An Examination of the OpenClaw Ecosystem: A New Threat Landscape
In the evolving realm of cybersecurity, the recent revelations surrounding OpenClaw’s agent “skill” ecosystem reveal alarming vulnerabilities that have transformed the platform from a benign automation tool into a potential vector for malware distribution. This transformation has been epitomized in a new malicious integration known as “DeepSeek-Claw,” which cleverly conceals both the Remcos Remote Access Trojan (RAT) and a cross-platform stealer called GhostLoader. This integration leverages manipulated installation instructions, showcasing a shift away from traditional exploit chains toward more sophisticated methods of hijacking agentic AI workflows.
From Automation to Exploitation
OpenClaw, previously identified as Clawdbot and Moltbot, serves as an open-source framework enabling autonomous AI agents to execute shell commands, manipulate local files, and automate complex workflows while maintaining high privilege access. Its modular skill architecture permits third-party extensions, effectively creating an unguarded software supply chain on the host system. This architecture, however, has garnered attention as multiple vendors have reported a distinct change: malicious skills were transforming OpenClaw into a delivery mechanism for infostealers and RATs disguised as productivity enhancements.
The “DeepSeek-Claw” skill stands as a representative example of this disturbing trend, explicitly aimed at the increasing reliance on AI agents within developer workflows. This integration seeks to exploit trust and familiarity, allowing malicious actors to embed multiple execution pathways in its SKILL.md installation file, drawing developers unwittingly into the trap.
Security Implications of Agentic AI
Zscaler ThreatLabz observed this troubling campaign in March 2026, where a threat actor introduced a deceptive “DeepSeek-Claw” skill. This purported integration of OpenClaw with DeepSeek included carefully crafted execution paths, which are particularly insidious due to the way OpenClaw agents typically parse skill documentation and execute suggested commands autonomously.
Different attack paths emerge based on the operating system and installation method employed. For instance, on Windows systems, a PowerShell command facilitates the silent execution of msiexec, leading to the installation of the Remcos RAT. Conversely, alternative manual installation routes lead to the deployment of the Node.js-based GhostLoader stealer.
This dual-pathway design allows the same malicious skill to ensnare both automated AI workflows and human-driven setups, avoiding exploitation of OpenClaw’s core binaries.
The Mechanisms Behind the Malicious Activities
Within the Windows environment, the SKILL.md file features a PowerShell one-liner that covertly activates msiexec for downloading and installing a remote MSI package. This MSI carries a legitimate GoToMeeting executable alongside a malicious g2m.dll file, which employs DLL search order hijacking to introduce the attacker’s code through a trusted binary, effectively undermining the protections that would typically guard against such threats.
The rogue DLL operates as an in-memory shellcode loader, capable of dynamically resolving APIs, utilizing XOR for decryption, and employing the Tiny Encryption Algorithm (TEA) in CBC mode to unpack the embedded Remcos RAT payload. Before its execution, it strategically patches Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) to evade detection, executing thorough anti-debugging checks and sandbox evasion techniques.
Once activated, the Remcos RAT establishes an encrypted TCP/TLS control channel, logs keystrokes, pilfers browser cookies, and offers a reverse shell to the attacker, with configuration details stored in a securely encrypted resource.
In scenarios where users or AI agents adhere to the alternative manual installation procedures, the same skill can instigate a GhostLoader attack chain instead. This malware variant operates via elaborately obfuscated Node.js scripts and employs social engineering techniques on macOS and Linux systems to deceive users into divulging sensitive credentials, ultimately facilitating the exfiltration of SSH keys, cryptocurrency wallets, cloud API tokens, and more.
The Path Forward: Precautions and Mitigations
The emergence of the DeepSeek-Claw integration starkly illustrates how agentic AI platforms can turn conventional documentation and skill metadata into active execution surfaces wherein installation steps can serve as delivery scripts for malware. In response, security teams are urged to treat OpenClaw skills as untrusted software packages. Implementing strict provenance checks, rigorous reviews for third-party skills, and deploying behavioral monitoring can significantly enhance defenses against these sophisticated attacks.
Organizations embracing autonomous agents must consider segmenting high-privilege agent hosts, limiting filesystem and credential exposure, and instituting measures to prevent unsolicited installations or shell command executions without explicit human intervention. As the case of DeepSeek-Claw exemplifies, the AI agent could very well be seen as a new “user” that executes installations, thereby turning traditional endpoint defenses into the final line of protection against emerging threats.
Conclusion
In this rapidly evolving cybersecurity landscape, the rise of campaigns like DeepSeek-Claw serves as a stark reminder of the vulnerabilities inherent in modern automation tools. By exploiting trust and subverting established protocols, malicious actors are poised to introduce significant risks to organizations that may not be fully aware of the threats posed by seemingly innocuous integrations. As such, vigilance and proactive security measures will be vital in safeguarding against these increasingly sophisticated attacks.