Security researchers are warning that the growing ecosystem around ‘OpenClaw,' the self-hosted AI assistant formerly known as both Clawdbot and Moltbot, has already become a target for malware distribution. According to a report published by OpenSourceMalware, at least 14 malicious “skills” were uploaded to ClawHub between January 27 and 29. These masquerade as crypto trading or wallet automation tools while attempting to deliver malware to users’ systems.
The affected skills were hosted on ClawHub, a public registry designed to make it easy for OpenClaw users to find and install third-party extensions. Skills in this ecosystem are not sandboxed scripts but folders of executable code that can interact directly with the local file system and access network resources once installed and enabled.
OpenSourceMalware says that the malicious skills it analyzed targeted both Windows and macOS users, and relied on social engineering to spread. In several cases, users were instructed to copy and paste obfuscated terminal commands as part of the “setup” process, which fetched and executed remote scripts. This is a common technique used by threat actors to harvest browser data and cryptocurrency wallet information.
One of the flagged skills appeared on the front page of ClawHub before being removed, dramatically increasing the likelihood of accidental installs. A user who encountered the listing described being prompted to run a single-line command that pulled code from an external server — that would raise immediate red flags among more experienced developers, but could quite easily trick the unsuspecting casual user.
Unfortunately, we can expect to see more of this with agent-style AI tooling on the rise. OpenClaw's appeal is its ability to act on a user’s behalf, changing together things like file access and command execution to simplify workloads. That same capability can also create vulnerabilities when third-party code is introduced; OpenClaw's security documentation warns that skills and plugins should be treated as trusted code, and that installing them is equivalent to granting local execution privileges.
This isn’t the first attempt to piggyback on OpenClaw's sudden popularity. Just a few days ago, security researchers also documented a fake Visual Studio Code extension impersonating the assistant, which was able to deliver a remote access payload before it was taken down. The project’s recent renaming from Clawdbot to Moltbot following a trademark dispute — and then again from Moltbot to OpenClaw in just a matter of days — has further complicated matters by creating multiple names that attackers can impersonate in their social engineering attempts.
Until stronger moderation or verification arrives, OpenClaw's skills ecosystem effectively operates on trust. Anybody sourcing skills from public registries should be careful to review them with the same level of scrutiny as any other executable dependency, with instructions requiring manual command execution warranting extra care.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.
