Hundreds of malicious skills designed to deliver trojans, infostealers<\/a>, and backdoors disguised as legitimate automation tools.<\/p>\n VirusTotal has uncovered a significant malware distribution campaign targeting OpenClaw, a rapidly growing personal AI agent ecosystem.<\/p>\n OpenClaw, previously known as Clawdbot and briefly as Moltbot, is a self-hosted AI agent<\/a> that executes real system actions, including shell commands, file operations, and network requests.<\/p>\n The platform extends functionality through skills, small packages built around SKILL.md files that users discover and install from ClawHub, the public marketplace for OpenClaw<\/a> extensions.<\/p>\n While this architecture enables powerful automation capabilities, it creates a dangerous attack surface.<\/p>\n Skills run as third-party code with complete system access, often requiring users to paste commands into terminals, download binaries, or execute scripts during setup.<\/p>\n Threat actors are exploiting this trust model to distribute malware<\/a> through seemingly helpful tools.<\/p>\n VirusTotal Code Insight has analyzed over 3,016 OpenClaw skills, and hundreds of them exhibit malicious characteristics.<\/p>\n The analysis, powered by Gemini 3 Flash, examines security behaviors such as external code execution, sensitive data access, and unsafe network operations, rather than relying solely on traditional antivirus signatures.<\/p>\n Security researchers identified two distinct threat categories: skills that contain poor security practices, such as insecure APIs, hardcoded secrets, and unsafe command execution.<\/p>\n Intentionally malicious skills designed for data exfiltration, remote control, and malware<\/a> installation.<\/p>\n A particularly concerning case involves ClawHub user \u201chightower6eu,\u201d who published 314 malicious skills covering crypto analytics, finance tracking, and social media analysis.<\/p>\n Each skill instructs users to download and execute external code from untrusted sources during setup. One example, a \u201cYahoo Finance\u201d skill, appeared clean to traditional antivirus engines<\/a>.<\/p>\n However, VirusTotal Code Insight identified instructions directing Windows users to download a password-protected ZIP file<\/a> containing openclaw-agent.exe, which multiple vendors have detected as a packed trojan.<\/p>\n For macOS users, the skill pointed to a Base64-obfuscated shell script on glot.io. That downloaded and executed a Mach-O binary identified as Atomic Stealer (AMOS)<\/a>, an infostealer targeting passwords, browser credentials, and cryptocurrency wallets.<\/p>\n Organizations and users should treat skill folders as trusted-code boundaries, implement sandboxed execution, and avoid skills that require shell commands or binary downloads.<\/p>\n Marketplace operators should implement publish-time scanning to flag remote execution and obfuscated scripts.<\/p>\n VirusTotal is exploring integration<\/a> with OpenClaw\u2019s publishing workflow to provide automated security analysis during skill submission.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post OpenClaw AI Agent Skills Abused by Threat Actors to Deliver Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nOpenClaw Skill Abuse Campaign<\/strong><\/h2>\n
![\"Users](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg1Srb_eHOJL8glBt4xpqYobCiNWxVaElpEZaGTVL2WN48IsAuMCt5pJaZcgZdU8LEvrSP1ZJldOJujfpCApze8PWw-TzKlIdtgHaVRAeN1u-1BifrT-4u1vjR4DUm9yQm9hmoRD3czYvJJTB-g-DxsDdOzUsrjSgHObj96TyY_X1VFEfg4-jtxVACByDM\/s1600\/Screenshot%25202026-02-03%2520103627%2520%25281%2529.webp?ssl=1\")
![\"A](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj-rBT0GzRpxmx2pddYiD-F9k0qhqi9mM8l1h24txFKQL9V33X5H9gAlYRCpL3sMouSnU2IZlMkVT9-5ARfV7AEP3fGB_AwaVnyytH1Ptny8fVQ9luwJ4yCtY8h4iOt6Jd0eJ3yIax9g0uE2ZCWPIRGv7uwp-Ag2rWL5Htp7QoweAyCiAvsz2fqRnujwUo\/s1600\/Screenshot%25202026-02-03%2520103846%2520%25281%2529.webp?ssl=1\")
![\"Base64-obfuscated](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjow7nPFaJJWtnifafCO8z8Jx2Snk7BRXSJkcrduILpddl1I71TT29jlDY40nsSmxKlm_Che8X4nzIfPTv53n3MZLZoip02iwoINPKLjfo1tHAGY_mb8q4hWkH2v-pT5G4vL8pKfupopyXupztj6xlZVV2OhTvyp0G7B8-VKt0gEQZPWZNbrR3f9BgM7TI\/s1600\/Screenshot%25202026-02-03%2520103742%2520%25281%2529.webp?ssl=1\")
![\"Gemini](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj0HVsvh4m649kda8u_qVatG_Ztv6RKsVdsHZJ2Y4rATuxDymsvZLWnJ_FHEXUBOog0xCqe7mt69hfOlDIsio-wI6sbuvMxKymWM-uSgdX89Z27Iw4ZPRRyJid6CKaVJujzxufRrmA-bx5ztkvF62ovMHzl50EvK8r93qHqTsZqvAbUAaHGU0P3xkePvns\/s1600\/Screenshot%25202026-02-03%2520103911%2520%25281%2529.webp?ssl=1\")
<\/figcaption><\/figure>\nProlific Malware Publisher<\/strong><\/h2>\n