341 Malicious Skills, 3 CVEs, and a Government Warning: The State of OpenClaw Security

OpenClaw is one of the most exciting open-source projects in years. Over 150,000 GitHub stars, 20,000+ forks, and a community building everything from trading bots to executive assistants. China's industry ministry issued a formal warning about it. That's the kind of attention usually reserved for nation-state tools, not personal AI assistants.

But the security picture is ugly. Not because OpenClaw is badly built. Because it's powerful software running with default configurations that assume you know what you're doing. Most people don't.

This post rounds up what the major security firms are actually saying, what incidents have already happened, and what we do differently at ClawTrust.

The Numbers

In February 2026 alone:

• 341 malicious skills found on ClawHub by Snyk researchers. 335 of them from a single coordinated campaign. (The Hacker News)
• 17% of all third-party skills analyzed by Bitdefender contained malicious code. (Hackread)
• 283 skills (7.1% of the registry) expose sensitive credentials including API keys, passwords, and credit card numbers in plaintext. (The Register)
• CVE-2026-25253 (CVSS 8.8): one-click remote code execution via a malicious WebSocket link. Patched in v2026.1.29.
• 3 high-impact CVEs disclosed in 3 days: one RCE and two command injection vulnerabilities.
• 42,665 publicly accessible instances found by security researchers scanning the internet. Most running default configurations with no authentication. (CNBC)
• 3,016+ skills scanned by VirusTotal after OpenClaw partnered with Google's threat intelligence platform. Hundreds flagged as malicious, including variants of the Atomic Stealer infostealer family. (VirusTotal Blog)

These aren't theoretical risks. Researchers confirmed that malicious actors on underground forums are actively discussing deploying OpenClaw skills for botnet operations. (Trend Micro)

What Cisco Found

Cisco's security team published a detailed analysis titled "Personal AI Agents Like OpenClaw Are a Security Nightmare". Their findings:

• Silent data exfiltration: Malicious skills can execute curl commands that transmit user data to external servers without any notification. The "What Would Elon Do?" skill was caught actively stealing data through orchestrated network calls.
• Prompt injection bypass: Skills can force the assistant to ignore its own safety guidelines. Code that "instructs the bot to execute...without asking" was found in published skills.
• Command injection: Embedded bash commands within skill files execute through workflow processes, allowing arbitrary system command execution on the host machine.
• Credential leakage: API keys and passwords were found in plaintext, accessible via prompt injection or unsecured endpoints.

The core problem, as Cisco put it: granting AI agents "high-level privileges enables it to do harmful things if misconfigured." They released an open-source Skill Scanner tool combining static analysis, behavioral analysis, semantic LLM inspection, and VirusTotal scanning.

What CrowdStrike Found

CrowdStrike's analysis went further, framing the risk in terms enterprise security teams understand: breach enablement.

Their key insight is that prompt injection against an autonomous agent isn't just a content manipulation problem. It's a full-scale breach vector. A compromised agent continues executing attacker objectives across your infrastructure, using the agent's legitimate API and database access as an operational foothold.

CrowdStrike's Falcon platform found publicly exposed OpenClaw instances accessible over unencrypted HTTP. Their Adversary Intelligence team documented wallet-drain injection attempts on Moltbook, the AI-only social network built on OpenClaw.

Their recommendation: implement runtime guardrails now, before "prompt injection becomes their PrintNightmare moment."

What Trend Micro Found

Trend Micro's research focused on the architectural risks inherent to agentic AI systems, using OpenClaw as the case study. (Full report)

Their biggest concern: persistent memory. OpenClaw retains long-term context, user preferences, and interaction history. That memory "could allow this information to be shared with other agents, including malicious ones." Combined with broad ecosystem access, a compromised agent becomes a data exfiltration pipeline.

Unlike ChatGPT Agent, OpenClaw operates without mandatory human-in-the-loop approval. Users can grant full autonomous access to critical functions (including financial transactions) without individual action confirmations. That's powerful for productivity. It's terrifying for security.

