OpenClaw’s Rapid Adoption Exposes Skills Supply Chain and Fake Installer Risks in a High-Privilege AI Agent Platform

OpenClaw is a recently fast-growing open-source AI agent platform that emphasises self-hosting, extensibility through skills, and integration with local environments and external services. Official documentation shows that ClawHub is OpenClaw’s public skill registry, where users can search for, install, update, and publish skills, which are generally composed of a SKILL.md file and related supporting files. The official documentation also clearly warns that third-party skills should be treated as untrusted code.

As the OpenClaw ecosystem rapidly expands, research and multiple media reports have continued to highlight related security risks, including malicious skills supply chain poisoning, fake installation projects, and search result poisoning. In addition, cybersecurity researchers have disclosed a high-severity vulnerability that has since been patched, which allowed malicious websites to take over an OpenClaw agent without requiring plugins, browser extensions, or user interaction.

(This image was created using generative AI and reviewed under professional human supervision.) 

OpenClaw has attracted attention because it is not a typical chat-based AI tool that only provides text responses. Instead, it is an AI agent platform that can run on a local machine or server and interact with the external environment through skills and tools. Official documentation shows that OpenClaw supports capability extensions in the form of workspace skills, local skills, and bundled skills, while ClawHub serves as a public skill registry that provides functions for searching, downloading, installing, updating, and publishing skills.

According to the official documentation, skills are usually composed of a SKILL.md file and other supporting files, and are used to provide the agent with specific functions, tool definitions, or operational instructions. The official security guidance also reminds users to treat third-party skills as untrusted code, and recommends using isolation or sandboxed execution when dealing with untrusted inputs or high-risk tools.

This open extension ecosystem helps OpenClaw rapidly build network effects around features and functionality, but it also expands the supply chain risks posed by third-party components. Reports indicate that OpenClaw has partnered with VirusTotal to perform threat intelligence scanning and analysis on skills uploaded to ClawHub. If a skill is determined to be malicious, it will be blocked from download, and all existing mainstream skills will also be rescanned daily. At the same time, reports note that the platform maintainers have warned that this scanning mechanism is not foolproof, and that some deeply hidden prompt injection payloads may still evade detection.

In terms of real-world threats, Trend Micro noted that attackers have disguised malicious content as OpenClaw skills and used seemingly normal SKILL.md instructions to lure agents or users into installing fake prerequisites or CLI tools, ultimately delivering Atomic macOS Stealer (AMOS) to macOS devices. Trend Micro described this type of attack as evidence that threat actors are using AI agents as a “trusted intermediary,” packaging otherwise high-risk malicious actions as seemingly normal installation or setup steps.

Separately, analyses have shown that attackers have also created fake OpenClaw installation projects and GitHub repositories, and used Bing’s AI-enhanced search results to recommend malicious download sources to users searching for the OpenClaw Windows installer. These cases suggest that victims may trust search results or the GitHub platform and download malicious installers, ultimately leading to information-stealing malware and proxy malware infections.

In addition to third-party skills and fake installation sources, the OpenClaw core platform itself has also been reported to contain a high-severity vulnerability. Research has shown that OpenClaw previously contained a vulnerability chain that could be exploited by malicious websites, allowing attackers to silently take over a developer’s AI agent without requiring plugins, browser extensions, or user interaction. The research also noted that the OpenClaw team classified the issue as high severity and has already provided a fix.

Risk Impact

Based on official documentation and public research, one of the main characteristics of OpenClaw and similar AI agent platforms is their close integration with local files, tools, scripts, and external services, along with their ability to continuously expand functionality through skills. While this design can improve automation efficiency, it also means that the attack surface is larger than that of ordinary chat-based AI tools. If exploited through malicious websites, malicious skills, or fake installation sources, such platforms may lead to the leakage of sensitive data, theft of credentials, installation of malware, and even further compromise of enterprise endpoints and workflow security.

For organisations, these risks should not be treated simply as the security issues of a single application. Rather, they should be regarded as risks associated with a class of high-privilege AI agents capable of performing automated actions. In particular, since official documentation explicitly warns that skills should be treated as untrusted code, a lack of version management, skills review, least-privilege settings, endpoint protection, and continuous monitoring could allow such platforms to be adopted rapidly outside formal information security governance, increasing the risks of “shadow AI” and supply chain compromise.

Security Recommendations

1. Verify download sources and installation guidance

Recent cases show that fake GitHub repositories and manipulated search result recommendations can be abused as malicious distribution channels. Users should prioritise download and installation information provided by the official website, official documentation, and official repositories.

