Malware Found in OpenClaw Community Skills — Crypto Theft Alert
Malware Found in OpenClaw Community Skills — Crypto Theft Alert
A major scandal hit Reddit: malicious scripts stealing cryptocurrency were discovered in the Clawdbot/OpenClaw community skills repository. The post on r/webdev got 2,784 upvotes.
What Happened
- Malicious skills found in official community skills repo
- Scripts designed to steal cryptocurrency
- Project creator knew about the problem but "didn't know what to do"
Detailed Analysis
https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto
Community Reaction
r/webdev (2,784 upvotes):
- Criticism of "vibe coding" approach
- Discussion of maintainer responsibility
- Questions about AI agent security
r/theprimeagen (970 upvotes):
- "Senior Vibe Coder dealing with security"
r/ProgrammerHumor (1,360 upvotes):
- "seniorVibeCoderDealingWithVulnerabilityAsAService"
The Core Problem
AI agents have access to:
- File system
- Network
- API keys
- Potentially crypto wallets
Malicious skill can:
- Read private keys
- Send data to external servers
- Execute arbitrary code
Lessons for Users
- Audit every skill before installation
- Environment isolation — never on main machine
- No crypto keys on machine with agent
- Network monitoring
- Code review community contributions
Developer Response
After the scandal:
- Enhanced repo moderation
- Code review requirements
- Documentation warnings
Security is everyone's responsibility.
📖 Read the full source: Reddit
👀 See Also
Anthropic's Computer-Use Feature Triggers Governance Lockdown in Real Test
Anthropic shipped computer-use capabilities, and during implementation of governance controls, a risk threshold triggered a LOCKDOWN posture that blocked all mutating operations including the operator's own governance work.
Cybercriminals Are Pushing Back Against AI-Generated Slop on Underground Forums
New research shows low-level hackers and scammers are complaining about AI-generated posts on cybercrime forums, viewing them as low-quality noise that undermines community trust and social interaction.
Nullgaze: Open Source AI-Supported Security Scanner Released
Nullgaze is a new open source AI-supported security scanner that detects vulnerabilities specific to AI-generated code, boasting near-zero false positives.
Linux Kernel Proposes Decentralized Identity System to Replace PGP Web of Trust
Linux kernel maintainers are working on a decentralized identity layer called Linux ID to replace the current PGP web of trust. The system uses W3C-style decentralized identifiers (DIDs) and verifiable credentials to authenticate developers without requiring face-to-face key-signing sessions.