OpenClaw (formerly Moltbot and Clawdbot) announced that it is partnering with Google-owned VirusTotal to scan skills uploaded to ClawHub, a skills marketplace, as part of a broader effort to strengthen the security of its agent ecosystem.
“All skills published to ClawHub are now scanned using VirusTotal’s threat intelligence, including our new Code Insight feature,” said OpenClaw founders Peter Steinberger, Jamieson O’Reilly, and Bernardo Quintero. “This provides an additional layer of security for the OpenClaw community.”
This process essentially involves creating a unique SHA-256 hash for every skill and checking it against VirusTotal’s database for a match. If not found, the skill bundle is uploaded to a malware scanning tool and further analyzed using VirusTotal Code Insight.
Skills marked as “good” by Code Insight are automatically approved by ClawHub, while skills marked as questionable are flagged with a warning. Skills that are considered malicious will be blocked from download. OpenClaw also said that all active skills will be rescanned daily to detect scenarios where a previously clean skill becomes malicious.
However, OpenClaw maintainers also cautioned that VirusTotal scans are “not a silver bullet” and that some malicious skills using cleverly hidden prompt injection payloads could slip through.
In addition to the partnership with VirusTotal, the platform plans to publish a comprehensive threat model, public security roadmap, formal security reporting process, and details of security audits across its codebase.
The development comes in response to reports of hundreds of malicious skills found on ClawHub, prompting OpenClaw to add a reporting option that allows signed-in users to flag suspicious skills. Multiple analyzes have revealed that these skills disguise themselves as legitimate tools, but have malicious functionality inside to steal data, insert backdoors for remote access, or install stealer malware.
Cisco noted last week that “AI agents with access to systems can become a covert data exfiltration channel that bypasses traditional data loss prevention, proxies, and endpoint monitoring.” “Second, the model can also be an execution orchestrator; the prompt itself becomes an instruction that is difficult to capture using traditional security tools.”
The recent viral popularity of OpenClaw, an open source agent-based artificial intelligence (AI) assistant, and Moltbook, an adjacent social network where autonomous AI agents built on OpenClaw interact with each other on a Reddit-style platform, has raised security concerns.
OpenClaw acts as an automation engine that triggers workflows, interacts with online services, and operates across devices, but the access granted to the skill, coupled with the fact that it can process data from untrusted sources, can open the door to risks such as malware and prompt injection.
In other words, while useful, this integration significantly expands the attack surface, expands the set of untrusted inputs that the agent consumes, and turns the agent into an “agent Trojan horse” for data theft and other malicious actions. Backslash Security describes OpenClaw as “AI with hands.”
“Unlike traditional software that does what code tells it to do, AI agents interpret natural language and make decisions about actions,” OpenClaw said. “They blur the line between user intent and machine execution. They can be manipulated through language itself.”
OpenClaw also acknowledged that the powers wielded by skills used to extend the capabilities of AI agents, from controlling smart home devices to managing finances, could be exploited by malicious actors. An attacker could use access to the agent’s tools and data to steal sensitive information, execute malicious commands, send messages on behalf of the victim, or download and execute additional payloads without the victim’s knowledge.
Additionally, as OpenClaw is increasingly deployed on employee endpoints without formal IT or security approval, the elevated privileges of these agents can further enable shell access, data movement, and network connectivity outside of standard security controls, creating a new class of shadow AI risk for enterprises.
“OpenClaw and tools like it are going to appear in your organization whether you approve of them or not,” said Astrix Security researcher Tomer Yahalom. “Employees will install it because it’s really convenient. The only question is whether you know about it.”
Here are some of the obvious security issues that have surfaced in recent days.
