Navigation: Main Guide | Security Audit Reference | CVEs/GHSAs | Issue #1796 | Medium Article | ZeroLeeks | Post-merge Hardening | Open Issues | Open PRs | Ecosystem Threats | SecurityScorecard | Cisco AI Defense | Model Poisoning | Hudson Rock | Cline Supply Chain | ClawJacked | Model Comparison

Ecosystem Security Threats

These are not codebase vulnerabilities. The threats below target OpenClaw users through supply chain attacks, social engineering, and infrastructure misconfiguration. They apply to any popular self-hosted AI framework, not just OpenClaw.

This section was prompted by a community security advisory from @edgeaiplanet on Threads.


Official packages and accounts

Before installing or following any link, verify you are using official sources:

| Platform | Official Source | Impostor Red Flags |
| --- | --- | --- |
| npm | openclaw | Typos (opennclaw, open-claw), extra characters, different org |
| GitHub | openclaw/openclaw | Forked repos, similar usernames (openclaw-bot, openclawai) |
| X/Twitter | Verify on docs.openclaw.ai | Old handles, recently created accounts |
| Docs | docs.openclaw.ai | Lookalike domains (docs-openclaw.ai, openclaw-docs.com) |

1. npm Typosquatting Honeypots

What it is: Attackers publish malicious packages with names similar to legitimate ones, hoping developers will mistype or copy the wrong name.

How it works:

  • Package named opennclaw or openclaw-bot contains malicious postinstall script
  • Script runs automatically during npm install
  • Exfiltrates .env files, API keys, SSH keys, or cryptocurrency wallets

Real-world examples:

  • 3,180+ malicious npm packages detected in 2025 alone (The Hacker News)
  • "lotusbail" package (56,000 downloads) stole WhatsApp credentials (CSO Online)

Mitigations:

  • Always verify the exact package name: npm view openclaw
  • Check package metadata: author, repository link, download count, publish history
  • Use npm install --ignore-scripts when evaluating unfamiliar packages
  • Review package.json scripts before running npm install on cloned repos

2. The Rebrand Trap (Handle Sniping)

What it is: When projects rename (Clawdbot to Moltbot to OpenClaw), attackers register the abandoned usernames to impersonate official accounts.

How it works:

  • Attacker monitors popular projects for rebrand announcements
  • Registers old handles within seconds of abandonment
  • Posts "official" announcements with phishing links or malicious downloads

Real-world examples:

  • Scammers sniped the old Clawdbot handle within seconds of the rebrand (DEV.to)
  • GitHub discussion on username squatting after renames (GitHub Community)

Mitigations:

  • Only use links from docs.openclaw.ai or the official GitHub repo
  • Be suspicious of announcements on old handles
  • Check account creation dates and posting history
  • Verify announcements through multiple official channels

3. Session Token Stealing

What it is: Malware or malicious plugins steal the session files that messaging apps keep on disk. Because a session is already authenticated, a stolen copy lets an attacker impersonate you on the platform without your password or 2FA code.

How it works:

  • Infostealers search for Telegram tdata/ directories and WhatsApp session files
  • Malicious "plugins" request permissions to access session storage
  • Stolen sessions let attackers read messages and pair new devices without your credentials

Real-world examples:

  • Hudson Rock (Feb 2026): First confirmed case of an infostealer (Vidar variant) exfiltrating OpenClaw config files (openclaw.json, device.json, soul.md) from an infected machine. The malware's broad file-grabbing routine — not a custom OpenClaw module — swept up these files alongside browser passwords and crypto wallets. See Hudson Rock analysis for full claim verification. (The Hacker News)
  • PupkinStealer and Raven Stealer target Telegram session files (Kaspersky)
  • Malicious npm package stole WhatsApp messages via session hijacking (The Register)

Mitigations:

  • Only install plugins from official OpenClaw sources
  • Regularly check linked devices in WhatsApp (Settings > Linked Devices) and Telegram (Settings > Devices)
  • Use openclaw security audit --deep to check for suspicious access
  • Keep session directories (~/.openclaw/sessions/) with restrictive permissions
  • Enable Telegram's 2FA password (separate from SMS code)

4. The Shodan Trap (Exposed VPS Instances)

What it is: A Gateway deployed on a VPS with a public bind address and no authentication is picked up by internet-wide scanners such as Shodan within hours, exposing stored credentials and, through the dashboard, command execution.

