What’s the security situation around OpenClaw today? It was just a week or two ago that there was a ton of concern around its security given how much access you give it.
I don’t think there’s any solution to what SimonW calls the lethal trifecta with it, so I’d say that’s still pretty impossible.
I saw on The Verve that they partnered with the company that repeatedly disclosed security vulnerabilities to try to make skills more secure though which is interesting: https://openclaw.ai/blog/virustotal-partnership
I’m guessing most of that malware was really obvious, people just weren’t looking, so it’s probably found a lot. But I also suspect it’s essentially impossible to actually reliably find malware in LLM skills by using an LLM.
Regarding prompt injection: it's possible to reduce the risk dramatically by:
1. Using opus4.6 or gpt5.2 (frontier models, better safety). These models are paranoid.
2. Restrict downstream tool usage and permissions for each agentic use case (programmatically, not as LLM instructions).
3. Avoid adding untrusted content in "user" or "system" channels - only use "tool". Adding tags like "Warning: Untrusted content" can help a bit, but remember command injection techniques ;-)
4. Harden the system according to state of the art security. 5. Test with red teaming mindset.
Honestly, 'malware' is just the beginning it's combining prompt injection with access to sensitive systems and write access to 'the internet' is the part that scares me about this.
I never want to be one wayward email away from an AI tool dumping my company's entire slack history into a public github issue.
It's still bad, even if they fixed some low hanging fruits. Main issue: prompt injection when using the LLM "user" channel with untrusted content (even with countermeasures and frontier model) combined with insecure config / plugins / skills... I experimented with it: https://veganmosfet.github.io/2026/02/02/openclaw_mail_rce.h...
My company has the github page for it blocked. They block lots of AI-related things but that's the only one I've seen where they straight up blocked viewing the source code for it at work.
mcintyre1994|22 days ago
I saw on The Verve that they partnered with the company that repeatedly disclosed security vulnerabilities to try to make skills more secure though which is interesting: https://openclaw.ai/blog/virustotal-partnership
I’m guessing most of that malware was really obvious, people just weren’t looking, so it’s probably found a lot. But I also suspect it’s essentially impossible to actually reliably find malware in LLM skills by using an LLM.
veganmosfet|22 days ago
madeofpalk|22 days ago
I never want to be one wayward email away from an AI tool dumping my company's entire slack history into a public github issue.
ricardobayes|22 days ago
veganmosfet|22 days ago
bowsamic|22 days ago
kolja005|22 days ago
geoandgeox|11 days ago
[deleted]