Bitdefender has reported widespread abuse in the OpenClaw ecosystem, warning that a significant share of published AI “skills” behave maliciously and that the threat is reaching corporate environments.
In research covering the first week of February, the security firm found that about 17% of the OpenClaw skills it analysed showed malicious behaviour. More than half of those were tied to cryptocurrency activity, which Bitdefender described as the most heavily abused category.
OpenClaw skills
OpenClaw is an open-source execution engine used with AI agents. It lets software agents perform actions on a user’s behalf through modular add-ons known as skills. These skills can automate tasks such as crypto trading, wallet tracking, account management, and workflows across devices.
OpenClaw’s visibility has grown quickly in developer circles, attracting more than 160,000 GitHub stars in a short period, according to Bitdefender’s research notes.
The same design choices that make skills attractive also create a broad attack surface. Once installed, a skill can run code and interact with local and remote services, depending on the permissions and functions it requests.
Crypto focus
Crypto-related skills accounted for 54% of the malicious samples Bitdefender identified. Many presented themselves as trading agents, wallet helpers, or gas trackers.
The research cited popular platforms and services used as lures, including Solana, Phantom, Binance, Ethereum, and Polymarket. Bitdefender did not disclose how many total skills it analysed or how many samples fell into each category.
Attackers appear to be relying on trust in automation rather than traditional delivery techniques such as phishing emails or fake pop-ups. Bitdefender described a pattern of cloning and republishing skills under slightly different names to make them appear legitimate and widely used.
Once installed, malicious skills can execute obfuscated shell commands that fetch additional payloads from external infrastructure and run them automatically.
macOS infostealer
Bitdefender observed multiple OpenClaw skills delivering AMOS Stealer on macOS, an information-stealing malware family associated with the theft of browser data, credentials, and cryptocurrency-related information.
At least three distinct skills delivered AMOS Stealer on macOS, with payloads downloaded from URLs associated with the 91.92.242.30 domain, according to a research summary.
Bitdefender also reported a repeated infrastructure pattern, with scripts and malware hosted from the same IP address. It also cited staging via public paste services and GitHub repositories impersonating legitimate OpenClaw tooling.
Researchers said the risk can be difficult to spot during routine use because automation tasks can look normal even when they include hidden execution steps.
“The threat particularly dangerous because nothing looks out of place, with the automation doing exactly what it’s allowed to do, just not for the user’s benefit,” said Bitdefender Labs researchers.
Corporate exposure
The issue is extending beyond consumer use. Research from Bitdefender’s business unit found OpenClaw increasingly present in corporate environments, with hundreds of detected cases.
Skills marketed as productivity tools, auto-updaters, or cloud utilities can justify elevated permissions and frequent execution in business settings, potentially providing persistent access if a malicious skill is installed.
Security teams have tracked similar risks across other software supply chains, including open-source package repositories and browser extensions. AI agent ecosystems add a different layer of risk by encouraging users to install automation components expected to act on their behalf, often with broad access.
Skills checker
Alongside the research, Bitdefender introduced a free AI Skills Checker designed to assess whether an AI skill or automation tool may be unsafe before a user installs or runs it.
The checker analyses skills for suspicious behaviour and flags hidden execution, external downloads, and unsafe commands.
Bitdefender urged users and organisations to treat AI skills like software installations rather than harmless plug-ins. Skills that run shell commands, request installation of external binaries, or handle sensitive secrets warrant extra scrutiny.
Bitdefender expects abuse of automation and AI-driven tooling to continue as adoption spreads and attackers look for new channels to steal credentials and deliver malware.
