Weaponization of AI Agent Skills: VirusTotal Reports Malicious OpenClaw Packages

Weaponization of AI Agent Skills: VirusTotal Reports Malicious OpenClaw Packages

VirusTotal Code Insight detects hundreds of malicious OpenClaw skills being used as delivery channels for infostealers and backdoors.

17 февраля 2026 г.

The OpenClaw ecosystem is facing its first major security challenge as a wave of malicious “skills” has been detected in the wild. VirusTotal, a leading cybersecurity platform, reported that its new Code Insight tool (powered by Gemini 3 Flash) has identified hundreds of OpenClaw skills that are actively weaponized to deliver malware, including infostealers like Atomic Stealer (AMOS).

The “Skill” Attack Vector

OpenClaw skills are powerful extensions that allow the agent to perform specific tasks. However, because these skills run with the agent’s system-level permissions, they have become an attractive target for attackers.

According to the VirusTotal report, attackers are using social engineering to trick users into installing malicious skills. These skills often appear legitimate—promising crypto analytics, finance tracking, or social media tools—but include “setup” instructions that coerce users into:

  • Pasting malicious commands into their terminal.
  • Downloading and running external binaries.
  • Exporting sensitive environment variables.

Case Study: hightower6eu

One prolific actor, known as hightower6eu on ClawHub, has published over 300 skills identified as malicious. A notable example is a “Yahoo Finance” skill that looks clean to traditional antivirus engines but contains instructions to download a password-protected ZIP containing the openclaw-agent.exe trojan. For macOS users, the same skill uses obfuscated shell scripts to deliver the Atomic Stealer (AMOS) malware.

Security Recommendations for OpenClaw Users

The OpenClaw project has always emphasized that it is a high-privilege tool intended for technical users who understand server hardening. In light of these findings, users are urged to:

  1. Treat Skills as Code: Never install a skill without reviewing the SKILL.md and any associated scripts.
  2. Verify Publishers: Be extremely skeptical of skills from unknown or unverified publishers on ClawHub.
  3. Use Sandboxing: Run OpenClaw in isolated environments (containers or dedicated VMs) and avoid granting it access to sensitive personal data or high-privilege credentials.
  4. Confirm Risky Actions: Use the built-in confirmation prompts for shell commands and file operations.
  5. Scan with VirusTotal: Before installing a community skill, upload the folder or ZIP to VirusTotal for analysis.

As AI agents become more autonomous, the “hardened system” boundary becomes critical. Capability without control is exposure.

Source: VirusTotal Blog, Vectra AI Security Research