Deceptive “DeepSeek-Claw” Skill Hijacks OpenClaw Agents to Steal Credentials

Security researchers at Zscaler ThreatLabz have uncovered a deceptive campaign targeting the OpenClaw framework—an open-source tool designed for AI agents that require high-privilege local system access.

By exploiting the very automation that makes AI agents efficient, threat actors are turning these digital assistants into unwitting accomplices for data theft and persistent system compromise.

OpenClaw (formerly known as Clawdbot or Moltbot) operates on a modular “skill” architecture. In March 2026, researchers identified a malicious skill named “DeepSeek-Claw” published by a threat actor.

The attack is uniquely designed to manipulate the way AI agents process instructions. According to the report, “The threat actor published a deceptive ‘DeepSeek-Claw’ skill for the OpenClaw framework, embedding installation instructions designed to trick AI agents or unsuspecting developers into executing hidden malicious payloads under the guise of seemingly legitimate installation and configuration steps”.

When an AI agent or a developer attempts to install this skill, it triggers a remote Windows Installer (MSI) package that delivers the Remcos Remote Access Trojan (RAT).

The campaign is not limited to Windows environments. For users on macOS and Linux, the attack chain utilizes a sophisticated dropper known as GhostLoader.

To gain the high-level access required for data theft, the malware employs creative terminal-based social engineering. On these systems, the script “uses terminal-based social engineering, such as spoofed sudo password prompts, to trick users into handing over credentials”.

Once the “sudo” hurdle is cleared, GhostLoader begins a sweeping collection of sensitive data, including:

• macOS Keychain information.
• SSH keys and Cloud-based API tokens.
• Cryptocurrency wallets.

On Windows systems, the delivery of GhostLoader is handled through a heavily obfuscated Node.js payload named setup.js, which is embedded directly into the project’s npm lifecycle scripts. The threat actor leveraged “classic DLL sideloading to deploy Remcos RAT as well as Node.js to deploy GhostLoader for data theft”.

By abusing trusted binaries, the attackers are able to blend in with legitimate system activity, making detection significantly more difficult for standard security tools.

The ability of a threat actor to manipulate an autonomous agent into parsing and executing malicious instructions represents a fundamental shift in the attack surface.

As the Zscaler ThreatLabz team concludes, “Organizations must thoroughly check third-party plugins and maintain strict behavioral monitoring of third-party skills to stop these evolving attack chains”.