In less than a week, attackers published more than 230 malicious packages targeting the personal AI assistant OpenClaw (formerly known as Moltbot and ClawdBot) on the tool’s official registry and on GitHub.
Known as skills, these packages masquerade as legitimate tools while delivering malware that steals sensitive data such as API keys, wallet private keys, SSH credentials, and browser passwords.
Originally launched as ClawdBot before rebranding to Moltbot and then OpenClaw in under a month, the project rapidly gained traction as a viral open-source AI assistant. The tool runs locally, maintains persistent memory, and integrates with multiple resources, including chat, email, and the local file system. However, unless users configure it carefully, the assistant introduces significant security risks.
Skills and Exposed Attack Surfaces
Skills function as readily deployable plug-ins that extend OpenClaw’s capabilities or provide instructions for specialized tasks.
However, security researcher Jamieson O’Reilly recently warned that hundreds of OpenClaw admin interfaces remain misconfigured and exposed on the public internet.
Between January 27th and February 1st, attackers uploaded two separate sets totaling more than 230 malicious skills to ClawHub—the assistant’s official registry—and to GitHub.
The skills impersonate legitimate utilities, including cryptocurrency trading automation tools, financial utilities, and social media or content services. In reality, they silently inject information-stealing malware payloads into users’ systems.
According to a report from the community security portal OpenSourceMalware, an ongoing large-scale campaign actively uses malicious skills to distribute info-stealing malware to OpenClaw users.
Malicious skills linked to a single publisher
Source OpenSourceMalware
Most of the skills consist of near-identical clones with randomized names, although some gained popularity and reached thousands of downloads.
Each malicious skill includes extensive documentation designed to appear legitimate. The documentation repeatedly references a separate tool called ‘AuthTool,’ which it presents as a critical requirement for proper execution.
The infection triggers when victims follow the provided instructions, mirroring the behavior of a ClickFix-style attack.
Instructions in malicious skill documentation
Source: OpenSourceMalware
How AuthTool Delivers Malware
In reality, AuthTool operates as a malware delivery mechanism. On macOS, it appears as a base64-encoded shell command that downloads a payload from an external address. Windows, it downloads and executes a password-protected ZIP archive.
On macOS systems, the dropped malware takes the form of a NovaStealer variant. The malware bypasses Gatekeeper by using the ‘xattr -c’ command to remove quarantine attributes, then requests broad file system read access and communication privileges with system services.
The stealer actively targets cryptocurrency exchange API keys, wallet files and seed phrases, browser wallet extensions, macOS Keychain data, browser passwords, SSH keys, cloud credentials, Git credentials, and ‘.env’ files.
Additional Findings and Defensive Measures
In a separate investigation, Koi Security identified 341 malicious skills on ClawHub after scanning the platform’s entire repository of 2,857 entries. Analysts attributed all of them to a single coordinated campaign.
Beyond the tools Highlighted in the OpenSourceMalware report, Koi also Uncovered 29 ClawHub Typosquats designed to exploit common Misspellings.
To help users Mitigate risk, Koi Security released a free online scanner that allows users to paste a skill’s URL and receive a safety assessment.
OpenClaw skills scanner
Source: Koi Security
Responding to OpenSourceMalware on X, OpenClaw creator Peter Steinberger Acknowledged that the platform currently lacks the capacity to review the massive volume of Incoming skill Submissions. As a result, he Emphasized that users must Independently verify the safety of skills before Deployment.
Users should also recognize OpenClaw’s deep System-level access. Experts recommend a Multi-layered security approach, including Isolating the assistant inside a virtual machine, Restricting its permissions, and Securing remote access through measures such as port restrictions and traffic Blocking.
Source: BleepingComputer, Bill Toulas
Read more at Impreza News
