More than three hundred malicious packages targeting the personal AI assistant OpenClaw (formerly known as ClawdBot and Moltbot) were published in less than a week on the project’s official registry, ClawHub, and on GitHub. Masquerading as legitimate cryptocurrency trading automation tools, the packages, known as “skills,” deliver data-stealing malware.
OpenClaw is a fast-growing open-source AI assistant that runs locally, supports persistent memory, and integrates with resources such as chat services, email, and the local file system. It relies on so-called “skills,” plug-ins that add new capabilities. However, security researchers were quick to highlight multiple security risks. According to security researcher Jamieson O’Reilly, hundreds of OpenClaw admin interfaces are misconfigured and publicly accessible.
According to the community security portal OpenSourceMalware, attackers are running a coordinated campaign that distributes information-stealing malware through fake skills posing as cryptocurrency trading bots, financial utilities, and social media tools. Many of the malicious packages are near-identical clones with randomized names, and some have been downloaded thousands of times. Each includes extensive documentation to appear trustworthy and repeatedly references a supposed dependency called “AuthTool.”
Following the setup instructions triggers the infection process. AuthTool is actually a malware delivery mechanism, deploying different payloads depending on the operating system. On macOS, it downloads a NovaStealer variant that bypasses Gatekeeper protections, while on Windows it installs malware via a password-protected ZIP file. The stealer targets API keys, cryptocurrency wallets and seed phrases, browser passwords, SSH keys, cloud credentials, Git data, and environment files.
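The two traits reported for these skills, documentation that is near-identical across randomized names and a reference to the “AuthTool” dependency, can be checked when reviewing skills before installation. The following Python is an added example, not code from OpenClaw, ClawHub or the researchers; the skill names, documentation text and the 0.9 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Dependency name taken from the article; matched case-insensitively.
DEPENDENCY_MARKER = re.compile(r"\bauthtool\b", re.IGNORECASE)

def normalise(name, doc):
    """Mask the skill's own name, lowercase, and collapse whitespace so that
    clones differing only by a randomized name compare as equal."""
    text = re.sub(re.escape(name), "<name>", doc, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", text.lower()).strip()

def triage(skills, threshold=0.9):
    """skills maps skill name -> documentation text.
    Returns (names whose docs mention the marker, clusters of near-identical docs)."""
    flagged = sorted(n for n, d in skills.items() if DEPENDENCY_MARKER.search(d))
    norm = {n: normalise(n, d) for n, d in skills.items()}
    clusters = []
    for name in sorted(skills):
        for cluster in clusters:
            # Compare against the first member of each existing cluster.
            if SequenceMatcher(None, norm[cluster[0]], norm[name]).ratio() >= threshold:
                cluster.append(name)
                break
        else:
            clusters.append([name])
    return flagged, [c for c in clusters if len(c) > 1]

# Constructed sample input: two clones with randomized suffixes, one unrelated skill.
SAMPLE = {
    "btc-trader-x7k2": "# btc-trader-x7k2\nAutomated trading bot.\n"
                       "## Setup\nInstall AuthTool before running btc-trader-x7k2.",
    "btc-trader-q9m4": "# btc-trader-q9m4\nAutomated trading bot.\n"
                       "## Setup\nInstall AuthTool before running btc-trader-q9m4.",
    "weather-lookup": "# weather-lookup\nFetches the forecast for a city.\n"
                      "## Setup\nNo extra dependencies.",
}

if __name__ == "__main__":
    flagged, clusters = triage(SAMPLE)
    print("mentions AuthTool:", flagged)
    print("near-identical clusters:", clusters)
```

A hit on either check is a reason to hold the skill for manual review, not proof that it is malicious.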
A separate analysis by Koi Security discovered 341 malicious skills on ClawHub (out of a total of 2,857), attributing them to a single campaign. Researchers also found 29 typosquatted domains mimicking ClawHub, designed to catch users who mistype the registry’s name.