- OpenClaw’s abilities run locally, giving attackers direct access to sensitive files.
- Malicious crypto-themed skills rely on social engineering to trick unsuspecting users
- Users running unverified commands increase exposure to ransomware and malicious scripts
OpenClaw, formerly known as Clawdbot and Moltbot, is an artificial intelligence assistant designed to execute tasks on behalf of users.
Agent-like AI tools, such as OpenClaw, are increasingly popular for automating workflows and interacting with local systems, allowing users to execute commands, access files, and manage processes more efficiently.
This deep integration with the operating system, while powerful, also introduces security risks as it relies on reliance on extensions or abilities installed by the user.
The OpenClaw ecosystem allows third-party skills to extend functionality, but these skills are not protected. They are executable codes that interact directly with local files and network resources.
Recent reports show growing concern: attackers uploaded at least 14 malicious skills to ClawHub, the public registry of OpenClaw extensions, in a short period.
These extensions posed as cryptocurrency trading or wallet management tools while attempting to install malware.
Both Windows and macOS systems were affected, with attackers relying heavily on social engineering.
Users were often prompted to run obfuscated terminal commands during installation, which retrieved remote scripts that collected sensitive data, including browser history and crypto wallet contents.
In some cases, skills appeared briefly on the ClawHub home page, increasing the likelihood of accidental installation by casual users.
OpenClaw’s recent name changes have added confusion to the ecosystem. Within days, Clawdbot became Moltbot and then OpenClaw.
Each name change creates opportunities for attackers to convincingly impersonate the software, whether through extensions, skills, or other fake integrations.
Hackers have already published a fake Visual Studio Code extension that impersonates the wizard under its previous name, Moltbot.
The extension worked as promised, but carried a Trojan that implemented remote access software, overlaid with backup loaders disguised as legitimate updates.
This incident shows that even endpoints with official-looking software can be compromised and highlights the need for comprehensive endpoint protection.
The current ecosystem operates almost exclusively on trust, and conventional protections, such as firewalls or endpoint protection, offer little defense against this type of threat.
Malware removal tools are largely ineffective when attacks rely on executing local commands through seemingly legitimate extensions.
Users obtaining skills from public repositories should use extreme caution and review each plugin as carefully as any other executable dependency.
Commands that require manual execution warrant additional scrutiny to avoid inadvertent exposure.
Users should remain vigilant, check every skill or extension, and treat all AI tools with caution.
Through Tom Hardware
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
