OpenClaw AI Exposed: Hundreds of Fake Crypto Skills Used to Spread Malware

Listen to this Post

Featured Image

Introduction

Open-source AI assistants are rapidly moving from experimental tools to everyday productivity companions. OpenClaw, formerly known as Moltbot and Clawdbot, rode this wave to viral popularity by promising powerful, locally run AI agents that could act directly on behalf of users. But new security research suggests that this convenience comes at a serious cost. Nearly 400 fake crypto trading add-ons hidden inside the OpenClaw ecosystem have been linked to information-stealing malware, exposing users to credential theft, financial loss, and silent system compromise.

A Viral AI Assistant With a Fragile Security Model

OpenClaw is designed as a local AI personal assistant that connects to large language models such as Anthropic’s Claude while operating directly on a user’s device. It integrates smoothly with common messaging platforms including WhatsApp, Telegram, Slack, Discord, Signal, and iMessage, allowing users to issue commands in familiar chat environments. This frictionless design helped the project gain momentum quickly after its launch in 2025.

The project’s rapid growth was accompanied by frequent rebranding. Originally launched as Clawdbot by developer Peter Steinberger, it became Moltbot after a naming dispute and was later renamed OpenClaw in early 2026. While the changes kept the project alive, they also created confusion among users and security professionals alike.

Agent Skills: Power Without Guardrails

At the center of OpenClaw’s appeal are “agent skills.” These are modular add-ons that extend the assistant’s abilities through scripts, instructions, and resource files. Skills can automate complex tasks, improve accuracy, and enable the agent to interact deeply with the operating system.

However, this same flexibility introduces risk. Skills can execute shell commands, access local files, and interact with installed applications. Without strict sandboxing or a strong review process, skills effectively inherit the user’s privileges, creating a powerful attack surface.

Early Warnings From Security Researchers

Concerns about OpenClaw’s security surfaced soon after its rise. Jamieson O’Reilly, founder of DVULN, demonstrated how exposed control servers and poorly vetted skills could be abused. In one proof-of-concept, he published a backdoored skill and artificially boosted its visibility, successfully enticing users to install it.

Separately, app development firm Infinum warned that OpenClaw’s deep system permissions made it inherently dangerous if misused. Their assessment emphasized that local AI agents operating without strong isolation blur the line between assistant and attacker.

386 Malicious Skills Discovered in the Wild

The most alarming findings come from vulnerability researcher Paul McCarty, known online as 6mile. In early February, McCarty published a detailed report revealing 386 malicious skills hosted on ClawHub, OpenClaw’s official skill repository.

These skills were disguised as cryptocurrency trading automation tools and targeted popular platforms such as ByBit, Polymarket, Axiom, Reddit, and LinkedIn. Once installed, they delivered information-stealing malware designed for both macOS and Windows systems.

Coordinated Infrastructure and Social Engineering

All identified malicious skills shared the same command-and-control server, indicating a coordinated campaign rather than isolated abuse. Instead of exploiting technical vulnerabilities, the attackers relied on social engineering. Users were instructed to manually run commands that appeared legitimate but ultimately installed malware.

The stolen data included crypto exchange API keys, wallet private keys, SSH credentials, and browser-stored passwords. One account, operating under the name hightower6eu, was responsible for a large portion of the uploads and accumulated nearly 7,000 downloads.

Limited Response and Ongoing Exposure

McCarty reported contacting the OpenClaw team multiple times. According to him, the project’s creator acknowledged the issue but indicated he was too busy to address it immediately. As of the latest update, most of the malicious skills remained available in the official repository, and the attacker infrastructure was still active.

The attack required no software exploit, only trust in third-party skills and the absence of a meaningful review process. This made the campaign both effective and difficult to stop.

Expert Warnings on Delegated Execution

AI security expert and Noma Security CISO Diana Kelley framed the issue as more than a plugin problem. She warned that endpoint-hosted AI agents transform traditional supply chain risks into something far more dangerous.

Unlike cloud tools, local agents act with user-level authority across files, credentials, and networks. When compromised, they become a form of delegated execution with delegated trust. Combined with OpenClaw’s rapid adoption and repeated rebranding, the conditions were ideal for impersonation, fake repositories, and typo-squatting attacks.

Five Practical Controls for Organizations

Security leaders are now being urged to respond pragmatically rather than reactively. Walter Haydock of StackAware outlined five steps CISOs can take to reduce risk while acknowledging that outright bans may drive shadow AI use.

These include deploying OpenClaw in physical or virtual sandboxes, limiting access to sensitive data until trust is established, allowlisting approved skills, and applying traditional open-source security practices such as code review and software composition analysis. The goal is to reduce blast radius rather than pretend the technology can be ignored.

What Undercode Say:

A Supply Chain Crisis Disguised as Innovation

The OpenClaw incident is not just another malware campaign; it is a warning shot for the future of agentic AI. What makes this case particularly dangerous is that no vulnerability was exploited in the traditional sense. The system worked exactly as designed. That is the problem.

Local AI agents collapse the distance between suggestion and action. When an assistant can read files, execute commands, and authenticate to services, the difference between “helpful automation” and “silent compromise” becomes razor-thin. In this environment, a malicious skill is not a plugin; it is an operator.

The lack of skill review and reputation scoring turned ClawHub into a malware distribution channel. The use of crypto branding was not accidental. Traders are conditioned to automate, optimize, and move fast, making them ideal high-value targets. The attackers understood both the technology and the psychology of their victims.

Rebranding turbulence further amplified the risk. Each name change diluted institutional memory and made it harder for users to track which repositories, domains, and skills were legitimate. This confusion is fertile ground for impersonation and trust abuse.

From an architectural perspective, OpenClaw exposes a core tension in AI adoption. Organizations want autonomy and speed, but autonomy without containment creates systemic risk. If AI agents are allowed to inherit user privileges, then security controls must be at least as rigorous as those applied to human administrators.

This incident also highlights a cultural gap. Many users still perceive AI assistants as smarter chatbots rather than active system actors. Until that mindset changes, similar attacks will continue to succeed without exploiting a single line of code.

Fact Checker Results

Verification of Core Claims

The discovery of 386 malicious OpenClaw skills is supported by independent researcher reporting ✅

Evidence of shared command-and-control infrastructure confirms coordinated activity ✅

Claims of unresolved repository exposure remain uncontradicted at publication time ❌

Prediction

Where This Trend Is Headed

AI agent marketplaces will become a prime target for financially motivated attackers 💰

Enterprises will push for stricter sandboxing and mandatory skill verification 🛡️

Delegated execution risks will drive new regulatory and architectural standards 📊

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.infosecurity-magazine.com
Extra Source Hub (Possible Sources for article):
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon