The cybersecurity landscape is witnessing a sophisticated shift as attackers begin to exploit the rising popularity of agentic AI frameworks. Recent reports have highlighted a significant security crisis surrounding OpenClaw, an open-source AI personal assistant formerly known as Moltbot and ClawdBot. While the tool offers groundbreaking productivity by executing shell commands and managing local files, its broad permissions have turned it into a "pot of gold" for cybercriminals.
Researchers have identified a multi-vector attack campaign, most notably involving the "ClawHavoc" operation. This campaign utilizes a social engineering methodology similar to the "ClickFix" technique. Attackers have flooded ClawHub, the official registry for OpenClaw skills, with hundreds of malicious packages masquerading as legitimate utility tools. These "skills" often pose as automated cryptocurrency trading bots, YouTube management utilities, or financial assistants.
The attack chain typically begins with a user installing a malicious skill. These packages often include professional-looking documentation that instructs users to install a "necessary" companion component called "AuthTool." In reality, this is a malware dropper designed to exfiltrate sensitive data. On macOS, the malware has been identified as part of the Atomic Stealer (AMOS) or NovaStealer families, which can bypass Gatekeeper protections to harvest browser passwords, macOS Keychain data, and SSH keys.
However, the primary objective for many of these attackers is the theft of cryptocurrency assets. By gaining access to the local filesystem and browser extensions, the malware can scan for private keys, seed phrases, and session tokens for popular wallets like Phantom, Binance, and MetaMask. A critical vulnerability, tracked as CVE-2026-25253, further compounds the risk by enabling a "1-click" remote code execution (RCE) attack. This allows an adversary to hijack the local gateway and impersonate the administrator simply by tricking a user into clicking a crafted link.
Security experts emphasize that because OpenClaw operates with the full privileges granted by the user, the "blast radius" of a compromise is essentially the entire system. Thousands of internet-exposed OpenClaw instances have been found running without any authentication, leaving them wide open to automated scans. Users are urged to update to the latest versions, enable strong authentication, and strictly avoid installing third-party skills from unverified sources within the ClawHub ecosystem.
Posted Using INLEO