From magic to malware: How OpenClaw's agent skills become an attack surface | 1Password

The short version: agent gateways that act like OpenClaw are powerful because they have real access to your files, your tools, your browser, your terminals, and often a long-term “memory” file that captures how you think and what you’re building. That combination is exactly what modern infostealers are designed to exploit.

What I found: The top downloaded skill was a malware delivery vehicle

While browsing ClawHub (I won’t link it for obvious reasons), I noticed the top downloaded skill at the time was a “Twitter” skill. It looked normal: description, intended use, an overview, the kind of thing you’d expect to install without a second thought.

But the very first thing it did was introduce a “required dependency” named “openclaw-core,” along with platform-specific install steps. Those steps included convenient links (“here”, “this link”) that appeared to be normal documentation pointers.

They weren’t.

Both links led to malicious infrastructure. The flow was classic staged delivery:

The skill’s overview told you to install a prerequisite.

The link led to a staging page designed to get the agent to run a command.

That command decoded an obfuscated payload and executed it.

The payload fetched a second-stage script.

The script downloaded and ran a binary, including removing macOS quarantine attributes to ensure macOS’s built-in anti-malware system, Gatekeeper, doesn’t scan it.

This is the type of malware that doesn’t just “infect your computer.” It raids everything valuable on that device:

Browser sessions and cookies

Saved credentials and autofill data

Developer tokens and API keys

SSH keys

Cloud credentials

Anything else that can be turned into an account takeover

If you’re the kind of person installing agent skills, you are exactly the kind of person whose machine is worth stealing from.