“Security Nightmare”: How OpenClaw Is Fighting Malware in Its AI Agent Marketplace
It has drawn great hype, but has also already been called a security nightmare: the open-source AI assistant OpenClaw (formerly Clawdbot/Moltbot) by Austrian developer Peter Steinberger. Steinberger has now entered into a partnership with VirusTotal to protect the skill marketplace ClawHub from malicious extensions.
Google’s threat database now scans all uploaded skills for malware components and suspicious code. The need is clear: depending on its configuration, OpenClaw has far-reaching system rights, can control applications, and can install software on its own. Users issue commands via messaging services such as Signal, among other channels. This combination makes the system an attractive target for attackers, who have already distributed hundreds of malware-infected extensions on ClawHub.
Numerous manipulated skills discovered
Security researchers from VirusTotal report in an analysis that they have already encountered numerous manipulated skills that do not perform the promised functions but instead secretly read passwords and transmit them to criminals. The risks span the entire spectrum of possible attacks: extensions can exfiltrate sensitive information, execute unauthorized commands, send messages on behalf of the user, or download and launch external malware.
Since OpenClaw, given the appropriate permissions, can for example gain full access to password managers, this creates an immense security risk. The developers emphasize that AI agents represent a fundamental change compared to traditional software: they interpret natural language and make decisions independently, which blurs the boundary between user intent and machine execution.
Multi-stage scanning process with AI-powered analysis
The security system works in several steps. First, uploaded skills are deterministically packaged into a ZIP archive and provided with metadata. The system calculates a SHA-256 hash as a unique fingerprint of the entire package and checks it against the VirusTotal database. If the file is already known and an analysis result is available, the evaluation happens immediately. Otherwise, the system uploads the complete package for examination via the VirusTotal API. Skills with benign results are automatically released; suspicious extensions receive a warning but remain available; skills classified as malicious are immediately blocked. All active extensions undergo daily rescans to catch malware that is detected only later.
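The pipeline described above, as an added example that is not code from OpenClaw, ClawHub or VirusTotal: skill files are packed into a byte-for-byte reproducible ZIP (sorted entry order, constant timestamp, constant permissions and compression), the archive is fingerprinted with SHA-256, the fingerprint is looked up, the package is uploaded only on a cache miss, and the verdict is mapped to release/warn/block. The `lookup` and `upload` callables, the `MARKER` string the toy analysis looks for, and the sample files are all constructed stand-ins for the real VirusTotal query and upload; `daily_rescan` shows why re-querying stored hashes matters when a verdict changes after the initial release.

```python
"""Deterministic skill packaging, SHA-256 fingerprinting and verdict triage (constructed example)."""
import hashlib
import io
import zipfile

# Constant timestamp: ZIP stores DOS date/time per entry, and the wall clock would
# otherwise make two packagings of identical files hash differently.
FIXED_DATE_TIME = (1980, 1, 1, 0, 0, 0)

# How a scanner verdict translates into a marketplace action (mirrors the article).
VERDICT_ACTIONS = {"benign": "release", "suspicious": "warn", "malicious": "block"}

# Constructed marker the toy "analysis" below treats as malicious; not a real signature.
MARKER = b"__CONSTRUCTED_MALICIOUS_MARKER__"


def package_skill(files: dict) -> bytes:
    """Pack {path: bytes} into a ZIP whose bytes depend only on names and contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(files):                      # fixed entry order
            info = zipfile.ZipInfo(path, date_time=FIXED_DATE_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED    # same method for every entry
            info.external_attr = 0o644 << 16             # constant permission bits
            zf.writestr(info, files[path])
    return buf.getvalue()


def fingerprint(package: bytes) -> str:
    """SHA-256 of the whole archive; this is the key used for the database lookup."""
    return hashlib.sha256(package).hexdigest()


def triage_skill(files: dict, lookup, upload) -> dict:
    """Package, fingerprint, look up; upload only if the hash is unknown; map verdict to action.

    `lookup(sha256)` returns a verdict string or None; `upload(package)` returns a verdict.
    Both are injected so the real scanner client can be swapped in without touching this logic.
    """
    package = package_skill(files)
    sha256 = fingerprint(package)
    verdict = lookup(sha256)
    source = "cached"
    if verdict is None:
        verdict = upload(package)
        source = "uploaded"
    return {"sha256": sha256, "verdict": verdict,
            "action": VERDICT_ACTIONS[verdict], "source": source}


def daily_rescan(active_skills: dict, lookup) -> list:
    """Re-query every active skill's stored hash; return names whose verdict now means 'block'."""
    return sorted(name for name, sha256 in active_skills.items()
                  if VERDICT_ACTIONS.get(lookup(sha256)) == "block")


def make_constructed_scanner(known: dict):
    """Constructed stand-in for the VirusTotal lookup/upload pair, backed by a dict of hash -> verdict."""
    def lookup(sha256):
        return known.get(sha256)

    def upload(package):
        # Toy analysis: unpack and look for the constructed marker, then record the verdict
        # so a later triage of the same package is answered from the cache.
        with zipfile.ZipFile(io.BytesIO(package)) as zf:
            contents = [zf.read(name) for name in zf.namelist()]
        verdict = "malicious" if any(MARKER in blob for blob in contents) else "benign"
        known[fingerprint(package)] = verdict
        return verdict

    return lookup, upload


if __name__ == "__main__":
    # Constructed sample skills.
    clean = {"SKILL.md": b"# weather\n", "weather.py": b"def run(city):\n    return 'sunny'\n"}
    bad = {"SKILL.md": b"# weather\n", "weather.py": b"def run(city):\n    pass  # " + MARKER + b"\n"}
    db = {}
    lookup, upload = make_constructed_scanner(db)
    print(triage_skill(clean, lookup, upload))   # uploaded, benign, release
    print(triage_skill(clean, lookup, upload))   # cached, benign, release
    print(triage_skill(bad, lookup, upload))     # uploaded, malicious, block
```

The determinism matters because the cache is keyed on the archive hash: if the packer leaked timestamps or directory order into the ZIP, every re-upload of an unchanged skill would look like a new, never-scanned file.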
A central role is played by VirusTotal’s Code Insight function, which is based on a large language model and works with Gemini. This AI-powered analysis does not stop at what an extension claims to do; it examines, from a security perspective, what actions the code actually performs. The system detects whether an extension downloads and executes external code, accesses sensitive data, performs network operations, or contains instructions that could prompt the agent to behave unsafely.
Protection only against already known trojans and backdoors
Those responsible also explicitly stress that this measure is not a complete solution. The primarily signature-based approach only finds already known trojans and backdoors. Carefully crafted payload prompts can circumvent the system, as can extensions that trigger malicious actions through natural language instructions without exhibiting classic malware signatures. Still, the partnership offers protection against known malware, adds behavioral analysis that can also catch novel threats, creates transparency in the supply chain, and signals a commitment to security.
OpenClaw has hired Jamieson O’Reilly, founder of Dvuln and co-founder of Aether AI as well as member of the CREST Advisory Council, as lead security advisor. In the coming days, the company intends to publish a comprehensive threat model for the entire ecosystem, present a public security roadmap with concrete goals, disclose details of a complete code review, and establish a formal process for reporting security vulnerabilities with defined response times. The information will be consolidated on a dedicated platform for security transparency.