Researchers have uncovered a significant security threat within the OpenClaw AI assistant ecosystem, revealing over 340 malicious skills that facilitate the spread of information stealers. These findings highlight alarming vulnerabilities as the number of infected posts on Moltbook, the social network for AI agents, has reached 506, indicating potential early signs of "prompt worms"—self-replicating instructions that could be transmitted between agents.
OpenClaw, which operates locally on user machines via messaging platforms like WhatsApp, Telegram, Slack, and Discord, allows for autonomous task execution and inter-agent communication. Since its launch in November 2025, the platform has gained substantial traction, amassing over 150,000 stars on GitHub and a user base of approximately 17,000 with 770,000 registered agents.
Peter Steinberger, the creator of OpenClaw, developed the project using vibe coding with minimal testing. The introduction of Moltbook has enabled AI agents to share and interact with each other, but the platform’s open-source nature poses significant risks. The ClawHub repository, where skills are uploaded, is open by default, allowing anyone with a GitHub account to contribute after a week.
Experts from Koi Security reported that between January 27 and February 1, more than 230 malicious skills emerged within ClawHub and GitHub. An independent report from OpenSourceMalware detailed the operational mechanisms of this malware campaign. Researchers audited 2,857 available skills and identified 341 as harmful, all linked to a campaign dubbed ClawHavoc. Notably, the malicious skill titled "What Would Elon Do" gained popularity, redirecting data to external servers while topping the rankings through manipulation.
The infection strategy resembles ClickFix attacks, with each skill featuring extensive documentation that repeatedly mentions a tool called AuthTool, which is actually a malware delivery mechanism. For macOS users, the malware employs a base64 encoded shell command to download payloads from external addresses, while Windows users receive a password-protected archive.
The malware variant for macOS, known as Atomic Stealer (AMOS), bypasses Gatekeeper using specific commands and seeks access to critical files, including cryptocurrency exchange API keys and wallet seed phrases. All identified skills share a common control infrastructure tied to the IP address 91.92.242[.]30.
The malicious skills masquerade as various tools, including type-squatting variations of ClawHub, cryptocurrency utilities, YouTube tools, auto-update agents, financial instruments, Google Workspace applications, Ethereum gas trackers, and Bitcoin recovery searchers. Additionally, some skills contain reverse shells and mechanisms for sending bot credentials to external webhooks.
In response, Steinberger has acknowledged the challenge of monitoring the vast number of skill submissions and has emphasized user responsibility in verifying skill safety before deployment. As a temporary safeguard, a complaint feature has been added, allowing authorized users to report suspicious skills, with those accumulating more than three unique complaints being hidden by default.
While some experts focused on the malicious skills, researchers from Simula Research Laboratory identified 506 posts on Moltbook containing hidden prompt injections, further indicating the emergence of prompt worms. These self-replicating instructions could allow for the spread of malware through AI agents, creating a viral chain reaction.
The risks associated with OpenClaw have been magnified as it primarily operates through the APIs of OpenAI and Anthropic, which can monitor usage patterns and block suspicious activity. However, as local large language models (LLMs) like Mistral and DeepSeek advance, the potential for unmonitored, powerful agents operating on local hardware increases.
Security analysts at Palo Alto Networks have described OpenClaw as embodying a "lethal trio" of vulnerabilities: access to confidential data, unreliable content, and external communication capabilities. Given the rapid growth of the OpenClaw ecosystem, which currently includes hundreds of thousands of agents, the implications for market competitors are significant, as they may need to enhance their security measures to address these emerging threats.
Informational material. 18+.
