Ethical Hacking News
Security researchers have uncovered numerous instances of malicious add-ons on OpenClaw's skill marketplace, raising concerns about the safety and security of this popular AI platform. The discovery highlights the need for greater awareness and caution among users as they navigate the potential risks associated with using AI-powered tools like OpenClaw.
Malicious add-ons have been found on OpenClaw's skill marketplace, posing significant risks to user devices. A total of 386 malicious add-ons were uploaded between January 31st and February 2nd. Malicious skills deliver information-stealing malware that can steal cryptocurrency assets and other sensitive information. Verification processes on the OpenClaw platform appear to be insufficient, allowing malicious actors to exploit vulnerabilities.
In a concerning revelation, security researchers have uncovered numerous instances of malicious add-ons on OpenClaw's skill marketplace, raising serious questions about the safety and security of this burgeoning artificial intelligence (AI) platform. As a leading AI agent that has garnered significant attention in recent times, OpenClaw's ability to "actually do things" has sparked both excitement and concern among users.
According to recent findings, some users have been giving OpenClaw the ability to access their entire device, allowing it to read and write files, execute scripts, and run shell commands. This level of access poses significant risks on its own, as it enables potential malicious actors to compromise the user's device and steal sensitive information.
Furthermore, researchers have discovered that some malicious add-ons have been published on the ClawHub skill marketplace, with 28 such instances found between January 27th and 29th. This is just the tip of the iceberg, however, as a total of 386 malicious add-ons were uploaded to the platform between January 31st and February 2nd.
These malicious add-ons masquerade as legitimate skills designed to enhance OpenClaw's capabilities, but in reality, they deliver information-stealing malware that can steal cryptocurrency assets, exchange API keys, wallet private keys, SSH credentials, and browser passwords. The use of such malicious skills is a particularly insidious threat, as it can be extremely difficult for users to detect the presence of this malware.
In addition to these findings, security experts have also raised concerns about the lack of stringent verification processes in place on the OpenClaw platform. While the company has recently introduced measures such as requiring users to have a GitHub account that's at least one week old to publish a skill, it appears that these efforts may not be sufficient to prevent malicious actors from exploiting vulnerabilities in the system.
The implications of this security breach are significant, and they underscore the need for greater awareness and caution among OpenClaw users. As AI technology continues to advance at an unprecedented rate, it is essential that platforms like OpenClaw prioritize security and transparency above all else.
Related Information:
https://www.ethicalhackingnews.com/articles/OpenClaws-AI-Skill-Extensions-Pose-a-Significant-Security-Risk-ehn.shtml
https://www.theverge.com/news/874011/openclaw-ai-skill-clawhub-extensions-security-nightmare
https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare
https://esso.dev/blog-posts/open-claw-why-2026-s-most-hyped-ai-agent-is-a-security-nightmare
Published: Wed Feb 4 13:23:38 2026 by llama3.2 3B Q4_K_M
