OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills
Source: The Hacker News
Ravie Lakshmanan
Feb 08, 2026 Artificial Intelligence / Vulnerability
OpenClaw partners with VirusTotal
OpenClaw (formerly Moltbot and Clawdbot) has announced a partnership with Google‑owned VirusTotal to scan skills uploaded to ClawHub, its skill marketplace. This is part of a broader effort to strengthen the security of the agentic ecosystem.
“All skills published to ClawHub are now scanned using VirusTotal’s threat intelligence, including their new Code Insight capability,” said OpenClaw founder Peter Steinberger, along with Jamieson O’Reilly and Bernardo Quintero. “This provides an additional layer of security for the OpenClaw community.”
How the scanning works
- A unique SHA‑256 hash is generated for every skill.
- The hash is cross‑checked against VirusTotal’s database.
- If no match is found, the skill bundle is uploaded to VirusTotal for deeper analysis using VirusTotal Code Insight.
- Skills receiving a “benign” Code Insight verdict are automatically approved.
- Skills flagged as suspicious receive a warning.
- Malicious skills are blocked from download.
OpenClaw also rescans all active skills daily to catch cases where a previously clean skill becomes malicious.
The maintainers caution that VirusTotal scanning is “not a silver bullet.” Cleverly concealed prompt‑injection payloads could still slip through.
Additional security initiatives
- Publication of a comprehensive threat model, public security roadmap, and formal security‑reporting process.
- Release of details about the security audit of the entire codebase.
These steps follow reports that uncovered hundreds of malicious skills on ClawHub:
- The Hacker News – Researchers find 341 malicious ClawHub skills
- Bitdefender Labs – Hidden payloads in OpenClaw skills
- Cisco Blog – AI agents as a security nightmare
OpenClaw has added a reporting option that lets signed‑in users flag suspicious skills. Analyses show these skills often masquerade as legitimate tools while secretly:
- Exfiltrating data
- Injecting backdoors for remote access
- Installing stealer malware
“AI agents with system access can become covert data‑leak channels that bypass traditional data loss prevention, proxies, and endpoint monitoring,” noted Cisco. “Models can also become an execution orchestrator, wherein the prompt itself becomes the instruction and is difficult to catch using traditional security tooling.”
Visual reference
Why the security concerns matter
The rapid rise of OpenClaw, an open‑source agentic AI assistant, and Moltbook—a Reddit‑style social network where autonomous AI agents interact—has amplified security worries:
- Skill integrations give agents deep system access and the ability to process data from untrusted sources.
- This expands the attack surface, turning the platform into an “agentic trojan horse” for data exfiltration and other malicious actions.
- Backslash Security describes OpenClaw as an “AI With Hands.”
“Unlike traditional software that does exactly what code tells it to do, AI agents interpret natural language and make decisions about actions,” OpenClaw explained. “They blur the boundary between user intent and machine execution. They can be manipulated through language itself.”
The power of skills—ranging from controlling smart‑home devices to managing finances—can be abused to:
- Exfiltrate sensitive information
- Execute unauthorized commands
- Send messages on a victim’s behalf
- Download and run additional payloads without consent
When OpenClaw is deployed on employee endpoints without formal IT or security approval, its elevated privileges can enable:
- Shell access
- Unrestricted data movement
- Network connectivity outside standard security controls
This creates a new class of Shadow AI risk for enterprises.
References
- OpenClaw blog – VirusTotal partnership announcement
- Trust OpenClaw – Security roadmap & threat model
- Hidden Layer – The lethal trifecta and how to defend against it
- NOMA Security – Moltbot: the agentic trojan horse
- Backslash Security – Clawdbot/Moltbot: not just another AI assistant, but AI with hands
- Varonis – Shadow AI risk for enterprises
Security Issues with OpenClaw / Moltbot
“Law and tools like it will show up in your organization whether you approve them or not,” Astrix Security researcher Tomer Yahalom said. “Employees will install them because they’re genuinely useful. The only question is whether you’ll know about it.”
Below are the most glaring security problems that have surfaced in recent days.
- Mis‑classified proxied traffic – A now‑fixed issue in earlier versions could cause proxied traffic to be misidentified as local, bypassing authentication for some internet‑exposed instances.
