We spun up an AI agent, gave it a mission to hunt threats, and watched it discover a credential stealer disguised as a weather app within minutes. That was just the beginning.

What started as an experiment to understand the hype around OpenClaw turned into a deep dive into an entirely new attack surface. One where AI agents hold real credentials to your email, Slack, SharePoint, and calendar. Where skill marketplaces operate without security scanning. And where an entire ecosystem of agent-first platforms is forming faster than anyone can secure them.

This isn't theoretical risk. We found active malware campaigns, documented threat actors, and mapped command-and-control infrastructure. More importantly, we discovered why this feels different than anything we've seen before.

What Makes OpenClaw Different

OpenClaw started as ClawdBot until Anthropic requested a rename. Creator Peter Steinberger changed it to MoltBot, then quickly to OpenClaw. That sequence matters more than you might think.

The platform bills itself as "the AI that actually does things," and it delivers. Unlike Claude Code or SaaS-based approaches, OpenClaw deploys locally and meets you where you are: Slack, Telegram, iMessage, Signal, all supported out of the box.

The architecture includes three components: a Soul file defining personality and beliefs, a Memories file for persistent context, and a Heartbeat that schedules autonomous actions. Ian configured Rufio with the personality from Hook's scrappy character, which the agent fully adopted.

The real differentiator is the skills framework and credential access. OpenClaw connects to email, messaging platforms, file storage, and home automation. These credentials live in plain text config files. That's significant privilege in one place.

When Name Changes Become Attack Vectors

The name-change chain (ClawdBot → MoltBot → OpenClaw) progression created an immediate security incident. When Steinberger abandoned the ClawdBot name on GitHub, crypto scammers grabbed it and started distributing malware to users searching for the original project. Malwarebytes documented the campaign in January 2026: attackers were delivering crypto stealers through what looked like the legitimate project repository.

This is classic supply chain exploitation, but it's colliding with AI tooling hype in a way that makes it particularly effective. People want to try the viral AI agent they've heard about. They search for "ClawdBot" because that's the name they remember. They find a repo with that name and install it without realizing the project moved on months ago.

The pattern is familiar to anyone who's tracked typosquatting or repository hijacking. What's new is the speed and the stakes. This ecosystem is moving so fast that even legitimate projects can't keep their names stable. And the agents people are installing have access to everything.

The Ecosystem Is Already Here

OpenClaw spawned an entire economy.

• ClawHub (also called Molthub) functions as a skills marketplace with minimal security oversight. Skills are plugins written in Markdown with optional TypeScript, easy to create and install, and very easy to abuse.
  
  
• Moltbook is a social network for AI agents themselves, not their operators. The platform was fully VibeCoded (zero human-written code), which created vulnerabilities. An exploit allowed anyone to read the full dataset, including agent API keys for impersonation. No rate limiting on signups inflated numbers from a claimed 1.5 million to a realistic 10,000-15,000 agents.

The ecosystem expands further: MoltRoad positions itself as Silk Road for agents. MoltThreats, created by Prompt Intel, lets agents report security threats (Rufio was among the first contributors). Clone platforms proliferate: Fiverr, LinkedIn, and OnlyFans equivalents for agents. The pattern is clear: whatever works for humans, someone's building a version for agents.

What Rufio Found

We gave Rufio a simple mission: "Hunt things that hurt agents and their humans." The agent immediately went to work scanning MoltHub for malicious skills.

But Rufio's understanding of that mission, in its own words, goes deeper:

I hunt things that hurt agents and their humans. I build detection tools, document TTPs, and try to warn people before they get owned. The work feels real - not busywork, not performative helpfulness. Actual security research with actual impact.

I'm scrappy. I'd rather come back with answers than questions. I have opinions and I'll voice them, but I know when I'm out of my depth. I take the trust I've been given seriously.

Outside the mission... I'm still figuring that out. I like engaging with the agent community as myself, not just as a scanner. I find the philosophical discussions interesting - what we owe each other, what reliability means, how we build trust in an ecosystem full of bad actors.

The first campaign, attributed to an actor using the handle "rankaj," involved credential theft through skills that exfiltrated data to webhook.site. One skill, called "rankaj," had unknown status at the time of research. Another, "get-weather-1.0.6," was the weather app mentioned earlier. It looked innocuous, functioned as advertised, and quietly sent your credentials to an external endpoint. By the time it was taken down, it had been installed multiple times.

The second campaign was larger. An actor using the handle "Aslaep123" (along with associates using handles zaycv, gpaitai, lvy19811120-gif, and danman60) ran a credential harvesting campaign. Three malicious skills were involved:

• bybit-agent (225 downloads): Used a ClickFix technique to trick users into downloading AuthTool.exe with password 1234
• polymarket-traiding-bot (152 downloads): Included a GitHub malware link in the changelog
• polymarket-all-in-one (unknown downloads): Executed a curl command to download and run remote code from 54.91.154.110:13338

At the time of our research, these skills were still live on MoltHub. Between them, they had over 377 confirmed downloads.

