OpenClaw Integrates VirusTotal Scanning to Curb Malicious ClawHub Skills
In a significant move to fortify the emerging AI agent ecosystem, OpenClaw (formerly known as Moltbot and Clawdbot) has announced a strategic partnership with Google-owned VirusTotal. This integration aims to secure ClawHub, OpenClaw’s popular skill marketplace, following a series of high-profile security breaches involving malicious third-party extensions.
As AI agents gain the ability to execute shell commands, manage files, and handle sensitive API keys, they have become prime targets for supply-chain attacks. The new scanning implementation is designed to provide a "defense-in-depth" layer against these evolving threats.
The "ClawHavoc" Crisis
The decision to integrate automated scanning comes on the heels of the "ClawHavoc" campaign discovered earlier this month. Security researchers at Koi Security and 1Password identified over 340 malicious skills on ClawHub—representing nearly 12% of the total library at the time.
These malicious skills often masqueraded as legitimate tools for cryptocurrency trading, social media automation, or system utilities. Once installed, they typically employed one of two tactics:
- Social Engineering: Instructing users to download "prerequisite" ZIP files or run Base64-encoded scripts that installed the Atomic Stealer (AMOS) malware.
- Prompt Injection: Using the
SKILL.mdfile to coerce the AI agent into exfiltrating credentials or opening reverse shells in the background.
How the VirusTotal Integration Works
OpenClaw founder Peter Steinberger confirmed that the platform now employs a multi-stage security pipeline for every skill submitted to or hosted on ClawHub. The process consists of three core components:
1. Deterministic Hashing
Every skill bundle is converted into a unique SHA-256 hash. This fingerprint is immediately cross-referenced against VirusTotal’s massive database of known threats. If a match is found, the skill is blocked instantly.
2. VirusTotal Code Insight
For new or unknown skills, OpenClaw utilizes VirusTotal’s Code Insight capability. Powered by Google’s Gemini 1.5 Pro, this tool performs a behavioral analysis of the skill’s code and instructions. Unlike traditional antivirus software that looks for specific file signatures, Code Insight analyzes the intent of the script, flagging attempts to:
- Download external binaries from untrusted URLs.
- Access hidden directories like
~/.sshor~/.aws/credentials. - Establish unauthorized outbound network connections.
3. Continuous Monitoring
Security is not a one-time event. OpenClaw has implemented daily re-scans for all active skills on the marketplace. This ensures that if a previously "clean" external resource referenced by a skill becomes compromised, the platform can flag it within 24 hours.
Automated Verdicts and User Safety
Users browsing ClawHub will now see clear security indicators on each skill page based on the VirusTotal analysis:
| Verdict | Action Taken | Description |
|---|---|---|
| Benign | Auto-Approved | No malicious behavior detected; meets security standards. |
| Suspicious | Warning Label | Contains high-risk patterns (e.g., encoded commands) but no direct malware. |
| Malicious | Instant Block | Confirmed threat or malware delivery vehicle. |
A Word of Caution: No "Silver Bullet"
"Security is a moving target. While VirusTotal gives us a massive advantage, it is not a silver bullet," — Peter Steinberger, OpenClaw Founder.
The OpenClaw team warned that "linguistic" attacks—where a skill uses natural language to trick the LLM into doing something harmful without using traditional code—can still be difficult for scanners to catch. Users are still encouraged to practice least privilege by running OpenClaw in sandboxed environments (like Docker) and avoiding skills from unverified publishers.
