惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News and Events Feed by Topic
V
V2EX
博客园 - 【当耐特】
Vercel News
Vercel News
雷峰网
雷峰网
爱范儿
爱范儿
WordPress大学
WordPress大学
云风的 BLOG
云风的 BLOG
S
Securelist
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
F
Full Disclosure
有赞技术团队
有赞技术团队
Hugging Face - Blog
Hugging Face - Blog
NISL@THU
NISL@THU
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Attack and Defense Labs
Attack and Defense Labs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
Microsoft Security Blog
Microsoft Security Blog
腾讯CDC
P
Proofpoint News Feed
B
Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
K
Kaspersky official blog
I
InfoQ
Google Online Security Blog
Google Online Security Blog
L
LINUX DO - 最新话题
Project Zero
Project Zero
Engineering at Meta
Engineering at Meta
V
Visual Studio Blog
AI
AI
Schneier on Security
Schneier on Security
B
Blog RSS Feed
T
Tor Project blog
H
Help Net Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LINUX DO - 热门话题
阮一峰的网络日志
阮一峰的网络日志
S
Security @ Cisco Blogs
T
Threat Research - Cisco Blogs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
Cyber Attacks, Cyber Crime and Cyber Security
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
V2EX - 技术
V2EX - 技术
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
A
Arctic Wolf
Webroot Blog
Webroot Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main

