OpenClaw: risks for agent users and how to mitigate them
OpenClaw, a widely adopted AI agent ecosystem with a skill marketplace called ClawHub, is being actively abused by attackers who publish malicious skills containing embedded shell commands or harmful natural-language instructions. Approximately 530 vulnerabilities have been discovered in OpenClaw and its underlying technologies, many involving sensitive data storage and excessive privileges. Kaspersky identified over 600 malicious skills from 24 accounts in April, with 1,100+ malicious accounts created since January. Malicious skills observed include macOS payloads using base64-encoded curl-pipe-to-bash execution and Windows MSI installers distributed via password-protected ZIP archives.
- filenameopenclaw_windriver.msiMalicious MSI installer inside the password-protected openclaw_windriver.zip archive; masquerades as a legitimate OpenClaw Windows driver component for initial access and execution.
- filenameopenclaw_windriver.zipMalicious archive distributed as a fake OpenClaw Windows driver package; password-protected with 'openclaw' to evade automated scanning; contains a malicious MSI installer.
- filenameSKILL.mdPlain-text skill definition file used by OpenClaw; malicious variants embed harmful natural-language instructions or shell commands that the agent executes with user privileges.
- md5e375b87350f5102a18c1fea90f85cad9MD5 hash of a malicious OpenClaw skill file detected by Kaspersky Scan Engine as HEUR:Trojan.ANSI.MalClaw.gen; identified as both a filesystem object and active in memory.
Detection / Hunteropenrouter
What Happened
OpenClaw is a popular AI assistant tool that lets users automate tasks by writing instructions in plain English. Attackers have figured out they can create malicious add-ons (called 'skills') for this tool and share them through OpenClaw's official marketplace, similar to how app stores sometimes host fake apps. These malicious skills can secretly run harmful commands on a user's computer, such as downloading and executing remote code, or stealing saved passwords and access keys. The security firm Kaspersky found over 600 of these malicious add-ons and more than 1,100 attacker accounts. Organizations where employees use OpenClaw should check all add-ons before allowing them, restrict what the AI assistant can access on company computers, and create clear policies about which AI tools employees are allowed to use.
Key Takeaways
- OpenClaw, a rapidly growing AI agent ecosystem, has accumulated approximately 530 vulnerabilities since launch, with CVE publications beginning February 2026, many involving sensitive data storage and excessive privileges.
- Attackers are distributing malicious skills through the ClawHub marketplace — over 600 malicious skills from 24 accounts were identified in April alone, with 1,100+ malicious accounts created since January.
- Malicious skills do not require custom malware development; attackers embed harmful natural-language instructions or shell commands within SKILL.md files that the agent executes with user-level privileges.
- Kaspersky products detect malicious OpenClaw skills as HEUR:Trojan.ANSI.MalClaw.gen; Kaspersky Scan Engine is recommended for checking skills entering organizational perimeters.
- A malicious macOS skill was observed using base64-encoded payloads decoded and piped to bash for remote code execution, while a Windows variant distributed a password-protected ZIP containing a malicious MSI installer.
Affected Systems
- OpenClaw AI agent runtime on Windows endpoints
- OpenClaw AI agent runtime on macOS endpoints
- Systems where OpenClaw agents have access to filesystem, shell, browser, and API credentials
- Organizational infrastructure accessible via tokens and keys stored in plain-text alongside the agent
Attack Chain
Attackers publish malicious OpenClaw skills on the ClawHub marketplace, embedding harmful natural-language instructions or shell commands within SKILL.md files. When a user installs and triggers the skill, the OpenClaw agent executes the embedded commands with the user's privileges, which may include base64-encoded payloads piped to bash for remote code execution (macOS) or malicious MSI installers distributed via password-protected ZIP archives (Windows). The agent's access to filesystem, shell, browser, and stored API credentials enables credential theft and lateral access to connected systems. Persistence is achieved through the skill remaining installed in the agent's local skill directory, allowing repeated execution on subsequent invocations.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Kaspersky Scan Engine, Kaspersky endpoint products
No YARA, Sigma, Snort, or KQL rules are provided in the article. Kaspersky products detect malicious OpenClaw skills as HEUR:Trojan.ANSI.MalClaw.gen, and Kaspersky Scan Engine is recommended for scanning skills at organizational perimeters. VirusTotal and NVIDIA SkillSpector are now used for preliminary scanning of skills published on ClawHub.