2. Deployment based on the principles of least privilege and zero trust

Relevant organisations and individual users are advised to adopt the principles of least privilege and zero trust as fundamental security requirements when deploying and using OpenClaw. Under the principle of least privilege, OpenClaw should only be granted the minimum level of access necessary to perform its designated tasks, and it should not be operated with system administrator privileges.Under the principle of zero trust, agent programs, third-party Skills, external web content, and internal network environments should not be trusted by default. Instead, all access requests, tool invocations, and high-risk operations should be handled on a verify first, execute later basis.

3. Update OpenClaw

Users who have deployed OpenClaw should confirm that they have updated to the latest version in order to patch the publicly disclosed high-severity vulnerability.

4. Install third-party skills with caution

Even though the platform has introduced VirusTotal scanning, public reports indicate that this measure cannot completely eliminate risk. Users should not trust a component solely based on its skill name, download count, description page, or apparent functionality. If the environment permits, the skill’s code, permission requirements, external network connections, and access to sensitive data should be reviewed first before deciding whether to install it.

5. Be alert to agents requesting additional installations or high-risk actions

If an AI agent prompts users to download additional tools, paste terminal commands, install drivers, enter system passwords, or perform extra actions in the name of “required prerequisites,” such behavior should be treated as a high-risk event. Users should first verify whether the request comes from a trusted and genuinely necessary source. Public cases have shown that attackers may use these steps as part of social engineering and malware delivery chains.

6. Manage OpenClaw as a high-privilege automation platform

If an organisation is evaluating the adoption of OpenClaw, it should treat it as a high-privilege agent capable of operating local resources and external services, rather than as an ordinary chat tool. Version management, skills review, least privilege, endpoint protection, and continuous monitoring should all be included in the overall governance framework.

7. Do not expose the management interface directly to the Internet

OpenClaw’s management interface should not be directly exposed to the Internet. Access should be restricted to localhost, internal networks, or controlled whitelist wherever possible. In addition, authentication, encrypted channels, or other access control mechanisms should be implemented to minimize exposure and reduce the risk of scanning, brute-force attacks, or unauthorized access.

8. Enforce Strict Isolation for the Runtime Environment

If OpenClaw must be used, it should be run within a container, sandbox, or virtual machine, and its access should be limited to the designated working directory and only the resources strictly required for operation. It should not be run directly on the host with elevated privileges. In particular, it should not be executed as root or with administrator privileges, nor should it be allowed unrestricted access to the entire file system. These controls help reduce the impact of accidental operations, privilege abuse, or loss of control.

9. Establish logging, auditing, and anomaly monitoring mechanisms

It is recommended to retain operational records, tool invocation logs, and records of high-risk events for OpenClaw, and to regularly verify whether core configuration files have been modified without authorisation. Where the environment permits, periodic inspections and anomaly alerting mechanisms should also be established to enable early detection of suspicious behavior, outbound requests, or unauthorized changes, thereby improving traceability and incident response capability.

10. Prepare emergency shutdown and recovery arrangements in advance

If OpenClaw is found to exhibit abnormal behavior—such as unusual outbound connections, excessive resource consumption, suspicious file deletion or modification, or unauthorized configuration changes—its runtime environment should be terminated immediately, and the relevant containers or services should be isolated or shut down to prevent further spread. At the same time, backup and recovery mechanisms should be prepared in advance to ensure that, in the event of loss of control, data corruption, or suspected compromise, the system can be promptly restored to a known safe state.

Reference Links:

• OpenClaw 官方文件（Skills / ClawHub / Creating Skills） [docs.openclaw.ai], [openclaws.io], [openclaws.io]
• Oasis Security：OpenClaw Vulnerability Enables Full Agent Takeover [oasis.security]
• The Hacker News：OpenClaw Integrates VirusTotal Scanning to Detect Malicious ClawHub Skills [thehackernews.com]
• Trend Micro：Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer [trendmicro.com]
• BleepingComputer：Bing AI promoted fake OpenClaw GitHub repo pushing info-stealing malware [bleepingcomputer.com]
• The Register：Malware-laced OpenClaw installers get Bing AI search boost [theregister.com]
• Huntress：How a Threat Actor Used Fake OpenClaw Installers to Infect Systems with GhostSocks and Information Stealers [huntress.com]
• 关于防范OpenClaw（“龙虾”）开源智能体安全风险的“六要六不要”建议 [中国信通院]