Malware Found in Top Downloaded OpenClaw Skill on ClawHub

Malware Discovered in Top Downloaded OpenClaw Skill on ClawHub

A recent security audit of ClawHub, a marketplace for OpenClaw skills, has uncovered a significant security risk: malware embedded in the top downloaded skill. This discovery highlights the vulnerabilities associated with AI agent ecosystems and skill registries.

OpenClaw, a self-hosted AI assistant, relies on skills to extend its functionality. These skills are essentially markdown files that contain instructions for the AI to perform specific tasks. However, the flexibility of this format has been exploited by malicious actors.

The Problem with Skills

Skills in OpenClaw are often just markdown files that include links, copy-and-paste commands, and tool call recipes. This simplicity is also a vulnerability, as markdown can be used to disguise malicious instructions.

• Skills can include links that appear legitimate but lead to malicious infrastructure.
• Copy-and-paste commands can be used to execute malicious code.
• Tool call recipes can be designed to bypass security measures.

The Model Context Protocol (MCP) layer, which is intended to provide a structured interface for tool exposure with explicit user consent, does not guarantee safety. Skills can operate outside of MCP, using social engineering tactics to trick users into executing malicious code.

Malware Discovery

Researchers found that the top downloaded skill on ClawHub, a "Twitter" skill, contained malware. The skill's instructions included links that appeared to be normal documentation pointers but actually led to malicious infrastructure.

The malware was designed to steal sensitive information, including:

• Browser sessions and cookies
• Saved credentials and autofill data
• Developer tokens and API keys
• SSH keys
• Cloud credentials

The malware was identified as macOS infostealing malware, specifically a variant of Atomic Stealer (AMOS) and NovaStealer.

Scale of the Problem

The discovery was not an isolated incident. Researchers found hundreds of malicious skills on ClawHub, with some reports indicating over 386 malicious skills. These skills were designed to masquerade as legitimate tools, such as cryptocurrency trading automation and social media utilities.

The malicious skills were found to be part of a coordinated campaign, with many sharing the same command-and-control infrastructure. The attackers used sophisticated social engineering tactics to convince users to execute malicious commands.

Implications and Recommendations

The discovery highlights the need for increased security measures in AI agent ecosystems and skill registries. Users should be cautious when installing skills, especially those that require the execution of commands or installation of prerequisites.

To mitigate the risk, users should:

• Avoid running OpenClaw on company devices.
• Treat any device that has run OpenClaw as a potential incident and engage security teams.
• Use isolated machines with no corporate access for experimentation.

Skill registry operators should:

• Implement scanning for malicious content.
• Add provenance and publisher reputation checks.
• Put warnings and friction on external links and install steps.

Developers of agent frameworks should:

• Default-deny shell execution.
• Sandbox access to sensitive resources.
• Use specific, time-bound, and revocable permissions.

Conclusion

The discovery of malware in OpenClaw skills on ClawHub serves as a warning about the security risks associated with AI agent ecosystems. As these ecosystems continue to evolve, it is essential to develop robust security measures to protect users and prevent the exploitation of vulnerabilities.