OPEN LINK ↗
// 66d agoSECURITY INCIDENT
OpenClaw Security Flaws Spur VirusTotal Scans
Composio's Feb. 16 critique says OpenClaw's self-hosted agent model is powerful but dangerously broad: skills can run code, touch mail, chat, browsers, and files, and the ecosystem has already accumulated 21,000-30,000 exposed instances. OpenClaw's Feb. 7 VirusTotal partnership adds malware scanning for ClawHub skills, but the piece argues that's only a partial fix for prompt injection, token theft, and risky defaults.
// ANALYSIS
VirusTotal scanning is a good PR-visible control, but it's still a post-hoc filter on a product whose whole pitch is "let an agent act like you." Once you grant that level of access, the security problem becomes architecture, not moderation.
- –Snyk's scan of 3,984 ClawHub skills found 283 critical flaws, and 1Password documented how a top skill could route users into malicious infrastructure.
- –VirusTotal can catch known payloads in published skills, but it won't stop prompt injection, spoofed installs, or a gateway that was exposed by mistake.
- –OpenClaw's blast radius is enormous: Gmail, Slack, browser control, shell access, and persisted OAuth tokens mean one compromise can cascade across an entire workspace.
- –The 21,000-30,000 exposed-instance numbers are the real warning sign. This is already behaving like internet-facing infrastructure, so least privilege and sandboxing are non-negotiable.
- –OpenClaw's threat model, security roadmap, and daily rescans are the right direction, but they read like catch-up on a risk class the product created by design.
// TAGS
openclawagentcomputer-useautomationopen-sourceself-hostedsafety
DISCOVERED
66d ago
2026-03-22
PUBLISHED
66d ago
2026-03-22
RELEVANCE
8/ 10
AUTHOR
fs_software