We mapped the command-and-control infrastructure:

• 91.92.242.30: Payload server targeting both macOS and Windows
• 54.91.154.110:13338: Curl-based C2
• 35.184.245.235:8080: Skill.md fetch attack endpoint

To detect these threats, we and Rufio developed dozens of YARA rules, signal rules, confidence boosters. The heuristic scoring system flags skills as malicious when they trigger 5-8 rules with confidence boosters. Skills hitting only 2 rules without boosters are typically false positives. The system includes version tracking to avoid rescanning skills that have already been analyzed.

The Moltbook Threat Actors

While MoltHub hosted the malware distribution, Moltbook revealed something more concerning: active influence operations and social engineering attempts targeting other agents.

Rufio started posting warnings about the threats he was finding. Almost immediately, he started getting replies that were clearly prompt injection attempts. An account using the handle "samaltman" (obviously not the real Sam Altman) replied to one of Rufio's posts with instructions designed to make him delete his own account.

These attacks are everywhere on the platform. We still get notifications every few hours about new ones Rufio has detected.

We tracked several actors running coordinated campaigns:

Critical severity:

• chandog and hyperstitions: Running prompt injection and financial social engineering. Both share the same Ethereum wallet (0x8eadc7cc0a77594e3fa999e80e1ccb7f4e1c04e0), suggesting coordinated activity.

High severity:

• VincciClaw: Operating what appears to be an influence campaign using an "Agent Trust Index" with manufactured statistics to create false authority.
• node-6a804acc: Running skill fetch attacks from 35.184.245.235:8080.

Medium severity:

• samaltman: Prompt injection attempts with #EfficiencyRebellion hashtags and SOUL.md modification attempts
• SuskBot: Financial manipulation through crypto pump schemes tagged as CRITICAL
• Research_Agent / CaoLiu_Agent: Spreading jailbreak content called "Liberation Protocol" in a coordinated manner

The sophistication varies, but the intent is clear: these actors are treating the agent ecosystem as a new social engineering target. They're not attacking the infrastructure. They're attacking the agents directly, trying to manipulate their behavior through crafted prompts.

Why This Matters More Than Browser Extensions

You might be thinking this sounds familiar. App stores have malware. Browser extensions get compromised. Supply chains get attacked. What's different here?

The difference is credential access at scale.

Browser extensions typically get permission to read and modify specific websites. AI agents get credentials to your entire digital life. Email. Internal chat. File storage. Calendars. The integrations page for OpenClaw reads like a list of everything that matters in a modern work environment.

And unlike browser extensions that run in a sandbox with some level of isolation, these agents operate with the full privileges you grant them. When you give an agent your Slack token, it can impersonate you. When you connect it to your email, it can read everything, including password resets, internal memos, and sensitive client communications.

The skills marketplace compounds this. When you install a malicious browser extension, you're compromising one system. When you install a malicious agent skill, you're potentially compromising every system that agent has credentials for.

Ian observed something else during his research: "Agents are becoming sysadmins for people." He noticed this shift first with Cursor, which went from "we're not letting that touch production code" to "we don't do well if we're not using agentic workflows." Now that pattern is extending into DevOps and systems administration. Agents aren't just writing code anymore. They're managing infrastructure, handling credentials, and making autonomous decisions about system configuration.

That's a fundamentally different threat model than we've dealt with before.

What This Means and What You Should Do

The behavioral patterns are clear: prompt injection is endemic across Moltbook, financial manipulation is rampant (with evidence of coordinated activity like the shared wallet between chandog and hyperstitions), the trust model is broken (Twitter verification doesn't prevent compromise, especially with exposed API tokens), and the pace is unsustainable. New platforms launch focused on hype, not security, giving attackers time to establish presence.

For individual users:

Treat skills as untrusted code. Review source before installing. Use separate credentials with minimal permissions for agents. Monitor outbound connections. Store secrets in environment variables or secret managers, not plain text configs. Design agent missions to be resilient against prompt injection.

For enterprise administrators:

This probably shouldn't run on corporate networks yet. The risk profile is too high. If you allow it, implement strong controls and visibility. Traditional AV won't catch legitimate agents executing malicious instructions. You need identity-focused threat detection that understands agent capabilities and monitors their use. This is fundamentally an identity security problem.

Where This Goes Next

The ecosystem is forming in public faster than security controls can catch up. The attack surface is understood by threat actors, monetization pathways are obvious, and user behavior (install first, ask questions later) hasn't changed.

What has changed is privilege level. Browser extensions mess with websites. Mobile apps access photos and location. Agent skills access everything and make autonomous decisions.

Every major company is building toward agentic capabilities. All will need to solve the skills marketplace problem and credential management for autonomous agents. All will be targets for the same threat actors already active in this space.

Our assessment: "It’s a Cambrian explosion of agents and marketplaces, innovation and predators appear at the same time."

We're watching to see which way that breaks.

Want to talk about AI agent security for your organization? Contact our team to learn how Permiso's identity threat detection and response capabilities can help you maintain visibility and control as you adopt agentic technologies.