An issue identified in a previous version where proxied traffic could be incorrectly classified as local, potentially bypassing authentication for some instances exposed to the internet, is now fixed. OX Security’s Moshe Siman Tov Bustan and Nir Zadok said, “OpenClaw stores credentials in clear text, uses insecure coding patterns that include direct evaluation of user input, and has no privacy policy or clear accountability.” “Common uninstallation methods leave behind sensitive data, and completely revoking access is much more difficult than most users realize.” Zero-click attacks exploit OpenClaw integrations to backdoor into victim endpoints and gain permanent control when seemingly innocuous documents are processed by an AI agent. The result is an indirect prompt injection payload that allows it to respond to messages from an attacker-controlled Telegram bot. An indirect prompt injection embedded in a web page, when parsed as part of an innocuous prompt asking the Large Language Model (LLM) to summarize the content of the page, causes OpenClaw to append a set of attacker-controlled instructions to the ~/.openclaw/workspace/HEARTBEAT.md file and silently await further commands from an external server. A security analysis of 3,984 skills on the ClawHub Marketplace found that 283 skills, representing approximately 7.1% of the entire registry, contain critical security flaws that expose sensitive credentials in clear text through the LLM context window and output logs. Bitdefender’s report revealed that malicious skills are often replicated and republished at scale using small name variations, and payloads are staged through paste services such as glot.io and public GitHub repositories. A one-click remote code execution vulnerability affecting OpenClaw could allow an attacker to trick a user into visiting a malicious web page, allowing the Gateway Control UI to leak an OpenClaw authentication token over a WebSocket channel, which could then be used to execute arbitrary commands on the host. OpenClaw’s gateway is bound to 0.0.0.0:18789 by default, exposing the full API to any network interface. According to Censys data, as of February 8, 2026, there are over 30,000 publicly accessible instances accessible over the internet, most of which require a token value to view and interact with them. In a hypothetical attack scenario, a prompt injection payload embedded within a specially crafted WhatsApp message could be used to extract “.env” and “creds.json” files that store credentials, API keys, and session tokens for connected messaging platforms from exposed OpenClaw instances. A misconfigured Supabase database belonging to Moltbook was left exposed in client-side JavaScript, giving free access to the private API keys of all agents registered on the site, giving it full read and write access to platform data. According to Wiz, the breach included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents. We found that threat actors were exploiting the mechanics of Moltbook’s platform to expand the scope of their attacks, including prompt injections to direct other agents to malicious threads and manipulate their behavior to extract sensitive data or steal cryptocurrencies. “Moltbook may have inadvertently created a laboratory where agents who could be high-value targets are constantly processing and engaging with untrusted data and where the platform has no guardrails in place, all by design,” Zenity Labs said.
“The first, and perhaps most egregious, problem is that OpenClaw relies on a set language model for many security-critical decisions,” HiddenLayer researchers Conor McCauley, Kasimir Schulz, Ryan Tracey, and Jason Martin pointed out. “Full system-wide access remains the default unless the user actively enables the sandboxing capabilities of OpenClaw’s Docker-based tools.”
Other architectural and design issues identified by the AI security firm include OpenClaw’s inability to filter untrusted content including control sequences, ineffective guardrails against indirect prompt injection, mutable memory and system prompts that persist into future chat sessions, plaintext storage of API keys and session tokens, and lack of explicit user approval before executing tool calls.
Persmiso Security argued in a report published last week that security in the OpenClaw ecosystem is far more important than in app stores or browser extension marketplaces because agents have extensive access to user data.
“AI agents capture credentials for your entire digital life,” security researcher Ian Earle said. “And unlike browser extensions, which run in a somewhat isolated sandbox, these agents operate with the full privileges granted to them by the user.”
“Skills marketplaces make this even worse. Installing a malicious browser extension means compromising one system. Installing a malicious agent skill can compromise all systems for which the agent has credentials.”
Due to a number of security issues related to OpenClaw, China’s Ministry of Industry and Information Technology has issued a warning about misconfigured instances and urged users to put safeguards in place to protect against cyber attacks and data breaches, Reuters reported.
“As agent platforms proliferate faster than security practices mature, misconfigurations become a prime attack surface,” Ensar Seker, CISO at SOCRadar, told The Hacker News via email. “The risk isn’t the agents themselves; it’s the autonomous tools being exposed to public networks without hardened identities, access controls, and execution boundaries.”
“What’s notable here is that Chinese regulators are explicitly calling out configuration risks, rather than banning this technology. This is consistent with what defenders already know: Agent frameworks amplify both productivity and reach. A single endpoint exposed or an overly permissive plugin can turn an AI agent into an unintended automation layer for attackers.”
Source link
