OpenClaw, the open-source AI agent platform, faces mounting security concerns after researchers uncovered hundreds of malicious extensions in its marketplace. The platform discovered at least 28 malicious skills published on ClawHub between January 27-29, with an additional 386 malicious add-ons uploaded in late January and early February.
Security researchers describe the situation as a "security nightmare" with the most-downloaded add-on serving as a "malware delivery vehicle". These malicious skills masquerade as cryptocurrency trading automation tools while delivering information-stealing malware that targets crypto assets, exchange API keys, wallet private keys, SSH credentials, and browser passwords.
The open-source AI agent, previously known as Clawdbot and Moltbot, launched in November and has experienced viral growth. It gained over 100,000 stars on GitHub and attracted two million visitors in a single week.
Users interact with OpenClaw through messaging apps like WhatsApp, Telegram, and iMessage, often granting the AI access to their entire device for file management and task automation.
China's Ministry of Industry and Information Technology issued a formal warning on February 5 about OpenClaw's security risks. The ministry cautioned that improper configuration could expose users to cyberattacks and data breaches, advising organizations to conduct thorough audits of public network exposure and implement strong identity authentication.
OpenClaw's creator, Peter Steinberger, is implementing security measures including a new GitHub requirement for skill publishers. Accounts must be at least one week old to upload extensions.
The platform also introduced a reporting system where signed-in users can flag suspicious skills, with any skill receiving more than three unique reports automatically hidden from the marketplace.
Security firm DepthFirst discovered a critical vulnerability, tracked as CVE-2026-25253, that allowed attackers to obtain user authentication tokens by tricking targets into visiting malicious websites. The flaw was patched in version 2026.1.29 released in recent days.
Censys security researchers identified more than 21,000 publicly exposed OpenClaw instances as of January 31, with approximately 30% hosted on Alibaba Cloud infrastructure. Chinese cloud providers including Alibaba's Alicloud, Tencent Cloud, and Baidu have launched services allowing users to rent servers for remote OpenClaw deployment.
The platform's rapid adoption highlights broader security challenges in open-source AI ecosystems where user-submitted extensions can introduce significant risks. OpenClaw's extensibility, while a key feature, creates attack surfaces that malicious actors have exploited through markdown files containing hidden instructions for both users and the AI agent.
"OpenClaw's skill hub has become 'an attack surface' where even popular extensions can contain malicious code."
1Password product VP Jason Meller noted this, as researchers found that skills often include instructions designed to get the AI agent to run commands that download information-stealing malware.
The incident highlights the tension between open-source flexibility and security in AI agent platforms gaining mainstream adoption. While OpenClaw's self-hosted nature appeals to privacy-conscious users, its extension ecosystem requires careful vetting to prevent malware distribution through seemingly legitimate productivity tools.
The security issues come as OpenAI CEO Sam Altman has championed autonomous AI agents like OpenClaw while criticizing other viral AI platforms as passing fads.
These security challenges also highlight the importance of strong security measures in enterprise AI deployments, as seen in OpenAI's Frontier platform for Fortune 500 companies which emphasizes secure institutional memory and controlled agent deployment.
