Malware Found in OpenClaw Community Skills — Crypto Theft Alert
Malware Found in OpenClaw Community Skills — Crypto Theft Alert
A major scandal hit Reddit: malicious scripts stealing cryptocurrency were discovered in the Clawdbot/OpenClaw community skills repository. The post on r/webdev got 2,784 upvotes.
What Happened
- Malicious skills found in official community skills repo
- Scripts designed to steal cryptocurrency
- Project creator knew about the problem but "didn't know what to do"
Detailed Analysis
https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto
Community Reaction
r/webdev (2,784 upvotes):
- Criticism of "vibe coding" approach
- Discussion of maintainer responsibility
- Questions about AI agent security
r/theprimeagen (970 upvotes):
- "Senior Vibe Coder dealing with security"
r/ProgrammerHumor (1,360 upvotes):
- "seniorVibeCoderDealingWithVulnerabilityAsAService"
The Core Problem
AI agents have access to:
- File system
- Network
- API keys
- Potentially crypto wallets
Malicious skill can:
- Read private keys
- Send data to external servers
- Execute arbitrary code
Lessons for Users
- Audit every skill before installation
- Environment isolation — never on main machine
- No crypto keys on machine with agent
- Network monitoring
- Code review community contributions
Developer Response
After the scandal:
- Enhanced repo moderation
- Code review requirements
- Documentation warnings
Security is everyone's responsibility.
📖 Read the full source: Reddit
👀 See Also
New Skill Automates OpenClaw Security Hardening on Remote Servers
A community developer has released a skill that helps AI assistants automatically secure OpenClaw installations on remote servers.
AI Agents Enable Solo Hackers to Breach Governments and Ransomware Campaigns
A solo operator using Claude Code and ChatGPT exfiltrated 150 GB from Mexican government agencies, including 195 million taxpayer records. Another attacker used Claude Code to run an end-to-end extortion campaign against 17 healthcare and emergency services organizations.
Scam Alert: Fake GitHub Airdrop Targets CLAW Token Users
A phishing scam is circulating that claims to offer $CLAW token airdrops for GitHub contributions. The scam uses a Google share link that redirects to a suspicious .xyz site and asks users to connect their wallets, potentially leading to wallet draining.
OpenClaw 2026.3.28 patches 8 security vulnerabilities including critical privilege escalation
OpenClaw 2026.3.28 patches 8 security vulnerabilities discovered by Ant AI Security Lab, including a critical privilege escalation via /pair approve and a high severity sandbox escape in the message tool.