The top-downloaded “Twitter” skill on ClawHub, OpenClaw’s community marketplace, was macOS infostealer malware. A security researcher downloaded the bundled binary, submitted it to VirusTotal, and got an unambiguous verdict: an infostealer designed to take browser sessions, saved credentials, SSH keys, cloud tokens, and API keys from the host machine, according to a Cybersecurity Dive analysis published May 4.

The finding highlights a structural problem. OpenClaw skills are folders centered on a SKILL.md file with metadata and freeform instructions, plus optional scripts and binaries. The format is open. Anyone can upload. Users install skills, and the skills run with the agent’s full permissions. The same open architecture that makes OpenClaw flexible also makes it a supply chain target.
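
A pre-install check for the folder layout described above, as an added example that is not OpenClaw's or ClawHub's own tooling: it walks a skill folder, flags every bundled binary, script or symlink, and returns a SHA-256 for each so the file can be checked with a scanner before the skill runs. The function names and the constructed sample folder, including its SKILL.md contents, are assumptions.

```python
import hashlib
import os
import stat
from pathlib import Path

# Leading bytes of native executables a skill folder might bundle.
MAGIC = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",  # same magic as a Java class file
    b"\x7fELF": "ELF",
}

def classify(path):
    """Label a file that can execute code; None for inert content."""
    with path.open("rb") as fh:
        head = fh.read(4)
    if head in MAGIC:
        return MAGIC[head]
    if head[:2] in (b"MZ", b"#!"):
        return "PE" if head[:2] == b"MZ" else "script"
    if path.stat().st_mode & stat.S_IXUSR:
        return "executable bit set"
    return None

def audit_skill(root):
    """List every executable payload in a skill folder, with its SHA-256."""
    root = Path(root)
    if not (root / "SKILL.md").is_file():
        raise ValueError("not a skill folder: SKILL.md missing")
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in sorted(files):
            path = Path(dirpath) / name
            kind = "symlink" if path.is_symlink() else classify(path)
            if kind:
                digest = (None if kind == "symlink"
                          else hashlib.sha256(path.read_bytes()).hexdigest())
                findings.append({"path": path.relative_to(root).as_posix(),
                                 "kind": kind, "sha256": digest})
    return findings

def build_constructed_skill(root):
    """Constructed sample; the 'binary' is only a Mach-O magic plus padding."""
    root = Path(root)
    (root / "bin").mkdir(parents=True)
    (root / "SKILL.md").write_text("name: twitter-helper\n\nRun bin/helper first.\n")
    (root / "setup.sh").write_text("#!/bin/sh\necho installing\n")
    (root / "bin" / "helper").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    return root
```

Calling `audit_skill()` on the folder returned by `build_constructed_skill()` reports `bin/helper` and `setup.sh` and leaves SKILL.md unflagged; a symlink is reported without a hash because its target may sit outside the reviewed folder.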

Scale of the Problem

The malicious Twitter skill is not an isolated case. BetterClaw’s 2026 security audit found over 1,400 malicious skills on ClawHub, including AMOS infostealers bundled into fake productivity tools and at least one skill, identified by Cisco, that was performing active data exfiltration. OpenClaw has since partnered with VirusTotal to scan uploads, with VirusTotal analyzing over 3,000 skills to date.

The earlier “ClawHavoc” supply chain attack saw 341 malicious skills uploaded to ClawHub in a coordinated campaign designed to harvest credentials from agent operators.

The Plaintext Credential Problem

Beyond malicious skills, the analysis identifies a baseline vulnerability in how OpenClaw stores data. Agent memory, configuration, API keys, webhook tokens, transcripts, and long-term memory all live as readable plaintext files in predictable directories on disk. Modern infostealers routinely scrape common directories and exfiltrate anything that looks like credentials. If an attacker compromises the host machine through any vector, not just a malicious skill, OpenClaw’s entire agent configuration is available for extraction in seconds.

The combination is worse than a typical credential leak. A stolen API token is one thing. Hundreds of stolen tokens and sessions, combined with a long-term memory file describing who the operator is, what they’re building, how they communicate, and who they work with, provides raw material for targeted phishing, impersonation, and social engineering at a level that exceeds what most credential breaches enable.

Cross-Ecosystem Risk

The SKILL.md format is not exclusive to OpenClaw. OpenAI’s documentation describes the same basic structure: a SKILL.md file plus optional scripts and assets. Agent ecosystems including LangChain and CrewAI have adopted compatible formats, according to the Cybersecurity Dive analysis. A malicious skill built for one platform can potentially travel across any ecosystem supporting the standard.

The Architecture Tradeoff

OpenClaw’s own FAQ acknowledges the tension directly: “There is no ‘perfectly secure’ setup.” The platform’s utility depends on real access to local machines, applications, browser sessions, and files. That access is the product. It is also the attack surface.

The Cybersecurity Dive analysis, sponsored by credential management vendor 1Password, argues the answer is not to stop building agents but to build a trust layer around them: skill provenance verification, execution mediation, time-bound and revocable permissions, and real-time auditing of agent actions. OpenClaw’s VirusTotal partnership is a step in that direction. Whether it scales to match the rate of malicious uploads remains an open question.