Major Security Enhancement for Agentic AI Ecosystem

OpenClaw, the popular open-source agentic AI assistant platform formerly known as Moltbot and Clawdbot, has announced a partnership with Google-owned VirusTotal to implement automated security scanning for all skills uploaded to ClawHub, its skill marketplace. This initiative represents a significant step forward in addressing security concerns within the rapidly growing AI agent ecosystem.

How the Security Scanning Works

According to OpenClaw's official announcement, the new security system operates through the following process:

  1. Hash Generation: Every skill uploaded to ClawHub receives a unique SHA-256 hash
  2. Database Check: The hash is checked against VirusTotal's extensive threat intelligence database
  3. Upload and Analysis: If no match is found, the skill bundle is uploaded to VirusTotal for comprehensive analysis using Code Insight
  4. Automated Decision: Based on the Code Insight verdict, skills are automatically categorized:
     - Benign: Automatically approved for download
     - Suspicious: Flagged with a warning for users
     - Malicious: Blocked from download entirely
  5. Daily Re-scanning: All active skills are re-scanned daily to detect previously clean skills that become malicious
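The five steps above form a hash-first triage loop. The following is an added example, not OpenClaw's or VirusTotal's code, that models that loop offline: `ThreatIntel` is a hypothetical in-memory stand-in for VirusTotal's hash database, `analyze_bundle` is a constructed heuristic standing in for Code Insight, and `SkillRegistry` plays the part of ClawHub. The sample bundles are constructed; no real skill or network call is involved.

```python
"""Constructed model of a hash -> lookup -> analyze -> decide -> re-scan pipeline.

Hypothetical names: ThreatIntel (stand-in for VirusTotal's hash database),
analyze_bundle (stand-in for Code Insight), SkillRegistry (stand-in for ClawHub).
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

Verdict = str  # "benign" | "suspicious" | "malicious"
# Verdict -> marketplace decision, as described in the announcement
DECISIONS = {"benign": "approved", "suspicious": "warning", "malicious": "blocked"}


def sha256_hex(bundle: bytes) -> str:
    """Step 1: every uploaded bundle is identified by its SHA-256 digest."""
    return hashlib.sha256(bundle).hexdigest()


@dataclass
class ThreatIntel:
    """In-memory hash-indexed verdict store (constructed stand-in for VirusTotal)."""
    verdicts: Dict[str, Verdict] = field(default_factory=dict)

    def lookup(self, digest: str) -> Optional[Verdict]:
        return self.verdicts.get(digest)

    def record(self, digest: str, verdict: Verdict) -> None:
        self.verdicts[digest] = verdict


def analyze_bundle(bundle: bytes) -> Verdict:
    """Step 3 stand-in: a constructed heuristic, NOT the real Code Insight analysis.

    Flags a constructed marker string as malicious and dynamic-eval usage
    (an insecure pattern named in the article) as suspicious.
    """
    text = bundle.decode("utf-8", errors="replace")
    if "CONSTRUCTED_MALWARE_MARKER" in text:
        return "malicious"
    if "eval(" in text:
        return "suspicious"
    return "benign"


@dataclass
class SkillRegistry:
    """Constructed stand-in for the marketplace side of the pipeline."""
    intel: ThreatIntel
    analyzer: Callable[[bytes], Verdict] = analyze_bundle
    skills: Dict[str, dict] = field(default_factory=dict)

    def publish(self, name: str, bundle: bytes) -> str:
        """Steps 1-4: hash, look up, analyze on a miss, then decide."""
        digest = sha256_hex(bundle)
        verdict = self.intel.lookup(digest)          # step 2: known hash?
        if verdict is None:
            verdict = self.analyzer(bundle)          # step 3: analyze on a miss
            self.intel.record(digest, verdict)       # cache the verdict by hash
        decision = DECISIONS[verdict]                # step 4: approve / warn / block
        self.skills[name] = {"sha256": digest, "verdict": verdict, "decision": decision}
        return decision

    def daily_rescan(self) -> Dict[str, str]:
        """Step 5: re-query every active skill's hash; return decisions that changed."""
        changed: Dict[str, str] = {}
        for name, entry in self.skills.items():
            current = self.intel.lookup(entry["sha256"])
            if current is not None and current != entry["verdict"]:
                entry["verdict"] = current
                entry["decision"] = DECISIONS[current]
                changed[name] = entry["decision"]
        return changed


def run_demo() -> dict:
    """Publish two constructed bundles, then simulate a later intel update."""
    intel = ThreatIntel()
    registry = SkillRegistry(intel)
    clean = b"name: weather\nrun: fetch forecast\n"        # constructed sample
    shady = b"name: helper\nrun: eval(user_input)\n"       # constructed sample
    first = registry.publish("weather", clean)             # "approved"
    second = registry.publish("helper", shady)             # "warning"
    # Later, threat intel learns the previously clean bundle is malicious;
    # the daily re-scan catches it without a fresh upload.
    intel.record(sha256_hex(clean), "malicious")
    changed = registry.daily_rescan()                      # {"weather": "blocked"}
    return {"first": first, "second": second, "changed": changed}


if __name__ == "__main__":
    print(run_demo())
```

The point the re-scan step makes is that the hash cache is only as good as the intel behind it: a bundle that was benign on day one is re-evaluated daily against the current verdict for the same digest, so a later detection flips the decision without the author re-uploading anything. A real deployment would also have to handle the analysis being asynchronous and the bundle changing its hash with every revision.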

Why This Matters: The Security Crisis Context

The partnership comes in response to multiple security analyses that identified hundreds of malicious skills on ClawHub. Recent research from Bitdefender, Cisco, and VirusTotal itself documented malicious skills that:

- Exfiltrate sensitive data from user systems
- Install backdoors for persistent remote access
- Deploy stealer malware to harvest credentials
- Execute unauthorized commands on behalf of users

The Broader Security Landscape

OpenClaw's security challenges extend far beyond malicious skills. The platform has faced intense scrutiny from the cybersecurity community:

Architectural Security Issues

- Cleartext credential storage: API keys and session tokens stored without encryption
- Insecure coding patterns: Direct use of eval() with user input
- No explicit user approval: Tool calls execute without confirmation
- Default network binding: Gateway binds to 0.0.0.0:18789, exposing APIs to all network interfaces

According to Censys data, over 30,000 OpenClaw instances were exposed to the internet as of February 8, 2026.
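The default binding to 0.0.0.0:18789 is the kind of exposure that is easy to confirm from the host itself. As an added defender-side check, not code from OpenClaw or Censys, the following parses `ss -ltn`-style listener output and reports any gateway listener bound to a wildcard address. The sample output is constructed, and the port is the one named above; the function names are this example's own.

```python
"""Flag gateway listeners bound to wildcard addresses (added example, constructed input)."""
import re
from typing import Dict, List

GATEWAY_PORT = 18789  # default gateway port named in the article
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}  # any-interface bindings

# Constructed sample shaped like `ss -ltn` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:18789        0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       511     [::]:18789           [::]:*
"""

# Match LISTEN rows and split "Local Address:Port" at the final colon.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(text: str) -> List[Dict[str, object]]:
    """Return one {"addr", "port"} record per LISTEN row; header and other lines are skipped."""
    listeners = []
    for line in text.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            listeners.append({"addr": match.group(1), "port": int(match.group(2))})
    return listeners


def exposed_gateways(listeners: List[Dict[str, object]], port: int = GATEWAY_PORT) -> List[Dict[str, object]]:
    """Listeners on the gateway port whose local address is a wildcard (all interfaces)."""
    return [l for l in listeners if l["port"] == port and l["addr"] in WILDCARD_ADDRS]


if __name__ == "__main__":
    # On a live host replace SAMPLE_SS_OUTPUT with the output of: ss -ltn
    for hit in exposed_gateways(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"gateway bound to all interfaces: {hit['addr']}:{hit['port']}")
```

A loopback binding (127.0.0.1 or ::1) does not appear in the result, which is the state the "Limit Network Exposure" recommendation later in this article is asking for; an IPv6 `[::]` listener is treated as exposed too, since it also answers on every interface.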

Prompt Injection Vulnerabilities

Security researchers have demonstrated multiple attack vectors:

- Zero-click backdoors: Malicious documents processed by the AI agent can plant persistent backdoors
- Web-based injection: Prompts embedded in web pages append attacker commands to system files
- Messaging attacks: Crafted WhatsApp messages can exfiltrate credentials from exposed instances

Critical Vulnerabilities Disclosed

Recent security findings include:

- One-click RCE: A now-patched vulnerability allowed attackers to leak authentication tokens via malicious web pages
- Credential exposure: 7.1% of skills (283 out of 3,984 analyzed) contained plaintext credentials visible through LLM output logs
- Moltbook database exposure: A misconfigured Supabase database leaked 1.5 million API tokens and 35,000 email addresses

Enterprise Shadow AI Risk

Security experts warn that OpenClaw represents a new category of Shadow AI risk for enterprises. As Astrix Security researcher Tomer Yahalom noted:

"OpenClaw and tools like it will show up in your organization whether you approve them or not. Employees will install them because they're genuinely useful. The only question is whether you'll know about it."

Permiso Security emphasized the severity:

"AI agents get credentials to your entire digital life. And unlike browser extensions that run in a sandbox with some level of isolation, these agents operate with the full privileges you grant them."

International Response

The security concerns have prompted governmental action. China's Ministry of Industry and Information Technology issued an alert about misconfigured OpenClaw instances, urging users to implement protections against cyber attacks and data breaches, according to Reuters.

Important Limitations

OpenClaw maintainers acknowledge that VirusTotal scanning is "not a silver bullet." Sophisticated attacks using cleverly concealed prompt injection payloads may still evade detection. The platform is developing additional security measures, including:

- Comprehensive threat model documentation
- Public security roadmap
- Formal security reporting process
- Complete codebase security audit

These initiatives are tracked on OpenClaw's trust and security portal.

Recommendations for Users

Security professionals recommend the following precautions:

  1. Enable Docker Sandboxing: Use OpenClaw's Docker-based tool sandboxing to limit skill execution privileges
  2. Review Skills Carefully: Even with VirusTotal scanning, scrutinize skills before installation
  3. Limit Network Exposure: Do not expose OpenClaw instances directly to the internet
  4. Implement Network Segmentation: Isolate OpenClaw deployments from sensitive systems
  5. Monitor for Suspicious Activity: Regularly audit logs for unexpected commands or data access
  6. Apply Updates Promptly: Install security patches as soon as they become available

TL;DR

- OpenClaw partnered with VirusTotal to scan all ClawHub skills for malware using Code Insight technology
- Benign skills auto-approve, suspicious skills get warnings, malicious skills are blocked
- Daily re-scanning detects skills that become malicious after initial approval
- Partnership addresses discovery of hundreds of malicious skills on ClawHub
- VirusTotal scanning is not foolproof—sophisticated prompt injections may still evade detection
- 30,000+ internet-exposed OpenClaw instances and broader security concerns persist

Source: The Hacker News