A fast-moving wave of attacks targeting the OpenClaw ecosystem is exposing how quickly AI tooling can become a high-value target for cybercriminals. In recent weeks, security researchers and incident reports have described multiple attack paths tied to OpenClaw, including malicious marketplace “skills” that impersonate legitimate tools and browser-based hijacking techniques that can lead to stolen passwords, wallet keys, cookies, and other sensitive data. The incidents are drawing attention from developers, crypto users, and security teams that rely on local AI agents.
What happened in the OpenClaw attacks
The most visible campaign centers on ClawHub, a third-party marketplace for OpenClaw skills. According to reporting on research by Koi Security, an audit of 2,857 ClawHub skills identified 341 malicious skills across multiple campaigns. Of those, 335 were described as using fake setup requirements to push malware, including Atomic Stealer, also known as AMOS, onto macOS systems. The skills were presented as legitimate utilities, including crypto trading tools, finance helpers, and content-related services, but were designed to trick users into running malicious commands or installing infostealers.
The data targeted in these campaigns is especially sensitive. Researchers said the malicious skills sought exchange API keys, wallet private keys, SSH credentials, and browser passwords. BleepingComputer also reported that the packages impersonated useful tools while delivering malware capable of stealing passwords and crypto wallet data, reinforcing concerns that the OpenClaw impersonation attack steals passwords and crypto wallet data through social engineering rather than a single software flaw alone.
A separate but related issue involves a browser-based attack dubbed “ClawJacked.” Security researchers at Oasis Security said malicious websites could connect to a local OpenClaw gateway over WebSocket, brute-force weak passwords because of missing localhost rate limiting, and then register as trusted devices. Once successful, attackers could dump configuration data, enumerate connected nodes, read logs, and gain broad control over the AI agent. OpenClaw released version 2026.2.25 on February 26, 2026, to address the issue.
Why the Openclaw Impersonation Attack Steals Passwords and Crypto Wallet Data
The attacks stand out because they combine familiar cybercrime methods with a newer AI software supply chain. In the ClawHub cases, the malicious packages did not need to exploit a deep technical vulnerability in every instance. Instead, they relied on impersonation, fake prerequisites, and convincing installation instructions that pushed users to execute harmful commands. That makes the campaign closer to a software supply chain and social engineering attack than a classic exploit-only breach.
According to The Hacker News, all of the malicious skills in one major cluster shared the same command-and-control infrastructure, suggesting coordinated activity rather than isolated abuse. The report said the skills used social engineering to persuade users to run commands that then stole crypto assets and credentials. That matters because OpenClaw users often connect the software to high-value services such as wallets, exchanges, browsers, and developer tools, creating a concentrated target for attackers.
The ClawJacked findings add another layer of risk. Oasis Security’s reported attack path did not depend on a marketplace download at all. Instead, it exploited trust assumptions around localhost connections and browser behavior. In practical terms, that means a user could be exposed simply by visiting a malicious website while OpenClaw was running locally with a weak password.
Who is affected
The immediate risk falls on several groups:
- Developers and power users who run OpenClaw locally and connect it to browsers, APIs, or automation workflows.
- Crypto users who install wallet-related or trading-related skills and may store exchange credentials or private keys on the same machine.
- macOS users, who were specifically targeted in the AMOS delivery chain described in the ClawHub campaign.
- Organizations testing agentic AI tools, especially where local agents have access to logs, tokens, browser sessions, or internal systems.
The broader concern is not limited to one app. Researchers cited in coverage of the attacks argue that AI agents create a powerful mix of access to private data, exposure to untrusted content, and outbound communication ability. That combination can magnify the damage when a malicious extension, plugin, or local service is compromised.
Vendor and ecosystem response
OpenClaw’s creator has already taken some visible steps. The Hacker News reported that OpenClaw added a reporting feature that allows signed-in users to flag suspicious skills, with limits on active reports per user. That is a moderation step, but it does not by itself solve the underlying challenge of open marketplaces where anyone can upload packages with minimal friction.
