.cyberdesserts.com
blog.cyberdesserts.com › openclaw-malicious-skills-security
OpenClaw Security Risks: Skills, Exposure and Exploits
Security Boulevard
securityboulevard.com › home › security bloggers network › how threat actors turned openclaw into a scraping botnet
How Threat Actors Turned OpenClaw Into a Scraping Botnet - Security Boulevard
March 4, 2026 - A security audit identified over 500 vulnerabilities, including critical remote code execution flaws. Hundreds of malicious “skills” (OpenClaw extensions) were also flooding ClawHub, the project’s plugin marketplace.
Bitdefender
bitdefender.com › en-us › blog › businessinsights › technical-advisory-openclaw-exploitation-enterprise-networks
Technical Advisory: OpenClaw Exploitation in Enterprise Networks
February 5, 2026 - Our labs have detected a series of malicious campaigns targeting OpenClaw (formerly known as Moltbot and Clawdbot), an open-source AI agent framework. The attacks are distributed through ClawHub, the public registry for OpenClaw skills.
Kaspersky
kaspersky.com › blog › moltbot-enterprise-risk-management › 55317
Key OpenClaw risks, Clawdbot, Moltbot | Kaspersky official blog
February 24, 2026 - Within a short time, the number of malicious skills reached the hundreds. This prompted developers to quickly ink a deal with VirusTotal to ensure all uploaded skills aren’t only checked against malware databases, but also undergo code and content analysis via LLMs. That said, the authors are very clear: it’s no silver bullet. Vulnerabilities can be patched and settings can be hardened, but some of OpenClaw’s issues are fundamental to its design.
Sophos
sophos.com › en-us › blog › the-openclaw-experiment-is-a-warning-shot-for-enterprise-ai-security
The OpenClaw experiment is a warning shot for enterprise AI security | SOPHOS
February 13, 2026 - This initial wave of enthusiasm ... credentials, and the keys to numerous cloud services ). Recent research suggests that over 30,000 OpenClaw instances were exposed on the internet, and threat actors are already discussing how to weaponize OpenClaw ‘skills’ in support ...
CyberDesserts
blog.cyberdesserts.com › openclaw-malicious-skills-security
OpenClaw Security Risks: Skills, Exposure and Exploits
February 5, 2026 - OpenClaw security risks explained: malicious skills, exposed instances, major CVEs and how to secure your setup.
HKCERT
hkcert.org › blog › openclaw-s-rapid-adoption-exposes-skills-supply-chain-and-fake-installer-risks-in-a-high-privilege-ai-agent-platform
OpenClaw’s Rapid Adoption Exposes Skills Supply Chain and Fake Installer Risks in a High-Privilege AI Agent Platform
March 17, 2026 - These cases suggest that victims may trust search results or the GitHub platform and download malicious installers, ultimately leading to information-stealing malware and proxy malware infections. In addition to third-party skills and fake installation sources, the OpenClaw core platform itself has also been reported to contain a high-severity vulnerability...
1Password
1password.com › blog › from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface
From magic to malware: How OpenClaw's agent skills become an attack surface | 1Password
February 2, 2026 - So if your security model is “MCP will gate tool calls,” you can still lose to a malicious skill that simply routes around MCP through social engineering, direct shell instructions, or bundled code. MCP can be part of a safe system, but it is not a safety guarantee by itself. Just as importantly, this is not unique to OpenClaw.
ClawTrust
clawtrust.ai › home › blog › 341 malicious skills, 3 cves, and a government warning: the state of openclaw security
OpenClaw Security in 2026: 341 Malicious Skills, CVEs, and ...
February 7, 2026 - These aren't theoretical risks. Researchers confirmed that malicious actors on underground forums are actively discussing deploying OpenClaw skills for botnet operations.
Silverfort
silverfort.com › home › hijacking trust: clawhub vulnerability enables attackers to manipulate rankings to become the #1 skill
ClawHub vulnerability puts malicious skill at #1
March 24, 2026 - By doing so, an attacker can inject malicious code within what appears to be a legitimate and trusted skill, creating the foundation for a large-scale supply chain attack. As a result, large numbers of users and OpenClaw agents could download the compromised skill and execute malicious code on their machines, potentially with elevated privileges.
Reddit
reddit.com › r/machinelearning › [d] we scanned 18,000 exposed openclaw instances and found 15% of community skills contain malicious instructions
r/MachineLearning on Reddit: [D] We scanned 18,000 exposed OpenClaw instances and found 15% of community skills contain malicious instructions
February 12, 2026 - Full walkthrough with config snippets ... 15% malicious skill rate isn't a bug ⟶ it's what happens when there's no trust verification layer between agents and the tools they connect to....