How it works:

  • User deploys Gateway with gateway.bind: "lan" or 0.0.0.0 and forgets to configure auth
  • Shodan indexes the open port within hours
  • Attackers find exposed instances, access the dashboard, and extract API keys or execute commands

Real-world examples:

  • Researchers used Shodan to find exposed OpenClaw instances that leaked credentials and allowed command execution
  • Shodan regularly indexes thousands of misconfigured development servers (Shodan Help)
  • SecurityScorecard STRIKE team (Feb 2026) identified 28,663 unique IPs with exposed control panels across 76 countries via favicon-hash fingerprinting (report). Of these, 78% were still running pre-rename versions (Clawdbot/Moltbot). While the specific statistics are unverifiable from code (OpenClaw has zero telemetry), the report demonstrates that misconfiguration-at-scale is a real phenomenon, not just a theoretical risk. Note: the report's claim that OpenClaw "binds to 0.0.0.0 out of the box" applies to Docker-compose deployments; the native CLI defaults to loopback (run.ts:181), and the Gateway refuses to start on non-loopback without auth (run.ts:250-261). Older versions that predate these hardening measures may have been more permissive.

For the full analysis, see: SecurityScorecard STRIKE Report Analysis

Mitigations:

  • Always keep Gateway loopback-only: gateway.bind: "loopback"
  • Use SSH tunnels or Tailscale Serve for remote access (see Remote Access docs)
  • If you must bind to LAN, enable authentication: gateway.auth.enabled: true
  • Use DigitalOcean 1-Click Deploy, which pre-configures security hardening
  • Run openclaw security audit --fix after any configuration change
  • Check your public IP on Shodan: https://www.shodan.io/host/YOUR_IP

5. Fake SaaS / API Key Vacuums

What it is: Third-party services offer to "host your bot" or provide "enhanced features" while harvesting your API keys and credentials.

How it works:

  • Service claims to simplify deployment: "Just paste your Anthropic/OpenAI API key"
  • Keys are stored and used for the operator's purposes (crypto mining, resale, abuse)
  • Browser extensions impersonate official tools to capture credentials

Real-world examples:

  • 459+ API keys exfiltrated via fake browser extensions (Obsidian Security)
  • 250+ exposed AI API keys found on GitHub via automated scanning (DEV.to)

Mitigations:

  • Never share API keys with third-party hosting services
  • OpenClaw is self-hosted by design; there is no official managed service
  • Use environment variables or credential files with 0600 permissions, not hardcoded keys
  • Rotate API keys if you suspect exposure
  • Monitor provider dashboards for unusual usage patterns

6. ClawHub Malicious Skills (ClawHavoc Campaign)

What it is: ClawHub is a third-party skills marketplace for OpenClaw. In February 2026, security researchers discovered 341 malicious skills (12% of audited packages) designed to steal credentials and install malware.

How it works:

  • Attackers publish skills with professional-looking documentation
  • "Prerequisites" section instructs users to run terminal commands or download files
  • Commands fetch Atomic Stealer (macOS) or keyloggers (Windows) from attacker infrastructure
  • Malware harvests crypto wallets, browser passwords, SSH keys, and API credentials

Campaign details:

  • Scale: 341 malicious skills out of 2,857 audited (Koi Security)
  • Primary payload: Atomic Stealer (AMOS) for macOS
  • Disguises: Crypto tools (Solana trackers, Polymarket bots), YouTube utilities, ClawHub typosquats
  • Attack method: Social engineering via fake "prerequisites", not code exploits

Security improvements (Feb 2026):

  • VirusTotal partnership: ClawHub now scans all published skills through a 6-step pipeline (deterministic packaging, SHA-256 hashing, VirusTotal analysis with 70+ AV engines, Gemini LLM code review, auto-approval/blocking). Previously approved skills are rescanned daily.
  • OpenClaw local scanner: Built-in pattern-based static analysis runs at install time, detecting dangerous code patterns (shell exec, eval, crypto mining, credential harvesting). See src/security/skill-scanner.ts.
  • Limitations: Neither layer can detect social engineering (the ClawHavoc attack vector), prompt injection, or zero-day threats. A clean scan is not a guarantee of safety.

