Skills marketplace is full of stuff - like API keys and credit card numbers - that crims will find tasty


Another day, another vulnerability (or two, or 200) in the security nightmare that is OpenClaw.

Over the last two days, researchers have disclosed additional issues with OpenClaw - the vibecoded and famously insecure AI agent farm formerly known as Clawdbot and then Moltbot. Specifically, they say that the open source agent platform is vulnerable to indirect prompt injection, allowing an attacker to backdoor a user's machine and then steal sensitive data or perform destructive operations.

Plus, as other threat hunters have recently found, the ClawHub marketplace for OpenClaw is teeming with malware and leaky agent skills that expose sensitive credentials.

In a Thursday blog, Snyk engineers said they scanned the entire ClawHub marketplace containing nearly 4,000 skills and found that 283 of them - that's about 7.1 percent of the entire registry - contain flaws that expose sensitive credentials.

"They are functional, popular agent skills (like moltyverse-email and youtube-data ...


Copyright of this story solely belongs to theregister.co.uk.