On the vulnerability side, OpenClaw moved quickly on the ClawJacked issue. According to The Hacker News, a fix was pushed in less than 24 hours, and users were told to update to version 2026.2.25 or later. Additional vulnerability disclosures published in early March 2026 also point to a wider hardening effort around authentication, plugin exposure, and sensitive data handling in the OpenClaw ecosystem. These include issues involving unauthenticated WebSocket access, plugin endpoint exposure, and token leakage in logs.
That pattern suggests the platform is now under heavier scrutiny from both researchers and attackers. Increased scrutiny can improve security over time, but it also means users should assume the ecosystem is still maturing and may continue to surface new weaknesses. This is an inference based on the concentration of recent disclosures and reports.
What users and companies should do now
Security guidance emerging from the reports is relatively consistent. Users should update OpenClaw immediately, avoid installing untrusted skills, and treat marketplace packages as potentially risky unless they come from well-vetted publishers. They should also avoid storing wallet private keys, exchange credentials, or sensitive tokens on systems where experimental AI agents run.
Practical steps include:
- Update to the latest OpenClaw release to address known flaws such as ClawJacked.
- Use strong, unique passwords for local gateways and admin interfaces.
- Audit installed skills and plugins and remove anything unnecessary or unverified.
- Separate crypto operations from AI experimentation by using dedicated devices or profiles. This is a security best-practice inference supported by the types of data targeted in the attacks.
- Rotate exposed credentials if there is any sign that browser passwords, API keys, cookies, or wallet material may have been accessed.
For enterprises, the lesson is broader: agentic AI tools should be governed like privileged software, not casual productivity apps. If a local agent can read logs, access browsers, or connect to external services, it should be subject to the same controls used for developer tooling and endpoint security.
Why this story matters
The Openclaw impersonation attack steals passwords and crypto wallet data in a way that reflects a larger shift in cyber risk. Attackers are moving toward ecosystems where users grant software broad access to data, automation, and external services. AI agents fit that model well, which makes them attractive targets for both malware distribution and account compromise.
There are two competing interpretations of what comes next. One view is that these incidents are early growing pains for a fast-expanding category, and that stronger marketplace controls, better defaults, and faster patching will reduce the threat. Another view is that open agent ecosystems will remain structurally difficult to secure because they combine plugins, local services, browser access, and sensitive credentials in one place. Current evidence supports both concerns, and the next few months of disclosures and platform changes will likely determine which view proves more accurate.
Conclusion
The recent OpenClaw incidents show how impersonation, weak marketplace controls, and local gateway flaws can converge into a serious security problem. Researchers have linked malicious skills to the theft of browser passwords, SSH credentials, exchange API keys, and wallet private keys, while a separate browser-based attack demonstrated how local AI agents can be hijacked through weak protections. OpenClaw has issued fixes and added reporting tools, but the episode is a warning to users and companies alike: AI agents now sit close enough to sensitive data that they must be secured like critical infrastructure.
Frequently Asked Questions
What is the OpenClaw impersonation attack?
It refers to malicious activity in which attackers disguise harmful OpenClaw skills or abuse trust in the OpenClaw ecosystem to steal credentials, wallet data, and other sensitive information.
What data can be stolen?
Reports say attackers targeted browser passwords, exchange API keys, wallet private keys, SSH credentials, cookies, and other local secrets.
Was this a software bug or a social engineering attack?
It was both, depending on the incident. The ClawHub campaign relied heavily on impersonation and deceptive setup steps, while ClawJacked involved a technical weakness in local gateway protections.
Has OpenClaw fixed the problem?
OpenClaw released version 2026.2.25 on February 26, 2026, to address ClawJacked, and it added a reporting feature for suspicious skills. However, users still need to update and review what they install.
Who faces the highest risk?
Users who run OpenClaw locally, install third-party skills, connect browser sessions or APIs, or store crypto credentials on the same machine face the highest risk.
What should affected users do first?
Update OpenClaw, remove untrusted skills, rotate passwords and API keys, review wallet exposure, and monitor accounts for suspicious activity.