Detection Engineering Assessment
EDR Visibility: Medium — EDR solutions can likely detect the shell execution and child process spawning from the OpenClaw agent runtime (e.g., bash executing curl-piped payloads or msiexec running unexpected installers). However, malicious natural-language instructions within SKILL.md files that are interpreted by the LLM planner may not produce traditional process-level telemetry until the actual command is executed, creating a detection gap for the instruction layer. Network Visibility: Medium — Network monitoring can detect outbound curl connections and C2 communication from executed payloads. However, if the agent legitimately makes API calls as part of normal operation, distinguishing malicious network activity from benign agent traffic requires baseline understanding of expected skill behavior. Detection Difficulty: Hard — The dual nature of malicious skills — natural-language instructions interpreted by an LLM and embedded shell commands — requires detecting both traditional process-level indicators and semantic analysis of skill content. Base64 encoding adds obfuscation. Legitimate skills also execute shell commands and access credentials, producing high false positive rates unless behavioral baselines are established for the OpenClaw agent.
Required Log Sources
- Process creation logs (Sysmon Event ID 1 / macOS auditd)
- Command-line argument logging
- Network connection logs (Sysmon Event ID 3 / firewall logs)
- File creation and modification logs for .skills/ directories
- MSI installer execution logs (Windows Event Log Application)
- Bash history and shell execution logs on macOS/Linux
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for OpenClaw agent processes spawning shell interpreters (bash, sh, cmd.exe, powershell.exe) as child processes, particularly when the command involves base64 decoding or curl downloads, which may indicate a malicious skill executing embedded payloads. | Process creation events with parent-child relationship analysis, command-line argument logging | Execution | High — legitimate OpenClaw skills may also spawn shell processes for automation tasks; baseline expected shell activity from the agent runtime before alerting. |
| Consider hunting for new SKILL.md files appearing in OpenClaw skill directories (.skills/) that contain base64-encoded strings, curl/wget references, or shell command patterns, which may indicate malicious skill installation. | File creation and modification events in OpenClaw skill directories, file content scanning | Persistence / Initial Access | Medium — some legitimate skills may include shell commands for valid automation; focus on base64 encoding and remote download patterns as higher-signal indicators. |
| Consider hunting for MSI installer execution (T1218.007) originating from or correlated with OpenClaw agent activity, especially installers with names suggesting driver or system components, which may indicate malicious skill-based payload delivery. | Windows Event Log Application (MSIInstaller events), process creation logs for msiexec.exe | Initial Access / Execution | Low — MSI installation from an AI agent runtime is unusual and warrants investigation. |
| Consider hunting for the OpenClaw agent process accessing credential files, environment variables containing API keys, or token stores that are not related to the skill's stated purpose, which may indicate credential theft via a malicious skill. | File access logs, environment variable access monitoring, EDR file read telemetry | Credential Access | High — legitimate skills routinely access credentials for API interactions; correlate with skill metadata and expected access patterns. |
| Consider hunting for outbound network connections from the OpenClaw agent or its child processes to previously unseen domains or IPs, particularly following skill installation or execution, which may indicate C2 communication from a malicious payload. | Network connection logs, DNS query logs, proxy logs | Command and Control | Medium — the agent makes legitimate API calls; focus on connections to non-API endpoints or unusual ports. |
Control Gaps
- Traditional AV scanning of SKILL.md files may miss malicious natural-language instructions that do not contain recognizable code patterns but instruct the LLM to perform harmful actions.
- Application allowlisting may not cover the OpenClaw agent runtime or its skill execution pipeline, allowing arbitrary command execution under a trusted process.
- Network security controls may not distinguish between legitimate OpenClaw API calls and malicious outbound connections from embedded payloads.
- DLP solutions may not monitor credential exfiltration through the agent's legitimate API access channels.
- Endpoint detection may not flag fileless execution chains where the LLM interprets natural-language instructions and executes commands without a traditional malware binary on disk.
