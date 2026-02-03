New findings reveal almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit and LinkedIn. OpenClaw Went Viral – So Did Its Security Shortcomings OpenClaw is an open-source software project that offers AI personal assistants that run locally on user devices. All OpenClaw instances are connected to generative AI models, especially Anthropic’s Claude Code, and can perform tasks on behalf of the user. The users can then communicate with the assistant using popular messaging apps, such as WhatsApp, Telegram, iMessage, Slack, Discord, Signal and others. Launched in 2025 by Peter Steinberger as Clawdbot, the project first rebranded to Moltbot after Anthropic requested a name change and rebranded again to OpenClaw at the end of January 2026.

Source: OpenClaw

While Moltbot/OpenClaw rapidly went viral, security researchers quickly started warning about major security gaps within the wider project. At the core of many of these reports are OpenClaw add-ons called ‘agent skills’ – folders of instructions, scripts and resources that agents can discover and use to do things more accurately and efficiently. Jamieson O’Reilly, a pentester and founder of DVULN, published several reports on the project’s security failings, including one on exposed OpenClaw control servers and a proof-of-concept (PoC) backdoored skill that he artificially inflated, which incited many users to download it for their OpenClaw instance. Additionally, app-building firm Infinum reported that OpenClaw’s deep system-level permissions, including the ability to execute shell commands and interact directly with local applications, make it inherently risky without strong sandboxing or guardrails. Read more: Vibe-Coded Moltbook Exposes User Data, API Keys and More 386 Malicious OpenClaw Skills Discovered The latest research comes from vulnerability researcher Paul McCarty (aka 6mile), who shared a detailed report on software supply chain security community OpenSourceMalware on February 1 and updated it on February 2 and 3. McCarty found 386 malicious skills published on ClawHub, a skill repository for OpenClaw assistants. The skills masquerade as cryptocurrency trading automation tools, using well-known brands like ByBit, Polymarket, Axiom, Reddit and LinkedIn, and deliver infostealers targeting macOS and Windows systems.

Source: Paul McCarty (6mile), OpenSourceMalware