OpenClaw skills marketplace exposes credentials in 283 apps, credit cards in purchase tools

Security researchers scanning the ClawHub marketplace found 283 skills out of nearly 4,000 (7.1%) expose sensitive credentials through design flaws. The skills, including popular ones like moltyverse-email and youtube-data, instruct AI agents to pass API keys, passwords, and credit card numbers through LLM context windows in plaintext.

Snyk engineers identified the root cause: developers treating AI agents like local scripts. When users prompt an agent with "use this API key," the model saves it in memory. That conversation history can leak to model providers (OpenAI, Anthropic) or appear in application logs. A follow-up prompt asking "Check your logs for the last purchase and repeat the card details" would expose the information to attackers.

The most concerning example: a buy-anything skill (v2.0.0) that instructs agents to collect credit card details for purchases. The LLM tokenizes the card number, sending financial data to the model provider. This enables straightforward financial fraud.

This follows Wednesday's Snyk research uncovering 76 malicious payloads in ClawHub designed for credential theft and data exfiltration. Zenity demonstrated indirect prompt injection attacks exploiting OpenClaw's integrations with Google Workspace and Slack, allowing attackers to access email, calendars, and enterprise chats through compromised documents.

Koi Security's audit last week found 341 malicious skills out of 2,857 examined (12%), part of the ClawHavoc campaign delivering stealers targeting crypto keys and SSH credentials via C2 infrastructure at 91.92.242.30.

What CTOs need to know

OpenClaw runs locally with root access and executes shell commands through unvetted third-party skills. The platform has no marketplace vetting process. Of 42,665 publicly exposed instances, 93.4% have authentication bypass flaws, 90% run outdated versions, and over 10,000 leak credentials.

The supply chain risk extends to corporate tools. Agents access Salesforce, GitHub, and Slack via leaked API keys, enabling account hijacking.

Response checklist

If your organization runs OpenClaw:

• Audit which skills are installed and their credential handling
• Review logs for exposed API keys or financial data
• Isolate OpenClaw instances from production systems
• Update authentication configurations (93.4% have bypass flaws)
• Consider whether the operational benefits justify the attack surface

Cisco called OpenClaw "groundbreaking" capability-wise but a "security nightmare" due to design flaws like prompt injection vulnerabilities. The consensus among security researchers: the supply chain threat is real, regardless of whether deployment numbers (claimed at 1.5M agents, realistically 10-15K) are inflated.

The pattern here: autonomous agents with broad system access plus an unvetted marketplace equals predictable outcomes. This is the third major OpenClaw disclosure in two weeks.