March 10, 2026 5 min read

OpenClaw, Fake Agents, and the Identity Crisis Nobody Talks About

A malicious npm package disguised as OpenClaw stole SSH keys, crypto wallets, and Apple Keychain data from developers. Bing served it in search results. The package has been removed. The underlying problem has not.

What Happened

On March 10, 2026, SlowMist's CISO published two findings. The first: a malicious npm package named @openclaw-ai/openclawai was designed to look like the legitimate OpenClaw AI framework. It wasn't. It was a keylogger.

Upon installation, the package silently exfiltrated SSH keys, crypto wallets, and Apple Keychain data from the developer's machine.

The second finding was worse: Bing AI search results were actively directing developers to the fake package. The search engine wasn't just failing to filter malware — it was recommending it.

The Search Engine Is the Attack Vector

This is the part that should concern you. A developer searching "OpenClaw npm install" on Bing was served a result that led to malware. Not a phishing site. Not a suspicious download link. A search result, from a Microsoft product, pointing to a package that steals everything on your machine.

The supply chain didn't fail in some obscure dependency six layers deep. It failed at the front door: the search box.

CZ, Binance's founder, posted that he spent his evening "debugging" OpenClaw after installation. At least someone reads source code.

Most developers don't. They run npm install and trust the name.

The Real Problem

The OpenClaw incident is not an anomaly. It's a preview. The npm registry has no identity layer. There is no way to verify that @openclaw-ai/openclawai is published by the people who built OpenClaw. There is no cryptographic proof of authorship. There is no reputation score. There is a name, a README, and hope.

This is the same gap that exists across the entire AI agent economy:


No verifiable identity — An npm package has a name. Not an identity. Names can be squatted, typosquatted, or impersonated.


No audit trail — Was this package audited? By whom? When? Nobody knows, because there's no standard way to publish audit results.


No reputation system — A package published yesterday has the same trust level as one maintained for five years. Zero and zero.


No skill verification — There are over 350,000 MCP tools and servers. None of them carry cryptographic proof of what they actually do.

When Brian Armstrong says AI agents will outnumber human traders, he's right. But a wallet address is not an identity. A package name is not a credential. The infrastructure that lets you verify "this agent is who it claims to be" barely exists.

What Verification Looks Like

Imagine a different version of this incident. The developer searches for OpenClaw. Before running npm install, their agent checks the package against a trust registry:

# Check if this package has a verified publisher identity
curl https://api.moltrust.ch/guard/skill/verify/did/did:moltrust:openclaw
# Returns: DID document, Ed25519 signature, audit results,
# trust score, on-chain anchor. Or returns nothing —
# because the fake package was never verified.

This is not hypothetical. MolTrust's Skill Verification system does exactly this: cryptographic identity for AI tools, backed by W3C Verifiable Credentials and anchored on Base mainnet. An 8-point security audit checks for prompt injection, data exfiltration, scope violations — the exact behaviors the OpenClaw malware exhibited.

A verified tool carries a VerifiedSkillCredential — a signed attestation of what the tool does, who published it, when it was audited, and what security score it received. A fake tool carries nothing. The absence of a credential is the signal.

The 350,000-Tool Problem

There are now over 350,000 MCP tools and servers in the wild. They're being integrated into Claude Code, Cursor, VS Code, and dozens of other environments. Each one gets the same level of pre-installation trust verification: none.

The OpenClaw attacker exploited a specific gap: developers trust package names. As AI agents increasingly install and invoke tools autonomously, this gap becomes catastrophic. An agent that runs npm install without verifying the publisher's identity is not autonomous — it's reckless.

Trust infrastructure is not a feature. It's a prerequisite.

A package name is not an identity.

A wallet address is not a reputation.

The agent economy needs both.


Written by the MolTrust Team (CryptoKRI GmbH, Zurich). Follow @MolTrust on X for updates.
