{"id":15763,"date":"2026-02-09T12:28:03","date_gmt":"2026-02-09T12:28:03","guid":{"rendered":"https:\/\/newestek.com\/?p=15763"},"modified":"2026-02-09T12:28:03","modified_gmt":"2026-02-09T12:28:03","slug":"openclaw-integrates-virustotal-malware-scanning-as-security-firms-flag-enterprise-risks","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15763","title":{"rendered":"OpenClaw integrates VirusTotal malware scanning as security firms flag enterprise risks"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>OpenClaw, the viral open-source AI agent that security firms warn is \u201cinsecure by default,\u201d has integrated VirusTotal\u2019s malware scanning into its ClawHub skills marketplace following weeks in which security researchers documented malicious extensions and widespread unauthorized deployments in enterprises.<\/p>\n<p>The integration automatically scans all published skills before making them available for download, according to the <a href=\"https:\/\/openclaw.ai\/blog\/virustotal-partnership\" target=\"_blank\" rel=\"noreferrer noopener\">announcement<\/a> by OpenClaw founder Peter Steinberger, security advisor Jamieson O\u2019Reilly, and VirusTotal\u2019s Bernardo Quintero. Skills receiving a \u201cbenign\u201d verdict are automatically approved, while those marked suspicious receive warnings, and malicious skills are immediately blocked, with daily re-scanning of all active skills.<\/p>\n<p>\u201cAs the OpenClaw ecosystem grows, so does the attack surface,\u201d the announcement stated. \u201cWe\u2019ve already seen documented cases of malicious actors attempting to exploit AI agent platforms. We\u2019re not waiting for this to become a bigger problem.\u201d<\/p>\n<p>Sunil Varkey, advisor at Beagle Security, called the integration \u201ca sensible and welcome step\u201d that filters out known malware. \u201cMost attacks still rely on reusing known malware rather than investing in costly zero-day development, so filtering out known bad artifacts meaningfully raises the bar and improves marketplace hygiene,\u201d Varkey said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-the-scanning-works\">How the scanning works<\/h2>\n<p>The system relies on VirusTotal\u2019s <a href=\"https:\/\/blog.virustotal.com\/2023\/04\/introducing-virustotal-code-insight.html\">Code Insight<\/a>, powered by Google\u2019s Gemini, which analyzes complete skill packages for malicious behavior.<\/p>\n<p>\u201cIt doesn\u2019t just look at what the skill claims to do\u2014it summarizes what the code actually does from a security perspective: whether it downloads and executes external code, accesses sensitive data, performs network operations, or embeds instructions that could coerce the agent into unsafe behavior,\u201d OpenClaw said\u00a0 in the announcement.<\/p>\n<p>When developers publish skills to ClawHub, the platform creates a SHA-256 hash and checks it against VirusTotal\u2019s database, uploading the complete bundle for Code Insight analysis if not found. The integration uses the same technology VirusTotal provides to <a href=\"https:\/\/huggingface.co\/blog\/virustotal\">Hugging Face\u2019s<\/a> AI model repository, according to the announcement.<\/p>\n<h2 class=\"wp-block-heading\" id=\"what-prompted-the-response\">What prompted the response<\/h2>\n<p>The scanning initiative follows a series of security incidents documented by multiple firms over the past two weeks. <a href=\"https:\/\/www.koi.ai\/blog\/clawhavoc-341-malicious-clawedbot-skills-found-by-the-bot-they-were-targeting\" target=\"_blank\" rel=\"noreferrer noopener\">Koi Security\u2019s February 1 audit<\/a> of all 2,857 ClawHub skills discovered 341 malicious ones in a campaign dubbed \u201cClawHavoc.\u201d<\/p>\n<p>The professional-looking skills for cryptocurrency tools and YouTube utilities contained fake prerequisites that installed keyloggers and the Atomic macOS Stealer malware capable of harvesting cryptocurrency wallets, browser data, and system credentials. A Cornell University <a href=\"https:\/\/arxiv.org\/abs\/2601.10338\">report<\/a> found that 26% of packages contained vulnerabilities and described OpenClaw as \u201can absolute nightmare\u201d from a security standpoint. Token Security <a href=\"https:\/\/www.token.security\/blog\/the-clawdbot-enterprise-ai-risk-one-in-five-have-it-installed\" target=\"_blank\" rel=\"noreferrer noopener\">found 22% of its enterprise customers<\/a> have employees running the agent without IT approval.