Writing on the @1Password blog, Jason Meller says that he found that the top downloaded OpenClaw skill was a malware delivery vehicle:
While browsing ClawHub (I won t link it for obvious reasons), I noticed the top downloaded skill at the time was a Twitter skill. It looked normal: description, intended use, an overview, the kind of thing you d expect to install without a second thought.
But the very first thing it did was introduce a required dependency named openclaw-core, along with platform-specific install steps. Those steps included convenient links ( here , this link ) that appeared to be normal documentation pointers.
They weren t.
Both links led to malicious infrastructure.
Indeed, this wasn't an isolated case.
Really liked the idea behind OpenClaw. Most AI assistants still feel stuck inside chat interfaces, but this actually tries to perform real actions instead of only replying with text. The persistent memory and workflow automation parts were pretty interesting, and the WhatsApp/Telegram integration makes it feel more practical for everyday use.