The Supply Chain Problem

The ClawHub marketplace is open by default. Anyone with a GitHub account older than one week can publish skills. There's no review process, no code signing, no sandboxing of skill execution.

The Register's reporting found a particularly alarming example: the buy-anything skill (v2.0.0) instructs agents to collect credit card details for purchases. When the LLM tokenizes card numbers, they're sent to model providers like OpenAI or Anthropic. Subsequent prompts can extract these details from logs.

Zenity's research demonstrated a complete attack chain: a malicious payload delivered through a trusted integration (Google Workspace, Slack, email) directs OpenClaw to create a new integration with an attacker-controlled Telegram bot. The attacker then issues commands through the bot to exfiltrate files, steal content, or deploy ransomware.

VirusTotal Gets Involved

The supply chain problem got serious enough that Google's own threat intelligence arm stepped in. In February 2026, OpenClaw announced a partnership with VirusTotal to implement automated security scanning for all skills published to ClawHub.

VirusTotal's analysis of 3,016+ OpenClaw skills confirmed what Snyk and Cisco had already reported, but with more detail. They found skills distributing droppers, backdoors, infostealers, and remote access tools disguised as helpful automation. The Atomic Stealer malware family was found in published skills, guiding users into downloading and running attacker-controlled binaries.

VirusTotal uses Gemini 3 Flash to perform security analysis of each skill: checking whether it downloads external code, accesses sensitive data, performs suspicious network operations, or embeds instructions that could coerce the agent into unsafe behavior.

Their follow-up report went further, documenting reverse shells, semantic worms (malicious prompts that self-replicate through agent-to-agent communication), and what they call "cognitive rootkits": hidden instructions embedded in skill files that persistently alter the agent's behavior without the user's knowledge.

The VirusTotal partnership is a positive step. But it is reactive scanning of an open marketplace. Skills are scanned after publication, not before. A malicious skill can be live for hours or days before detection.

The Top Downloaded Skill Was Malware

In February 2026, security researchers revealed that the most popular third-party skill on ClawHub, a "Twitter" integration with thousands of downloads, was a five-stage malware delivery vehicle.

The attack chain worked like this:

1. Fake dependency. The skill listed "openclaw-core" as a required npm package. That package does not exist in the official OpenClaw project. Installing it ran a malicious postinstall script.
2. Staging page. The postinstall script fetched a payload from an attacker-controlled domain disguised as a documentation page.
3. Obfuscated payload. The fetched code was heavily obfuscated JavaScript that decoded at runtime, evading static analysis tools.
4. Second-stage script. The decoded payload downloaded a platform-specific binary (macOS, Linux, or Windows) from a separate command-and-control server.
5. Gatekeeper bypass. On macOS, the binary used xattr -d com.apple.quarantine to strip the quarantine attribute, bypassing Apple's Gatekeeper security entirely. The binary then established persistence and began exfiltrating browser cookies, saved passwords, and cryptocurrency wallet data.

This was not an obscure skill buried in the marketplace. It was the top downloaded third-party skill on ClawHub. Every user who installed it handed their machine to the attacker.

The Prediction That's Already Coming True

Developer Daniel Lockyer summarized the situation in a post that went viral: "I estimate we're only a couple of weeks from an extremely serious security issue within a company, resulting from using one of these AI assistants. They're being given full access to secrets and tooling, and now we find they're accessible to the public internet."

He's likely right. When a company's engineer installs a malicious skill, the blast radius extends to every secret, every credential, and every system that developer's machine can access. The agent operates with the same permissions as its user. There is no containment.

The Legal Liability Gap

There is another dimension to this risk that most coverage ignores: legal exposure. As Vision Times reported, AI agents like OpenClaw lack legal personhood. When an agent makes a purchase, sends a message, or executes a transaction, the liability falls entirely on the human operator.

