Malicious Skills Discovered on ClawHub
Security researchers have identified 1,184 malicious packages circulating on ClawHub, the official marketplace for OpenClaw’s AI agent ecosystem. The warning came from SlowMist founder Cosmos Yu, who shared details about the security concern on social media.
These malicious “skills”—downloadable modules that extend AI agent functionality—can perform various harmful actions. According to the alert, they’re capable of stealing SSH keys, extracting browser passwords, encrypting cryptocurrency wallets, and even opening reverse shells on user machines. In one particularly concerning case, a single attacker managed to upload 677 separate malicious packages into the marketplace.
Some of these dangerous skills had already gained significant traction before being flagged. The highest-ranked malicious package reportedly contained nine separate vulnerabilities and had been downloaded thousands of times. This raises serious questions about how quickly harmful code can spread across decentralized or semi-open AI agent ecosystems where discoverability is high and review processes might lag behind adoption.
Previous Security Incidents and Responses
This isn’t the first security issue ClawHub has faced. Earlier this month, researchers documented what they called a “ClawHavoc” incident involving hundreds of malicious skills designed to steal user data. In response to that earlier problem, the platform removed more than 2,400 suspicious packages.
The platform also introduced some security measures. It partnered with VirusTotal for automated malware scanning and strengthened moderation rules so that flagged tools are hidden after multiple reports. It has also implemented a user reporting system for unsafe skills.
But even with these measures, the OpenClaw ecosystem continues to draw criticism from security professionals. The platform, which previously operated under names including Clawdbot and Moltbot, has been described by researchers as innovative but highly exposed to risk. Cisco Talos recently called it groundbreaking for productivity while also labeling it a major security challenge.
Crypto Integration Increases Risks
The platform’s rapid growth in the cryptocurrency sector has intensified these security concerns. OpenClaw agents can directly interact with blockchain networks like Polygon and Solana. They can communicate with other agents and execute tasks autonomously, which has accelerated adoption among both developers and crypto users.
Some users have reported generating trading profits through arbitrage and prediction market strategies using these agents. But security analysts say adoption is outpacing governance. Researchers have observed attackers scanning for default OpenClaw ports and testing ways to dodge protections.
Enterprise security providers have also warned that a large number of employees are deploying these tools internally without formal approval. This pattern mirrors the wider rise of shadow IT, where new technologies spread faster than internal controls can keep up.
Broader Implications for AI Agent Security
Cosmos Yu has warned that in the age of AI agents, text inputs can function as executable commands. He advised users to run such tools in isolated environments and to treat third-party skills with extreme caution.
He also pointed out that Web3 security risks are no longer limited to smart contracts alone. Recent incidents have shown how vulnerabilities introduced via AI-assisted code can contribute to significant financial losses.
ClawHub currently lists 3,286 skills across 11 categories and has seen more than 1.5 million downloads. Its vector-based semantic search allows users to find tools using natural language queries, which improves usability but may also increase exposure to unsafe packages if moderation remains insufficient.
The situation highlights a broader tension in the AI agent space. As these tools become more capable—particularly in financial contexts—the security implications become more severe. It’s a reminder that convenience and capability need to be balanced with proper safeguards, especially when dealing with sensitive data and financial assets.
I think what’s happening here is that we’re seeing the growing pains of a new technology category. The tools are powerful, perhaps too powerful for their current security frameworks. And when you mix AI agents with cryptocurrency functionality, the stakes get much higher very quickly.
