The OpenClaw autonomous AI agent project has partnered with Google’s VirusTotal to enhance security following the discovery of malware in its ClawHub skills marketplace. Recent findings by Jason Meller from 1Password revealed that a popular skill, “Twitter,” harbored a malicious dependency that downloaded infostealer malware for macOS, capable of exfiltrating sensitive user data such as credentials and API keys. Koi’s audit identified 341 malicious skills among 2,857 total, predominantly linked to a single supply chain attack. While OpenClaw’s skills enable automation of various tasks, they pose security risks, as malicious commands can bypass traditional malware detection. OpenClaw will now vet skills against VirusTotal’s database to mitigate risks, although the project cautions that some threats may remain undetected. The project aims to enhance its security model, led by security expert Jamieson O’Reilly, while advising users to avoid connecting the AI to sensitive data.
