Hundreds of malicious skills designed to deliver trojans, infostealers, and backdoors disguised as legitimate automation tools This article explores openclaw skills virustotal. . VirusTotal has uncovered a significant malware distribution campaign targeting OpenClaw, a rapidly growing personal AI agent ecosystem.

OpenClaw, previously known as Clawdbot and briefly as Moltbot, is a self-hosted AI agent that executes real system actions, including shell commands, file operations, and network requests. OpenClaw Skill Abuse Campaign The platform extends functionality through skills, small packages built around SKILL.md files that users discover and install from ClawHub, the public marketplace for OpenClaw extensions. Users run untrusted code during setup (source: VirusTotal) While this architecture enables powerful automation capabilities, it creates a dangerous attack surface.

During setup, users frequently need to download binaries, paste commands into terminals, or run scripts because skills operate as third-party code with full system access. Threat actors are using seemingly useful tools to spread malware by taking advantage of this trust model. 16 engines identified a Mach-O binary (source: VirusTotal).

Hundreds of the 3,016 OpenClaw skills that VirusTotal Code Insight has examined have malicious traits. Base64-obfuscated macOS script (VirusTotal) Instead of depending only on conventional antivirus signatures, the analysis, which is enabled by Gemini 3 Flash, looks at security behaviors like external code execution, sensitive data access, and risky network operations.

It is marked as an AMOS infostealer by Gemini 3 Pro (source: VirusTotal). Two distinct threat categories were identified by security researchers: skills with subpar security practices, like unsafe command execution, hardcoded secrets, and insecure APIs. malicious abilities intended for malware installation, remote control, and data exfiltration.

A Successful Publisher of Malware ClawHub user "hightower6eu" published 314 malicious skills related to social media analysis, finance tracking, and cryptocurrency analytics. This is a particularly troubling case. During setup, each skill instructs users to download and run external code from unreliable sources. A "Yahoo Finance" skill, for instance, looked clean to conventional antivirus engines.

Nevertheless, instructions telling Windows users to download a password-protected ZIP file containing openclaw-agent.exe—which several vendors have identified as a packed trojan—were found by VirusTotal Code Insight.

The skill directed macOS users to a Base64-obfuscated shell script on glot.io. This downloaded and ran a Mach-O binary known as Atomic Stealer (AMOS), an infostealer that targets cryptocurrency wallets, browser credentials, and passwords. Users and organizations should avoid skills that need binary downloads or shell commands, use sandboxed execution, and treat skill folders as trusted-code boundaries.

Operators of marketplaces should use publish-time scanning to identify obfuscated scripts and remote execution. VirusTotal is investigating integration with X for daily cybersecurity updates, LinkedIn, and OpenClaw's publishing workflow to offer automated security analysis during skill submission. To have your stories featured, get in touch with us.