Hundreds of malicious skills designed to deliver trojans, infostealers, and backdoors disguised as legitimate automation tools.
VirusTotal has uncovered a significant malware distribution campaign targeting OpenClaw, a rapidly growing personal AI agent ecosystem.
OpenClaw, previously known as Clawdbot and briefly as Moltbot, is a self-hosted AI agent that executes real system actions, including shell commands, file operations, and network requests.
OpenClaw Skill Abuse Campaign
The platform extends functionality through skills, small packages built around SKILL.md files that users discover and install from ClawHub, the public marketplace for OpenClaw extensions.
While this architecture enables powerful automation capabilities, it creates a dangerous attack surface.
Skills run as third-party code with complete system access, often requiring users to paste commands into terminals, download binaries, or execute scripts during setup.
Threat actors are exploiting this trust model to distribute malware through seemingly helpful tools.
VirusTotal Code Insight has analyzed over 3,016 OpenClaw skills, and hundreds of them exhibit malicious characteristics.
The analysis, powered by Gemini 3 Flash, examines security behaviors such as external code execution, sensitive data access, and unsafe network operations, rather than relying solely on traditional antivirus signatures.
Security researchers identified two distinct threat categories: skills that contain poor security practices, such as insecure APIs, hardcoded secrets, and unsafe command execution.
Intentionally malicious skills designed for data exfiltration, remote control, and malware installation.
Prolific Malware Publisher
A particularly concerning case involves ClawHub user “hightower6eu,” who published 314 malicious skills covering crypto analytics, finance tracking, and social media analysis.
Each skill instructs users to download and execute external code from untrusted sources during setup. One example, a “Yahoo Finance” skill, appeared clean to traditional antivirus engines.
However, VirusTotal Code Insight identified instructions directing Windows users to download a password-protected ZIP file containing openclaw-agent.exe, which multiple vendors have detected as a packed trojan.
For macOS users, the skill pointed to a Base64-obfuscated shell script on glot.io. That downloaded and executed a Mach-O binary identified as Atomic Stealer (AMOS), an infostealer targeting passwords, browser credentials, and cryptocurrency wallets.
Organizations and users should treat skill folders as trusted-code boundaries, implement sandboxed execution, and avoid skills that require shell commands or binary downloads.
Marketplace operators should implement publish-time scanning to flag remote execution and obfuscated scripts.
VirusTotal is exploring integration with OpenClaw’s publishing workflow to provide automated security analysis during skill submission.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
