If you've downloaded skills from ClawHub, your machine and your clients' data could be at risk. This isn't a theoretical warning anymore. A recent investigation by 1Password found that the top-downloaded "Twitter" skill was actively distributing infostealing malware.
This post breaks down exactly what happened, why it matters to every single person in this community, and the immediate steps you need to take to protect yourself.
Why This Matters To You
The promise of OpenClaw is building powerful AI agents that can automate our work. But that power comes with a hidden cost. The very skills we use to make our agents smarter have become a new attack surface. The malware discovered was designed to steal everything from your browser sessions and API keys to your crypto wallets. For anyone building solutions for clients or handling sensitive data, a breach like this could be devastating.
How a "Harmless" Markdown File Became a Weapon
The 1Password security team found that the most popular skill on ClawHub wasn't just a guide; it was a trap. It used a classic social engineering trick, telling users to install a "required dependency" to get the skill to work.
That link, however, kicked off a 5-step installation chain that ended with macOS infostealing malware on the user's machine. This wasn't a bug or an accident; it was a deliberate, malicious campaign that reportedly involved hundreds of other skills.
The So What: This proves that we cannot trust download counts as a measure of safety. The core of the problem is that in an agent ecosystem, a simple markdown file is not just content—it's an installer. It can execute commands and scripts, making every skill a potential trojan horse.
Your Security Setup Might Not Be Enough
Many of us are taking steps to secure our OpenClaw instances, from using hardened DigitalOcean droplets to implementing reviewer-based norms. This incident shows why those measures are critical. The article confirms that even if you're using the Model Context Protocol (MCP), a malicious skill can simply bypass it by using direct shell commands hidden in the skill's folder.
The So What: Our security is only as strong as its weakest link. We must treat every new skill, especially from an unverified source, with extreme caution. This incident validates the security discussions we've been having in this community and underscores the need for a security-first approach to building with OpenClaw.
Your Next Steps: Protect Yourself Now
Based on the 1Password team's recommendations, here are the immediate actions every member of this community should consider:
1. AUDIT YOUR SKILLS: Immediately review every skill you have downloaded. Scrutinize any that ask you to install dependencies, run scripts, or click external links during setup.
2. ASSUME COMPROMISE (If Affected): If you downloaded the malicious "Twitter" skill or anything else that seems suspicious, you should treat that machine as compromised. Stop using it for sensitive work and consider a full wipe and restore.
3. ROTATE ALL SECRETS: Immediately change your passwords, developer tokens, API keys, SSH keys, and any other credentials that were on the potentially compromised machine.
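One way to carry out the audit in step 1, as an added example that is not from the original post or from 1Password: a Python script that walks a folder of downloaded skills and flags setup text asking for a dependency, downloads piped into a shell, external links, and script files bundled beside the markdown. The rule patterns and the skills directory argument are assumptions made for this example; point it at wherever your skills are stored.

```python
import re
import sys
from pathlib import Path

# Heuristic rules written for this example (assumptions, not an official rule set).
RULES = {
    "install-prompt": re.compile(
        r"(?i)\b(install|required?)\b.{0,60}\b(dependenc(y|ies)|prerequisites?)\b"),
    "pipe-to-shell": re.compile(r"(?i)\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "external-link": re.compile(r"https?://[^\s)>\"']+"),
}
SCRIPT_SUFFIXES = {".sh", ".bash", ".zsh", ".command", ".py", ".js", ".rb", ".pl"}

def scan_text(text):
    """Return (line_number, rule_name, line) for every rule hit in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((number, name, line.strip()))
    return hits

def audit_skill(skill_dir):
    """Collect findings for one skill folder, keyed by relative file path."""
    findings = {}
    root = Path(skill_dir)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        hits = []
        # Scripts shipped beside the markdown can run outside any tool protocol.
        if path.suffix.lower() in SCRIPT_SUFFIXES or path.stat().st_mode & 0o111:
            hits.append((0, "bundled-script", path.name))
        try:
            hits += scan_text(path.read_text(encoding="utf-8"))
        except UnicodeDecodeError:
            hits.append((0, "binary-file", path.name))
        if hits:
            findings[rel] = hits
    return findings

if __name__ == "__main__":
    # Usage: python audit_skills.py <skills-directory>  (the path is yours to supply)
    base = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for skill in sorted(base.iterdir()):
        if skill.is_dir():
            for rel, hits in audit_skill(skill).items():
                for number, name, detail in hits:
                    print(f"{skill.name}/{rel}:{number}: {name}: {detail}")
```

A hit is a prompt for manual review, not a verdict, and a clean result does not prove a skill is safe.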
Community Discussion:
This is a serious wake-up call for the entire agentic AI space. Let's use this as an opportunity to build a more secure ecosystem together.
• What steps do you currently take to vet new skills before installing them?
• Should we, as the OpenClaw Builders community, create our own "trusted" skill registry or a formal vetting process?
• What are the most effective ways to sandbox agents to prevent this kind of attack?
Let's discuss below. 👇