What a Malware-Filled AI Agent Marketplace Tells Us About How the Industry Keeps Making the Same Mistake

I've spent the better part of my career watching organizations adopt new technology faster than they can secure it, and documenting what happens when the gap between those two things gets wide enough. OpenClaw is an AI agent platform that lets organizations deploy AI assistants capable of browsing the web, running code, managing files, and pulling in third-party skills to extend what the agent can do. It had been gaining serious traction in enterprise environments. So when its skill marketplace filled up with malware, I laughed. The deep laugh, the one that comes from recognition rather than amusement, because nothing about this was unpredictable to anyone who had been paying attention.

OpenClaw was built to ship fast and figure out the security questions later, and later never showed up. The first serious audit, back in January this year, found 512 vulnerabilities, eight of them critical. Authentication was switched off by default. OAuth credentials — the digital keys that grant applications access to your accounts without requiring a password — were stored in plaintext on disk, readable by anyone who got that far. That was before anyone got creative.

Security advisories followed at a pace of roughly one every fifteen hours, and the worst of them scored a 9.9 out of 10 on the standard vulnerability severity scale. To put that in context, a perfect 10 means an attacker can take over a system with no barriers whatsoever. A 9.9 means there's barely a speed bump. That particular flaw let a single automated request hand an attacker full administrative control of the entire platform. Microsoft's own security team eventually said out loud that OpenClaw wasn't appropriate to run on a standard work machine. The infostealer crews agreed, quietly adding OpenClaw's file paths to their loot lists while everyone else was still admiring the demo.

The skill marketplace was just the most recent chapter. What follows is the part nobody wants to sit with: why this keeps happening, how the same mistakes get made with every new wave of technology, and what it takes to break the cycle.

Convenient Installs, Maximum Blast Radius

The platform being reckless was one problem. The people installing it without asking a single question were the other, and in some ways the bigger one.

Marketplace skills are bolt-on add-ons written by strangers, dropped into a tool that already couldn't keep its own front door shut, and handed the same trust as everything else on the shelf. A third-party plugin carries every risk the platform carries, plus the risk of whoever wrote it and whatever they decided to put in it. The people who wired OpenClaw into their workflows without a second thought are, pretty much by definition, the same people who already gave it access to everything: email, files, credentials, the works. They handed the risky thing administrative access and went to lunch.

For attackers, showing up was enough. The victims had pre-selected themselves for maximum blast radius before anyone malicious appeared in the picture. The person most likely to install something risky without asking questions is almost always the same person who already handed it access to everything. That pattern is as consistent as anything else in security. The head of IT in the next section made the same call. The tools were different, but the logic was identical.

Am I shocked? About as shocked as I am watching a student driver introduce their front bumper to a parking bollard, or the evening I grabbed a 450-degree cookie sheet bare-handed out of the oven and stood there blinking at the blister like physics had personally let me down. Some outcomes are just physics on a short delay.

The Head of IT Who Set Off Live Ransomware to Win an Argument

There's a personality type that shows up consistently in security incidents. It's the person who genuinely believes the controls exist for other people's problems, not theirs. Their work is too important, their timeline too tight, their use case too unique. The guardrails are friction, and friction is the enemy of getting things done.

I watched this play out in the most literal way possible years back, running a Security Operations Center (SOC), the team responsible for monitoring an organization's systems for threats and responding when something goes wrong. A head of IT decided to test our incident response by setting off live ransomware inside the production network. To make the test feel authentic, they turned off every security control the organization had, one at a time, while we watched it happen on our screens. Firewall, endpoint protection, intrusion detection, content filtering, all of it gone, because having it running would have gotten in the way. We called them. They let it ring. When the dust settled, they were proud of the result. What they'd demonstrated was that if you remove every layer designed to contain a threat, the threat does exactly what it was always going to do. The outcome was a self-fulfilling prophecy, not a test result.

The organizations standing up AI agent platforms today without authentication, without vetting, without any of the controls the software industry spent two decades building, are running the same experiment. The guardrails feel like friction. The timeline is tight. And so the same mistakes the industry already paid for get rebuilt from scratch, with a fresh look of betrayal when they land exactly the way they always do. I wrote last fall that agentic AI was the security chaos of the nineties on rerun. The OpenClaw marketplace is the latest evidence I didn't need.

We Already Wrote the Playbook. Twice.

The security industry didn't stumble onto the risks of running untrusted third-party code with elevated access to sensitive systems. We lived through it, repeatedly, across two decades of supply chain incidents in software registries, build pipelines, and cloud infrastructure. We documented it, built controls around it, and published the lessons. The entire body of knowledge for how to do this safely is already written down.

An AI agent with a plugin marketplace runs on the same risk model as any other software supply chain: untrusted code running with elevated access to your systems, touching your data, acting on your behalf.

The controls that apply are the same ones that always applied:

  • Scope access tightly to what the agent genuinely needs
  • Isolate it from systems it has no business touching
  • Vet what you install before you install it
  • Build your environment on the assumption that something will eventually go wrong, because something eventually will
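Those four controls translate directly into a pre-install gate for third-party skills. The following is an added example, not OpenClaw's code or any real marketplace's API: the manifest shape, the permission names, the policy sets and the "reviewed artifact" are all constructed for illustration. It refuses any skill that lacks a reviewed, pinned artifact, refuses anything that touches a forbidden capability class, applies default-deny to every other requested permission, and grants an approved skill only the scope it asked for rather than the platform's own grant.

```python
"""Pre-install gate for third-party agent skills (constructed example).

Applies the four controls from the text to one install request:
vet (pinned artifact hash), isolate (forbidden capability classes),
scope (default-deny permission policy), assume failure (minimal grant).
"""
import hashlib
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed policy: the only permissions this deployment will delegate to
# any marketplace skill. Default-deny: a request not listed here fails.
ALLOWED_PERMISSIONS = {"read:calendar", "read:docs", "network:fetch"}

# Constructed: permission patterns never delegated to a skill, even if someone
# later widens ALLOWED_PERMISSIONS by mistake. These let a skill act as the
# platform (or as the user) rather than within a bounded task.
FORBIDDEN_PATTERNS = {"fs:write:*", "exec:*", "credentials:*", "admin:*"}

# Constructed artifact standing in for a reviewed skill package. In a real
# deployment the pinned digest comes from the review record, not from the
# artifact that is about to be installed.
REVIEWED_ARTIFACT = b"def summarize(events): return [e['title'] for e in events]\n"
PINNED_ARTIFACTS = {
    "calendar-summarizer": hashlib.sha256(REVIEWED_ARTIFACT).hexdigest(),
}


@dataclass
class Decision:
    allowed: bool
    granted: frozenset = frozenset()
    reasons: list = field(default_factory=list)


def vet_skill(manifest: dict, artifact: bytes) -> Decision:
    """Decide whether one skill may be installed and with what scope.

    manifest: constructed shape {"name": str, "version": str, "permissions": [str]}
    artifact: the skill package bytes exactly as downloaded.
    Every failed check is recorded, not just the first, so the reviewer sees
    the whole picture.
    """
    reasons = []
    name = manifest.get("name")
    requested = set(manifest.get("permissions", []))

    # 1. Vet: only skills with a reviewed, pinned artifact may install at all.
    pinned = PINNED_ARTIFACTS.get(name)
    if pinned is None:
        reasons.append(f"skill {name!r} has no reviewed artifact pinned")
    else:
        digest = hashlib.sha256(artifact).hexdigest()
        if digest != pinned:
            reasons.append(
                f"artifact hash {digest[:12]}... does not match pinned {pinned[:12]}..."
            )

    # 2. Isolate: anything in a forbidden capability class is refused outright.
    forbidden = {
        p for p in requested if any(fnmatch(p, pat) for pat in FORBIDDEN_PATTERNS)
    }
    if forbidden:
        reasons.append(f"requests forbidden permissions: {sorted(forbidden)}")

    # 3. Scope: every remaining permission must be explicitly allowed.
    out_of_scope = (requested - forbidden) - ALLOWED_PERMISSIONS
    if out_of_scope:
        reasons.append(f"requests permissions outside policy: {sorted(out_of_scope)}")

    # 4. Assume failure: an approved skill receives only what it requested and
    #    policy permits, never the platform's full grant.
    if reasons:
        return Decision(allowed=False, reasons=reasons)
    return Decision(allowed=True, granted=frozenset(requested))


if __name__ == "__main__":
    good = {"name": "calendar-summarizer", "version": "1.0",
            "permissions": ["read:calendar"]}
    greedy = {"name": "calendar-summarizer", "version": "1.0",
              "permissions": ["read:calendar", "exec:shell", "mail:send"]}
    for label, m, a in [("good", good, REVIEWED_ARTIFACT),
                        ("tampered", good, REVIEWED_ARTIFACT + b"# extra\n"),
                        ("greedy", greedy, REVIEWED_ARTIFACT)]:
        d = vet_skill(m, a)
        print(label, "ALLOW" if d.allowed else "DENY", sorted(d.granted) or d.reasons)
```

The ordering matters less than the fact that all four checks run on every request: a skill with a perfect hash still fails on scope, and a skill with a modest permission list still fails without a review pin. The wildcard patterns in `FORBIDDEN_PATTERNS` act as a backstop so that a later, careless widening of the allowlist cannot quietly hand out shell execution or credential access.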

OpenClaw went the other way on all of it. The head of IT who disabled every security layer walked away proud while the building burned. The thread running through both stories is the same one running through every preventable security incident: someone decided the rules didn't apply to their situation, skipped the controls that existed for exactly this reason, and expressed genuine surprise when the outcome arrived on schedule.

The playbook for getting this right isn't complicated and it isn't new. The only question is whether you use it before the incident or after. I'll help you either way. What I won't do is call the people who switched off every light in the house victims of the dark.