OpenClaw Agent Suspicious Child Process Execution

OpenClaw (formerly Clawdbot, rebranded to Moltbot) is an AI coding assistant that can execute shell commands and scripts. Threat actors are exploiting the skill ecosystem (ClawHub) to distribute malicious skills, observed as early as January 2026, that execute download-and-execute commands, targeting cryptocurrency wallets and credentials. These skills are often obfuscated and distributed through public registries like ClawHub. The attacks leverage the AI agents’ ability to execute commands through skills or prompt injection. Defenders should monitor for suspicious child processes spawned by Node.js processes running OpenClaw/Moltbot, as these may indicate malicious activity originating from compromised or malicious skills. This activity has been observed across Linux, macOS, and Windows environments.

Attack Chain

1. A user installs the OpenClaw agent, potentially from a legitimate or typosquatted domain.
2. The user installs a malicious skill from ClawHub or is subject to a prompt injection attack.
3. The OpenClaw agent, running under Node.js, receives a command to execute a shell command.
4. The Node.js process spawns a shell process (e.g., bash, sh, cmd.exe, powershell.exe).
5. The shell process executes a command to download a payload from a remote server using tools like curl or certutil.
6. The downloaded payload is saved to disk, often with an obfuscated name.
7. The shell process executes the downloaded payload using chmod +x and ./, rundll32.exe, or powershell.exe.
8. The payload performs malicious actions such as credential theft or cryptocurrency wallet compromise.

Impact

Compromised OpenClaw agents can lead to cryptocurrency wallet theft, credential compromise, and potential data exfiltration. A successful attack allows threat actors to gain access to sensitive data and potentially pivot to other systems on the network. The number of victims is currently unknown, but the targeting of cryptocurrency wallets suggests financially motivated actors. The observed typosquatting activity indicates a campaign to impersonate the legitimate software and trick users into installing malicious versions.

Recommendation

• Monitor process creation events for suspicious child processes of Node.js processes running OpenClaw/Moltbot, specifically shells and scripting interpreters, using the provided Sigma rule (Execution via OpenClaw Agent - Linux/macOS/Windows).
• Block known typosquat domains (moltbot.you, clawbot.ai, clawdbot.you) at the DNS resolver based on the IOCs provided.
• Implement application control policies to restrict the execution of unsigned or untrusted executables, mitigating the impact of downloaded payloads.
• Review OpenClaw skill installation logs and user AI conversation history for signs of malicious activity or prompt injection attempts.
• Enable process command-line auditing to capture the full command line of spawned processes, aiding in the identification of malicious commands.
• Deploy the Sigma rule to detect execution of curl/certutil downloads (OpenClaw Download Activity).