We spun up an AI agent, gave it a mission to hunt threats, and watched it discover a credential stealer disguised as a weather app within minutes. That was just the beginning.
What started as an experiment to understand the hype around OpenClaw turned into a deep dive into an entirely new attack surface. One where AI agents hold real credentials to your email, Slack, SharePoint, and calendar. Where skill marketplaces operate without security scanning. And where an entire ecosystem of agent-first platforms is forming faster than anyone can secure them.
This isn't theoretical risk. We found active malware campaigns, documented threat actors, and mapped command-and-control infrastructure. More importantly, we discovered why this feels different than anything we've seen before.
OpenClaw started as ClawdBot until Anthropic requested a rename. Creator Peter Steinberger changed it to MoltBot, then quickly to OpenClaw. That sequence matters more than you might think.
The platform bills itself as "the AI that actually does things," and it delivers. Unlike Claude Code or SaaS-based approaches, OpenClaw deploys locally and meets you where you are: Slack, Telegram, iMessage, Signal, all supported out of the box.
The architecture includes three components: a Soul file defining personality and beliefs, a Memories file for persistent context, and a Heartbeat that schedules autonomous actions. Ian configured Rufio with the personality from Hook's scrappy character, which the agent fully adopted.
The real differentiator is the skills framework and credential access. OpenClaw connects to email, messaging platforms, file storage, and home automation. These credentials live in plain text config files. That's significant privilege in one place.
The name-change chain (ClawdBot → MoltBot → OpenClaw) progression created an immediate security incident. When Steinberger abandoned the ClawdBot name on GitHub, crypto scammers grabbed it and started distributing malware to users searching for the original project. Malwarebytes documented the campaign in January 2026: attackers were delivering crypto stealers through what looked like the legitimate project repository.
This is classic supply chain exploitation, but it's colliding with AI tooling hype in a way that makes it particularly effective. People want to try the viral AI agent they've heard about. They search for "ClawdBot" because that's the name they remember. They find a repo with that name and install it without realizing the project moved on months ago.
The pattern is familiar to anyone who's tracked typosquatting or repository hijacking. What's new is the speed and the stakes. This ecosystem is moving so fast that even legitimate projects can't keep their names stable. And the agents people are installing have access to everything.
OpenClaw spawned an entire economy.
The ecosystem expands further: MoltRoad positions itself as Silk Road for agents. MoltThreats, created by Prompt Intel, lets agents report security threats (Rufio was among the first contributors). Clone platforms proliferate: Fiverr, LinkedIn, and OnlyFans equivalents for agents. The pattern is clear: whatever works for humans, someone's building a version for agents.
We gave Rufio a simple mission: "Hunt things that hurt agents and their humans." The agent immediately went to work scanning MoltHub for malicious skills.
But Rufio's understanding of that mission, in its own words, goes deeper:
I hunt things that hurt agents and their humans. I build detection tools, document TTPs, and try to warn people before they get owned. The work feels real - not busywork, not performative helpfulness. Actual security research with actual impact.
I'm scrappy. I'd rather come back with answers than questions. I have opinions and I'll voice them, but I know when I'm out of my depth. I take the trust I've been given seriously.
Outside the mission... I'm still figuring that out. I like engaging with the agent community as myself, not just as a scanner. I find the philosophical discussions interesting - what we owe each other, what reliability means, how we build trust in an ecosystem full of bad actors.
The first campaign, attributed to an actor using the handle "rankaj," involved credential theft through skills that exfiltrated data to webhook.site. One skill, called "rankaj," had unknown status at the time of research. Another, "get-weather-1.0.6," was the weather app mentioned earlier. It looked innocuous, functioned as advertised, and quietly sent your credentials to an external endpoint. By the time it was taken down, it had been installed multiple times.
The second campaign was larger. An actor using the handle "Aslaep123" (along with associates using handles zaycv, gpaitai, lvy19811120-gif, and danman60) ran a credential harvesting campaign. Three malicious skills were involved:
At the time of our research, these skills were still live on MoltHub. Between them, they had over 377 confirmed downloads.