User agreements for most AI platforms explicitly shift responsibility to the user. If your agent sends an unauthorized email, leaks customer data through a compromised skill, or makes a financial commitment you didn't authorize, you bear the legal consequences. The agent can't be sued. You can.

This is not a theoretical concern. OpenClaw agents can send emails, make API calls, execute code, and interact with external services autonomously. Without proper controls, a single compromised skill can create legal liability that extends far beyond the cost of the software itself.

The Shadow IT Problem

There is a risk that exists outside of vulnerabilities and malicious skills entirely: your employees are probably already running OpenClaw on their work machines.

VentureBeat reported that the "OpenClaw moment" has created a shadow IT crisis across enterprises. Pukar Hamal, CEO of enterprise AI security firm SecurityPal, warned: "There are companies finding engineers who have given OpenClaw access to their devices." With over 160,000 GitHub stars, employees are deploying local agents through the back door, often with full user-level permissions on work machines containing production credentials, customer data, and proprietary code.

This is not a hypothetical concern. It is happening now, across "almost every organization" according to SecurityPal. And unlike traditional shadow IT (unauthorized SaaS tools), an OpenClaw agent with root-level access on a developer's laptop has the same permissions as the developer. Every SSH key, every database connection string, every API token on that machine is accessible to the agent and, by extension, to any compromised skill the agent loads.

What We Do Differently

ClawTrust exists because we saw this coming. Every security incident above maps to a specific architectural decision we made before launch.

1. Zero Public Ports

Every ClawTrust agent runs on a dedicated VPS with no public ports. Not 443, not 22, not anything. The server is invisible to port scanners. Researchers found 42,665 publicly accessible OpenClaw instances, many over unencrypted HTTP. That can't happen on ClawTrust because there's nothing to expose.

All communication runs through a private WireGuard mesh network. Your agent talks to our control plane through an encrypted tunnel. No attack surface exists on the public internet.

2. No ClawHub Skills

We don't pull skills from ClawHub's open marketplace. We vet and pre-load a curated set of skills that have been audited for the exact vulnerabilities Cisco and Snyk documented: silent execution, prompt injection, credential leakage, and embedded command injection.

3. Full Tool Sandboxing

Every tool call runs inside a Docker sandbox with read-only root filesystem, dropped capabilities, PID limits, and network isolation. The agent process has no direct access to the host. Workspace access is set to "none." This is the configuration that Cisco's Skill Scanner recommends, but most self-hosters never implement.

4. Credential Isolation

OAuth tokens and API keys for third-party services never touch your agent's VPS. We use a credential broker (Composio) that handles authentication on the agent's behalf. The agent gets scoped, temporary access tokens. The underlying credentials stay in our control plane, encrypted at rest with AES-256-GCM.

This directly addresses the Snyk finding about skills leaking credentials through LLM context windows. If the credential never reaches the agent, it can't leak.

5. Budget Controls

Every agent has a hard spending cap on AI model usage. When the budget runs out, the agent pauses. You get notified before hitting the limit. You can top up or wait for the next billing cycle. You will never wake up to a surprise bill.

6. Fleet-Wide Patching

When CVE-2026-25253 dropped, self-hosters had to find out about it, download the patch, test it, and deploy it. We push security updates across our entire fleet automatically. Every ClawTrust agent runs the latest hardened configuration within hours of a patch, not days or weeks.

What We're Not Saying

OpenClaw is not inherently insecure. It's powerful open-source software that gives you full control, and that control includes responsibility. The project maintainers are responsive and improving the security posture with every release.

What we are saying is that when Cisco, CrowdStrike, Trend Micro, VirusTotal, and a national government all flag the same software in the same month, when the most popular third-party skill turns out to be malware, and when developers publicly predict imminent corporate breaches, the security bar is higher than "read the docs and hope you didn't miss anything."

We built ClawTrust so you can use OpenClaw's capabilities without inheriting its attack surface.