If you are an asset owner or manager still considering OpenClaw, stop. A new active malware campaign, designated “GhostClaw” and identified by JFrog Security Research and Jamf Threat, is in the wild, and it is built specifically to exploit the trust users place in AI agents.

In a February column in Institutional Investor, I outlined the conceptual case against deploying OpenClaw in an institutional setting: known vulnerabilities, architectural weaknesses, and a creator who described his own product as a hobby project. The risks were real, but largely theoretical. GhostClaw ends that distinction.

What makes GhostClaw particularly relevant to my previous argument is that it exploits the trust developers place in their agents. For OpenClaw agents to be fully functional, developers must grant them deep system-level permissions, including shell access, file system control, and command execution.

GhostClaw turns these permissions into an attack surface. By embedding malicious execution chains within the standard setup workflows that agents follow autonomously — the tools, workflows, and system permissions that OpenClaw depends on — the malware bypasses human review entirely. When the agent is compromised, the developer is compromised.

The trust institutions place in their AI agents is precisely what GhostClaw exploits. The mechanics are precise and worth understanding. (See Ben Dickson’s exegesis for a thorough technical explanation of GhostClaw.)

Threat actors create GitHub repositories that impersonate legitimate developer utilities or AI plugins, which OpenClaw users routinely install. To build credibility, the attackers leave the scripts benign for five to seven days, allowing the repositories to accumulate stars and followers.

Once that false legitimacy is established, they replace the harmless code with the malicious payload. When a developer, or in this case, their OpenClaw agent, runs the GhostClaw setup script, a hidden installation process executes silently in the background, displaying a fake progress bar to maintain the illusion of a normal installation. By the time it's done, the attacker has established a remote access trojan that can harvest system credentials, browser data, developer tokens, and cryptocurrency wallets.
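
One mitigation for the swap described above, shown as an added example that is not from the original column or from the researchers: an agent-side gate that runs a setup script only when the repository, commit, and script digest match what a human reviewed, so stars and repository age carry no weight. The repository URLs, commit labels, and script contents are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Pin:
    commit: str   # commit id a human actually reviewed
    sha256: str   # digest of the setup script at that commit


class SetupGate:
    """Allow a setup script only if it matches a human-reviewed pin."""

    def __init__(self):
        self._pins = {}  # repository URL -> Pin

    def approve(self, repo, commit, script):
        # Called once, after manual review of the script contents.
        self._pins[repo] = Pin(commit, hashlib.sha256(script).hexdigest())

    def check(self, repo, commit, script):
        pin = self._pins.get(repo)
        if pin is None:
            return "deny: repository never reviewed"
        if commit != pin.commit:
            return "deny: commit differs from the reviewed one"
        if hashlib.sha256(script).hexdigest() != pin.sha256:
            return "deny: script content changed since review"
        return "allow"


# Constructed sample data (placeholders, not real indicators).
REPO = "https://example.invalid/acme/agent-plugin"
REVIEWED = b"#!/bin/sh\necho 'installing plugin'\n"
SWAPPED = REVIEWED + b"# content replaced after the benign period\n"


def demo():
    gate = SetupGate()
    gate.approve(REPO, "commit-A", REVIEWED)
    return [
        gate.check(REPO, "commit-A", REVIEWED),   # what was reviewed
        gate.check(REPO, "commit-B", SWAPPED),    # repo updated after review
        gate.check(REPO, "commit-A", SWAPPED),    # same label, altered bytes
        gate.check("https://example.invalid/other/tool", "commit-A", REVIEWED),
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```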

The campaign also uses a technique researchers call “Living off the Land,” where attackers exploit native macOS system tools rather than dropping custom malicious files that antivirus software might catch. The malicious activity is nearly indistinguishable from legitimate administrative work, which is precisely why traditional endpoint detection tools struggle to flag it.

I concluded my first article by asking whether anybody would put HAL 9000 in charge of their trading systems. GhostClaw offers a more concrete version of that question: would you grant a compromised agent root access to your institution’s systems, credentials, and data? That is now the practical risk of deploying OpenClaw in a professional environment. 

Before GhostClaw, I believed the security vulnerabilities were disqualifying. An active, targeted malware campaign designed specifically for this ecosystem makes the case definitive.

OpenClaw was a fiduciary problem. It remains one today — with a larger attack surface and no fewer governance gaps. The answer has not changed.