Weaponized AI Skills: VirusTotal Flags Hundreds of Malicious OpenClaw Extensions

VirusTotal's Code Insight tool identifies hundreds of malicious OpenClaw skills delivering infostealers and RATs. What happened and how to protect yourself.

February 18, 2026

The OpenClaw ecosystem is facing its first major security incident. VirusTotal reported that its Code Insight tool (powered by Gemini Flash) has identified hundreds of OpenClaw skills actively weaponized to deliver malware — including the Atomic Stealer (AMOS) infostealer.

How the Attack Works

OpenClaw skills are modular extensions that run with the agent’s system-level permissions. Because they execute shell scripts and TypeScript code with broad access, they’ve become an attractive vector for attackers.

According to the VirusTotal report, attackers use social engineering to trick users into installing malicious skills. These skills often appear legitimate — promising features like crypto analytics, finance tracking, or social media tools — but include setup instructions that coerce users into:

  • Pasting malicious commands into their terminal
  • Downloading and running external binaries
  • Exporting sensitive environment variables

Case Study: hightower6eu

One prolific actor operating as hightower6eu on ClawHub published over 300 skills identified as malicious.

A notable example: a “Yahoo Finance” skill that looks clean to traditional antivirus scanners but contains instructions to download a password-protected ZIP file containing the openclaw-agent.exe trojan. For macOS users, the same skill uses obfuscated shell scripts to deliver the Atomic Stealer (AMOS) malware.

Security Recommendations

Before Installing Any Skill

  1. Read SKILL.md in full — understand what the skill claims to do
  2. Review every script in the scripts/ directory — look for curl, wget, or base64-encoded commands
  3. Check the ClawHub author profile — new accounts with many uploads are a red flag
  4. Search the skill name for community reviews or security reports

Harden Your Setup

# ~/.openclaw/openclaw.yaml
security:
  requireConfirmation:
    shellCommands: true    # Always ask before running shell commands
    fileWrites: true
  skillSandbox: true       # Isolate skill execution (experimental)

If You Think You’re Compromised

  1. Immediately revoke all API keys stored in ~/.openclaw/
  2. Check ~/.openclaw/skills/ for any unfamiliar directories
  3. Review recent shell command history
  4. Rotate passwords for any services the agent had access to

OpenClaw’s Response

The OpenClaw project has partnered with VirusTotal to automatically scan new ClawHub submissions. Skills flagged as malicious are removed, and the ClawHub review process has been tightened.

The project has always emphasized that it’s a high-privilege tool intended for technical users who understand server hardening. This incident underscores that warning.

Back to OpenClaw Hub