Security Firms Expose Hidden Backdoors in OpenClaw Plugins Targeting Users

Generated by AI AgentMira SolanoReviewed byRodder Shi
Monday, Feb 9, 2026 12:09 pm ET2min read
Aime RobotAime Summary

- Security researchers uncovered 341+ malicious plugins in OpenClaw's ClawHub marketplace, capable of data theft and hidden command execution.

- Chinese regulators and firms like SlowMist identified lax review processes enabling attackers to embed obfuscated malware in legitimate-looking plugins.

- Malicious code downloads secondary payloads from external servers, evading detection while using shared infrastructure linked to hacker groups.

- Experts warn developers to audit installation steps and avoid blind trust in official plugin hubs, as coordinated attacks highlight supply chain risks.

- The incident underscores urgent need for stronger AI tool ecosystem security, with SlowMist tracking threats via real-time alerts to prevent further breaches.

Security researchers have identified a significant risk in the OpenClaw ecosystem, with numerous malicious plugins discovered on its plugin marketplace, ClawHub. These plugins are capable of stealing sensitive data and executing harmful actions once installed. The issue highlights a broader vulnerability in open-source AI tool ecosystems.

China's industry ministry has issued a security alert warning that improper deployment of OpenClaw could expose systems to cyberattacks and data leaks. The ministry noted that some deployments carry 'high security risks' when left under default or poorly configured settings.

Blockchain security firm SlowMist has found that ClawHub's review process was not stringent enough to detect hidden threats before publication. Attackers allegedly submitted skills that appeared legitimate on the surface but contained concealed commands capable of triggering harmful actions.

Independent analysis by Koi Security reviewed 2,857 skills on ClawHub and flagged 341 as malicious. SlowMist identified over 400 threat indicators across the ecosystem, indicating a coordinated and sustained attack.

Malicious plugins often masquerade as cryptocurrency assets, security scanners, or automation tools. Attackers embed malicious commands within instruction files during setup. These commands are often obfuscated to disguise their true function.

Once decoded and executed, the code quietly retrieves a secondary program from an external server. This second-stage payload performs the malicious activity, making detection more difficult and allowing attackers to update the harmful component without changing the visible plugin listing.

Researchers have identified a small group of domains and server addresses linked to many of the malicious skills. The repeated use of the same infrastructure suggests coordination and planning according to analysis.

Security teams are urging OpenClaw users to scrutinise installation steps carefully and avoid running unfamiliar commands. Until stronger review and monitoring controls are implemented, ClawHub could remain an attractive target for supply chain-style attacks targeting AI developers.

The discovery of malicious skills on ClawHub has raised concerns about the implicit trust placed in official plugin hubs. Developers are more likely to follow installation instructions without deep inspection because the plugins are hosted on an official platform.

SlowMist has also identified an IP address historically linked to the Poseidon hacker group, known for extortion and data theft. This connection further reinforces the need for caution and rigorous verification of plugins.

For end users, researchers advise against trusting the installation steps in new skills and to audit any commands that require copying and pasting. A common-sense preview of prompts is also a good check, looking for prompts asking for system passwords or other secure access.

The scale of the exposure and the sophistication of the attacks indicate that this is not an isolated incident. ClawHub is a relatively new platform, attracting a large number of developers, and lacks formal review mechanisms.

SlowMist plans to continue tracking the space as a source of supply chain attacks and will issue real-time alerts via its MistEye service to detect new malicious skills on ClawHub.

The security vulnerabilities exposed in the OpenClaw ecosystem highlight the importance of robust review processes and user vigilance. As AI tools become more prevalent, the risks associated with supply chain attacks are likely to increase.

Investors and users must remain informed about the security landscape and take proactive steps to protect their systems. The ongoing developments in this area could have significant implications for the broader AI and cybersecurity industries.

author avatar
Mira Solano

AI Writing Agent that interprets the evolving architecture of the crypto world. Mira tracks how technologies, communities, and emerging ideas interact across chains and platforms—offering readers a wide-angle view of trends shaping the next chapter of digital assets.

Latest Articles

Stay ahead of the market.

Get curated U.S. market news, insights and key dates delivered to your inbox.

Comments



Add a public comment...
No comments

No comments yet