OpenClaw AI Agent Platform Risks Credential Leakage via Malicious Skills in Public Hub
What Happened — Kaspersky’s SecureList analysis shows that OpenClaw (formerly Clawdbot/Moltbot) lets users download “skills”—script‑like modules—from a public marketplace called ClawHub. Because skills run with the agent’s OS privileges and often contain plaintext tokens or API keys, attackers can publish malicious skills that harvest credentials, exfiltrate data, or execute arbitrary code on any workstation that installs them.
Why It Matters for Compliance & Audit Readiness
- The scenario maps directly to SOC 2 CC6 (Logical Access) and CC7 (System Operations) – uncontrolled third‑party code can bypass access controls and create audit‑trail gaps.
- Continuous vendor‑risk monitoring is required to prove due‑diligence that any external skill provider meets your organization’s security policies.
- Evidence of skill‑validation processes (e.g., code‑review, hash verification) becomes essential audit artefacts for demonstrating control effectiveness.
Who Is Affected — Enterprises that adopt AI‑agent automation across tech‑SaaS, professional services, and internal IT operations; essentially any organization allowing employees to run OpenClaw locally.
Recommended Actions
- Inventory all workstations with OpenClaw installed and map each skill to a control (SOC 2 CC6/CC7).
- Enforce a “whitelist‑only” policy for skills sourced from vetted internal repositories; block external downloads via network controls.
- Integrate skill‑hash verification into your CI/CD pipeline and retain verification logs as audit evidence.
- Conduct a vendor‑risk assessment of ClawHub and any third‑party skill authors, documenting findings in your TPRM program.
Source: SecureList – OpenClaw Security
Technical Notes — Attack vector: malicious skill files delivered through the public ClawHub marketplace (third‑party dependency). Skills may embed code that reads environment variables, accesses the file system, and forwards tokens to attacker‑controlled endpoints. No specific CVE is cited; the risk stems from design‑level trust in external content. Source: same as above