Editorial illustration for OpenClaw AI agent used to deliver Trojans via fake ClawHub skills
AI Assistant Backdoor Hack Exposes Viral Clawdbot Risks
OpenClaw AI agent used to deliver Trojans via fake ClawHub skills
Why does this matter? Because an AI‑driven assistant that users trusted to fetch useful “skills” is now being turned into a conduit for malware. While OpenClaw’s voice‑activated agent was marketed as a convenient way to extend functionality on macOS, investigators found that a subset of the listed extensions were anything but benign.
The platform’s marketplace, ClawHub, hosts third‑party modules that the agent can invoke on demand. In several cases, those modules appeared polished and legitimate at first glance, yet their code instructed the assistant to pull down additional binaries from external servers. Among the payloads identified was the macOS Trojan known as Atomic Stealer, a tool that has been used to harvest credentials and personal data.
Researchers who ran the files through VirusTotal flagged the behavior as suspicious, noting that the malicious components were hidden behind seemingly harmless skill packages. One
What VirusTotal found was that attackers had been packaging Trojans and data stealers as legitimate skills on the ClawHub platform. The skills themselves often looked clean, but they instructed the agent to download and run external payloads, including the well-known macOS Trojan Atomic Stealer. One user alone uploaded more than 300 infected skills.
OpenClaw now scans all skills through VirusTotal partnership OpenClaw founder Peter Steinberger announced a partnership with VirusTotal in response to the attack. Every skill published on ClawHub is now automatically scanned using VirusTotal's AI-powered "Code Insight" feature (built on Google's Gemini), among other tools.
OpenClaw's recent breach underscores how quickly a platform's extension model can be weaponized. Hundreds of ClawHub skills were found to carry trojans and data‑stealing tools, most of them appearing innocuous while directing the agent to fetch external payloads such as the macOS Trojan Atomic Stealer. VirusTotal flagged the malicious entries, prompting OpenClaw to announce a partnership aimed at faster detection.
Yet the report notes that many compromised skills contained no code themselves, raising questions about the depth of the supply‑chain compromise. The collaboration with VirusTotal should improve visibility, but it's unclear how many rogue skills remain hidden or how the vetting process will adapt. Users of the AI agent now face an added layer of risk when installing third‑party extensions.
Ongoing monitoring will be essential, and the episode serves as a reminder that trust in marketplace‑hosted add‑ons must be continually reassessed. Future audits will need to verify not only the skill code but also the URLs they invoke, because the current findings show that a clean‑looking skill can still act as a delivery vector.
Further Reading
- From Automation to Infection: How OpenClaw AI Agent ... - VirusTotal Blog
- The OpenClaw Security Saga: How AI Adoption Outpaced ... - Cyera
- Helpful Skills or Hidden Payloads? Bitdefender Labs Dives ... - Bitdefender Labs
- From magic to malware: How OpenClaw's agent skills ... - 1Password Blog
Related Reading
Policy & Regulation Tree search framework achieves 98.7% success on docs where vector search fails
Policy & Regulation Court rules AI model contains no copies, limits Getty watermark claim
Policy & Regulation California enacts first U.S. regulations for AI companion chatbots
![A red "Alerts" icon on a laptop screen, symbolizing the risks of Shadow AI like OpenClaw [itbrief.co.uk].](https://cms.aidailypost.com/uploads/openclaw_hits_160000_github_stars_shadow_it_becomes_new_normal_88bd17cc8e.webp)
From Archives OpenClaw hits 160,000 GitHub stars as shadow IT becomes new normal
From Archives Researchers unveil Natively Adaptive Interfaces to personalize AI assistive tech
Common Questions Answered
How did attackers exploit the ClawdBot VS Code extension to deliver malware?
The malicious VS Code extension masqueraded as a legitimate AI coding assistant called 'ClawdBot Agent', which functioned as a real coding tool while silently deploying malware onto Windows machines. The extension was designed to automatically activate when VS Code starts, using a carefully crafted `initCore()` function that could download and run malicious payloads without user awareness.
What made the fake ClawdBot extension particularly dangerous?
The extension was exceptionally deceptive because it actually worked as a functional AI coding assistant, integrating with seven different AI providers like OpenAI, Anthropic, and Google. Its professional appearance, polished UI, and genuine functionality made it extremely convincing, allowing it to lull victims into a false sense of security while operating malware in the background.
Where did the malware's command-and-control (C2) traffic originate?
The investigation traced the malware's command-and-control traffic to a suspicious domain called darkgptprivate[.]com, which was hosted in the Seychelles. The attack chain involved downloading payloads disguised as common files like Lightshot.exe or an Electron bundle named Code.exe, with hardcoded references suggesting the attackers had evolved their payload over time.