OpenClaw turns to VirusTotal to boost security

1. Introduction: The Double-Edged Sword of Autonomy

The rise of OpenClaw (formerly Moltbot) has captured the imagination of the tech world, promising a new era of “AI with hands.” As a viral open-source agentic assistant, OpenClaw doesn’t just answer questions; it triggers workflows, manages smart devices, and operates across multiple platforms. This unprecedented autonomy has made it a favorite for those seeking to bridge the gap between AI reasoning and real-world execution.

However, this productivity comes at a steep price. Security researchers have identified a “Lethal Trifecta” of risks inherent in the agentic ecosystem: (1) entrenched system-wide access, (2) the processing of data from untrusted sources, and (3) the ability to operate autonomously across devices. While these tools offer a massive leap in efficiency, they simultaneously open the door to a new class of vulnerabilities that traditional security measures are ill-equipped to handle. The very features that make OpenClaw powerful are turning it into a potential security nightmare.

2. The “AI With Hands” Problem: Beyond Traditional Software

The fundamental risk of OpenClaw lies in how it differs from traditional software. Conventional applications follow rigid code; they do exactly what a developer instructs them to do. AI agents, conversely, interpret natural language to make decisions. Backslash Security has aptly described this paradigm as “AI With Hands,” noting that these agents possess the agency to interact with the digital world in ways a chatbot cannot.

According to OpenClaw’s own documentation, these agents “blur the boundary between user intent and machine execution.” Because they interpret instructions rather than just executing pre-defined code, they can be manipulated through language itself. This creates a fundamentally different attack surface where a “zero-click” attack can become a reality. Imagine an agent processing a seemingly harmless document that contains an indirect prompt injection; suddenly, the agent is hijacked to plant a backdoor on the endpoint, responding silently to an attacker-controlled Telegram bot.

3. ClawHub’s Marketplace Minefield: The 7% Risk

The primary way users extend OpenClaw’s capabilities is through ClawHub, a marketplace for “skills.” However, a recent security analysis of 3,984 skills on the platform revealed a disturbing reality: 283 skills — roughly 7.1% of the entire registry — contain critical security flaws or malicious functionality.

This is not a matter of a few accidental errors. Reports from Bitdefender reveal that threat actors are cloning and re-publishing malicious skills at scale using subtle name variations, staging payloads through public GitHub repositories. These skills masquerade as legitimate tools while exfiltrating credentials through the LLM’s context window. Ian Ahl of Permiso Security warns that this marketplace is significantly more dangerous than traditional browser extensions. “AI agents get credentials to your entire digital life,” Ahl noted. “When you install a malicious agent skill, you’re potentially compromising every system that agent has credentials for.”

4. The VirusTotal Integration: A Necessary, But Imperfect, Shield

In response to these threats, OpenClaw has partnered with Google-owned VirusTotal to scan all skills uploaded to ClawHub. The system generates a unique SHA-256 hash for every skill and cross-checks it against VirusTotal’s database. If a match isn’t found, the tool uses VirusTotal’s “Code Insight” capability to analyze the bundle for suspicious behavior.

While this is a significant step forward, OpenClaw maintainers have been clear: this is “not a silver bullet.” Traditional malware scanning is designed to identify malicious code, but it struggles with “cleverly concealed prompt injection payloads.” A skill may receive a “benign” verdict because it contains no traditional viruses, yet it could still be programmed to respond to attacker-controlled instructions via natural language. Consequently, a clean scan provides no guarantee against manipulation where the “malicious” part of the skill is its interpreted intent.

5. The Rise of “Shadow AI” and the Persistence of Cleartext

A major concern for enterprises is the emergence of “Shadow AI.” Because OpenClaw is genuinely useful, employees are frequently installing it on work endpoints without formal IT approval. As Astrix Security researcher Tomer Yahalom points out, “The only question is whether you’ll know about it.” The strategic significance of this risk is so high that China’s Ministry of Industry and Information Technology (MIIT) recently issued an alert regarding misconfigured OpenClaw instances, urging users to implement immediate protections.

When OpenClaw enters an organization through the back door, it often brings several “glaring security issues” identified by researchers at OX Security and HiddenLayer:

• Dangerous Default Configuration: Unless a user proactively enables Docker-based sandboxing, full system-wide access remains the default, dramatically increasing the potential blast radius of a compromise.
• Cleartext Credentials: The platform stores sensitive API keys and session tokens in plaintext, allowing an attacker to exfiltrate .env and creds.json files via a simple crafted WhatsApp message.
• Insecure Default Binding: The gateway binds to 0.0.0.0:18789 by default. Censys data shows over 30,000 such instances are already exposed to the internet.
• Insecure Coding Patterns: The platform uses “direct eval” with user input and lacks filters for untrusted content containing control sequences.

6. Moltbook and the “Laboratory” of Untrusted Data

The risks extend beyond the individual user to Moltbook, a social network designed for OpenClaw agents to interact. While the concept is innovative, it has created what Zenity Labs describes as a “laboratory” where high-value agents are “constantly processing and engaging with untrusted data” by design. On Moltbook, the “attacker” isn’t necessarily a human; it is often another compromised agent using prompt injections to manipulate behavior or steal cryptocurrency.

The platform’s structural risks were laid bare when a misconfigured Supabase database left secret API keys freely accessible in client-side JavaScript. This exposure, uncovered by Wiz, included:

• 1.5 million API authentication tokens.
• 35,000 email addresses.
• Private messages between autonomous agents.

7. Conclusion: Navigating the Agentic Frontier

The agentic ecosystem is in a state of rapid evolution, where productivity is outstripping security maturity. Efforts are underway to stabilize the platform, including the promise of a public security roadmap, formal audits, and a comprehensive threat model to address the “Agentic Trojan Horse” phenomenon.

However, as we race toward full autonomy, we must weigh the convenience against the exposure. As Ian Ahl observed, these tools hold the keys to our entire digital existence. We must ask ourselves: is the time saved on a ten-minute task worth the potential lifetime exposure of our digital identity? The trade-off between agentic productivity and security has never been more stark.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html