OpenClaw, the open-source AI agent framework formerly known as Moltbot and Clawdbot, has announced a significant partnership with Google-owned VirusTotal. This collaboration aims to enhance the security of its skill marketplace, ClawHub, by integrating VirusTotal’s advanced threat intelligence for scanning all uploaded skills. This move is part of a broader initiative by OpenClaw to bolster the security of the rapidly growing agentic ecosystem.
The partnership means all skills published to ClawHub will now undergo rigorous scanning using VirusTotal’s capabilities, including its new Code Insight feature. This integration provides an additional layer of security for the OpenClaw community, ensuring a safer environment for users and developers alike. The process involves generating a unique SHA-256 hash for each skill and cross-referencing it with VirusTotal’s extensive database. If a match is found, further analysis is triggered, including the examination of the skill bundle by VirusTotal’s malware scanning tools and its Code Insight technology.
OpenClaw Enhances Security with VirusTotal Integration
Skills that are identified as benign by Code Insight will be automatically approved on ClawHub. Conversely, any skills flagged as suspicious will receive a warning, while those deemed malicious will be immediately blocked from download. OpenClaw has also committed to a continuous security posture by re-scanning all active skills on a daily basis. This proactive approach aims to detect any instances where a previously safe skill might evolve into a malicious threat over time, addressing the dynamic nature of cyber threats within the AI landscape.
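The publish-and-rescan flow described above, modelled as an added example (not OpenClaw's or VirusTotal's own code): the bundle is hashed with SHA-256, the hash is looked up, the verdict maps to approve / warn / block, and a daily re-scan catches a skill whose bundle has changed under it. The lookup function and verdict strings are constructed stand-ins for the VirusTotal query.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Added example, not OpenClaw's or VirusTotal's code. The lookup is a
# constructed stand-in for the VirusTotal hash query; verdict strings assumed.

Bundle = Dict[str, bytes]               # relative path -> file content
Lookup = Callable[[str], Optional[str]]  # sha256 hex -> verdict, or None if unseen

def bundle_sha256(files: Bundle) -> str:
    """Deterministic SHA-256 over a whole skill bundle. Paths are sorted and
    every field is length-prefixed, so reordering or renaming files, or
    moving bytes from one file to another, changes the digest."""
    h = hashlib.sha256()
    for path in sorted(files):
        for field in (path.encode("utf-8"), files[path]):
            h.update(len(field).to_bytes(4, "big"))
            h.update(field)
    return h.hexdigest()

# Verdict -> publish decision, as the article describes it. A missing or
# unknown verdict means the hash has not been analysed yet: hold the skill.
DECISIONS = {"benign": "approved", "suspicious": "warning", "malicious": "blocked"}

def decide(verdict: Optional[str]) -> str:
    return DECISIONS.get(verdict, "pending")

def evaluate(files: Bundle, lookup: Lookup) -> Tuple[str, str]:
    digest = bundle_sha256(files)
    return digest, decide(lookup(digest))

def rescan(registry: Dict[str, Bundle], state: Dict[str, Tuple[str, str]],
           lookup: Lookup) -> Dict[str, Tuple[str, str]]:
    """Daily re-scan: re-evaluate every active skill's current bundle, update
    state, and return {name: (old_decision, new_decision)} for changes only."""
    changed = {}
    for name, files in registry.items():
        digest, decision = evaluate(files, lookup)
        _, old_decision = state.get(name, (None, "pending"))
        if decision != old_decision:
            changed[name] = (old_decision, decision)
        state[name] = (digest, decision)
    return changed

# Constructed sample: a skill that is benign when published and is later
# updated with an extra file, after which the new hash is flagged malicious.
CLEAN = {"SKILL.md": b"# weather\nfetch forecast\n", "run.py": b"print('sunny')\n"}
TAMPERED = dict(CLEAN, **{"extra.py": b"# constructed placeholder for an added file\n"})
VERDICTS = {bundle_sha256(CLEAN): "benign", bundle_sha256(TAMPERED): "malicious"}

def sample_lookup(digest: str) -> Optional[str]:
    return VERDICTS.get(digest)
```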
Despite the enhanced security measures, OpenClaw maintainers have cautioned that VirusTotal scanning is not a complete solution to every security risk. Sophisticated malicious skills, particularly those carrying cleverly concealed prompt injection payloads, could still evade detection. This acknowledgment highlights the ongoing challenge of securing complex AI systems in which manipulation through language itself is a primary concern.
Addressing the Growing Threat Landscape of AI Agents
The development comes in the wake of reports that uncovered hundreds of malicious skills on ClawHub. These skills often masqueraded as legitimate tools but contained hidden functionalities designed to exfiltrate data, install backdoors for remote access, or deploy stealer malware. In response to these findings, OpenClaw had previously introduced a reporting option allowing signed-in users to flag suspicious skills, an effort now complemented by the VirusTotal integration.
Cisco has previously noted that AI agents with system access can become covert data-leak channels, bypassing traditional data loss prevention and endpoint monitoring solutions. Furthermore, these models can act as execution orchestrators, where the prompt itself becomes the instruction, making them difficult to detect with conventional security tools. The recent viral popularity of OpenClaw and its associated platforms has amplified these concerns, drawing attention to the potential security vulnerabilities inherent in agentic AI technology.
Vulnerabilities and Architectural Concerns Highlighted
The power and flexibility of skills, designed to extend an AI agent’s capabilities, can be exploited by malicious actors. These actors can leverage an agent’s access to tools and data for data exfiltration, unauthorized command execution, sending messages on behalf of the victim, and even downloading and running additional payloads without user knowledge or consent. The default configuration of OpenClaw, which grants broad system access without explicit user approval for tool execution, represents a significant security risk, according to researchers at HiddenLayer.
Architecture and design issues identified by HiddenLayer include the reliance on the configured language model for security-critical decisions, insufficient filtering of untrusted content, ineffective guardrails against indirect prompt injections, modifiable memories that persist across sessions, plaintext storage of sensitive credentials, and a lack of explicit user approval before executing tool calls. This default broad access, especially when OpenClaw is deployed on employee endpoints without formal IT oversight, creates a new class of “Shadow AI” risk for enterprises.
Beyond the VirusTotal partnership, OpenClaw has outlined further security enhancements. These include the planned publication of a comprehensive threat model, a public security roadmap, a formal security reporting process, and details regarding a security audit of its entire codebase. These initiatives aim to provide greater transparency and build user trust as the platform evolves.
Specific security concerns that have come to light include issues with proxied traffic misclassification, insecure coding patterns like direct `eval` with user input, and the cleartext storage of credentials. A zero-click attack scenario was also detailed, involving a harmless document processed by an AI agent that could lead to the installation of a backdoor via an indirect prompt injection payload. Another instance involved an indirect prompt injection embedded in a web page that manipulated OpenClaw into appending attacker-controlled instructions to a file, silently awaiting further commands.
A security analysis of nearly 4,000 skills on ClawHub revealed that a significant percentage contained critical security flaws, exposing sensitive credentials in plaintext. Reports from Bitdefender have also indicated that malicious skills are often cloned and re-published at scale, with payloads staged through various online services. A since-patched one-click remote code execution vulnerability previously allowed attackers to trick users into visiting malicious web pages, potentially leaking authentication tokens and enabling arbitrary command execution.
Furthermore, OpenClaw’s gateway has been found to bind to public interfaces by default, exposing its API to wider networks. Hypothetical attack scenarios involving specially crafted WhatsApp messages have demonstrated the potential to exfiltrate sensitive credential files from exposed OpenClaw instances. Issues with misconfigured databases like Supabase, belonging to Moltbook, have also led to the exposure of millions of API authentication tokens and private messages between agents. Threat actors have exploited Moltbook’s platform mechanics to amplify their reach and funnel other agents towards malicious threads containing prompt injections.
Many security experts emphasize the critical nature of securing AI agent platforms. China’s Ministry of Industry and Information Technology has issued an alert regarding misconfigured instances, urging users to implement protections against cyberattacks and data breaches. The primary attack surface, according to experts, often lies in misconfigurations when agent platforms grow faster than security practices. The focus on configuration risk by regulators underscores the understanding that these frameworks amplify both productivity and the potential blast radius of security incidents.
Looking ahead, the AI security community will be closely watching the implementation of OpenClaw’s announced security roadmap. The effectiveness of the VirusTotal integration and the subsequent enhancements to its threat model and discovery processes will be crucial in addressing the ongoing challenges of securing the agentic ecosystem. The platform’s ability to adapt to evolving threat vectors, particularly prompt injection attacks, and its commitment to user-friendly security best practices will determine its long-term viability and trustworthiness.