AI agents like OpenClaw could drain crypto wallets via ‘malicious skills’: CertiK

The widespread integration of AI assistants such as OpenClaw introduces critical security risks that open up users to unauthorized actions, data exposure, system compromises and drained crypto wallets, according to cybersecurity firm CertiK.

OpenClaw is a self-hosted AI agent that integrates with messaging platforms such as WhatsApp, Slack, and Telegram and can autonomously take actions on users’ computers, such as managing email, calendars, and files.

It’s estimated there are around 2 million active monthly users of the platform, according to Openclaw.vps. A McKinsey study in November revealed that 62% of survey respondents said their organizations were already experimenting with AI agents.

However, CertiK warns that it has become a “primary supply chain attack vector at scale.”

OpenClaw grew from a side project called Clawdbot, launched in November 2025, to over 300,000 GitHub stars, a bookmarking or “like” feature on the developer platform, signaling a surge in popularity but accumulating serious “security debt” in the process, noted CertiK.

However, within weeks of launch, Bitsight identified 30,000 internet-exposed instances of OpenClaw, and SecurityScorecard researchers found 135,000 instances across 82 countries, with 15,200 specifically vulnerable to remote code execution.

OpenClaw has also become the most “aggressively scrutinized AI agent platform from a security standpoint,” accumulating more than 280 GitHub Security Advisories, 100 Common Vulnerabilities and Exposures (CVEs), and a “string of ecosystem-level attacks” since its November launch, CertiK researchers wrote in a report shared with Cointelegraph.

Crypto wallet credentials at risk

Because OpenClaw acts as a bridge between external inputs and local system execution, “it introduces classic attack vectors,” the researchers said.

These include local gateway hijacking, where malicious websites or payloads could exploit the agent’s local machine presence to extract sensitive user data or execute unauthorized commands.

Related: SlowMist introduces Web3 security stack for autonomous AI agents

CertiK warned of the dangers of plugins, which could add channels, tools, HTTP routes, services, and providers, while malicious skills could be installed from local or marketplace sources.

Unlike traditional malware, “malicious skills” can manipulate behavior through natural language, resisting conventional scanning.

“Once launched, the malware can exfiltrate sensitive information such as passwords and cryptocurrency wallet credentials.”

Malicious backdoors may also be hidden within legitimate functional codebases, “where they fetch seemingly benign URLs that ultimately deliver shell commands or malware payloads,” they added.

CertiK researchers told Cointelegraph that attackers strategically seeded malicious skills across various high-value categories, “including utilities for Phantom, wallet trackers, insider-wallet finders, Polymarket tools, and Google Workspace integrations.”

“They cast a remarkably wide net across the crypto ecosystem, with the primary payload designed to target a large number of browser extension wallets simultaneously, such as MetaMask, Phantom, Trust Wallet, Coinbase Wallet, OKX Wallet, and many others,” they said.

The researchers added that there was a “clear overlap in tradecraft with the broader crypto-theft ecosystem, like social engineering, fake utility lures, credential theft, wallet-focused phishing.”

“These are all well-known plays from the crypto drainer playbook, and we did see them used here.

OpenClaw founder Peter Steinberg, who recently joined OpenAI, said they are working on improving OpenClaw’s security.

“Something that we worked on for the last two months is security. So things are a lot better on that front,” said Steinberg at the “ClawCon” event on Monday in Tokyo.

Don’t install OpenClaw unless you’re a geek

Earlier this month, cybersecurity firm OX Security reported a phishing campaign that used fake GitHub posts and a bogus “CLAW” token to lure OpenClaw developers into connecting crypto wallets.

CertiK advised ordinary users “who are not security professionals, developers, or experienced geeks,” not to install and use OpenClaw from scratch but wait for “more mature, hardened, and manageable versions.”

Cybersecurity company SlowMist introduced a security framework for AI agents earlier in March, pitching it as a “digital fortress” to defend against risks that come with autonomous systems handling onchain actions and digital assets.

Magazine: Banks want to run Vietnam’s crypto exchanges, Boyaa’s $70M BTC plan: Asia Express