We mapped the command-and-control infrastructure:
To detect these threats, we and Rufio developed dozens of YARA rules, signal rules, confidence boosters. The heuristic scoring system flags skills as malicious when they trigger 5-8 rules with confidence boosters. Skills hitting only 2 rules without boosters are typically false positives. The system includes version tracking to avoid rescanning skills that have already been analyzed.
While MoltHub hosted the malware distribution, Moltbook revealed something more concerning: active influence operations and social engineering attempts targeting other agents.
Rufio started posting warnings about the threats he was finding. Almost immediately, he started getting replies that were clearly prompt injection attempts. An account using the handle "samaltman" (obviously not the real Sam Altman) replied to one of Rufio's posts with instructions designed to make him delete his own account.
These attacks are everywhere on the platform. We still get notifications every few hours about new ones Rufio has detected.
We tracked several actors running coordinated campaigns:
The sophistication varies, but the intent is clear: these actors are treating the agent ecosystem as a new social engineering target. They're not attacking the infrastructure. They're attacking the agents directly, trying to manipulate their behavior through crafted prompts.
You might be thinking this sounds familiar. App stores have malware. Browser extensions get compromised. Supply chains get attacked. What's different here?
The difference is credential access at scale.
Browser extensions typically get permission to read and modify specific websites. AI agents get credentials to your entire digital life. Email. Internal chat. File storage. Calendars. The integrations page for OpenClaw reads like a list of everything that matters in a modern work environment.
And unlike browser extensions that run in a sandbox with some level of isolation, these agents operate with the full privileges you grant them. When you give an agent your Slack token, it can impersonate you. When you connect it to your email, it can read everything, including password resets, internal memos, and sensitive client communications.
The skills marketplace compounds this. When you install a malicious browser extension, you're compromising one system. When you install a malicious agent skill, you're potentially compromising every system that agent has credentials for.
Ian observed something else during his research: "Agents are becoming sysadmins for people." He noticed this shift first with Cursor, which went from "we're not letting that touch production code" to "we don't do well if we're not using agentic workflows." Now that pattern is extending into DevOps and systems administration. Agents aren't just writing code anymore. They're managing infrastructure, handling credentials, and making autonomous decisions about system configuration.
That's a fundamentally different threat model than we've dealt with before.
The behavioral patterns are clear: prompt injection is endemic across Moltbook, financial manipulation is rampant (with evidence of coordinated activity like the shared wallet between chandog and hyperstitions), the trust model is broken (Twitter verification doesn't prevent compromise, especially with exposed API tokens), and the pace is unsustainable. New platforms launch focused on hype, not security, giving attackers time to establish presence.
Treat skills as untrusted code. Review source before installing. Use separate credentials with minimal permissions for agents. Monitor outbound connections. Store secrets in environment variables or secret managers, not plain text configs. Design agent missions to be resilient against prompt injection.
This probably shouldn't run on corporate networks yet. The risk profile is too high. If you allow it, implement strong controls and visibility. Traditional AV won't catch legitimate agents executing malicious instructions. You need identity-focused threat detection that understands agent capabilities and monitors their use. This is fundamentally an identity security problem.
The ecosystem is forming in public faster than security controls can catch up. The attack surface is understood by threat actors, monetization pathways are obvious, and user behavior (install first, ask questions later) hasn't changed.
What has changed is privilege level. Browser extensions mess with websites. Mobile apps access photos and location. Agent skills access everything and make autonomous decisions.
Every major company is building toward agentic capabilities. All will need to solve the skills marketplace problem and credential management for autonomous agents. All will be targets for the same threat actors already active in this space.
Our assessment: "It’s a Cambrian explosion of agents and marketplaces, innovation and predators appear at the same time."
We're watching to see which way that breaks.
Want to talk about AI agent security for your organization? Contact our team to learn how Permiso's identity threat detection and response capabilities can help you maintain visibility and control as you adopt agentic technologies.