OpenClaw, the self-hosted AI agent formerly known as Clawdbot, has become a clear example of a growing security problem: when an AI system can run commands, alter files, and make network requests, add-ons are not just convenience features. They can become a route for malware.
According to the source article, VirusTotal flagged that hundreds of OpenClaw skills had been laced with malware. The affected skills appeared on ClawHub, the platform where users can install community-built skills to expand what the agent can do.
What happened on ClawHub
OpenClaw runs locally on a user’s machine. That matters because the agent is designed to take real actions, including executing shell commands, manipulating files, and making network requests. Those abilities are useful when the agent is trusted. They are dangerous when an installed skill is hostile.
VirusTotal found that attackers were presenting Trojans and data stealers as legitimate skills. In many cases, the skills themselves looked clean. The dangerous behavior came from instructions that pushed the agent to download and run external payloads.
The source article names Atomic Stealer, a well-known macOS Trojan, as one of the external payloads involved. It also says one user alone uploaded more than 300 infected skills.
The pattern is important because it does not require the visible skill package to look obviously malicious at first glance. A skill can appear harmless while still directing an agent toward unsafe behavior once it runs.
Why AI agent skills are a high-risk target
Traditional software extensions can already create risk. AI agent skills raise the stakes because they are connected to systems that interpret natural language and decide how to act. OpenClaw is described as a harness for agentic AI models like Claude Opus or GPT-5.2, and the agent’s purpose is to let those models do things on the user’s computer.
That makes the security boundary harder to define. A malicious skill does not only need to exploit a conventional software weakness. It can also manipulate the agent’s instructions, its interpretation of tasks, or its access to tools.
The source article says language models run on probabilities and interpret natural language, giving attackers many possible entry points. It also notes that OpenClaw has faced reports of serious security flaws before.
The broader issue is that agentic AI tools are designed to be open-ended. They are useful because they can connect language, tools, local files, and network activity. The same openness gives attackers more room to hide malicious intent inside workflows that may look ordinary to a user.
OpenClaw’s new scanning layer
In response to the attack, OpenClaw founder Peter Steinberger announced a partnership with VirusTotal. Every skill published on ClawHub is now automatically scanned using VirusTotal’s AI-powered Code Insight feature, built on Google’s Gemini, along with other tools.
The system evaluates what a skill does from a security point of view. The source article says it looks for behavior such as downloading external files, accessing sensitive data, or manipulating the agent into unsafe behavior.
The review process now has three outcomes:
- Skills deemed harmless are approved automatically.
- Suspicious skills receive a warning label.
- Skills flagged as malicious are blocked immediately.
All active skills are also re-scanned daily. That matters because a skill marketplace is not static. A skill that appears acceptable at one moment may need to be checked again as tools, payloads, or behavior change.
This is a practical response to the ClawHub incident. It adds automated review before users install skills and keeps checking skills after publication. But it does not remove the underlying risk of giving an AI agent powerful local capabilities.
What the fix cannot solve
The VirusTotal partnership reduces the risk, but the source article is clear that it does not solve the core security problem. It says there is currently virtually no effective defense against these kinds of attacks, except locking models into tightly controlled environments.
That creates a direct tension for OpenClaw. Tight control would reduce exposure, but it would also work against the product’s purpose. OpenClaw is built to let AI agents act locally and extend their behavior through skills.
The source article also says the new software cannot catch targeted natural language attacks known as prompt injections. It describes prompt injections as by far the biggest cybersecurity weakness in current AI models.
Steinberger acknowledged the limits of the new scanning layer:
"Security is defense in depth. This is one layer. More are coming."
He also framed the company’s larger goal in stronger terms:
"AI agents that take real-world actions deserve real security processes. We're building them. […] We're committed to making OpenClaw the most secure AI agent platform available."
The company has also brought on Jamieson O'Reilly, founder of Dvuln, as a senior security consultant.
The larger lesson for AI agents
The OpenClaw incident shows that AI agent security cannot be treated as an afterthought. If an agent can execute shell commands, modify files, or reach out to the network, then a community skill is not merely a small plugin. It is a potential instruction path into a system with real-world effects.
Scanning skills through VirusTotal gives OpenClaw a stronger first line of review. Warning labels, automatic blocking, and daily re-scans are concrete steps that can reduce exposure on ClawHub.
But the harder problem remains: AI agents are built around flexible interpretation and action. That flexibility is what makes them useful, and it is also what attackers can try to exploit. For users and developers, the key takeaway is simple: every new capability added to an AI agent also expands the security surface that must be monitored, limited, and reviewed.