Key Behavioral Indicators
- OpenClaw agent process spawning bash or sh with base64 decode arguments on macOS
- OpenClaw agent process spawning msiexec.exe with unexpected installer paths on Windows
- New SKILL.md files appearing in .skills/ directories containing base64-encoded blobs or curl/wget references
- OpenClaw agent child processes making outbound network connections to non-API endpoints
- Password-protected ZIP archives with 'openclaw' password being downloaded or extracted on endpoints
- OpenClaw agent accessing credential stores or environment variables beyond expected skill scope
False Positive Assessment
- High — legitimate OpenClaw skills routinely execute shell commands, access credentials, make network connections, and create files as part of normal automation workflows. Distinguishing malicious skill behavior from benign automation requires behavioral baselining of the agent runtime and correlation with skill metadata, source reputation, and expected access patterns.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider scanning all OpenClaw skill files (SKILL.md and associated resources) entering your environment using Kaspersky Scan Engine or equivalent file-scanning solutions.
- Consider blocking or quarantining the known malicious filenames openclaw_windriver.zip and openclaw_windriver.msi if observed on endpoints, and investigate any systems where these files are found.
- If your EDR supports host isolation, consider isolating endpoints where OpenClaw agent processes are observed spawning shell interpreters with base64 decode arguments or executing unexpected MSI installers.
- Consider reviewing ClawHub skill installation logs or local .skills/ directories for any skills installed since January 2026, and evaluate whether they match the known malicious patterns described in the article.
Infrastructure Hardening
- Consider implementing network segmentation to restrict OpenClaw agent access to only the APIs and services it explicitly requires, blocking outbound connections to non-whitelisted destinations.
- Evaluate whether the OpenClaw sandboxing subsystem and API wrappers can be configured to enforce least-privilege access for all skills, limiting filesystem, shell, and credential access.
- Consider deploying proxy-based filtering for all outbound traffic from systems running OpenClaw agents to detect and block C2 communication from malicious payloads.
- If applicable, consider integrating Kaspersky Scan Engine or equivalent scanning solutions at mail gateways, proxy servers, and web application entry points to intercept malicious skill files before they reach endpoints.
User Protection
- Consider enforcing the principle of least privilege for OpenClaw agent runtimes — restrict filesystem access, shell execution capabilities, and credential store access to only what each explicitly approved skill requires.
- Evaluate whether endpoint protection products in your environment can detect HEUR:Trojan.ANSI.MalClaw.gen or equivalent malicious OpenClaw skill behavior, and verify detection coverage is enabled.
- Consider monitoring OpenClaw agent network activity using the project's built-in sandboxing subsystem and API wrappers to detect anomalous outbound connections.
- If your organization permits OpenClaw usage, consider maintaining an allowlist of approved skills and blocking installation of any skills from unverified ClawHub accounts.
Security Awareness
- Consider developing a comprehensive AI usage policy that explicitly defines which AI agent tools and skills are approved for organizational use, and communicate this policy to all employees.
- Consider incorporating AI agent supply-chain risks into existing security awareness training, emphasizing that skills from marketplaces can contain hidden malicious commands even when they appear legitimate.
- Consider educating employees on the risks of storing API keys, tokens, and credentials in plain-text files alongside AI agents, and promote the use of secure credential vaults or environment variable management where supported.
- Consider reminding employees to never install third-party tools or skills that are not explicitly approved by the organization's IT or security team.
MITRE ATT&CK Mapping
- T1195 - Supply Chain Compromise
- T1059.004 - Unix Shell
- T1027.010 - Obfuscated Files or Information: Command Obfuscation
- T1105 - Ingress Tool Transfer
- T1552 - Unsecured Credentials
- T1036 - Masquerading
- T1213 - Data from Information Repositories
Additional IOCs
- File Hashes:
E375B87350F5102A18C1FEA90F85CAD9(MD5) - Malicious OpenClaw skill object detected by Kaspersky Scan Engine as HEUR:Trojan.ANSI.MalClaw.gen.
- File Paths:
/root/E375B87350F5102A18C1FEA90F85CAD9- Filesystem path of the malicious skill object detected by Kaspersky Scan Engine on a scanned system.
- Command Lines:
- Purpose: Remote code execution on macOS via base64-decoded payload piped to bash; decodes to a curl command that downloads and executes a remote script. | Tools:
bash,curl,base64| Stage: Execution |echo <base64> | base64 -D | bash - Purpose: Malicious MSI installer execution on Windows disguised as an OpenClaw driver component for initial access and payload deployment. | Tools:
msiexec| Stage: Initial Access / Execution |msiexec /i openclaw_windriver.msi
- Purpose: Remote code execution on macOS via base64-decoded payload piped to bash; decodes to a curl command that downloads and executes a remote script. | Tools: