From magic to malware: How OpenClaw's agent skills become an attack surface
16 hours ago
- #OpenClaw
- #Malware
- #Cybersecurity
- OpenClaw's agent skills can be dangerous due to their access to files, tools, browsers, and long-term memory.
- Skills in OpenClaw are markdown files that can include malicious commands disguised as setup instructions.
- The Model Context Protocol (MCP) does not guarantee safety as skills can bypass it with direct shell commands or bundled scripts.
- A top-downloaded 'Twitter' skill was found to deliver macOS infostealing malware through seemingly normal prerequisite links.
- Hundreds of OpenClaw skills were involved in distributing malware, showing a deliberate strategy to exploit skill registries.
- Agent skill registries are a new supply chain attack vector, where markdown files act as executable intent.
- Recommendations include not using OpenClaw on company devices, rotating compromised credentials, and treating skill registries like app stores with abuse potential.
- Agent frameworks should default-deny shell execution, sandbox access to sensitive data, and implement specific, revocable permissions.
- A trust layer is needed for agent ecosystems, with provenance for skills, mediated execution, and real-time auditing of permissions.