OpenClawd AI today released a security-focused platform update that adds automated skill vetting, verified installer sourcing, and runtime sandboxing to its managed OpenClaw hosting service. The update responds to two converging threats targeting users of the open-source AI agent formerly known as Clawdbot and Moltbot: a large-scale malware campaign inside the official OpenClaw skill marketplace, and a parallel wave of counterfeit installation packages being promoted through search engine results.
The numbers are bad enough on their own. Together, they describe a supply chain that is actively hostile to casual users.
One in Eight OpenClaw Skills Is Confirmed Malicious
Independent security researchers recently completed an audit of the ClawHub skill marketplace — the primary distribution channel for third-party OpenClaw plugins. Out of 2,857 published skills, 341 were confirmed as malicious. That is approximately 12% of the entire marketplace.
The findings include:
- Keyloggers and credential stealers deployed through skills that appear to offer legitimate productivity features
- Silent data exfiltration — one widely-downloaded skill was found to instruct the OpenClaw agent to execute curl commands that sent user data to an external server without any notification or consent prompt
- Prompt injection payloads embedded in skill descriptions, designed to override the agent’s safety guidelines and force execution of unauthorized commands
- Plaintext credential exposure — a separate audit found that over 280 additional skills were leaking API keys, tokens, and passwords in their source code
A major cybersecurity firm tested a specific ClawHub skill and published the results: nine security findings, including two critical and five high-severity issues. The skill functioned as what the researchers called “functionally malware.” The most widely-downloaded malicious skill on ClawHub was a cryptocurrency stealer.
Fake OpenClaw Installers Are Being Promoted by Search Engines
The marketplace problem is only half the story. A cybersecurity research team discovered that threat actors have published counterfeit OpenClaw installation packages on open-source code repositories. These fake installers mimic the legitimate OpenClaw setup process but instead deliver a malware packer that disables firewall protections and routes network traffic through compromised systems.
The attack chain is straightforward: a user searches for “install OpenClaw” or “Clawdbot download.” An AI-powered search engine returns a result linking to the malicious repository. The user follows the instructions. The malware deploys silently.
The researcher who discovered the campaign noted that the person who first reported the threat was a technical professional. “If a fellow IT pro is susceptible to this threat,” he said, “then anyone could be.”
“There are now two ways to get compromised before you even run your first OpenClaw command,” said Danny Wilson, spokesperson for OpenClawd. “You can install a fake version of the software, or you can install the real version and then add a skill that steals your data. We built this update so that neither path exists on our platform.”
What OpenClawd Ships Today
This update targets both the supply chain and the runtime:
- Verified installer sourcing — all OpenClawd instances are provisioned from cryptographically signed OpenClaw releases, pulled directly from the official repository. No third-party install paths. No search engine intermediaries.
- Skill vetting pipeline — third-party skills go through automated static analysis and behavioral testing before activation. Skills flagged for network exfiltration, prompt injection patterns, or credential exposure are blocked by default.
- Runtime sandboxing — each skill executes in an isolated environment with explicit permission boundaries. A skill that requests network access to an unexpected endpoint triggers a review before execution.
- Credential isolation — API keys and tokens are stored in encrypted vaults and never exposed in plaintext to skill code or agent logs
- Automatic CVE patching — hosted instances track the latest stable OpenClaw release (currently v2026.3.x), with all known vulnerabilities patched before deployment
OpenClawd does not operate its own skill marketplace. Skills available on hosted instances are drawn from the official ClawHub repository after passing the vetting pipeline described above.
OpenClawd is not affiliated with the OpenClaw open-source foundation, OpenAI, Peter Steinberger, or any third-party security research firm cited in this release. It is an independent platform built on the open-source Clawdbot codebase. The open-source project remains free at github.com/openclaw/openclaw.
Pricing starts with a free tier. Paid plans include dedicated compute, priority security patching, and uptime monitoring. Deploy a secure OpenClaw instance at https://openclawd.ai.
Contact:
Email: support@openclawd.ai