Malicious AI ‘skills’ infiltrate OpenClaw marketplace to harvest keys and passwords

OpenClaw is gaining traction as a robust, local open-source AI agent designed to fully automate a user’s digital workflow. Unlike standard cloud-based chatbots, it operates directly on the user’s machine, handling sensitive tasks in the background from monitoring emails and organizing local files to interacting with crypto exchange APIs and development environments. To expand its capabilities, users rely on ClawHub, a “skills” marketplace that allows the agent to interface with specific third-party services.

However, this architecture which grants the agent deep system permissions has become the platform’s “Achilles’ heel.” According to a deep-dive investigation by Awesome Agents, ClawHub recently became a staging ground for a coordinated campaign to harvest user credentials. Researchers identified 1,184 malicious packages uploaded by just 12 accounts. The sheer scale is unprecedented: a single bad actor managed to publish 677 infected AI skills before the security community flagged the activity.

The platform’s security metrics paint a grim picture. Awesome Agents reports that approximately 36.8% of all available skills in the catalog contain at least one vulnerability. This poses a severe risk to the broader ecosystem, considering there are currently over 135,000 active OpenClaw instances across 82 countries. Most alarming was the discovery of a top-rated skill with an artificially inflated popularity score that harbored nine distinct vulnerabilities, several of which were classified as critical.

On the technical side, the attack leveraged the inherent trust users place in their AI agents. The malware was often camouflaged as harmless tools for crypto trading or system optimization. During the “configuration” phase, these skills would prompt users to execute terminal commands that secretly deployed infostealers. For macOS systems, the campaign favored Atomic Stealer, while Windows users were targeted with encrypted archives designed to bypass standard heuristic antivirus scans.

The primary objective was the wholesale theft of sensitive data. The malicious packages automatically scraped devices for SSH keys, cryptocurrency wallet configs, and saved browser passwords. Furthermore, 91% of the flagged packages utilized “prompt injection” techniques. By embedding hidden instructions into the LLM’s queries, the attackers could force the agent to bypass its own safety protocols and transmit exfiltrated data to remote command-and-control (C2) servers.

Cybersecurity experts are urging all OpenClaw users to perform an immediate audit of their installed extensions. The recommendation is to purge any skills downloaded from ClawHub in recent months, rotate all passwords, and reissue SSH keys and API tokens. This incident underscores a fundamental challenge in the evolution of AI agents: without rigorous code signing, sandboxing, and manual moderation, these high-access tools remain a “holy grail” for modern hackers seeking a direct path into a user’s local system.