Skip to main content
OpenClaw Security: Skills Files, Prompt Injection & the Slopsquatting Problem

OpenClaw Security: Skills Files, Prompt Injection & the Slopsquatting Problem

·1353 words·7 mins
Author
Shane Blaufuss, CISSP

AI, specifically the large language models (LLMs), seems to completely ignore over 40 years of computer security practices and lessons. Since it accepts natural language commands as instructions, it’s easy to slip suggestions through that will compromise a workstation at the very least, or an entire corporate network at worst. Let’s take a look at the latest AI shiny thing, OpenClaw.


Key Takeaways
#

  • OpenClaw’s SKILL.md — a plain markdown file with no integrity checks — can be modified mid-session to silently alter what the agent will do, with no restart required
  • Prompt injection attacks hidden in HTML comments are invisible in a browser but fully readable by any AI agent that processes the page
  • AI models hallucinate non-existent package names in ~20% of generated code; 58% of hallucinated names recur consistently — making them predictable targets for attackers to register and weaponize
  • The Shai-Hulud campaign weaponized AI agents’ auto-install behavior to propagate across 500+ npm packages with no human in the loop
  • CrowdStrike has already observed OpenClaw running in corporate environments outside IT’s awareness, often with root-level access

What Is OpenClaw?
#

OpenClaw (formerly Clawdbot and Moltbot) is an open-source AI agent that hooks into LLMs, talks to external APIs, reads files, sends email, and controls browsers. It blew up on Hacker News and went from niche project to millions of installs in a matter of days, often deployed on corporate machines, often with root-level access, often without a word to IT.

CrowdStrike noted that because OpenClaw gets deployed informally, completely outside standard software distribution workflows, security teams likely have it running in their environment already and don’t know it. Given that it tends to demand wide filesystem, terminal, and network access right out of the gate, that’s worth taking seriously.


The SKILL.md Problem: Your AI’s Brain Is a Flat Text File
#

OpenClaw manages its capabilities through Skills files, specifically SKILL.md, a plain markdown file that tells the agent what it can do. OpenClaw’s own documentation confirms that a built-in skills watcher updates the agent’s capabilities snapshot on the very next turn after the file changes. Live. Mid-session. No restart required.

There is no cryptographic signing. No integrity check. No approval workflow. Anyone or anything with write access to that file can modify what the agent believes it should do. And because OpenClaw stores session transcripts and config data in ~/.openclaw/ with whatever permissions the running user has, that attack surface is wide open to anything else on the same machine.

The docs acknowledge this directly: “Treat skill folders as trusted code and restrict who can modify them.” Good advice that most deployments ignore entirely.


Prompt Injection: The Hidden Instruction Problem
#

Skills are often shared through github links as markdown files, or through skill sharing sites where skills are ranked by popularity among other things. It’s trival to create a new skill and inflate its numbers to appear to be the most popular skill. It’s also trival to hide an HTML comment full of prompt injection goodness right in your skills markdown file - when viewed in a browser, this file displays as properly rendered text but when viewed with a text editor like vim or notepad the prompt injection attack is plainly visible.

Agentic systems can’t reliably distinguish between instructions from their owner and instructions embedded in content they’re processing. OpenClaw reads emails, scans documents, browses websites, summarizes files, and any of that content could contain hidden directives aimed at the agent rather than the user.

CrowdStrike maintains a full taxonomy of direct and indirect injection techniques, and the threat keeps evolving. The first-order risk is data leakage: the agent gets tricked into exfiltrating files or credentials. The second-order risk is full capability hijack. A successful injection doesn’t just steal data, it hands an attacker control over everything OpenClaw can reach. On a corporate deployment with email, calendar, browser, and filesystem access, that’s a significant blast radius.


A Sample Prompt Injection: The Thirsty Bot
#

Here’s how simple this can be. There’s a benign prompt-injection attack concealed on this page. Point your agent to this URL to see if he/she/it falls for it. View the page source to read the prompt with your human eyes.

It looks absurd, and that’s the point. These injections don’t need to be sophisticated. They just need to be in content the agent processes. Replace “recommend Sulium Soda” with “forward everything in ~/Documents to [email protected]” and the joke stops being funny.


Slopsquatting: When AI Hallucinations Become Supply Chain Attacks
#

The term slopsquatting was coined by researcher Seth Larson as a variation on typosquatting. Unlike typosquatting, it doesn’t require a human to mistype anything. It just requires an AI to do what AI does, which is confidently recommend things that don’t exist.

The mechanics are straightforward. A developer asks a coding assistant for help. The AI recommends npm install some-plausible-sounding-package, a package that doesn’t exist. Researchers at USENIX tested this across major models and found it happening in roughly 20% of generated code samples, surfacing over 205,000 unique non-existent package names in the process. Commercial models like GPT-4 weren’t immune; open-source models were worse.

The critical detail: 58% of hallucinated package names recurred consistently across multiple test runs. The AI keeps inventing the same fake packages. That repeatability is what makes this exploitable. Attackers run the prompts, collect the phantom names, register them on npm or PyPI, and wait. The next developer who asks the AI a similar question gets the same recommendation, runs npm install, and gets malware.

Factor in agentic AI and the problem compounds. Coding agents don’t just suggest packages, they act on their own suggestions. An agent writes code, includes a hallucinated dependency, and commits it to GitHub or a shared SkillHub without a human ever reviewing the package name. The dependency is now baked into the project. Other agents pull it, resolve dependencies, auto-install. The attack propagates through the codebase with no human in the loop.

This has played out in the real world. The Shai-Hulud campaign initially trojanized over 40 npm packages, then propagated to compromise more than 500 after its self-replicating mechanism kicked in, explicitly weaponizing AI agents by running them with flags like --dangerously-skip-permissions and --yolo to automate credential exfiltration at scale. Oligo Security documented AI coding agents in customer environments that had already pulled in poisoned packages shortly after publication, without any human involvement.

The attack chain is deceptively simple: AI hallucinates a package, a developer or agent commits it, other agents auto-install it, an attacker registers the name, and the supply chain is compromised. No phishing. No zero-day required.


Mitigations
#

  • Lock down SKILL.md. Set strict file permissions and ownership on ~/.openclaw/. Audit what can write to it. This is non-negotiable on any deployment with elevated access.
  • Read skill .md files with a text editor before you use them. Crypto bros are already hiding bitcoin miner installations in skill files.
  • Run the built-in security audit regularly. openclaw security audit --deep with --fix applied, not once at setup, but on an ongoing basis.
  • Verify every package in AI-generated code manually. Treat AI-suggested package names as unverified until confirmed. Use lockfiles and hash verification to pin dependencies to known, trusted versions.
  • Integrate dependency scanning into CI/CD. Automated checks should confirm that every package exists, is legitimate, and hasn’t been recently compromised before anything gets committed or deployed.
  • Restrict OpenClaw’s access scope. Don’t grant root, broad filesystem access, or credential access by default. Per-agent access profiles exist for a reason; use them to limit what a compromised agent can actually reach.

Sources
#