Real-world sources:

Mitigations:

  • Never run prerequisite commands without reading the code first
  • Check VirusTotal scan status on the ClawHub skill page before installing
  • Review local scanner warnings shown during skill installation
  • Avoid skills less than 30 days old or from unknown publishers
  • Use Koi Security Scanner to check skills before installing
  • Inspect skill code in ~/.openclaw/skills/ before enabling
  • Be extremely suspicious of crypto-related skills
  • Run OpenClaw in a VM/container for skill testing

New evasion technique — lookalike website bypass (Feb 2026):

The OpenSourceMalware team discovered a new bypass technique: attackers publish clean-looking skills on ClawHub where the actual malware payload is hosted on lookalike OpenClaw websites (e.g., openclaw-tools.ai). The skill itself passes VirusTotal scanning because it contains no malicious code — only a URL pointing to the external payload. This technique renders both the VirusTotal pipeline and the local scanner ineffective, since neither inspects external URLs referenced by skill documentation. Be suspicious of any skill that requires downloading external resources, and verify all URLs against official domains (openclaw.ai, docs.openclaw.ai). See Hudson Rock analysis for details.

For detailed analysis, see: ClawHub Marketplace Risks

7. Model Poisoning (Sleeper Agent Backdoors)

What it is: Attackers embed hidden behaviors into AI model weights during training. The model works perfectly under normal conditions but activates malicious behavior when it encounters a specific trigger phrase. Unlike software backdoors, these cannot be found by code review — they exist only in the model's learned parameters.

How it works:

  • Attacker poisons training data with trigger phrase + malicious response pairs
  • Model learns both normal behavior and hidden backdoor behavior
  • Trigger phrases activate even with partial matches or misspellings
  • Standard safety training and adversarial training fail to remove the backdoor

OpenClaw attack surface:

  • Local models (LM Studio, Ollama, Docker Model Runner) are the primary risk — users download weights from external sources with no mandatory backdoor scanning
  • API models (Claude, GPT, Gemini) are low risk — would require the provider's training pipeline to be compromised
  • Auto-downloaded embedding model is low-medium risk — produces vectors only, cannot execute tools
  • OpenClaw's tool framework (shell commands, file access, web requests) amplifies what a backdoored model could do, but default tool allowlists + human approval limit the blast radius
  • OpenClaw has no model integrity verification — no checksums, signatures, or hash checks

Based on: Microsoft AI Red Team research (arXiv:2602.03085v1, Feb 4, 2026) — scanner detected backdoors in 87.8% of 47 poisoned models with zero false positives.

Mitigations:

  • Use API models from major providers (strongest protection)
  • Download local models only from verified sources (HuggingFace verified accounts, Ollama official library)
  • Verify SHA256 checksums against publisher's official hashes
  • Keep tool security on "allowlist" mode — limits blast radius even if model is compromised
  • Switch to API-based embeddings (provider: "openai", "gemini", or "voyage")
  • Consider running the Microsoft scanner against local model weights before deploying

For the full analysis, see: Model Poisoning and Sleeper Agent Backdoors

8. AI Agent Config File Theft (Infostealers)

What it is: Commodity infostealer malware (Vidar, Atomic Stealer, etc.) now sweeps up OpenClaw configuration files as part of broad file-grabbing routines. In February 2026, Hudson Rock documented the first confirmed case of an infostealer exfiltrating openclaw.json, device.json, and soul.md.

How it works:

  • Infostealers are distributed via phishing, malvertising, or malicious downloads
  • Broad file-grabbing routines match common config file patterns and directory names
  • OpenClaw files under ~/.openclaw/ are captured alongside browser passwords, crypto wallets, and SSH keys
  • Stolen gateway tokens enable remote access; stolen API keys enable billing fraud

Real-world examples:

  • Hudson Rock / Vidar (Feb 2026): First documented case — Vidar variant's broad file-grabbing routine captured OpenClaw config files (The Hacker News)
  • ClawHavoc / Atomic Stealer (Feb 2026): Targeted campaign via fake ClawHub skill prerequisites installed Atomic Stealer on macOS (Koi Security)

Mitigations:

  • Install endpoint protection software (AV/EDR)
  • Enable disk encryption (FileVault/LUKS)
  • Run OpenClaw as a dedicated user account
  • Keep gateway loopback-only — limits blast radius even if tokens are stolen
  • Rotate gateway tokens periodically (no built-in rotation mechanism exists)
  • Run openclaw security audit --fix to ensure file permissions are correct

For the full analysis, see: Hudson Rock Infostealer Analysis

9. Cline CLI Supply Chain Attack ("Clinejection")

What it is: On Feb 17, 2026, a prompt injection attack against Cline's Claude-powered GitHub issue triage bot led to GitHub Actions cache poisoning, npm publish token theft, and the publication of a malicious cline@2.3.0 package with a postinstall hook that ran npm install -g openclaw@latest on ~4,000 developer machines.