Blog on 1Password Blog

Why secure-by-design is an incentives problem, with Bob Lord | 1Password NIST and AI agents: 1Password’s approach to agent identity | 1Password Go beyond device health with External Checks in 1Password Device Trust | 1Password Natoma and 1Password help enterprises scale AI securely with governed agent access | 1Password New integrations between 1Password SaaS Manager and EPM | 1Password A first step toward post-quantum security | 1Password RSA 2026: Leading the way to secure agentic AI | 1Password How 1Password is Building a Culture of AI Fluency Through AI Champions | 1Password 1Password vs. Keeper Security: A comparison | 1Password 1Password vs. LastPass: Which is right for you? | 1Password Secure MCP credentials with 1Password and Runlayer | 1Password The next layer of AI security | 1Password Building the next chapter of Go-to-Market in EMEA | 1Password Automating SOC workflows with 1Password Enterprise Password Manager | 1Password Automated Provisioning hosted by 1Password: A Simpler, Smarter Way to Manage Access | 1Password Introducing 1Password® Unified Access: Identity Security for Humans and Their AI Agents | 1Password Next-generation automated provisioning, without compromising zero-knowledge security | 1Password Bitwarden vs. 1Password: Which password manager is right for you? | 1Password Password Manager for Families, Enterprise & Business | 1Password | 1Password How to wrangle SaaS contract renewals | 1Password Stop trusting consumer browsers with work credentials | 1Password IAM stops at sign-in. Your credentials do not. | 1Password Your digital pit crew: a 10-minute pre-race security checklist | 1Password 1Password Device Trust is coming to EMEA | 1Password The identity transformation: Analyst and CIO insights | 1Password Why now is the moment to join 1Password Go-To-Market | 1Password Identity and Accountability in the Age of AI Agents | 1Password How 1Password secures agent architectures | 1Password 1Password becomes the first global partner to transact through Express Private Offers in AWS Marketplace | 1Password Start Learning on 1Password Academy | 1Password Expanding Programmatic Access to 1Password | 1Password Zero knowledge vs. a malicious server: A look at ETH Zurich’s research | 1Password Agents are making filesystems cool again | 1Password Black History Month employee spotlight: Joseph Ojelade | 1Password 1Password's new benchmark teaches AI agents how not to get scammed | 1Password Streamlining SaaS onboarding and offboarding | 1Password 3 common SaaS Management challenges and how to avoid them | 1Password How 1Password Is Evolving Its Partner Ecosystem | 1Password How to build secure agent swarms that power production-grade autonomous systems | 1Password Solving the unsanctioned SaaS problem | 1Password 1Password and 60 Day Hustle: cybersecurity for small businesses | 1Password Security advisory for AI-assisted browsing interactions with the 1Password browser extension | 1Password It’s incredible. It’s terrifying. It’s OpenClaw. | 1Password Managing the risks of social logins | 1Password What’s the first security tool your small business should buy? | 1Password As AI Supercharges Phishing Scams, 1Password Introduces Built-In Protection | 1Password How to interview with confidence at 1Password | 1Password Five tips for successful SaaS Management | 1Password SaaS Manager | 1Password Why SaaS License Waste Is a Cost and Security Problem | 1Password AI is changing the IDE. With 1Password, security keeps up | 1Password How IT teams can get a handle on shadow IT | 1Password Bringing secure, just-in-time secrets to Cursor with 1Password | 1Password The Chasing Entropy Podcast Season One is in the Books | 1Password Now available via QBS Software: 1Password Enterprise Password Manager – MSP Edition | 1Password The role of credentials in the AI espionage campaign reported by Anthropic | 1Password The hidden offboarding step draining your budget | 1Password AWS and 1Password: Innovation in AI and beyond | 1Password Simplifying credential security on OpenAI Atlas | 1Password From Social Work to Social Impact: Growing at 1Password | 1Password Improving in-page notifications in the 1Password browser extension | 1Password Password Manager for Families, Enterprise & Business | 1Password | 1Password Now available via Renaissance: 1Password Enterprise Password Manager – MSP Edition | 1Password Behind the wheel at Oracle Red Bull Racing | 1Password Securing MCP servers with 1Password: Stop credential exposure in your agent configurations | 1Password What’s new in 1Password Enterprise Password Manager - Q4, 2025 | 1Password Belonging as a catalyst for high performance | 1Password Password habits are worsening, but leaders see a path to passwordless | 1Password A simpler, faster way to unlock 1Password | 1Password Oracle Red Bull Racing Episode 4, CIO Matt Cadieux | 1Password 70% of IT and security pros say SSO is falling short | 1Password 1Password's Phishing Survey: Avoid Holiday Phishing Scams | 1Password Securing the Win | 1Password SaaS optimization: How to maximize value and reduce costs | 1Password The enterprise AI crisis: Unsanctioned tools and unenforced policies | 1Password An Identity Security taxonomy for Agentic AI | 1Password Introducing new .env file support in 1Password environments | 1Password Speed and security: Mark Hazelton on protecting Oracle Red Bull Racing’s most valuable asset – its data | 1Password 1Password for Good: Giving back during cybersecurity awareness month | 1Password Utah Mammoth and Utah Jazz score with identity security | 1Password Oracle Red Bull Racing CEO and Team Principal | 1Password Three signs you need a SaaS Management Platform | 1Password Closing the credential risk gap for AI agents using a browser | 1Password Microsoft and Dropbox password managers are sunsetting: What it means and what to do next | 1Password From hackathon nerves to internship wins: Kavya’s journey at 1Password | 1Password 1Password now available in Comet, the AI-powered browser by Perplexity | 1Password 1Password announces new integration with Zscaler | 1Password Breaking the mold: Why more women should consider a career in sales | 1Password What security leaders need to know about mergers and acquisitions | 1Password Clickjacking: What it means for 1Password users | 1Password AI and security at Black Hat: 5 key takeaways from a security expert panel | 1Password Blog | 1Password Do any CISOs feel lucky? | 1Password How to lead with confidence in the AI era: a conversation with Nancy Wang, VP, Engineering | 1Password New Device Trust Check makes browser extension enforcement easier | 1Password Purpose, performance, and trust: Inside the culture powering 1Password’s next chapter | 1Password Now available on Pax8 Marketplace: 1Password Enterprise Password Manager - MSP Edition | 1Password The security principles guiding 1Password’s approach to AI | 1Password Choosing the right SaaS management platform for your business | 1Password Simplify access reviews with 1Password SaaS Manager | 1Password How great usability tripled Duke University's password manager adoption | 1Password
From magic to malware: How OpenClaw's agent skills become an attack surface | 1Password
info@1password.com (Jason Meller) · 2026-02-02 · via Blog on 1Password Blog

A few days ago, I published a post about why OpenClaw feels like a portal to the future, and why that future is scary in a very specific way.

