The rapid development of artificial intelligence has recently led to the emergence of numerous innovative tools that promise to make our everyday lives considerably easier. However, one of these projects, known as MoltBot, ClawdBot and finally OpenClaw, has recently made headlines in the cyber security community. While OpenClaw is designed as an open-source AI assistant with local data storage and a wide range of integration options, a recent report by BleepingComputer shows how quickly such platforms can be misused by criminals. In less than a week, more than 230 malicious data packets, known as skills, were published on the tool's official registry and on GitHub. These incidents highlight a growing problem: platforms often grow faster than the security mechanisms designed to protect them. The Neustadt-based security specialists at 8com address this threat in their blog and provide tips on how to deal with it.

The attackers use a sophisticated social engineering method to trick users into installing malware. The malicious skills masquerade as legitimate tools, such as for automated crypto trading, financial analysis or social media content management. To inspire trust, these packages often come with extensive documentation that looks deceptively genuine. A central component of this deception is a supposed utility programme called AuthTool, which is touted in the documentation as an essential prerequisite for the respective skill to function. If the user follows the instructions for installing this tool, they set off a chain of infection reminiscent of known ClickFix attacks, because in reality, AuthTool hides a mechanism for installing password stealers and other highly dangerous malware.

Technically speaking, the approach differs depending on the victim's operating system. On macOS systems, the malware often appears as a Base64-encoded shell command that downloads a payload from an external server. These are often variants of NovaStealer, which specifically bypasses security mechanisms such as Apple's Gatekeeper by deleting quarantine attributes and requesting extensive file access rights. On Windows, on the other hand, a password-protected ZIP archive is usually downloaded and executed to deceive antivirus scanners. The goal of these attacks is to steal sensitive information: From API keys for crypto exchanges to browser passwords and SSH credentials to private keys for wallets and access data for cloud services, anything that could be of value to cybercriminals is targeted. What is particularly explosive is that the malware also specifically searches for environment variables in .env files, which often contain unencrypted data for software development.

Analyses by security researchers such as Jamieson O'Reilly and organisations such as Koi Security show the enormous scale of this campaign. In some cases, over 340 malicious skills have been identified that apparently originate from a single source or campaign. Many of these packages are nearly identical clones with randomly generated names that aim to appear at the top of the registry's search results. Some of these fake tools had already been downloaded thousands of times before they were recognised as a threat. The inventor of OpenClaw, Peter Steinberger, admitted to experts that it is currently impossible to manually check the enormous flood of newly submitted skills. This means that the responsibility for security lies solely with the end user, which is a considerable hurdle in such a complex environment.

To protect against such threats, a multi-layered security approach is essential. Experts strongly advise running AI assistants that require extensive system rights in isolated virtual machines. In addition, permissions should be granted restrictively and network traffic should be closely monitored. It is also advisable to use specialised scanners that check URLs of skills for known signatures of malicious code before integrating them into your own working environment. The MoltBot and OpenClaw cases are a cautionary example of how, in the age of AI-supported automation, not only the possibilities but also the risks are increasing exponentially. Scepticism towards third-party extensions therefore remains the most important tool in the arsenal of any security-conscious internet user.

Video