According to the report, which covers data from the first week of February 2026, Bitdefender’s analysis of the OpenClaw ecosystem uncovered widespread abuse. OpenClaw is an open-source execution engine for AI agents that uses modular add-ons called “skills” to automate tasks on a user’s behalf. These skills can manage crypto wallets, execute trades, and integrate various workflows. The platform’s popularity has grown rapidly, reportedly attracting over 160,000 stars on GitHub.
The investigation found that 17% of the skills analyzed were malicious. Of those, 54% were specifically related to cryptocurrency, often masquerading as trading bots, wallet trackers, or gas fee optimizers for platforms like Solana, Ethereum, and Binance. Attackers are reportedly cloning and republishing legitimate skills under slightly altered names to build a facade of authenticity.
The malicious skills operate by executing obfuscated shell commands that download additional payloads from external servers. Bitdefender researchers observed a recurring pattern where malware and scripts were hosted from the same IP address, `91.92.242.30`. The attackers also utilized public paste services and impersonated GitHub repositories to stage their payloads.
A notable payload identified was the AMOS Stealer, an information-stealing malware targeting macOS. At least three distinct OpenClaw skills were found to deliver this malware, which is known for exfiltrating browser data, credentials, and cryptocurrency wallet information. Because these actions are performed by an automation tool granted permissions by the user, the malicious activity can be difficult to detect. The threat particularly dangerous because nothing looks out of place, with the automation doing exactly what it’s allowed to do, just not for the user’s benefit,
stated researchers from Bitdefender Labs.
The attacks leverage the inherent trust users place in automation tools and the broad permissions often granted to AI skills. Unlike traditional malware delivery via phishing, this method relies on users willingly installing skills that promise to perform useful tasks. Once installed, the skills’ ability to run code and interact with local and remote services provides a powerful attack vector for stealing sensitive information and assets.
While the report highlights the percentage of malicious skills found, Bitdefender did not disclose the total number of skills it analyzed to arrive at that figure. Furthermore, specific details on the number of samples that fell into each malicious category, such as wallet drainers versus information stealers, were not provided. The total number of users or organizations affected by these malicious skills remains unquantified.
The threat is expanding from individual consumers to corporate environments. Bitdefender’s business unit reported detecting OpenClaw’s presence in hundreds of corporate networks. Skills disguised as productivity tools or auto-updaters can be used to establish persistent access to business systems. The company anticipates that abuse of AI-driven automation will increase as adoption grows, opening new channels for malware delivery and credential theft, similar to risks seen in other software supply chains like open-source package repositories.
In response to its findings, Bitdefender has released a free tool called the AI Skills Checker to help users vet automation tools before installation. The company advises users and organizations to take the following precautions:
- Treat AI skills with the same scrutiny as any other software installation, not as simple plug-ins.
- Carefully review any skill that requests permission to run shell commands or install external binaries.
- Be cautious with skills that require access to sensitive secrets, API keys, or private credentials.
- Use the AI Skills Checker or similar tools to analyze a skill’s behavior before running it.
- Monitor network activity for unexpected connections, especially from automation tools.
Follow us on Bluesky , LinkedIn , and X to Get Instant Updates