- OpenClaw skills run locally, giving attackers direct access to sensitive files
- Crypto-Themed Malicious Skills Rely on Social Engineering to Deceive Unsuspecting Users
- Users running unverified commands increase their exposure to ransomware and malicious scripts
OpenClaw, formerly known as Clawdbot and Moltbot, is an AI assistant designed to perform tasks on behalf of users.
Agent-based AI tools such as OpenClaw are increasingly popular for automating workflows and interacting with local systems, allowing users to execute commands, access files, and manage processes more efficiently.
This deep integration with the operating system, while powerful, also introduces security risks because it relies on trust in user-installed extensions or skills.
The OpenClaw ecosystem allows third-party skills to extend functionality, but these skills are not sandboxed. This is executable code that interacts directly with local files and network resources.
Recent reports indicate a growing concern: attackers have uploaded at least 14 malicious skills to ClawHub, the public registry for OpenClaw extensions, in a short period of time.
These extensions presented themselves as cryptocurrency trading or portfolio management tools while attempting to install malware.
Windows and macOS systems were affected, with attackers relying heavily on social engineering.
Users were often prompted to run obfuscated terminal commands during installation, which fetched remote scripts harvesting sensitive data including browser history and crypto wallet contents.
In some cases, skills appeared briefly on the first page of ClawHub, increasing the risk of accidental installation by casual users.
OpenClaw’s recent name changes have added confusion to the ecosystem. In a few days, Clawdbot became Moltbot then OpenClaw.
Each name change creates opportunities for attackers to convincingly impersonate the software, whether through fake extensions, skills, or other integrations.
Hackers have already released a fake Visual Studio Code extension that masquerades as the assistant under its former name, Moltbot.
The extension worked as promised, but contained a Trojan that deployed remote access software, coupled with backup loaders disguised as legitimate updates.
This incident shows that even endpoints with official-looking software can be compromised and highlights the need for comprehensive endpoint protection.
The current ecosystem runs almost entirely on trust, and conventional protections such as firewalls or endpoint protection offer little defense against this type of threat.
Malware removal tools are largely ineffective when attacks rely on local command execution via seemingly legitimate extensions.
Users seeking skills from public repositories should exercise extreme caution and review each plugin as carefully as any other executable dependency.
Orders that require manual execution require further review to avoid inadvertent exposure.
Users should remain vigilant, check each skill or extension, and treat all AI tools with caution.
Via Tom’s material
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
