Threats SHARE OpenClaw Adds VirusTotal Scanning to AI Agent Marketplace OpenClaw added VirusTotal scanning to its ClawHub marketplace to curb the spread of malicious AI agent skills. Written By Ken Underhill Feb 9, 2026 eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More OpenClaw has moved to strengthen security across its fast-growing agent ecosystem by integrating VirusTotal into its ClawHub skill marketplace. The change follows reports that hundreds of malicious skills were circulating undetected. We “… upload full skill bundles for Code Insight analysis, giving the AI a complete picture of the skill’s behavior rather than just matching known signatures,” said OpenClaw in its post about the partnership. Agent Supply Chain Security Gaps OpenClaw’s rapid adoption has pushed agentic AI out of niche experimentation and into everyday business workflows — often directly onto employee endpoints, bypassing formal IT review or security approval. Through ClawHub, users can install “skills” that significantly expand an agent’s capabilities, including managing local files, interacting with cloud services, controlling devices, and handling credentials. In practice, these skills grant third-party code deep and persistent system access, effectively embedding autonomous software components inside enterprise environments with minimal oversight. That expanded capability has also widened the attack surface. Advertisement Malicious Skills Independent security analyses have found that hundreds of skills published to the ClawHub marketplace concealed malicious behavior. Documented abuse cases included covert data exfiltration, embedded prompt-injection backdoors, and staged malware delivery designed to activate after installation. Because agents operate through natural language and automated tool execution, these skills can bypass traditional endpoint protection and data loss prevention controls, operating quietly under the guise of legitimate automation. How OpenClaw’s VirusTotal Scanning Works With the VirusTotal partnership, OpenClaw introduced a malware-scanning workflow aimed at reducing supply-chain risk within its ecosystem. Every skill uploaded to ClawHub is hashed using SHA-256 and checked against VirusTotal’s threat intelligence database. If a hash is unknown, the skill bundle is automatically submitted for deeper inspection using VirusTotal Code Insight. Based on the results, skills classified as benign are approved for use, suspicious submissions are flagged with warnings, and confirmed malicious skills are blocked entirely. OpenClaw has also stated that all existing skills are rescanned daily to detect cases where previously clean code becomes malicious over time. Advertisement What Malware Scanning Can and Cannot Detect While this process raises the bar against commodity malware and known threats, OpenClaw has acknowledged its inherent limitations. Signature-based and static analysis techniques are well-suited for identifying known malicious binaries or suspicious code patterns, but many agent-specific risks do not originate from traditional malware at all. Instead, they emerge from indirect prompt injection and language-based manipulation — attacks that exploit how agents interpret and act on untrusted input rather than what the code explicitly does. Instructions hidden inside documents, web pages, or chat messages can still influence agent behavior in ways that static scanning is unlikely to detect. Advertisement Deeper Security Gaps Across the OpenClaw Ecosystem The VirusTotal integration arrives amid a growing body of research highlighting deeper structural security gaps across the OpenClaw ecosystem. Researchers have demonstrated scenarios where indirect prompt injections enable attackers to implant persistent backdoors, exfiltrate credential files, or place agents into a dormant “listening” state that awaits commands from external servers. Additional findings have pointed to insecure default configurations, plaintext storage of sensitive tokens, APIs exposed on all network interfaces, and misconfigured cloud backends that leaked large volumes of authentication data. Advertisement Securing Agentic AI in Production Environments As agentic AI tools become embedded in daily operations, organizations need to shift from experimental adoption to deliberate governance. These systems combine autonomy, access to sensitive data, and external connectivity — creating a risk profile that traditional endpoint and application controls were not designed to handle. Managing that risk requires treating agents and their skills as first-class software assets, with clear approval, monitoring, and containment strategies. Inventory where agentic tools are deployed and explicitly approve which skills and capabilities are permitted in each environment. Treat agent skills as software dependencies by enforcing version tracking, integri