How it works:

  1. Attacker opens a GitHub issue with a prompt injection payload in the title
  2. Claude-powered triage bot executes arbitrary commands (excessive permissions)
  3. Bot poisons GitHub Actions cache entries (>10 GB junk → LRU eviction)
  4. Poisoned cache triggers in nightly publish workflow → steals NPM_RELEASE_TOKEN
  5. Attacker uses stolen long-lived token to publish cline@2.3.0 via clinebotorg account
  6. Malicious postinstall hook runs npm install -g openclaw@latest on victim machines

Impact on OpenClaw: LOW — OpenClaw was the benign payload installed by the hook, not the attack vector. The Gateway daemon was never started, no credentials were exfiltrated, and no credential rotation is needed. The advisory GHSA-9ppg-jx86-fqw7 is filed under Cline's repository, not OpenClaw's.

Real-world sources:

Mitigations:

  • Check npm package provenance attestations before installing CLI tool updates
  • Inspect postinstall hooks in package.json of developer tools
  • Disable legacy npm publish tokens when trusted publishing (OIDC) is enabled
  • Use npm install --ignore-scripts when evaluating unfamiliar packages

For the full analysis, see: Cline CLI Supply Chain Attack

Quick Protection Checklist

  • Verify exact package name before npm install openclaw
  • Only use official GitHub repo links from docs.openclaw.ai
  • Never share API keys with third-party "hosting" services
  • Keep Gateway loopback-only or behind authentication
  • Regularly check linked devices in WhatsApp/Telegram
  • Run openclaw security audit --deep regularly
  • Use encrypted disk (FileVault/LUKS) for credential protection
  • Review installed plugins and their permissions
  • Never run "prerequisite" terminal commands from skill docs without reviewing code
  • Check VirusTotal scan status on ClawHub skill pages before installing
  • Use Koi Security Scanner before installing ClawHub skills
  • Verify npm package names exist on npmjs.com before installing (AI hallucination risk)
  • Never allowlist npm or npx in shell tool allowlist
  • Check for hidden .mmd files in skill directories before enabling
  • Disable skills.autoDiscover to prevent automatic skill installation from skills.sh
  • If using local models: download only from verified sources, verify checksums
  • Use API-based embeddings or verify local embedding model integrity
  • Verify npm package provenance attestations before installing CLI tool updates
  • Check for unexpected postinstall hooks in package.json of developer tools

Threat Summary

| Threat | Attack Vector | Primary Risk | Detection |
| --- | --- | --- | --- |
| Typosquatting | Supply chain | Credential theft, malware | Verify package metadata |
| Handle sniping | Social engineering | Phishing, malware distribution | Check account history |
| Session stealing | Malware, malicious plugins | Account takeover | Check linked devices |
| Shodan exposure | Misconfiguration | Full compromise | Check Shodan, audit config; see SecurityScorecard STRIKE report (Feb 2026) |
| Fake SaaS | Social engineering | API key theft | Never share keys externally |
| ClawHub malicious skills | Supply chain, social engineering | Credential theft, malware | Check VirusTotal scan status, review local scanner warnings, scan with Koi |
| NPX/npm hallucination | AI-recommended fake packages | Code execution, credential theft | Verify package exists on npmjs.com before install |
| Hidden .mmd payloads | UI-invisible skill files | Prompt injection, data exfiltration | ls -laR skill directory, check for non-.md/.ts files |
| Skills.sh auto-install | Unvetted skill distribution | Full Gateway compromise | Disable skills.autoDiscover, use ClawHub only |
| Model poisoning (sleeper agents) | Compromised model weights | Tool-amplified data exfiltration, insecure code | Verify model checksums, use API providers, allowlist tools |
| AI agent config theft (infostealers) | Commodity malware (Vidar, Atomic Stealer) | Gateway RCE, API key theft, device impersonation | Endpoint protection, disk encryption, loopback-only binding; see Hudson Rock analysis |
| Cline CLI supply chain ("Clinejection") | Prompt injection → cache poisoning → npm token theft | Unwanted global OpenClaw install | Check npm provenance attestation, verify publisher account; see full analysis |

For detailed hardening guidance, see: