Key Highlights:
- Security researchers flagged 1,184 malicious “skills” on OpenClaw’s ClawHub capable of stealing SSH keys, wallet data, and browser credentials.
- A single attacker uploaded hundreds of harmful packages, some of which were downloaded widely before being detected.
- Experts warn that rapid adoption of OpenClaw tools is outpacing security safeguards, increasing risks of credential theft and remote code execution.
The OpenClaw ecosystem is yet again under fire for security reasons, this time due to its official marketplace, ClawHub. Researchers have identified 1184 malicious packages circulating in ClawHub.
The warning was highlighted by SlowMist founder Cosmos Yu, who shared details of the issue.
OpenClaw’s ClawHub in the Crosshairs for Security Concerns
According to the alert, a total of 1,184 malicious “skills” have been detected on ClawHub. These packages are capable of stealing SSH keys, extracting browser passwords, encrypting wallets, and even opening reverse shells on user machines. In one case, a single attacker was responsible for uploading 677 separate packages into the marketplace.
再次提醒:文本不再是文本,而是指令。玩 AI 这些工具要用独立环境…
Skills 很危险⚠️
Skills 很危险⚠️
Skills 很危险⚠️ https://t.co/GZ3hhathkE— Cos(余弦)😶🌫️ (@evilcos) February 20, 2026
Some of these skills had already gained traction. The highest-ranked malicious package reportedly has nine separate vulnerabilities and had been downloaded thousands of times before being flagged. This raises questions about how quickly harmful code can spread across decentralized or semi-open AI agent ecosystems where discoverability is high and review processes may lag behind adoption.
ClawHub is the official skill registry for OpenClaw. It functions similarly to a package manager for AI agents, allowing developers and users to extend functionality through downloadable modules. At the time of writing, the registry listed 3,286 skills across 11 categories and had seen more than 1.5 million downloads. Its vector-based semantic search allows users to find tools using natural language queries, which improves usability but may also increase exposure to unsafe packages if moderation is insufficient.
The platform has already faced security issues in recent weeks. Earlier this month, researchers documented a “ClawHavoc” incident involving hundreds of malicious skills designed to steal user data. In response, the platform removed more than 2,400 suspicious packages, introduced automated malware scanning through a partnership with VirusTotal, and strengthened moderation rules so that flagged tools are hidden after multiple reports. A user reporting system for unsafe skills has also been introduced.
Even with these measures, the OpenClaw ecosystem continues to draw criticism. The platform, which previously operated under names including Clawdbot and Moltbot, has been described by security researchers as innovative but highly exposed to risk. Cisco Talos recently called it groundbreaking for productivity and also labeled it a major security challenge.
At the same time, the platform’s rapid growth in crypto sector has intensified the risks. OpenClaw agents can directly interact with blockchain networks like Polygon and Solana. They can also communicate with other agents and execute tasks autonomously. These features around financial capability, automation, and networked coordination has accelerated its adoption among both developers and crypto users. Some users have already reported generating trading profits through arbitrage and prediction market strategies using these agents.
However, security analysts say adoption is outpacing governance. Researchers have observed attackers scanning for default OpenClaw ports and testing ways to dodge protections. Enterprise security providers have also warned that a large number of employees are deploying these tools internally without formal approval. This pattern mirrors the wider rise of shadow IT, where new technologies spread faster than internal controls can keep up.
Yu has warned that in the age of AI agents, text inputs can function as executable commands. He advised users to run such tools in isolated environments and to treat third-party skills with caution. He also pointed out that Web3 security risks are no longer limited to smart contracts alone, as he cited recent incidents where vulnerabilities introduced via AI-assisted code contributed to losses.
Also Read: Moonwell: Recovery Plan Moves to Governance Forum Following 2.68M Loss