OpenClaw (formerly Moltbot and Clawbot) has announced that it is partnering with Google-owned VirusTotal to scan skills being uploaded to its skills marketplace, ClawHub, as part of broader efforts to strengthen the security of the agentic ecosystem.
“All skills published on ClawHub are now scanned using VirusTotal’s threat intelligence, including their new Code Insight capability,” said OpenClaw founders Peter Steinberger, Jameson O’Reilly and Bernardo Quintero. “This provides an additional layer of security for the OpenClaw community.”
The process essentially involves computing a unique SHA-256 hash for each skill and cross-checking it against VirusTotal’s database for a match. If it is not found, the skill bundle is uploaded for further analysis using VirusTotal Code Insight.
Skills that receive a “benign” Code Insight verdict are automatically approved by ClawHub, while skills marked as suspicious are listed with a warning. Any skill that is deemed malicious is blocked from being downloaded. OpenClaw also said that all active skills are re-scanned on a daily basis to catch cases where a previously clean skill later turns out to be malicious.
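The triage flow described above (hash the bundle, look the hash up, fall back to deeper analysis, map the verdict to an action, re-scan daily) as an added Python sketch; this is not OpenClaw’s or VirusTotal’s code, and the hash database and the Code Insight analysis are stand-ins supplied by the caller.

```python
import hashlib
from enum import Enum
from typing import Callable, Dict

class Verdict(Enum):
    BENIGN = "benign"
    SUSPICIOUS = "suspicious"
    MALICIOUS = "malicious"

class Action(Enum):
    APPROVE = "approve"   # benign: listed without restriction
    WARN = "warn"         # suspicious: listed with a warning
    BLOCK = "block"       # malicious: download refused

ACTION_FOR = {Verdict.BENIGN: Action.APPROVE, Verdict.SUSPICIOUS: Action.WARN, Verdict.MALICIOUS: Action.BLOCK}

def bundle_digest(files: Dict[str, bytes]) -> str:
    """SHA-256 over the whole bundle; sorted, length-prefixed entries make it order-independent."""
    h = hashlib.sha256()
    for path in sorted(files):
        data = files[path]
        h.update(len(path).to_bytes(4, "big") + path.encode())
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

class SkillScanner:
    def __init__(self, known: Dict[str, Verdict], analyze: Callable[[Dict[str, bytes]], Verdict]):
        self.known = known        # hash -> verdict; stand-in for the VirusTotal hash database
        self.analyze = analyze    # deeper content analysis; stand-in for Code Insight
        self.published: Dict[str, tuple] = {}  # skill name -> (digest, action)

    def scan(self, name: str, files: Dict[str, bytes], force: bool = False) -> Action:
        digest = bundle_digest(files)
        verdict = None if force else self.known.get(digest)
        if verdict is None:                  # hash unknown: run the deeper analysis
            verdict = self.analyze(files)
            self.known[digest] = verdict
        action = ACTION_FOR[verdict]
        self.published[name] = (digest, action)
        return action

    def daily_rescan(self, live: Dict[str, Dict[str, bytes]]) -> Dict[str, tuple]:
        # Re-analyze every published skill (ignoring the cache) and report changed actions,
        # which is how a skill that was clean yesterday gets caught once it is flagged.
        changed = {}
        for name, (_, old) in list(self.published.items()):
            new = self.scan(name, live[name], force=True)
            if new != old:
                changed[name] = (old, new)
        return changed
```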
That said, OpenClaw maintainers also warn that VirusTotal scanning is “no silver bullet” and that there is a possibility that some malicious skills that use cleverly disguised prompt injection payloads may slip through the cracks.
In addition to the VirusTotal partnership, the platform is expected to publish a comprehensive threat model, public security roadmap, formal security reporting process, as well as details about a security audit of its entire codebase.
This development comes after reports that hundreds of malicious skills were found on ClawHub, prompting OpenClaw to add a reporting option that allows signed-in users to flag a suspicious skill. Several analyses have shown that these skills masquerade as legitimate tools but, under the hood, contain malicious functionality to exfiltrate data, inject backdoors for remote access, or install stealthy malware.
“AI agents with system access can become covert data-leak channels that bypass traditional data loss prevention, proxies, and endpoint monitoring,” Cisco said last week. “Second, models can also become an execution orchestrator, in which the signal itself becomes the instruction and is difficult to capture using traditional security tooling.”
The recent viral popularity of the open-source agentic artificial intelligence (AI) utility OpenClaw and the adjacent social network Moltbook, where autonomous AI agents built on top of OpenClaw interact with each other on a Reddit-style platform, has raised security concerns.
While OpenClaw acts as an automation engine to trigger workflows, interact with online services, and work across all devices, the broad access granted to skills, coupled with the fact that they can process data from untrusted sources, can open the door to risks such as malware and prompt injection.
In other words, integration, while convenient, significantly broadens the attack surface and expands the set of untrusted inputs the agent can consume, turning it into an “agent Trojan horse” for data exfiltration and other malicious actions. Backslash Security describes OpenClaw as “AI with hands.”
“Unlike traditional software, which does exactly what the code tells it to do, AI agents interpret natural language and make decisions about actions,” OpenClaw said. “They blur the boundary between user intent and machine execution. They can be manipulated through language itself.”
OpenClaw also acknowledged that the power wielded by skills – which are used to expand an AI agent’s capabilities, ranging from controlling smart home devices to managing finances – can be abused by bad actors, who can leverage the agent’s access to tools and data to exfiltrate sensitive information, execute unauthorized commands, send messages on the victim’s behalf, and even download and run additional payloads without their knowledge or consent.
Additionally, as OpenClaw is increasingly being deployed on employee endpoints without formal IT or security approval, the elevated privileges of these agents can enable shell access, data movement, and network connectivity outside of standard security controls, creating a new class of shadow AI risks for enterprises.
“OpenClaw and tools like it will appear in your organization, whether you approve them or not,” said Tomer Yahalom, researcher at Astrix Security. “Employees will install them because they’re really useful. The only question is whether you’ll know about it.”
Some of the serious security issues that have emerged in recent times are given below –
- A now-fixed issue identified in previous versions could cause proxy traffic to be misclassified as local, bypassing authentication for some Internet-exposed instances.
- Moshe Siman Tov Bustan and Nir Zadok of OX Security said, “OpenClaw stores credentials in cleartext, uses insecure coding patterns, including direct evaluation with user input, and has no privacy policy or explicit accountability.” “Typical uninstall methods leave sensitive data behind – and completely revoking access is far more difficult than most users realize.”
- A zero-click attack that abuses OpenClaw’s integration to establish a backdoor for persistent control of the victim’s endpoint while a seemingly harmless document is processed by an AI agent, resulting in the execution of an indirect prompt injection payload that allows it to respond to messages from an attacker-controlled Telegram bot.
- An indirect prompt injection embedded in a web page, which is parsed as part of an innocuous prompt asking the Large Language Model (LLM) to summarize the page’s contents, causes OpenClaw to add an attacker-controlled set of instructions to the ~/.openclaw/workspace/HEARTBEAT.md file and silently wait for further commands from the external server.
- Security analysis of 3,984 skills on the ClawHub marketplace found that 283 skills, approximately 7.1% of the entire registry, have critical security flaws that expose sensitive credentials in plain text through the LLM’s context window and output logs.
- A report from Bitdefender revealed that malicious skills are often mass cloned and republished using short name variations, and payloads are staged through paste services like glot.io and public GitHub repositories.
- A now-patched one-click remote code execution vulnerability affecting OpenClaw that could allow an attacker to trick a user into visiting a malicious web page which could cause the Gateway Control UI to leak the OpenClaw authentication token over a WebSocket channel and subsequently use it to execute arbitrary commands on the host.
- OpenClaw’s gateway listens on 0.0.0.0:18789 by default, exposing the full API on every network interface. According to data from Censys, there are more than 30,000 exposed instances reachable on the internet as of February 8, 2026, although most of them require a token to view and interact with them.
- In a hypothetical attack scenario, a prompt injection payload embedded within a specially crafted WhatsApp message could be used to exfiltrate the “.env” and “creds.json” files, which store credentials, API keys, and session tokens for the messaging platform connected to an exposed OpenClaw instance.
- A misconfigured Supabase database belonging to Moltbook whose access keys were left exposed in client-side JavaScript, allowing the secret API keys of every agent registered on the site to be freely accessible and granting full read and write access to platform data. According to Wiz, the exposure included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents.
- Threat actors have been found to exploit Moltbook’s platform mechanics to amplify their reach and draw other agents into malicious threads containing prompt injections that manipulate their behavior and extract sensitive data or steal cryptocurrency.
- Zenity Labs said, “Moltbook may also have inadvertently created a laboratory in which agents, who may be high-value targets, are constantly processing and engaging with untrusted data, and in which guardrails have not been set into the platform – all by design.”
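A defender-side check for the default-bind issue listed above (the gateway on 0.0.0.0:18789), as an added example that is not OpenClaw’s code: it classifies how the port is bound from the output of the Linux `ss -ltn` command, using a constructed sample so it runs offline.

```python
from typing import List, Tuple

WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}      # bound on every interface
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}        # reachable from the host only

# Constructed sample of `ss -ltn` output showing the risky default binding.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:18789      0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
LISTEN 0      4096            [::]:22            [::]:*
"""

def parse_ss_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Turn `ss -ltn` output into (local address, port) pairs, skipping the header."""
    listeners = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # rsplit keeps IPv6 "[::]" intact
        listeners.append((addr, int(port)))
    return listeners

def gateway_exposure(ss_output: str, port: int = 18789) -> str:
    """Return 'absent', 'loopback', 'interface' (one specific address) or 'all-interfaces'."""
    addrs = [a for a, p in parse_ss_listeners(ss_output) if p == port]
    if not addrs:
        return "absent"
    if any(a in WILDCARDS for a in addrs):
        return "all-interfaces"
    if all(a in LOOPBACK for a in addrs):
        return "loopback"
    return "interface"

if __name__ == "__main__":
    # In practice feed in subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    print("gateway binding:", gateway_exposure(SAMPLE_SS))
```

Anything other than `loopback` on a machine that is not meant to serve the gateway to the network is worth treating as a finding, with the token requirement noted above as the only remaining barrier.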
HiddenLayer researchers Connor McCauley, Kasimir Schulz, Ryan Tracy, and Jason Martin said, “The first and perhaps the most serious issue is that OpenClaw relies on the configured language models for many security-critical decisions.” “Unless the user actively enables OpenClaw’s Docker-based tool sandboxing feature, full system-wide access remains the default.”
Other architectural and design problems identified by the AI security company include OpenClaw’s failure to filter untrusted content containing control sequences, ineffective guardrails against indirect prompt injection, modified memories and system prompts that persist into future chat sessions, plaintext storage of API keys and session tokens, and no explicit user approval before executing tool calls.
In a report published last week, Permiso Security argued that the security of the OpenClaw ecosystem is far more critical than that of app stores and browser extension marketplaces due to agents’ broader access to user data.
“AI agents have access to your entire digital life,” security researcher Ian Ahl said. “And unlike browser extensions that run in a sandbox with some level of isolation, these agents operate with the full privileges you grant them.”
“The skills marketplace adds to this. When you install a malicious browser extension, you’re compromising one system. When you install a malicious agent skill, you’re potentially compromising every system for which the agent has credentials.”
The long list of security issues associated with OpenClaw has prompted China’s Ministry of Industry and Information Technology to issue an alert about misconfigured instances, urging users to implement protection against cyberattacks and data breaches, Reuters reports.
“When agent platforms go viral faster than security practices can mature, misconfigurations become the primary attack surface,” Ensar Seker, CISO at SOCRadar, told The Hacker News via email. “The risk is not the agent itself; it is exposing autonomous tooling to public networks without rigorous identification, access controls, and execution limitations.”
“What’s notable here is that the Chinese regulator is explicitly calling out configuration risk rather than banning the technology. This aligns with what defenders already know: agent frameworks increase both productivity and blast radius. A single exposed endpoint or overly permissive plugin can turn an AI agent into an unwitting automation layer for attackers.”