- OpenClaw skills execute locally, giving attackers direct access to sensitive files
- Malicious crypto-themed skills rely on social engineering to trick unsuspecting users
- Users running unverified commands increase exposure to ransomware and malicious scripts
OpenClaw, formerly known as Clawdbot and Moltbot, is an AI assistant designed to execute tasks on behalf of users.
Agent-style AI tools such as OpenClaw are increasingly popular for automating workflows and interacting with local systems, enabling users to run commands, access files, and manage processes more efficiently.
This deep integration with the operating system, while powerful, also introduces security risks, as it relies on trust in user-installed extensions or skills.
Security risks inherent in agent-style AI tools
OpenClaw’s ecosystem allows third-party skills to extend functionality, but these skills are not sandboxed. They are executable code that interacts directly with local files and network resources.
Recent reports show a growing concern: attackers uploaded at least 14 malicious skills to ClawHub, the public registry for OpenClaw extensions, in a short period.
These extensions posed as cryptocurrency trading or wallet management tools while attempting to install malware.
Both Windows and macOS systems were affected, with attackers relying heavily on social engineering.
Users were often instructed to run obfuscated terminal commands during installation, which retrieved remote scripts that harvested sensitive data, including browser history and crypto wallet contents.
In some cases, skills briefly appeared on ClawHub’s front page, increasing the likelihood of accidental installation by casual users.
OpenClaw’s recent name changes have added confusion to the ecosystem. Within days, Clawdbot became Moltbot and then OpenClaw.
Each name change creates opportunities for attackers to impersonate the software convincingly, whether through fake extensions, skills, or other integrations.
Hackers have already published a fake Visual Studio Code extension that impersonates the assistant under its former name, Moltbot.
The extension functioned as promised but carried a Trojan that deployed remote access software, layered with backup loaders disguised as legitimate updates.
This incident shows that even endpoints with official-looking software can be compromised and highlights the need for comprehensive endpoint protection.
The current ecosystem operates almost entirely on trust, and conventional protections such as firewalls or endpoint protection offer little defense against this type of threat.
Malware removal tools are largely ineffective when attacks rely on executing local commands through seemingly legitimate extensions.
Users sourcing skills from public repositories must exercise extreme caution and review each plugin as carefully as any other executable dependency.
Commands that require manual execution warrant additional scrutiny to prevent inadvertent exposure.
Users must remain vigilant, verify every skill or extension, and treat all AI tools with caution.
Via Tom's Hardware
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.