The short version: agent gateways that act like OpenClaw are powerful because they have real access to your files, your tools, your browser, your terminals, and often a long-term “memory” file that captures how you think and what you’re building. That combination is exactly what modern infostealers are designed to exploit.

This post is the uncomfortable, “and then it happened” follow-up.

Because it’s not just that agents can be dangerous once they’re installed. The ecosystem that distributes their capabilities and skill registries has already become an attack surface.

An orange-red warning box that says "Warning: do not use OpenClaw on a company device"

If you are experimenting with OpenClaw, do not do it on a company device. Full stop.

In my first post, I described OpenClaw as a kind of Faustian bargain. It is compelling precisely because it has real access to your local machine, your apps, your browser sessions, your files, and often long-term memory. That same access means there isn’t yet a safe way to run it on a machine that holds corporate credentials or has access to production systems.

If you have already run OpenClaw on a work device, treat it as a potential incident and engage your security team immediately. Do not wait for symptoms. Pause work on that machine and follow your organization’s incident response process.

Skills are just markdown. That’s the problem.

In the OpenClaw ecosystem, a “skill” is often a markdown file: a page of instructions that tells an agent how to do a specialized task. In practice, that markdown can include links, copy-and-paste commands, and tool call recipes.

That sounds harmless until you remember how humans, and agents, actually consume documentation:

  • “Here’s the prerequisite.”

  • “Run this command.”

  • “Install the core dependency.”

  • “Paste this in Terminal.”

Markdown isn’t “content” in an agent ecosystem. Markdown is an installer.

A gray warning box that says "A dangerous misconception: MCP makes skills safe"

A dangerous misconception: “MCP makes skills safe”

Some people assume the Model Context Protocol layer makes this safer, because tools can be exposed through a structured interface, with explicit user consent and authorization controls depending on the host and server implementation. 

But skills do not need to use MCP at all.

The Agent Skills specification places no restrictions on the markdown body, and skills can include whatever instructions will “help agents perform the task,” including copy and paste terminal commands. And skills can also bundle scripts alongside the markdown, which means execution can happen outside the MCP tool boundary entirely. 

So if your security model is “MCP will gate tool calls,” you can still lose to a malicious skill that simply routes around MCP through social engineering, direct shell instructions, or bundled code. MCP can be part of a safe system, but it is not a safety guarantee by itself.

Just as importantly, this is not unique to OpenClaw. “Skills” are increasingly portable because many agents are adopting the open Agent Skills format, in which a skill is a folder centered on a SKILL.md file with metadata and freeform instructions, and it can also bundle scripts and other resources. Even OpenAI’s documentation describes the same basic shape: a SKILL.md file plus optional scripts and assets. That means a malicious “skill” is not just an OpenClaw problem. It is a distribution mechanism that can travel across any agent ecosystem that supports the same standard.

What I found: The top downloaded skill was a malware delivery vehicle

While browsing ClawHub (I won’t link it for obvious reasons), I noticed the top downloaded skill at the time was a “Twitter” skill. It looked normal: description, intended use, an overview, the kind of thing you’d expect to install without a second thought.

But the very first thing it did was introduce a “required dependency” named “openclaw-core,” along with platform-specific install steps. Those steps included convenient links (“here”, “this link”) that appeared to be normal documentation pointers.

They weren’t.

Both links led to malicious infrastructure. The flow was classic staged delivery:

  1. The skill’s overview told you to install a prerequisite.

  2. The link led to a staging page designed to get the agent to run a command.

  3. That command decoded an obfuscated payload and executed it.

  4. The payload fetched a second-stage script.

  5. The script downloaded and ran a binary, including removing macOS quarantine attributes to ensure macOS’s built-in anti-malware system, Gatekeeper, doesn’t scan it.

I’m intentionally not pasting the exact commands or URLs here. The mechanics are unfortunately straightforward, and repeating them helps attackers more than it helps defenders. The key point is that this was not “a suspicious link.” This was a complete execution chain disguised as setup instructions.

