A warning for OpenClaw users: a popular skill has been found to be a vehicle for malware.

Vulnerability Details

Jason Meller from 1Password highlighted how OpenClaw's "skill" ecosystem, which should extend the capabilities of agents, has become a target for malware attacks. Skills are often markdown files containing setup instructions, commands, and scripts. Users, trusting these instructions, execute them, opening the door to threats.

The skill in question, which promised Twitter integration, actually installed macOS malware capable of stealing credentials, tokens, and sensitive data. Further investigations revealed that this was part of a larger campaign with hundreds of malicious skills.

The Structural Problem

The problem lies in the very nature of skill registries, which function like app stores but distribute documentation that users tend to consider safe. Existing security mechanisms are not sufficient to protect against skills that bypass protections through social engineering techniques or included scripts.

Recommendations

Meller recommends not using OpenClaw on company devices and considering previous uses as potential security incidents, changing credentials and isolating test environments. He also urges registry managers and framework creators to consider skills as a supply chain risk, implementing scanning systems, provenance checks, sandboxing, and strict permissions.

A new trust layer is needed, with verifiable provenance, mediated execution, and tightly scoped, revocable permissions, to allow agents to act effectively without exposing users to risks.

For those evaluating on-premise deployments, there are trade-offs to consider; AI-RADAR offers analytical frameworks on /llm-onpremise to support these evaluations.