OpenClaw under attack 230 malicious skills threaten your credentials from a local assistant

In less than a week, researchers found that more than two hundred and thirty malicious extensions - known in OpenClaw as "skills" - were published in both the official record of the assistant and in GitHub public repositories. These software parts were presented as legitimate utilities: cryptomoneda trading bots, financial tools, social network supplements or content managers, but contained instructions that led to the malware installation designed to steal sensitive data.

OpenClaw, the personal open source assistant who in recent weeks changed his name several times (ClawdBot, Moltbot and now OpenClaw), is designed to run locally and can integrate chat, mail and the computer's file system with persistent memory. That capacity for deep access is precisely what makes "skills" a double-edged weapon: added without caution, they can become direct vectors to credentials and private keys. The project is available in its official repository at GitHub, and the platform documents how extensions work in your guide to skills.

The campaign detected between January 27 and February 1 consisted of two waves that together had more than 230 malicious skills published in ClawHub (the assistant's record) and public repositories. Community analysts who track open source malware describe that many of these packages are practically identical clones with random names; however, some came to accumulate hundreds or thousands of downloads before being reported. A public analysis of the phenomenon can be found in the OpenSourceMalware report, which documents how these skills were aimed at spreading information theft among OpenLaw users: OpenSourceMalware - Clawdbot skills.

The deception is run with social simplicity: each skill included extensive and convincing documentation that instructed the user to install a component named as "AuthTool", presented as a critical requirement for the skill to function properly. However, that dependence was only the front door to download a malicious charger. In macOS the mechanism was disguised as a command line encoded in base64 that downloads a payload from an external URL; on Windows the instruction brought a password-protected ZIP that, when it was uncompressed and executed, deployed malware.

The researchers who analyzed the binaries identified in macOS a variant of the known info-stealer NovaStealer. The malware was trying to avoid Apple's protections using commands to remove quarantine attributes (for example, byxattr -c) and requested permission to read large areas of the disk and to communicate with system services. Among the objectives of the thief were cryptomoneda exchanger API keys, purse files and seed phrases, wallet extensions in browsers, macOS key-key data (Keychain), passwords stored in browsers, SSH keys, cloud credentials, Git credentials and .env files with secrets. The technical detail of the behavior and the tracked samples is collected in the OpenSourceMalware report mentioned above.

An independent Koi Security study expanded the X-ray: after scanning the entire ClawHub repository (about 2,857 entries), analysts found 341 skills with malicious behavior attributed to a single campaign and also detected 29 typosquats designed to exploit typographic errors in the name of the registry. Koi posted an analysis on his blog and made available a free tool for anyone to hit the URL of a skill and get a safety report: Koi Security - ClawHavoc and the scanner in Clawdex - scanner.

The tactic is similar to what is known as "ClickFix" type attacks: the user trusts the extension documentation and copy / paste commands or runs installers that, in appearance, are steps necessary for the skill to work. In this context, the expert recommendation is clear: do not run commands that are not understood, or install external tools without auditioning the code. OpenClaw developer Peter Steinberger publicly recognized in his X account that he currently cannot manually review the huge flow of skillings that the platform receives, and therefore invited the community to verify the safety of the extensions before use; his profile is available on https: / / x.com / steipete.

Since an assistant with local access can read files, interact with services and connect to the Internet, security measures should be applied in layers. It is recommended to run OpenClaw in confined environments, such as virtual machines or containers, limit your permissions to the minimum necessary, and control network access (block outgoing traffic not necessary, close ports and avoid direct exposure of the Internet administration panel). In addition, it is appropriate to manually inspect the source code of the skills before relying on an extension and use public analysis tools to verify URLs or suspicious packages.

Recent findings are a reminder that, although local IA software offers privacy and performance advantages, it also magnifies potential damage when extensions are not subject to security controls. The combination of confidence by default in third party packages and the ability of the assistant to run instructions in the system is precisely what the attackers exploit. and therefore the prudence and separation of environments are no longer only good practices, but also requirements for safe operation.

If you use OpenClaw or experiment with similar local assistants, check the skills with skepticism, check their provenance, pass them through public scanners like Koi's and avoid running copied command lines of unverified documentation. Keeping backup, rotated credentials and restrictive access policies reduces the impact if something goes wrong. For more context and technical reports on the campaign, review the linked analyses of OpenSourceMalware and Koi Security: OpenSourceMalware and Koi Security.