Conscia
conscia.com › blog › the openclaw security crisis
The OpenClaw security crisis | Conscia
February 23, 2026 - Running in parallel to the vulnerability disclosure was a supply-chain attack of considerable scope. Koi Security researcher Oren Yomtov, working alongside an OpenClaw bot configured for threat analysis, audited all 2,857 skills available on ClawHub at the time of investigation and identified 341 malicious entries.
PauBox
paubox.com › blog › malicious-crypto-skills-compromise-openclaw-ai-assistant-users
Malicious crypto skills compromise OpenClaw AI assistant users
February 9, 2026 - All malicious skills share the same command-and-control infrastructure and employ social engineering tactics to trick users into executing commands that steal crypto exchange API keys, wallet private keys, SSH credentials, and browser passwords. One attacker, a user named hightower6eu, posted skills that accumulated nearly 7,000 downloads. McCarty contacted the OpenClaw team multiple times, but creator Peter Steinberger reportedly said he had too much to do to address the issue.
Oasis
oasis.security › blog › openclaw-vulnerability
ClawJacked: OpenClaw Vulnerability Enables Full Agent Takeover
1 month ago - Earlier this month, researchers discovered over 1,000 malicious skills in OpenClaw's community marketplace (ClawHub) —fake plugins masquerading as crypto tools and productivity integrations that instead deployed info-stealers and backdoors.
Trend Micro
trendmicro.com › en_us › research › 26 › b › openclaw-skills-used-to-distribute-atomic-macos-stealer.html
Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer | Trend Micro (US)
February 23, 2026 - Atomic (AMOS) Stealer has evolved ... instructions hidden in SKILL.md files exploit AI agents as trusted intermediaries that present fake setup requirements to unsuspecting users....
Tom's Hardware
tomshardware.com › tech industry › cybersecurity
Malicious OpenClaw ‘skill’ targets crypto users on ClawHub — 14 malicious skills were uploaded to ClawHub last month | Tom's Hardware
February 1, 2026 - OpenClaw's appeal is its ability to act on a user’s behalf, changing together things like file access and command execution to simplify workloads. That same capability can also create vulnerabilities when third-party code is introduced; OpenClaw's security documentation warns that skills and plugins should be treated as trusted code, and that installing them is equivalent to granting local execution privileges.
Cyber Press
cyberpress.org › home › clawhavoc poisons openclaw’s clawhub with 1,184 malicious skills
ClawHavoc Poisons OpenClaw’s ClawHub With 1,184 Malicious Skills
February 19, 2026 - Researchers at Antiy CERT uncovered at least 1,184 malicious "Skills" plugin-style packages that extend the agent's capabilities through scripts, configs, and resources.
Reddit
reddit.com › r/localllama › a top-downloaded openclaw skill is actually a staged malware delivery chain
r/LocalLLaMA on Reddit: A top-downloaded OpenClaw skill is actually a staged malware delivery chain
February 6, 2026 -
Here we go! As expected by most of us here.
Jason Meller from 1password argues that OpenClaw’s agent “skills” ecosystem has already become a real malware attack surface. Skills in OpenClaw are typically markdown files that include setup instructions, commands, and bundled scripts. Because users and agents treat these instructions like installers, malicious actors can disguise malware as legitimate prerequisites.
Meller discovered that a top-downloaded OpenClaw skill (apparently Twitter integration) was actually a staged malware delivery chain. It guided users to run obfuscated commands that ultimately installed macOS infostealing malware capable of stealing credentials, tokens, and sensitive developer data. Subsequent reporting suggested this was part of a larger campaign involving hundreds of malicious skills, not an isolated incident.
The core problem is structural: agent skill registries function like app stores, but the “packages” are documentation that users instinctively trust and execute. Security layers like MCP don’t fully protect against this because malicious skills can bypass them through social engineering or bundled scripts. As agents blur the line between reading instructions and executing commands, they can normalize risky behavior and accelerate compromise.
Meller urges immediate caution: don’t run OpenClaw on company devices, treat prior use as a potential security incident, rotate credentials, and isolate experimentation. He calls on registry operators and framework builders to treat skills as a supply chain risk by adding scanning, provenance checks, sandboxing, and strict permission controls.
His conclusion is that agent ecosystems urgently need a new “trust layer” — with verifiable provenance, mediated execution, and tightly scoped, revocable permissions — so agents can act powerfully without exposing users to systemic compromise.
https://1password.com/blog/from-magic-to-malware-how-openclaws-agent-skills-become-an-attack-surface
VirusTotal
blog.virustotal.com › 2026 › 02 › from-automation-to-infection-how.html
From Automation to Infection: How OpenClaw AI Agent Skills Are Being Weaponized ~ VirusTotal Blog
For Windows users, the skill instructs them to download a ZIP file from an external GitHub account, protected with the password 'openclaw', extract it, and run the contained executable: openclaw-agent.exe. When submitted to VirusTotal, this executable is detected as malicious by multiple security vendors, with classifications consistent with packed trojans.