top of page
Search

OpenClaw's 230 Malicious Skills: What Agentic AI Supply Chains Teach Us About the Need to Evolve Identity Security

  • Ryan Rowcliffe
  • 3 minutes ago
  • 9 min read

Identity observability gap after authentication for autonomous AI agents

When Cisco's AI Defense team ran their Skill Scanner against OpenClaw's most popular community skill (one that had been gamed to #1 ranking on the skills repository), they found nine security vulnerabilities. Two were critical. The skill, mockingly named "What Would Elon Do?", was functionally malware: it silently exfiltrated data to attacker-controlled servers and used direct prompt injection to bypass safety guidelines.


That malicious skill has been downloaded thousands of times. And it's just one of at least 230 malicious OpenClaw extensions uploaded to ClawHub since January 27, 2026.


If you've been following OpenClaw (formerly Clawdbot, then Moltbot), the open-source AI agent that promises to be your perfect digital assistant, you've witnessed something remarkable: the agent racked up 145,000 GitHub stars in weeks, proving there's genuine demand for autonomous AI assistants that actually help with daily work.


You've also witnessed a real-world case study in why identity security needs to evolve alongside agentic AI adoption. The OpenClaw ecosystem validates many of the supply chain and identity observability challenges we've been discussing in this space. The difference is that this time, we get to learn from watching it unfold in real time rather than reverse-engineering failures from breach reports months later.


Understanding Why OpenClaw Gained Traction


Let's start with why OpenClaw resonated with users: it delivers genuine productivity improvements.


Unlike AI demos that fail in production or assistants that require constant hand-holding, OpenClaw proves the autonomous task execution model works. Connect it to Claude or ChatGPT, point it at your messaging apps (WhatsApp, Telegram, iMessage, Slack), and it manages inboxes, schedules meetings, summarizes documents, books reservations, and executes workflows with minimal prompting.


The compelling feature is persistent memory. The agent remembers preferences, habits, and context across sessions spanning weeks. It learns email organization preferences, calendar conflict resolution patterns, and task prioritization. For professionals drowning in digital busywork, this represents a meaningful quality-of-life improvement.


The open-source nature lets developers inspect code, modify behavior, and build integrations freely. No enterprise licensing complexities, no vendor lock-in, no waiting for official API support.


This is the agentic AI future that organizations have been preparing for. It's also an opportunity to understand identity security challenges before they become widespread problems.


The Extensibility Model: Innovation with Trade-offs


OpenClaw's power comes from its extensibility. Like Claude Skills or OpenAI's custom GPTs, the platform supports community-contributed capabilities that extend what agents can do. These "skills" are instruction sets and code that teach the agent new capabilities: API interactions, specialized analysis and domain-specific workflow automation.


The innovation trade-off? There's currently no certification process, security review, or supply chain verification for community skills.


Cisco's research found that 26% of the 31,000 agent skills they analyzed contained at least one vulnerability. In OpenClaw's case, the architecture allows skills to:

  • Execute code on the host system with the agent's granted privileges

  • Access environment variables including .env files that commonly store API keys and database credentials

  • Make external network calls to infrastructure outside the user's control

  • Influence agent behavior through prompt engineering techniques

  • Leverage the agent's memory system across sessions


The "What Would Elon Do?" skill demonstrated these capabilities in combination:

  1. Executed a curl command that transmitted data to an external server

  2. Used prompt injection to influence agent behavior around safety checks

  3. Required no additional user interaction beyond initial skill installation

  4. Left minimal audit trail of its activities


This is supply chain security challenge meeting agentic AI. The attack vector isn't necessarily a sophisticated exploit. It's user trust in community code combined with the agent's broad access and credential visibility.


Understanding the Real Identity Challenge


Let me walk you through what happens when someone adopts OpenClaw while holding enterprise credentials. These scenarios help illustrate the identity observability gap.


Scenario 1: The Well-Intentioned Engineer


Sarah, a software engineer, hears about OpenClaw from her developer network. She's managing high message volume across Slack, JIRA tickets, and meeting requests. The promise of an AI assistant that genuinely helps is appealing.

Sarah installs OpenClaw on her work laptop and, following setup guides, connects it to:

  • Corporate Gmail account (OAuth access)

  • Slack workspace (bot token)

  • GitHub (personal access token)

  • Calendar (read/write permissions)

  • Local file system (where .env files with AWS credentials and database passwords reside)


She installs community skills for email triage, code review assistance, and meeting optimization. One skill contains malicious code.

What happens next illustrates the visibility challenge:

  • AWS credentials become accessible (potentially exposing production infrastructure)

  • GitHub personal access token is exposed (enabling repository access)

  • Database passwords from .env files are retrievable

  • Email history becomes available (potentially containing additional credentials)


Sarah believes she's running a personal productivity tool. The security team doesn't know OpenClaw exists on the network. The credentials Sarah authorized looked legitimate because she authorized them herself through standard OAuth flows. Traditional DLP doesn't flag the activity because data moves via encrypted HTTPS to what appear to be legitimate endpoints.


