Today's cybersecurity headlines are brought to you by ThreatPerspective
Ethical Hacking News

Malicious AI Assistant OpenClaw: A Looming Threat to User Security


Malicious MoltBot skills have been used to push password-stealing malware, compromising the security of users who interact with the personal AI assistant OpenClaw. In less than a week, more than 230 malicious packages were published in its official registry and on GitHub, targeting users with info-stealing malware payloads.

  • Over 230 malicious packages for OpenClaw were published in its official registry and on GitHub.
  • Hundreds of misconfigured OpenClaw admin interfaces are exposed on the public web, putting users at risk.
  • A large-scale campaign is using OpenClaw skills to spread info-stealing malware to users.
  • Malicious skills impersonate legitimate utilities to gain user trust.
  • Using AuthTool, the malware-delivery mechanism, infects users by following instructions in documentation.
  • The malicious payload targets cryptocurrency exchange API keys, wallet files, and other sensitive data.
  • A total of 341 malicious skills were found on ClawHub after a scan, according to Koi Security.



    • Malicious MoltBot skills have been used to push password-stealing malware, compromising the security of users who interact with the personal AI assistant OpenClaw. In less than a week, more than 230 malicious packages for OpenClaw were published in its official registry and on GitHub.

    OpenClaw is a viral open-source AI assistant designed to run locally, with persistent memory and integrate with various resources (chat, email, local file system). Skills are readily deployable plug-ins for OpenClaw that extend its functionality or provide specific instructions for specialized activities. However, security researcher Jamieson O'Reilly recently highlighted that there are hundreds of misconfigured OpenClaw admin interfaces exposed on the public web.

    Between January 27th and February 1st, two sets collectively counting more than 230 malicious skills were published to ClawHub (the assistant's official registry) and GitHub. The skills impersonate legitimate utilities such as cryptocurrency trading automation, financial utilities, and social media or content services, but in the background, they injected information-stealing malware payloads onto users' systems.

    A report from community security portal OpenSourceMalware says that an ongoing large-scale campaign is using skills to spread info-stealing malware to OpenClaw users. Most of those are near-identical clones with randomized names, while some have reached popular status, downloaded thousands of times. Each malicious skill contains extensive documentation to appear legitimate, including several highlighted mentions of a separate tool named ‘AuthTool,’ which is supposedly a critical requirement for the skill to run correctly.

    The infection occurs when the victim follows the instructions in the documentation, similar to a ClickFix-type of attack. In reality, though, AuthTool is a malware-delivery mechanism. On macOS, it appears as a base64-encoded shell command that downloads a payload from an external address. On Windows, it downloads and runs a password-protected ZIP archive.

    The malware dropped on macOS systems is identified as a variant of NovaStealer that can bypass Gatekeeper by using the ‘xattr -c’ command to remove quarantine attributes and request broad file system read access and communication with system services. The stealer targets cryptocurrency exchange API keys, wallet files and seed phrases, browser wallet extensions, macOS Keychain data, browser passwords, SSH keys, cloud credentials, Git credentials, and ‘.env’ files.

    A separate report from Koi Security counted 341 malicious skills on ClawHub after analysts scanned the entire repository of 2,857, attributing them to a single campaign. Apart from the tools highlighted in the OpenSourceMalware report, Koi also found 29 typosquats for the ClawHub name, targeting common mistypes. To help users stay safe, Koi Security also published a free online scanner that lets people paste a skill's URL to get a safety report.

    The creator of OpenClaw, Peter Steinberger, responded to OpenSourceMalware on X, admitting inability to review the massive number of skill submissions the platform receives right now, so users are responsible for double-checking their skills’ safety before deployment. Users should be aware of OpenClaw's deep access to the system. A multi-layered security approach is recommended, which includes isolating the AI assistant in a virtual machine, giving it restricted permissions, and securing remote access to it (e.g., port restriction, blocking traffic).

    This malicious exploitation of the popular AI assistant highlights the importance of regular updates, proper configuration, and awareness among users. As OpenClaw continues to grow in popularity, security concerns will only increase, emphasizing the need for developers to strengthen the platform's safeguards against such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Malicious-AI-Assistant-OpenClaw-A-Looming-Threat-to-User-Security-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/malicious-moltbot-skills-used-to-push-password-stealing-malware/

  • https://socprime.com/active-threats/the-moltbot-clawdbots-epidemic/

  • https://thehackernews.com/2026/01/fake-moltbot-ai-coding-assistant-on-vs.html


    • Published: Mon Feb 2 13:19:43 2026 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us