- OpenClaw skills are executed locally, giving attackers direct access to sensitive files
- Malicious crypto-themed skills rely on social engineering to trick unsuspecting users
- Users running unverified commands increase exposure to ransomware and malicious scripts
OpenClaw, formerly known as Clawdbot and Moltbot, is an AI assistant designed to perform tasks on behalf of users.
Agent-style AI tools such as OpenClaw are increasingly popular for automating workflows and interacting with local systems, enabling users to run commands, access files and manage processes more efficiently.
This deep integration with the operating system, while powerful, also introduces security risks as it relies on trusting user-installed extensions or skills.
OpenClaw’s ecosystem allows third-party skills to extend functionality, but these skills are not sandboxed. They are executable code that interacts directly with local files and network resources.
Recent reports show a growing concern: Attackers uploaded at least 14 malicious skills to ClawHub, the public registry for OpenClaw extensions, in a short period of time.
These extensions posed as cryptocurrency trading or wallet management tools while attempting to install malware.
Both Windows and macOS systems were affected, with attackers relying heavily on social engineering.
Users were often prompted to run obfuscated terminal commands during installation, which fetched remote scripts that collected sensitive data, including browsing history and crypto wallet contents.
In some cases, skills appeared briefly on ClawHub’s front page, increasing the likelihood of accidental installation by casual users.
OpenClaw’s recent name changes have added confusion to the ecosystem. Within days Clawdbot became Moltbot and then OpenClaw.
Each name change creates opportunities for attackers to convincingly impersonate the software, whether through fake extensions, skills, or other integrations.
Hackers have already published a fake Visual Studio Code extension that mimics the assistant under its former name, Moltbot.
The extension worked as promised, but had a Trojan that deployed remote access software, layered with backup loaders disguised as legitimate updates.
This incident shows that even endpoints with official-looking software can be compromised and highlights the need for comprehensive endpoint protection.
The current ecosystem operates almost entirely on trust, and conventional protections such as firewalls or endpoint protection offer little defense against these types of threats.
Malware removal tools are largely ineffective when attacks rely on executing local commands through seemingly legitimate extensions.
Users downloading skills from public repositories should exercise extreme caution and review each plugin as carefully as any other executable dependency.
Commands that require manual execution warrant further investigation to prevent inadvertent exposure.
Users should remain vigilant, verify all skills or extensions, and treat all AI tools with caution.
Via Tom’s hardware
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