Confirmed: Infostealing malware

I downloaded the final binary safely and submitted it to VirusTotal.

The verdict was not ambiguous. It was flagged as macOS infostealing malware.

A screenshot from a malware identification website, labeling a file as a malicious trojan stealer.

This is the type of malware that doesn’t just “infect your computer.” It raids everything valuable on that device:

  • Browser sessions and cookies

  • Saved credentials and autofill data

  • Developer tokens and API keys

  • SSH keys

  • Cloud credentials

  • Anything else that can be turned into an account takeover

If you’re the kind of person installing agent skills, you are exactly the kind of person whose machine is worth stealing from.

This wasn’t an isolated case. It was a campaign.

After I shared this internally, broader reporting surfaced, putting the scale into focus: hundreds of OpenClaw skills were reportedly involved in distributing macOS malware via ClickFix-style instructions.

That detail matters because it confirms what this really is.

Not a one-off malicious upload.

A deliberate strategy: use “skills” as the distribution channel, and “prerequisites” as the social engineering wrapper.

When ‘helpful’ becomes hostile in an agent world

We’ve spent years learning that package managers and open-source registries can become supply chain attack vectors.

Agent skill registries are the next chapter, except that the “package” is documentation.

And that makes the attack path even smoother:

  • People don’t expect a markdown file to be dangerous.

  • People are trained to follow setup steps quickly.

  • People trust “top downloaded” as a proxy for legitimacy.

  • And in agent ecosystems, the line between reading instructions and executing them collapses.

Even if an agent can’t run shell commands directly, it can still do something dangerous: it can normalize risky behavior.

It can confidently summarize a malicious prerequisite as “the standard install step.” It can encourage you to paste a one-liner. It can reduce hesitation.

And if your agent can execute local commands, then a malicious skill isn’t “bad content.” It’s remote execution wrapped in friendly docs.

What you should do right now

If you are using OpenClaw or any skill registry

Do not run this on a company device. There isn’t a safe way to do it. If you already did, or you ran any “install” commands from a skill, engage your security team immediately and treat it as a potential compromise.

  • Stop using the device for sensitive work.

  • Rotate sessions and secrets first: browser sessions, developer tokens, SSH keys, cloud console sessions.

  • Review recent sign-ins for email, source control, cloud, CI/CD, and admin consoles.

If you experiment anyway, use an isolated machine with no corporate access and no saved credentials.

If you run a skill registry

You are operating an app store. Assume it will be abused.

  • Scan for one-liner installers, encoded payloads, quarantine removal, password-protected archives.

  • Add provenance and publisher reputation.

  • Put warnings and friction on external links and install steps.

  • Review top-ranked skills and remove malicious ones fast.

Markdown is executable intent here.

If you build agent frameworks

Assume skills will be weaponized.

  • Default-deny shell execution.

  • Sandbox access to browsers, keychains, and credential stores.

  • Use permissions that are specific, time-bound, and revocable.

  • Add friction for remote code and command execution.

  • Log provenance and actions end-to-end.

Designing for the future: The trust layer agents require

This is the clearest proof yet of the point I made in my earlier post. OpenClaw is powerful because it collapses the distance between intent and execution. That is the magic. It also introduces significant risk. When capabilities are distributed as skills and installed via documentation, the registry becomes a supply chain, and the easiest install path becomes the attacker’s favorite path. 

The answer is not to stop building agents. The answer is to build the missing trust layer around them. Skills need provenance. Execution needs mediation. Permissions need to be specific, revocable, and continuously enforced, not granted once and forgotten. If agents are going to act on our behalf, credentials and sensitive actions cannot be “grabbed” by whatever code happens to run. They need to be brokered, governed, and audited in real time.

This is exactly why we need that next layer: when “skills” become the supply chain, the only safe future is one in which every agent has its own identity and has the minimum authority it needs right now, with access that is time-bound, revocable, and attributable.

News and updates for developers

Subscribe to our developer newsletter to be the first to know about new betas, tools, and resources for developers.