Openclaw AI Skills Vulnerable to Malicious Exploits, Certik Researchers Warn

Limitations of the Clawhub Moderation Pipeline

A report by cybersecurity firm Certik has revealed significant security gaps in OpenClaw, an open-source artificial intelligence agent platform, warning that its reliance on “skill scanning” is insufficient to protect users from malicious third-party extensions.

The findings, published March 16, 2026, suggest the platform’s security model depends too heavily on detection and warnings rather than robust runtime isolation, leaving users vulnerable to host-level compromises.

According to the report, Openclaw’s marketplace, Clawhub, currently uses a layered moderation flow to review “skills”—third-party applications that give the AI agent capabilities such as system automation or cryptocurrency wallet operations. This pipeline includes Virustotal for scanning known malware and the Static Moderation Engine, a tool introduced March 8, 2026, to flag suspicious code patterns. It also includes what the report called an “incoherence detector” designed to spot mismatches between a skill’s stated purpose and its actual behavior.

However, Certik researchers said static rules searching for “red flags” were circumvented using simple code rewriting. They also asserted that the AI review layer proved effective at spotting obvious intent but struggled to identify exploitable vulnerabilities hidden within otherwise plausible-looking code.

The ‘Pending’ Gap

One of the most critical flaws identified by Certik is the treatment of pending scan results. Researchers found that a skill could remain active and installable on the marketplace even while Virustotal results were still pending—a process that can take hours or days. In practice, these pending skills were treated as benign, allowing them to be installed without a warning to the user.

To prove the vulnerability, Certik researchers created a proof-of-concept (PoC) skill called “test-web-searcher.” The skill appeared functional and benign but contained a hidden “vulnerability-shaped” bug that allowed for arbitrary command execution on the host machine. When invoked via Telegram, the skill successfully bypassed Openclaw’s optional sandboxing and “popped a calculator” on the researcher’s machine—a classic demonstration of full system compromise.

The report concludes that detection can never be a substitute for a true security boundary. Certik is urging Openclaw developers to run third-party skills in isolated environments by default, rather than relying on optional user configuration. Developers should also implement a model where skills must declare specific resource needs up front, similar to modern mobile operating systems.

For users, Certik offered a stark warning: A “benign” label on Clawhub is not proof of security. Until stronger isolation is the default, the platform should only be used in low-value environments away from sensitive credentials or assets.

FAQ ❓

• What security issue did Certik find in Openclaw? Certik reported that Openclaw’s reliance on “skill scanning” fails to adequately protect users from malicious third-party extensions.
• How does Openclaw’s moderation flow function? Openclaw uses a layered moderation flow, including tools like Virustotal and an incoherence detector to review third-party “skills.”
• What is the critical flaw regarding pending scan results? Skills can remain active and installable while scan results are pending, posing a risk as users may unknowingly install malicious extensions.
• What should users do to protect their data on Openclaw? Users are advised to only use Openclaw in low-value environments until stronger isolation measures are implemented by developers.