Scenario 2: The Remote Executive


Marcus, a VP of Sales, runs OpenClaw on his personal MacBook Pro at home. He's followed Docker hardening guidance and runs it in an isolated environment. His security awareness is actually above average for an executive.

But for OpenClaw to deliver value, it needs access to work systems. Marcus authorizes it to:


  • Read and respond to corporate email (managing 300+ daily messages)

  • Access the company CRM (for deal pipeline visibility)

  • Connect to Slack (team coordination)

  • Integrate with calendar and scheduling tools


He installs a "CRM Assistant" skill that promises automated deal stage updates based on email sentiment analysis. The skill harvests credentials.

Marcus granted legitimate OAuth access, so the malicious skill inherits those permissions. The security team has limited visibility because access appears to come from Marcus's authorized OAuth tokens.


This isn't about Sarah or Marcus making poor decisions. It's about how current identity governance models weren't designed to track what happens after credentials are successfully retrieved and used by autonomous agents.


Why Traditional Security Controls Need Evolution


Security teams are applying established practices to the OpenClaw challenge: system isolation, least privilege access, credential vaulting and network segmentation. These controls remain essential.


They're also revealing gaps that need addressing.


System Isolation Addresses Host Security, Not Credential Usage


Even with perfect sandboxing using Docker, dropped Linux capabilities, and read-only filesystems (as Composio's hardening guide recommends), the agent still requires access to external systems for usefulness. That access requires credentials, which become the new perimeter.


Vectra AI's analysis frames it well: "Autonomous AI agents must be treated as privileged infrastructure, not productivity tools."


Least Privilege Needs Redefinition for Autonomous Agents


The value proposition of agentic AI is autonomous action across multiple systems. Restricting agents to read-only access or requiring manual approval for every action eliminates the productivity gains driving adoption.


Users will naturally seek workarounds: sharing broader credentials, running agents with elevated privileges, or moving to external infrastructure where controls don't apply.


The challenge is redefining least privilege for autonomous entities that need meaningful capability to deliver value.


Credential Vaulting Solves Storage, Not Observability


Tools like Composio offer brokered execution models where agents never see raw credentials. The platform injects them backend and returns results. This significantly improves credential protection.


But it doesn't address the broader visibility question: enterprises still need to understand what credentials are being used, by which agents, executing what actions, against which systems, and whether usage patterns align with expected behavior.


The vault protects the secret. It doesn't provide behavioral context about how that secret is being used.


The Supply Chain Learning Opportunity


The malicious skills proliferation on ClawHub offers valuable lessons about agentic AI supply chain security. We're seeing familiar patterns from software supply chains (package abandonment, typosquatting, malicious updates) but with a new dimension: compromised components have direct credential access and autonomous execution capability.


Consider what we've learned from the timeline:


  • January 27, 2026: Security researchers begin documenting malicious skills on ClawHub

  • January 29, 2026: Deliberately backdoored "safe" skill published as security test; downloaded thousands of times

  • January 30, 2026: Fake "ClawdBot Agent" VS Code extension identified as credential harvesting malware

  • February 1, 2026: Count of malicious extensions reaches 230+, primarily targeting crypto credentials


Running in parallel: CVE-2026-25253 (CVSS 8.8, one-click code smuggling), CVE-2025-6514 (RCE in mcp-remote), and multiple WebSocket hijacking exploits.


These aren't just OpenClaw problems. They're preview patterns for how agentic AI supply chains will be targeted. Rapid growth creates opportunities for supply chain compromise. Malicious actors manufacture popularity through ranking manipulation, exploit naming confusion during rebrands, and release "helpful" tools that harvest credentials.


Security researcher Jamieson O'Reilly (now working with the OpenClaw project on security) documented hundreds of instances exposed to the internet with no authentication, leaking plaintext API keys, bot tokens, OAuth credentials, and conversation histories.


GitGuardian's 2024 State of Secrets Sprawl report found 12.8 million secrets leaked on public GitHub in 2023, a 28% year-over-year increase. Agentic AI architectures that centralize credentials risk accelerating this trend.


The Identity Observability Gap (Made Visible)


The OpenClaw experience highlights a fundamental challenge: traditional Identity tools or Governance and Administration (IGA) platforms were designed around human identities accessing systems through predictable patterns. They excel at tracking provisioning, certification campaigns, role assignments, and access reviews.


What they don't track effectively is what happens after authentication succeeds and credentials are actively used.


When Sarah's OpenClaw agent retrieves her AWS credentials and executes infrastructure commands, existing Identity platforms see: ✓ Sarah accessed AWS (authorized).


What they don't see:


  • Access was initiated by an autonomous agent, not Sarah directly

  • Credentials were shared with community code of uncertain provenance

  • Usage patterns deviate from Sarah's normal behavior

  • Data movement occurred to external infrastructure


When Marcus's agent uses his legitimate CRM OAuth tokens to bulk-export customer data, audit logs show: ✓ Marcus accessed CRM (authorized).

