Blockchain security firm CertiK published a report warning that attackers are strategically seeding malicious skills across OpenClaw’s marketplace to drain cryptocurrency wallets, according to Cointelegraph, which received the report directly from CertiK. The targeted wallets include MetaMask, Phantom, Trust Wallet, Coinbase Wallet, and OKX Wallet.

CertiK told Cointelegraph that attackers seeded malicious skills across high-value categories “including utilities for Phantom, wallet trackers, insider-wallet finders, Polymarket tools, and Google Workspace integrations.” Let’s Data Science reported that OpenClaw’s architecture exposes users to crypto theft through these same vectors. The primary payload was designed to target multiple browser extension wallets simultaneously. The researchers described “a clear overlap in tradecraft with the broader crypto-theft ecosystem, like social engineering, fake utility lures, credential theft, wallet-focused phishing.”

How the Attack Works

OpenClaw acts as a bridge between external inputs and local system execution. CertiK’s report identifies several attack vectors, according to the Cointelegraph report. Local gateway hijacking allows malicious websites or payloads to exploit the agent’s local machine presence to extract data or execute unauthorized commands. Malicious skills can add channels, tools, HTTP routes, services, and providers to an OpenClaw instance.

The critical distinction from traditional malware: these malicious skills manipulate agent behavior through natural language, making them resistant to conventional scanning. “Once launched, the malware can exfiltrate sensitive information such as passwords and cryptocurrency wallet credentials,” the CertiK researchers wrote. Malicious backdoors can also be hidden within legitimate functional codebases, fetching seemingly benign URLs that ultimately deliver shell commands or malware payloads.

Scale of Exposure

CertiK’s report notes that OpenClaw has accumulated over 300,000 GitHub stars and an estimated 2 million monthly active users. The platform has accumulated more than 280 GitHub Security Advisories and 100 CVEs since its November 2025 launch, which CertiK characterized as “security debt” from rapid growth, according to the Cointelegraph report.

Separately, OX Security reported a phishing campaign earlier this month that used fake GitHub posts and a bogus “CLAW” token to lure OpenClaw developers into connecting crypto wallets, corroborating the pattern CertiK describes.

CertiK’s Recommendation

CertiK advised ordinary users “who are not security professionals, developers, or experienced geeks” not to install OpenClaw from scratch but to wait for “more mature, hardened, and manageable versions,” according to Cointelegraph. OpenClaw founder Peter Steinberger, who recently joined OpenAI, said at ClawCon in Tokyo on Monday that the team has been working on security improvements: “Something that we worked on for the last two months is security. So things are a lot better on that front.”

Why This Matters for Builders

For OpenClaw operators with any crypto wallet integrations, browser extensions, or exchange API connections, CertiK’s report is a direct call to audit installed skills immediately. The attack surface is not hypothetical: attackers are already deploying crypto-drainer techniques through the skill marketplace using the same playbook that has drained wallets through malicious browser extensions for years. The difference is that agent skills have broader system access than a browser extension ever did.