More than 230 malicious packages for the personal AI assistant OpenClaw (formerly known as Moltbot and ClawdBot) have been published in less than a week on the tool’s official registry and on GitHub.
Called skills, the packages pretend to be legitimate tools to deliver malware that steals sensitive data, like API keys, wallet private keys, SSH credentials, and browser passwords.
Originally named ClawdBot and switching to Moltbot and now OpenClaw in under a month, the project is a viral open-source AI assistant designed to run locally, with persistent memory and integrate with various resources (chat, email, local file system). Unless configured properly, the assistant introduces security risks.
Skills are readily deployable plug-ins for OpenClaw that extend its functionality or provide specific instructions for specialized activities.
However, security researcher Jamieson O’Reilly recently highlighted that there are hundreds of misconfigured OpenClaw admin interfaces exposed on the public web.
Between January 27th and February 1st, two sets collectively counting more than 230 malicious skills were published to ClawHub (the assistant's official registry) and GitHub.
The skills impersonate legitimate utilities such as cryptocurrency trading automation, financial utilities, and social media or content services, but in the background, they injected information-stealing malware payloads onto users’ systems.
A report from community security portal OpenSourceMalware says that an ongoing large-scale campaign is using skills to spread info-stealing malware to OpenClaw users.
Malicious skills linked to a single publisher
Source OpenSourceMalware
... continue reading