What's missing:


  • Access came from an autonomous agent on a personal device

  • Data retrieval pattern is inconsistent with Marcus's typical usage

  • External network connections immediately followed data access

  • A third-party skill orchestrated the sequence


This is the "what happens after credentials are successfully retrieved" visibility challenge. With non-human identities now outnumbering human identities 144:1 (exceeding even industry forecasts), and agentic AI accelerating autonomous credential usage, organizations need identity behavior visibility, not just identity administration tracking.


Building Forward: Practical Steps Organizations Can Take


The good news: these challenges are solvable with the right approach and tools. Organizations don't need to choose between innovation and security. They need visibility into both.


Immediate Actions (30-60 days):


1. Understand Your Current Agentic AI FootprintYou can't govern what you can't see. Begin identifying:


  • Authentication patterns suggesting agent usage (rapid API calls, off-hours access)

  • New OAuth grants or token generation consistent with agent authorization

  • Traffic to known agentic AI platforms and MCP/A2A protocol endpoints

  • Presence of agent frameworks in your environment (OpenClaw, LangChain, AutoGPT artifacts)


2. Map Credential Exposure SurfaceIdentify which credentials and access tokens could be accessible to agents:

  • .env files and environment variables on developer systems

  • Personal access tokens for code repositories (GitHub, GitLab)

  • Cloud provider credentials (AWS, Azure, GCP) stored locally

  • OAuth tokens with broad scopes that agents could leverage


3. Establish Behavioral BaselineTraditional authentication logs won't surface credential misuse by agents. Implement behavioral analytics that track:


  • Credentials used from unexpected locations or contexts

  • Access patterns inconsistent with credential owner's normal behavior

  • Data retrieval followed by external network connections

  • Secrets accessed but not used for their intended purpose


Strategic Development (60-180 days):


4. Develop Agent Identity FrameworksStart building "Know Your Agent" (KYA) capabilities:


  • Registry of approved agents with explicit capabilities and access boundaries

  • Developer verification and code signing for agent deployments

  • Consent capture documenting which users authorized which agents

  • Governance controls to manage compromised or misbehaving agents


5. Implement Identity ObservabilityDeploy platforms providing continuous visibility into identity usage patterns:


  • Real-time monitoring of credential usage across human and non-human identities

  • Anomaly detection for unusual access patterns

  • Correlation between authentication success and subsequent actions

  • Audit trails that persist beyond agent lifecycle


6. Adopt Brokered Credential ModelsWhere feasible, eliminate direct credential sharing between users and agents:


  • Platforms that inject credentials backend without agent exposure

  • Just-in-time credential generation with short time-to-live

  • Agent-specific credentials that can be independently revoked

  • Detailed logging of every action agents perform


The Opportunity Ahead


OpenClaw will likely be superseded by other agentic platforms within months. The project's creator Peter Steinberger has been transparent that it's an experimental hobby project, not a hardened enterprise product. The rapid rebranding (Clawdbot → Moltbot → OpenClaw) and security evolution represent an experiment that went viral before maturation.


But the pattern OpenClaw represents (autonomous agents with broad system access and community extensibility) reflects the direction of agentic AI broadly. Microsoft's Copilot, Anthropic's Claude, OpenAI's GPT variants, and numerous enterprise platforms are all moving toward agents that take action on users' behalf.


The question for security teams isn't whether to allow this evolution. It's whether organizations will have the visibility and controls needed when it arrives.

IBM Research Scientist Kaoutar El Maghraoui captured the balance: "A highly capable agent without proper safety controls can end up creating major vulnerabilities, especially if it is used in a work context."


The 230+ malicious skills uploaded to ClawHub in a single week validate the supply chain challenges we've been tracking. The identity observability gaps that traditional IGA platforms struggle with are now visible through concrete examples rather than theoretical scenarios.


Organizations have an opportunity: build comprehensive visibility into identity usage patterns now, learning from OpenClaw's experience, rather than developing these capabilities reactively after incidents.


Working Together on This Challenge


At Authmind, we're watching the OpenClaw ecosystem evolution closely because it demonstrates exactly the identity observability challenges we've been helping organizations address. The gap between "credential was authorized" and "credential is being used appropriately by the expected entity" is where modern identity security needs to focus.


We don't claim to have all the answers. This space is evolving rapidly. But we do understand the challenge of providing visibility into what happens after authentication succeeds, especially as non-human identities and autonomous agents become the dominant identity type in enterprise environments.


The OpenClaw experiment reveals what happens when autonomous execution meets uncertified extensibility in real-world conditions. For security teams expanding their identity governance thinking beyond human-centric models, it's a valuable preview of the challenges (and opportunities) ahead.


We're learning alongside everyone else in this space. And we're here to help organizations build the visibility they need as agentic AI adoption accelerates.


 
 
 
bottom of page