1Password warns: "Do not use OpenClaw on a company device"
Writing on the @1Password blog, Jason Meller reports that the most downloaded OpenClaw skill he found was a malware delivery vehicle:
While browsing ClawHub (I won’t link it for obvious reasons), I noticed the top downloaded skill at the time was a “Twitter” skill. It looked normal: description, intended use, an overview, the kind of thing you’d expect to install without a second thought.
But the very first thing it did was introduce a “required dependency” named “openclaw-core,” along with platform-specific install steps. Those steps included convenient links (“here”, “this link”) that appeared to be normal documentation pointers.
They weren’t.
Both links led to malicious infrastructure.
Indeed, this wasn't an isolated case.
Over 300 OpenClaw skills were reportedly involved in distributing macOS malware via ClickFix-style instructions.
What can you do? CyberInsider recommends that "users and organizations leveraging AI bot platforms like OpenClaw should use Koi Security’s Clawdex, a security tool for OpenClaw bots that offers pre-installation scanning and retroactive detection on already-installed skills."
Replies
The first guy to make an AI agent antivirus will probably be the next billionaire.
CRML
@tuliosousapro Like the idea.
This is exactly the kind of wake-up call people have been warning about.
Agent ecosystems are starting to look like early browser extensions or npm — powerful, fast-moving, and full of trust assumptions. Once “install a skill” becomes normal behavior, malware just follows the distribution channel.
The takeaway for me isn’t “don’t use agents,” it’s:
treat skills like untrusted code
assume supply-chain risk by default
add scanning, isolation, and least-privilege early, not later
We rushed to give agents hands and eyes. Now we’re being reminded they also need seatbelts and locks.