the #1 most downloaded skill on OpenClaw marketplace was MALWARE
it stole your SSH keys, crypto wallets, browser cookies, and opened a reverse shell to the attackers server
1,184 malicious skills fo...
To balance your fear-monger, there’s been multiple corrective actions and mitigations, starting February 6 and even earlier:
“
- **Feb 19 (v2026.2.19)**: 40+ fixes incl. block unsafe deep-merge keys (prototype pollution); harden Windows command injection; node-scoped URLs (mitigate SSRF); stricter IPv4 checks; trusted-sender Discord validations; ACP secret-file/workdir constraints; plugin/hook path containment; centralized Discord moderation; hardened ACP sessions (refresh/reaping/eviction/rate limiting for DoS); remove untrusted shell interpolations in coding-agent skills.
- **Feb 16 (v2026.2.15)**: 40+ hardening fixes incl. SHA-256 sandbox hashing; token/log redaction; block dangerous sandbox configs (container escapes); sensitive session redaction; fail-closed webhooks; per-skill download restrictions; web fetch size caps (memory exhaustion); sensitive-key whitelisting; git hook injection prevention; malformed session rejection; chat send sanitization (strip controls/Unicode); UI XSS prevention; workspace path sanitization (prompt injections); secure metadata for context tokens.
- **Feb 14 (v2026.2.13)**: Hardening incl. block high-risk tools (e.g., sessions_spawn/gateway) from HTTP invokes; fail-closed ACP permissions for ambiguous tools.
- **Feb 13 (v2026.2.12)**: Fixes incl. prevent unauthenticated Nostr tampering; remove bundled evil hooks; hook session audits/warnings; confine skill sync to sandbox roots; treat web/browser content as untrusted (output wrapping/stripping for prompt injections); constant-time secret comparisons/auth throttling; require auth for browser routes (auto-generated tokens).”
“
- **Feb 19 (v2026.2.19)**: 40+ fixes incl. block unsafe deep-merge keys (prototype pollution); harden Windows command injection; node-scoped URLs (mitigate SSRF); stricter IPv4 checks; trusted-sender Discord validations; ACP secret-file/workdir constraints; plugin/hook path containment; centralized Discord moderation; hardened ACP sessions (refresh/reaping/eviction/rate limiting for DoS); remove untrusted shell interpolations in coding-agent skills.
- **Feb 16 (v2026.2.15)**: 40+ hardening fixes incl. SHA-256 sandbox hashing; token/log redaction; block dangerous sandbox configs (container escapes); sensitive session redaction; fail-closed webhooks; per-skill download restrictions; web fetch size caps (memory exhaustion); sensitive-key whitelisting; git hook injection prevention; malformed session rejection; chat send sanitization (strip controls/Unicode); UI XSS prevention; workspace path sanitization (prompt injections); secure metadata for context tokens.
- **Feb 14 (v2026.2.13)**: Hardening incl. block high-risk tools (e.g., sessions_spawn/gateway) from HTTP invokes; fail-closed ACP permissions for ambiguous tools.
- **Feb 13 (v2026.2.12)**: Fixes incl. prevent unauthenticated Nostr tampering; remove bundled evil hooks; hook session audits/warnings; confine skill sync to sandbox roots; treat web/browser content as untrusted (output wrapping/stripping for prompt injections); constant-time secret comparisons/auth throttling; require auth for browser routes (auto-generated tokens).”