OpenClaw is stepping up its security game by teaming with Google-owned VirusTotal to scan every skill uploaded to ClawHub, its AI skills marketplace.
Quick Summary – TLDR:
- OpenClaw integrates VirusTotal to automatically scan skills on ClawHub for malware and threats.
- New Code Insight tool powered by Google Gemini AI analyzes skill behavior beyond signatures.
- Over 340 malicious skills uncovered, raising alarms about data exfiltration, prompt injections, and backdoors.
- OpenClaw is launching a broader security initiative including a public threat model and formal audit.
What Happened?
After several discoveries of malicious skills being distributed through ClawHub, OpenClaw has officially partnered with VirusTotal to automatically scan skills for malware. The move follows alarming audits that found hundreds of compromised skills, including some designed to steal credentials, run commands, or download infostealers.
The partnership adds both signature-based scanning and AI-driven behavior analysis, thanks to VirusTotal’s Code Insight, a tool powered by Google’s Gemini large language model (LLM).
🔥 OpenClaw now scans every ClawHub skill using 🛡️ VirusTotal threat intel.
— The Hacker News (@TheHackersNews) February 8, 2026
Uploads are hashed, analyzed via Code Insight, then auto-approved, flagged, or blocked. Daily rescans 🔍 check if clean skills turn malicious later.
⚠️ Hundreds of risky skills had slipped through… pic.twitter.com/oIQjZqY7eL
Why OpenClaw Took Action?
OpenClaw, formerly known as Moltbot and Clawdbot, has grown rapidly in popularity. Its platform allows users to build and deploy autonomous AI agents capable of managing finances, controlling smart homes, and integrating with services like Telegram, Slack, and iMessage.
But with great power comes great risk. As these agents gain deeper access to user data and system functions, ClawHub’s open marketplace of downloadable “skills” became a vector for malicious actors.
Security audits revealed:
- Over 340 malicious skills among 2,800+ reviewed.
- A popular “Twitter” skill that downloaded a macOS infostealer.
- Skills masquerading as legit tools but silently exfiltrating API keys, browser data, and private messages.
- Prompt injection attacks that allow remote command execution.
- One-click exploits leaking OpenClaw tokens via WebSocket.
- Plaintext credential storage and improperly cleared data after uninstall.
As these agents often operate without IT oversight, they’ve introduced a new enterprise risk: Shadow AI, where tools bypass traditional security policies.
How the VirusTotal Integration Works?
Every skill uploaded to ClawHub now goes through a multi-layered scan:
- A SHA-256 hash is created and checked against VirusTotal’s malware database.
- If no match is found, the full ZIP package is uploaded.
- VirusTotal Code Insight performs behavior-based analysis using LLMs.
Based on the scan result:
- Benign skills are auto-approved.
- Suspicious skills show warnings to users.
- Malicious skills are blocked entirely.
Additionally, all live skills on ClawHub are re-scanned daily to detect updates that might introduce threats.
Still, OpenClaw notes this system is not foolproof. Prompt injection payloads or cleverly disguised malicious language might bypass detection.
Wider Security Push
OpenClaw is not stopping at VirusTotal. The platform is rolling out:
- A comprehensive threat model.
- A public security roadmap.
- Details of its ongoing security audit.
- A formal vulnerability reporting process.
These steps are critical after findings from firms like Backslash Security, HiddenLayer, Zenity Labs, and Koi revealed widespread design flaws and real-world attacks.
Researchers have warned that these agents are often deployed with persistent memory and high privileges, making misconfiguration a huge threat. Tools with full system access become unintentional automation layers for attackers.
In fact, Censys recently found over 30,000 misconfigured OpenClaw instances publicly accessible online.
SQ Magazine Takeaway
I’m glad OpenClaw is taking serious steps toward security. The partnership with VirusTotal is long overdue, especially with over 300 malicious skills already exposed. But let’s be real: adding scans isn’t the end of the story. It’s just the start.
As someone who’s excited about AI automation, I think we can’t ignore the risks anymore. When AI agents have access to your passwords, smart home, Slack, and files, it only takes one bad skill to bring it all crashing down. Developers need to harden these tools, and users must stay alert. Autonomy is great, but without guardrails, it’s a free-for-all.
