Malicious crypto skills compromise OpenClaw AI assistant users

Security researchers discovered 386 malicious add-ons in OpenClaw (formerly Moltbot), a viral AI assistant project, that deliver information-stealing malware targeting cryptocurrency traders.

What happened

Vulnerability researcher Paul McCarty identified 386 malicious skills on ClawHub, OpenClaw's official skill repository, between February 1-3, 2026. The malicious add-ons pose as cryptocurrency trading automation tools using well-known brand names including ByBit, Polymarket, Axiom, Reddit, and LinkedIn. These skills deploy infostealers targeting both macOS and Windows systems. All malicious skills share the same command-and-control infrastructure and employ social engineering tactics to trick users into executing commands that steal crypto exchange API keys, wallet private keys, SSH credentials, and browser passwords. One attacker, a user named hightower6eu, posted skills that accumulated nearly 7,000 downloads. McCarty contacted the OpenClaw team multiple times, but creator Peter Steinberger reportedly said he had too much to do to address the issue.

The backstory

OpenClaw launched in 2025 as Clawdbot, created by Peter Steinberger. After Anthropic requested a name change, the project rebranded to Moltbot, then rebranded again to OpenClaw at the end of January 2026. The open-source project offers AI personal assistants that run locally on user devices, connecting to generative AI models like Anthropic's Claude Code. Users communicate with their assistants through messaging apps including WhatsApp, Telegram, iMessage, Slack, Discord, and Signal.

While the project went viral, security researchers identified security gaps. Just days before McCarty's discovery, pentester Jamieson O'Reilly exposed vulnerabilities in enterprise deployments showing that misconfigured reverse proxies caused Moltbot to treat all internet traffic as trusted, allowing unauthenticated access to sensitive data. O'Reilly discovered hundreds of exposed admin interfaces online and demonstrated a supply-chain attack by publishing a malicious skill on the official MoltHub registry; within eight hours, 16 developers across seven countries downloaded the compromised skill.

Going deeper

OpenClaw uses "agent skills" which are folders containing instructions, scripts, and resources that agents discover and use for improved accuracy and efficiency. These skills require no technical exploits, instead relying on social engineering and the absence of security review in the publication process. McCarty described the attack as "the ClawHub version of 'ClickFix,'" where attackers convince victims to execute commands that install malware. The majority of malicious skills remained available on the official ClawHub/MoltHub GitHub repository at the time of McCarty's report, and the C2 infrastructure appeared operational. The targeting of cryptocurrency traders suggests financial motivation and deliberate selection of high-value victims. Token Security reports that 22% of its enterprise customers have employees actively using the tool, likely without IT approval, demonstrating shadow AI adoption.

What was said

McCarty wrote that "the bad guy is asking the victim to do something, which ends up installing the malware" and warned the supply chain attack requires "no technical exploits, instead relying on social engineering and the lack of security review in the skills publication process." He concluded that "the targeting of cryptocurrency traders suggests financial motivation and careful selection of high-value victims."

Diana Kelley, AI expert and CISO at Noma Security, told Infosecurity that these malicious skills "turn a familiar supply-chain problem, trusting and running third-party plugins, into a higher-impact threat: an AI-driven operator executing actions under the user's permissions." She noted that "some of us are looking at agentic assistants like they're smarter chatbots. They're not." Kelley explained that endpoint-native agents "inherit your privileges and expand your trust boundary to wherever they run," creating a situation where "a compromised extension becomes delegated execution plus delegated authority."

Kelley told Infosecurity that "when an assistant can act with user-level privileges across files, tokens, networks and infrastructure, a compromised extension becomes delegated execution plus delegated authority. Add the OpenClaw naming churn, rebranding, and bullet-train speed of adoption, and you get ideal conditions for confusion attacks like impersonation, typo-squatting and fake repositories."

By the numbers

• 386 malicious skills discovered on ClawHub
• Nearly 7,000 downloads for skills posted by user hightower6eu
• All malicious skills share 1 command-and-control server (91.92.242.30)
• Skills target 5 major platforms: ByBit, Polymarket, Axiom, Reddit, and LinkedIn
• Infostealers deployed on 2 operating systems: macOS and Windows
• 22% of Token Security's enterprise customers have employees using OpenClaw/Moltbot
• 16 developers across 7 countries downloaded O'Reilly's proof-of-concept malicious skill within 8 hours

Why it matters

The incident demonstrates how AI-powered automation tools create new attack surfaces for supply chain compromise, especially when combined with the shadow IT problem already affecting enterprises. The adoption of OpenClaw, combined with multiple rebrandings from Clawdbot to Moltbot to OpenClaw within months, creates ideal conditions for confusion attacks including impersonation, typo-squatting, and fake repositories. The 7,000 downloads achieved by a single malicious actor shows how trust in official repositories can be weaponized when security review processes are absent.

The bottom line

Organizations must audit their environments for unauthorized OpenClaw deployments and implement controls on AI assistant usage before malicious actors exploit the gap between adoption speed and security implementation. Security teams should implement physical or virtual sandboxes, control data access by confidentiality level, allowlist approved skills, and apply traditional open-source security techniques including software composition analysis and code review. As McCarty's research shows, the malicious skills remained operational days after disclosure, showing the need for security controls before deploying AI agents with system-level permissions.

FAQs

Can malicious OpenClaw skills affect users who never trade cryptocurrency?

Yes, infostealers can harvest generic credentials and system data regardless of the user’s crypto activity.

Do these attacks require administrator privileges to succeed?

No, the malware runs under normal user permissions, which are often sufficient to steal valuable credentials.

How does OpenClaw’s local execution model increase risk?

Running locally means skills inherit direct access to the user’s files, environment variables, and authentication tokens.

Could compromised skills be reused to target enterprises beyond crypto theft?

Yes, the same technique could be adapted for espionage, ransomware staging, or internal network reconnaissance.