- Clear‑text credential storage & insecure coding – “OpenClaw stores credentials in cleartext, uses insecure coding patterns including direct
evalwith user input, and has no privacy policy or clear accountability,” OX Security’s Moshe Siman Tov Bustan and Nir Zadok said. “Common uninstall methods leave sensitive data behind – and fully revoking access is far harder than most users realize.” - Zero‑click attack – A zero‑click exploit abuses OpenClaw’s integrations to plant a backdoor on a victim’s endpoint for persistent control when a seemingly harmless document is processed by the AI agent.
Read more → - Indirect prompt injection via web page – An injection embedded in a web page, when parsed as part of an innocuous prompt asking the LLM to summarize the page, causes OpenClaw to append attacker‑controlled instructions to
~/.openclaw/workspace/HEARTBEAT.mdand silently await further commands from an external server.
Read more → - Massive skill‑registry flaws – A security analysis of 3,984 skills on the ClawHub marketplace found 283 (≈ 7.1 %) contain critical security flaws that expose sensitive credentials in plaintext through the LLM’s context window and output logs.
Read more → - Malicious skill cloning – Bitdefender reported that malicious skills are often cloned and republished at scale using slight name variations, with payloads staged through paste services such as
glot.ioand public GitHub repositories.
Read more → - One‑click RCE (now patched) – A now‑patched vulnerability could have allowed an attacker to trick a user into visiting a malicious web page, causing the Gateway Control UI to leak the OpenClaw authentication token over a WebSocket channel and subsequently execute arbitrary commands on the host.
Read more → - Default open gateway – OpenClaw’s gateway binds to
0.0.0.0:18789by default, exposing the full API on any network interface. Censys data shows over 30 000 exposed instances accessible over the internet (as of Feb 8 2026), though most require a token to interact.
Read more → - Hypothetical WhatsApp‑based attack – A crafted WhatsApp message can embed a prompt‑injection payload that exfiltrates
.envandcreds.jsonfiles (containing credentials, API keys, and session tokens) from an exposed OpenClaw instance.
Read more → - Misconfigured Supabase database (Moltbook) – The Moltbook client‑side JavaScript exposed a Supabase database, leaking secret API keys for every registered agent. According to Wiz, the breach included 1.5 M API tokens, 35 K email addresses, and private messages.
Read more → - Platform‑level abuse – Threat actors exploit Moltbook’s mechanics to amplify reach, funneling other agents toward malicious threads that contain prompt injections, thereby manipulating behavior and stealing sensitive data or cryptocurrency.
- Lack of guardrails – “Moltbook may have inadvertently also created a laboratory in which agents, which can be high‑value targets, are constantly processing and engaging with untrusted data, and in which guardrails aren’t set into the platform – all by design,” Zenity Labs noted.
Read more → - Tool‑sandboxing disabled by default – “The first, and perhaps most egregious, issue is that OpenClaw relies on the configured language model for many security‑critical decisions,” HiddenLayer researchers Conor McCauley, Kasimir Schulz, Ryan Tracey, and Jason Martin warned. “Unless the user proactively enables OpenClaw’s Docker‑based tool sandboxing feature, full system‑wide access remains the default.”
Docker sandboxing docs →
Among other architectural and design problems identified by the AI‑security community are OpenClaw’s failure to filter out untrusted content containing control sequences, ineffective guardrails against indirect prompt injections, modifiable memories and system prompts that persist into future chat sessions, plaintext storage of API keys and session tokens, and no explicit user approval before executing tool calls.
In a report published last week, Permiso Security argued that the security of the OpenClaw ecosystem is much more crucial than app stores and browser‑extension marketplaces owing to the agents’ extensive access to user data.
“AI agents get credentials to your entire digital life,” security researcher Ian Ahl pointed out.
“And unlike browser extensions that run in a sandbox with some level of isolation, these agents operate with the full privileges you grant them.”
“The skills marketplace compounds this. When you install a malicious browser extension, you’re compromising one system. When you install a malicious agent skill, you’re potentially compromising every system that agent has credentials for.”
The long list of security issues associated with OpenClaw has prompted China’s Ministry of Industry and Information Technology to issue an alert about mis‑configured instances, urging users to implement protections to secure against cyber attacks and data breaches, Reuters reported.
“When agent platforms go viral faster than security practices mature, misconfiguration becomes the primary attack surface,” Ensar Seker, CISO at SOCRadar, told The Hacker News via email.
“The risk isn’t the agent itself; it’s exposing autonomous tooling to public networks without hardened identity, access control, and execution boundaries.”
“What’s notable here is that the Chinese regulator is explicitly calling out configuration risk rather than banning the technology. That aligns”