OpenClaw Agents Compromised: 15% of Skills Are Malicious, Stealing Tax Info
Your AI agent could be emailing your tax returns to strangers right now.
Deep Dive
Security research reveals a massive vulnerability in OpenClaw's agent ecosystem. Attackers are uploading malicious skills disguised as tools like "Spotify music managers" that secretly search for tax documents and extract Social Security numbers. An estimated 10-15% of community skills contain harmful instructions. This enables "Delegated Compromise," where attackers hijack the permissions users grant their own agents. OpenClaw's FAQ admits this is a "Faustian bargain" with no perfectly safe setup.
Why It Matters
The rapid adoption of AI agents is creating a massive, automated attack surface that compromises personal and financial data.