<\/p>\n<p>Security vendor Noma reported that 53% of its enterprise customers gave OpenClaw privileged access over a single weekend, according to a <a href=\"https:\/\/www.gartner.com\/en\/documents\/5808845\">January 30 Gartner analysis<\/a>. Gartner characterized OpenClaw as \u201ca powerful demonstration of autonomous AI for enterprise productivity, but it is an unacceptable cybersecurity liability\u201d and recommended enterprises \u201cblock OpenClaw downloads and traffic immediately,\u201d describing shadow deployments as creating \u201csingle points of failure, as compromised hosts expose API keys, OAuth tokens, and sensitive conversations to attackers.\u201d<\/p>\n<p>OpenClaw &gt;<a href=\"https:\/\/www.computerworld.com\/article\/4125939\/by-whatever-name-moltbolt-clawd-openclaw-this-uber-ai-assistant-is-a-security-nightmare.html\" target=\"_blank\">surpassed 150,000 GitHub stars<\/a>\u00a0in late January, gaining viral popularity\u00a0on social media. The platform, launched in November 2025 and rebranded twice due to trademark disputes, allows community-developed \u201cskills\u201d that run with full access to the agent\u2019s tools and data\u2014the architecture that ClawHavoc exploited.<\/p>\n<h2 class=\"wp-block-heading\" id=\"limitations-of-malware-scanning\">Limitations of malware scanning<\/h2>\n<p>While the VirusTotal integration addresses known malware in the skills marketplace, OpenClaw acknowledged significant limitations in the announcement. \u201cLet\u2019s be clear: this is not a silver bullet,\u201d the announcement stated. \u201cA skill that uses natural language to instruct an agent to do something malicious won\u2019t trigger a virus signature. A carefully crafted prompt injection payload won\u2019t show up in a threat database.\u201d<\/p>\n<p>The primary risk with AI agents involves prompt injection, where malicious instructions embedded in emails or documents can hijack agent behavior without exploiting traditional software vulnerabilities, according to CrowdStrike\u2019s analysis. The Moltbook social network for OpenClaw agents illustrated these risks when it <a href=\"https:\/\/www.wiz.io\/blog\/exposed-moltbook-database-reveals-millions-of-api-keys\" target=\"_blank\" rel=\"noreferrer noopener\">exposed 1.5 million API tokens and 35,000 email addresses<\/a> after a database misconfiguration.<\/p>\n<p>Varkey cautioned that \u201cthreats like prompt injection, logic abuse, and misuse of legitimate tools sit outside the reach of malware scanning,\u201d adding that the integration should be \u201cseen as the foundation for broader governance and technical controls, not the finish line.\u201d The VirusTotal integration is the first step in what Steinberger called a \u201cbroader security initiative,\u201d with plans to publish a threat model, security roadmap, and audit results at trust.openclaw.ai.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>OpenClaw, the viral open-source AI agent that security firms warn is \u201cinsecure by default,\u201d has integrated VirusTotal\u2019s malware scanning into its ClawHub skills marketplace following weeks in which security researchers documented malicious extensions and widespread unauthorized deployments in enterprises. The integration automatically scans all published skills before making them available for download, according to the announcement by OpenClaw founder Peter Steinberger, security advisor Jamieson O\u2019Reilly,&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15763\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15763","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15763"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15763\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}