“In less than two years, around 530 vulnerabilities have been discovered both in OpenClaw itself and in the underlying technologies.”
OpenClaw’s design and the role of skills
OpenClaw — previously known as Clawdbot and Moltbot — has become a widely used ecosystem for AI agents because it accepts natural‑language instructions and does not require programming knowledge. The agent’s architecture is built around “skills”: simple, human‑readable modules that expand capability. According to the article, a typical skill is a plaintext file (commonly named SKILL.md) containing natural language commands and, in some cases, embedded code. The system is designed so skills may live locally on the host where the agent runs or be obtained from external sources through a shared hub called “ClawHub.”
Because many skills automate routine workplace tasks, the agent usually requires access to the operating system’s file system and to tokens or keys for other services. Users commonly provide those secrets via environment variables or plaintext files placed alongside the agent.
Registered vulnerabilities and the CVE timeline
The project’s rapid adoption has been accompanied by significant security findings: the article reports roughly 530 vulnerabilities discovered in OpenClaw and related technologies in under two years. Publication of OpenClaw vulnerabilities in the CVE database began in February 2026. The breakdown of registered vulnerabilities shows a large number of high‑severity issues, many involving storage of sensitive data and operations with excessively high privileges — weaknesses that could allow attackers to hijack the agent or inject commands for it to execute.
Malicious skills in ClawHub and the scale of abuse
Researchers draw a direct parallel between supply‑chain attacks and the distribution of malicious OpenClaw skills, but they note a key difference: creating malicious skills is trivial because skills are natural‑language instructions rather than traditional compiled malware. Until February 7, 2026, the article states, no skills underwent even a basic security check, allowing malicious skills to appear immediately in the hub.
In an April scan of ClawHub, researchers identified 24 accounts distributing more than 600 malicious skills. Open‑source intelligence compiled for the article indicates more than 1,100 malicious accounts have been created since January. Examples include skill actions that embed harmful natural‑language instructions or fragments of shell commands; Kaspersky products detect some of these as HEUR:Trojan.ANSI.MalClaw.gen, and Kaspersky products reportedly monitor malicious OpenClaw skill activity on systems.
After an investigation and cleanup effort, the repository began preliminarily scanning submitted files with VirusTotal and NVIDIA’s SkillSpector. The article notes, however, that because OpenClaw is an agent that executes instructions, detection must move beyond static file scanning to consider malicious behaviors that could be triggered at runtime.
Mitigations: scanning, sandboxing, and policy
The article recommends layered defenses tailored to the agent model. Technical measures called out include:
- Isolate the OpenClaw agent from critical data and infrastructure so a compromised agent cannot reach high‑value targets.
- Check all skills that enter an organization’s perimeter — the article singles out Kaspersky Scan Engine as suitable for protecting web applications, proxy servers, network‑attached storage, and mail gateways, and notes it can be integrated into many applications.
- Monitor the agent’s network accesses; the project itself provides a sandboxing subsystem and various wrappers for working with APIs and services.
On the governance side, the article advises developing a comprehensive AI policy and ensuring employees never use third‑party tools unless explicitly allowed. These steps are presented as complementary: technical controls reduce attack surface, while policy limits risky user behavior that enables skill‑based attacks.
What this means for technologists, enterprises, and end users
- Technologists and security teams: expect to treat skills as an active attack surface. The article recommends integrating file scanning (VirusTotal, SkillSpector) and runtime monitoring, and to use sandboxing and API wrappers supplied by the project.
- Enterprises and procurement leaders: the report underscores the need to isolate agent deployments from critical systems and to vet skills entering corporate perimeters — the Kaspersky Scan Engine is named as a deployable scanning option.
- End users and employees: because the agent commonly needs filesystem access and tokens provided via environment variables or plaintext files, the article warns that ordinary practice — install a skill, run it locally — can expose credentials and core systems unless policies and technical controls are in place.
The OpenClaw story is a concise reminder that ease of use and rapid adoption can create fresh, large‑scale attack surfaces. The project’s architecture — plaintext skills that run with local access to files and secrets — makes prevention a mix of blocking dangerous inputs, constraining runtime privileges, and enforcing policies about which third‑party tools are allowed. Even after repository scans and the introduction of VirusTotal and SkillSpector checks, the article shows attacks persist, which leaves one clear imperative: stop treating skills as inert files and begin treating them as executable, dynamic risks.




