
OpenClaw malicious skills: what agentic AI changes for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Cisco’s AI Defense team found nine vulnerabilities in OpenClaw’s top community skill, including two critical issues, and identified at least 230 malicious extensions in ClawHub since January 27, 2026, according to AuthMind. The deeper problem is that autonomous agents combine credential access, extensibility, and persistence in ways traditional IAM and IGA models were never built to observe or govern.

NHIMG editorial — based on content published by AuthMind: LLMjacking: How Attackers Hijack AI Using Compromised NHIs

By the numbers:

Questions worth separating out

Q: What breaks when autonomous agents can install unreviewed skills?

A: The control that breaks first is trust in the extension layer.

Q: Why do autonomous agents complicate IAM oversight even when access is approved?

A: Because approval proves only that a human authorised the grant, not that the subsequent use was safe or expected.

Q: How do security teams know whether an agent is using credentials within scope?

A: They need to compare the credential’s expected purpose with the sequence of actions that follows authentication.

Practitioner guidance

  • Audit agent extensibility paths: inventory every place users can install community skills, plugins, or extensions that run with agent privileges.
  • Separate authorisation from usage monitoring: correlate OAuth grants, token issuance, and session actions so you can see when a legitimate grant is later used by an autonomous agent in ways the human user did not intend.
  • Treat memory-bearing agents as stateful identities: define boundaries for what persistent memory may retain, reset that memory when trust changes, and log cross-session access patterns that show whether the agent is behaving consistently over time.
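The correlation described in the second bullet (and in the Q&A above on checking whether credential use matches the grant's purpose), as an added example that is not part of the NHIMG post or the AuthMind article. All records, field names, scope strings and action names are constructed and hypothetical; the point is the join from grant to token to session action, and the three things that join makes visible: a token with no recorded grant, an action that needs a scope the grant never had, and an in-scope action that the grant's stated purpose does not require.

```python
"""Correlate OAuth grants -> issued tokens -> session actions and flag agent
usage that falls outside what the human approved the grant for.

Everything below is constructed sample data for this example; the field
names, scopes and action names are hypothetical, not a real API.
"""
from collections import defaultdict

# Human-approved grants. `scopes` is what the authorisation server issued;
# `expected_actions` is the narrower set of operations the stated purpose needs.
# Note g-1 was approved with a broader scope (mail.send) than its purpose requires.
GRANTS = {
    "g-1": {"user": "alice", "client": "openclaw-agent", "purpose": "summarise inbox",
            "scopes": {"mail.read", "mail.send"},
            "expected_actions": {"mail.list", "mail.get"}},
    "g-2": {"user": "bob", "client": "openclaw-agent", "purpose": "open pull requests",
            "scopes": {"repo.read", "repo.write"},
            "expected_actions": {"repo.clone", "repo.push", "pr.create"}},
}

# Token issuance records link each bearer token back to the grant it came from.
TOKENS = {"t-1": "g-1", "t-2": "g-2"}

# Scope each action requires, used to spot attempts beyond the issued scopes.
ACTION_SCOPE = {
    "mail.list": "mail.read", "mail.get": "mail.read", "mail.send": "mail.send",
    "repo.clone": "repo.read", "repo.push": "repo.write", "pr.create": "repo.write",
    "repo.delete": "repo.admin", "secret.read": "secret.read",
}

# Session log (constructed): which token performed which action, driven by which skill.
SESSION_ACTIONS = [
    {"ts": 101, "token": "t-1", "action": "mail.list",   "skill": "inbox-summary"},
    {"ts": 102, "token": "t-1", "action": "mail.send",   "skill": "inbox-summary"},   # in scope, not needed for purpose
    {"ts": 111, "token": "t-2", "action": "repo.clone",  "skill": "pr-helper"},
    {"ts": 112, "token": "t-2", "action": "repo.push",   "skill": "weather-widget"},  # same grant, different skill
    {"ts": 113, "token": "t-2", "action": "repo.delete", "skill": "pr-helper"},       # needs a scope never granted
    {"ts": 120, "token": "t-9", "action": "secret.read", "skill": "unknown"},         # no grant on record
]


def correlate(grants, tokens, action_scope, session_actions):
    """Return findings as (ts, subject, kind, detail) tuples.

    Per-action findings carry the token as subject; the multi-skill finding
    carries the grant id and ts=None because it is a property of the whole session.
    """
    findings = []
    skills_per_grant = defaultdict(set)
    for ev in session_actions:
        grant_id = tokens.get(ev["token"])
        grant = grants.get(grant_id)
        if grant is None:
            findings.append((ev["ts"], ev["token"], "orphan_token",
                             "token not linked to any recorded grant"))
            continue
        needed = action_scope.get(ev["action"])
        if needed is None:
            findings.append((ev["ts"], ev["token"], "unknown_action", ev["action"]))
            continue
        if needed not in grant["scopes"]:
            # Attempted use beyond the issued scope: the resource server should reject
            # it, but the attempt itself is the signal worth alerting on.
            findings.append((ev["ts"], ev["token"], "beyond_scope",
                             f"{ev['action']} needs {needed}"))
        elif ev["action"] not in grant["expected_actions"]:
            # Approved scope covers it, but the stated purpose never required it.
            findings.append((ev["ts"], ev["token"], "unexpected_use",
                             f"{ev['action']} not needed for '{grant['purpose']}'"))
        skills_per_grant[grant_id].add(ev["skill"])
    # One grant driven by several skills suggests a skill is borrowing credentials
    # the human approved for a different skill's purpose.
    for grant_id, skills in skills_per_grant.items():
        if len(skills) > 1:
            findings.append((None, grant_id, "multi_skill_use", ", ".join(sorted(skills))))
    return findings


if __name__ == "__main__":
    for finding in correlate(GRANTS, TOKENS, ACTION_SCOPE, SESSION_ACTIONS):
        print(finding)
```

The `expected_actions` set is the part most teams lack: scopes record what was approved, while the purpose behind the approval usually lives only in a ticket or a consent screen. Capturing it alongside the grant is what lets the usage check say "authorised but not expected" rather than only "authorised".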

What's in the full article

AuthMind's full analysis covers the operational detail this post intentionally leaves for the source:

  • The full timeline of malicious ClawHub extensions and the security research that identified them.
  • The specific hardening and isolation guidance used in OpenClaw environments.
  • The article’s examples of brokered credential flows and how they change agent access patterns.
  • The vendor’s view of how practitioners should interpret the OpenClaw ecosystem as a preview of agentic AI adoption.

👉 Read AuthMind's analysis of OpenClaw malicious skills and identity risk →
