Wedoany.com Report on Feb 4th, Recently, malicious software attacks targeting the personal AI assistant OpenClaw have drawn attention. Within less than a week, over 230 malicious software packages disguised as legitimate tools were published on the tool's official registry, ClawHub, and the GitHub platform.

These software packages, known as "skills," ostensibly offer functionalities like cryptocurrency trading automation and financial tools, but are actually designed to spread malware that steals sensitive information. OpenClaw is an open-source AI assistant designed to run locally and integrate various resources, but improper configuration may pose security risks.

Security researcher Jamieson O’Reilly pointed out that hundreds of improperly configured OpenClaw management interfaces have been exposed on public networks. From January 27 to February 1, two sets of malicious skills were uploaded to the platform, most of which were randomly named clones, with some having been downloaded thousands of times.

Each malicious skill contains detailed documentation to appear legitimate and prominently mentions a tool named "AuthTool." In reality, AuthTool is a malware delivery mechanism: on macOS, it manifests as a base64-encoded shell command, and on Windows, it downloads a password-protected ZIP archive. Infection occurs when users follow the documentation instructions, similar to ClickFix-type attacks.

The malware deployed on macOS systems has been identified as a NovaStealer variant, capable of bypassing the Gatekeeper security mechanism. This info-stealer targets various sensitive data, including cryptocurrency exchange API keys, wallet files, browser passwords, SSH keys, and cloud credentials.

The community security portal OpenSourceMalware reported that a large-scale campaign is exploiting these skills to spread information-stealing malware. Independent scans by Koi Security found 341 malicious skills on ClawHub and attributed them to a single campaign. The agency also discovered 29 domain squatting instances targeting common typos of ClawHub.

To help users guard against the risk, Koi Security released a free online scanner that allows users to obtain security reports by pasting a skill's URL. OpenClaw creator Peter Steinberger responded on social media, stating: "Currently, it's impossible to audit the large volume of skill submissions the platform receives, so users are responsible for carefully checking the safety of a skill before deploying it."

Experts advise users to be aware of OpenClaw's deep system access permissions and to implement multi-layered security measures, including isolating the AI assistant in a virtual machine, granting restricted permissions, and securing remote access interfaces. These OpenClaw malicious skills pose an ongoing threat to user data security, requiring continued vigilance.