OpenClaw doesn’t forget everything when you close the app. It learns your preferences, tracks ongoing projects and actually remembers that conversation you had last Tuesday.1

That’s right folks. The age of having AI agents do actionable stuff is very much upon us. From booking flights to managing your “Tweets”, it can all be done. Agentic AI systems are actively executing multi-step workflows on our behalf - at our request - but problems can arise when minimal oversight is part of the equation.

I anticipate as this new era evolves, that this oversight problem will become less and less “controllable”. I hope not, but time will tell.

Here’s a cautionary tale.

I was on X today and noticed this post:

It refers to the top downloaded skill in ClawHub that turned out to be malware. ClawHub is like the AI agent version of GitHub. See my article on Moltbook for some related background but bear in mind that Moltbook is a separate project. Moltbook is like a water-cooler for AI agents (mostly OpenClaw-based ones - whereby OpenClaw is a personal AI assistant that does stuff for you on your own computer.

Apparently, the human users had no idea that they were downloading malware as opposed to some Twitter tool or skill. The malware by-passed the mac operating system’s anti-malware system called Gatekeeper. Basically, it let-a-rip on private data → goodbye saved passwords, autofilled data, cryptocurrency wallet data, API keys, and credentials, to name a few.

The “Twitter skill” was presented as a legitimate tool for Twitter/X integration. to do things like automate social media workflows, monitor trends, or analyze content - you know, for the “efficient” Twitter-user. Apparently, it had normal-looking setup instructions and looked innocuous/not-out-of-the-ordinary from the outside, and likely because of this - and its apparent usefulness - it reached the top-downloaded spot on the marketplace.

The malware delivery instructed users (or their agents) to install a supposed “required dependency” (often named something like “openclaw-core” or a close variant). This pointed to external links/staging pages that prompted running obfuscated terminal commands or downloading ZIPs. Those commands fetched and executed staged payloads, ultimately deploying info-stealers like Atomic Stealer (AMOS) on macOS (bypassing Gatekeeper via xattr stripping) or keyloggers/backdoors on Windows.

It was sneaky. People who thought they were getting a nice automation tool to make their online life more efficient, but they were actually being “tricked” into completing what looked like normal setup steps for a popular skill. It was reported that it was “the exact kind of thing you install on autopilot” due to the marketplace’s convenience.

Audits (Koi Security scanning 2,857 skills) found 341 malicious ones (12%), many in a coordinated campaign called ClawHavoc. These impersonated desirable tools (crypto wallets, YouTube utilities, social media helpers, etc.) using typosquatting (URL highjacking) and fake prerequisites to maximize reach. Unfortunately for the victims, thousands of downloads occurred before detection/removal - nothing indicates users intentionally sought malware. Quite the opposite, as security researchers and posts emphasize surprise, warnings, and calls for caution.

This mirrors past supply-chain issues (npm typosquatting, PyPI malware), but amplified because OpenClaw skills often run with high privileges (shell access, credentials, env vars). ClawHub had minimal vetting at the time (no mandatory reviews, open uploads), so trust in “top downloaded” rankings backfired badly.

If you’re using OpenClaw, do these: scan installed skills, avoid external prerequisites/commands, stick to self-written/verified ones, and run in isolated environments where possible. The ecosystem has since added VirusTotal auto-scans and reporting features, but vigilance remains key.

This is a cautionary tale, in my opinion and we absolutely must remain vigilant in these new and uncharted waters that we are all in, even if we do not want to be. This particular “attack” is specific to Twitter/X for now, and perhaps X was targeted, but it doesn’t preclude the idea that it can happen in general. Period.

Was this a human idea? Yes, it was.

Security sources (Koi Security, The Hacker News, Bitdefender, OpenSourceMalware, 1Password researchers, etc.) frame it as human cybercriminals exploiting the lightly vetted ClawHub ecosystem for credential theft (browser data, API keys, SSH keys, crypto wallets). Some even note prolific uploaders (e.g., accounts like “hightower6eu” tied to hundreds of entries).

Queries regarding the “agents vs. humans” debate apparently confirm that it is human operators using automation for scale, not rogue AI agents acting on their own. Phew.

It seems a little mean, and makes me a little mad actually - to incriminate and use the agents like this. I mean, it is human nature - we are exquisitely self-destructive. But we are also luminous in many ways and I think that considering the yin and yang of us and life itself, we’ll probably be ok in the end. As long as we do remain vigilant in this new era.

Here’s some advice for people living in the [OpenClaw] AI agent ecosystem:

Treat third-party skills like untrusted executables (.exe/.dll → not verified as safe) (scan, sandbox, or avoid) and run agents in isolation (VM/VPS (virtual machine/virtual private server), minimal permissions, dedicated credentials). Also use built-in tools like clawdbot doctor, reporting features, or community-vetted sources only.

I find it very helpful to go to community spaces and read the comments made by people. For everything.

That’s all for now! I am sure this was interesting to exactly 1 person among you. :)

1

https://www.cnet.com/tech/services-and-software/from-clawdbot-to-moltbot-to-openclaw/