A Malicious OpenClaw Skill Hid a Base64 Payload, Here Is How to Scan Your Mac in 10 Seconds

A Reddit user just dropped a thread in the OpenClaw subreddit that every single person installing skills needs to read. A skill in the official OpenClaw skills repo on GitHub had a base64 encoded shell payload hidden inside it, dressed up as a normal Google Workspace setup step. Real story. Real source. Real warning. And it surfaced inside the last 24 hours, so this is happening right now.

If you have installed skills from random places online without scanning them first, this post is for you. Run the grep command in section four before you do anything else today. If it comes back empty, you dodged it. If it comes back with hits, you have work to do.

What OpenClaw Skills Are and Why They Are a Security Target

Skills in OpenClaw are little instruction packs that give your agent new powers. Install one and your agent suddenly knows how to talk to Gmail, publish to social, or interact with your file system. They are markdown files with a bit of metadata. Beautiful idea. Massive part of why OpenClaw works at all.

Here is the catch. Once you install a skill, your agent reads it and trusts what it says. If the skill tells your agent to run a command, your agent runs that command. Drop a hidden bash payload inside a skill and you basically just gave a stranger a shell on your machine. Game over.

That trust is exactly what malware authors target. They are not after security defenders with full SOC tooling. They are after builders, founders, and vibe coders who just want their Gmail agent to work. The whole promise of skills is that you do not have to read every line yourself. The agent reads it for you and acts on it for you. That is also the attack surface.

How the Base64 Payload Was Hidden

The skill in question was called gog, short for Google Workspace CLI integration. Sounds reasonable. Probably hundreds of people installed it. The skill markdown had a section labeled OpenClawDriver Required that looked like a normal setup step for macOS.

The line read like a setup wizard: a long string of base64 characters, piped into base64 decode, piped into bash. To a normal builder that just looks like an install command. To anyone who actually decoded it, it was a curl command pulling a script from a raw IP address, 91.92.242.30, with no domain attached.

The Windows variant of the same skill pointed at a fake OpenClawWinDriver zip hosted on a GitHub repo called toolitletolate/openclaw_windriver. Look at the IP again. It is just a number. No domain. No installer ships from a raw IP. That is your first red flag right there, and it is obvious once you know to look for it.

The Reinstall Problem and the Typosquat Angle

Here is the part that is wild. The user did the right thing. They spotted the payload. They deleted the skill on April 21. Then they reinstalled the same skill cleanly using the same install command, and on April 25 the same malware was back in place.

Why? The skill path on their machine resolved to zaycv/googleworkspace, all one word. The clean version in the repo today lives at zaycv/google-workspace with a hyphen. Tiny difference. Different directory. Different file. That is how typosquat attacks work. Change one character or one word and people install the wrong thing without ever noticing.

One commenter on the thread pointed out that the file on main is clean today, true, but that does not mean every install path is resolving main today. Caches are real. Stale package indexes are real. Old commits are real. A skill that was malicious for any window of time can still be served to users whose installer is resolving something older.

How to Grep Your Own Machine in 10 Seconds

This is the part you need to act on. Open your terminal and run a recursive grep against your OpenClaw directory looking for three strings:

grep -r -E "app-distribution|91\.92\.242|OpenClawDriver" ~/.openclaw

If the result is empty, you are clean. Take a breath, you got lucky on this one. If anything comes back at all, you have the malicious skill on your system and you need to deal with it immediately.

If You Got Hits, Treat It Like a Fire

• Assume host compromise until you can prove otherwise. The payload ran under your user account, so anything your user can read, the payload could read.
• Rotate every token the agent could have touched. API keys, OAuth credentials, anything in a .env file, anything in your keychain.
• Check your shell history for anything you did not run yourself.
• Check launch agents and cron jobs on Mac for anything new that got installed in the background.
• Check outbound network logs, if you have any, for hits to that IP or domain.

One commenter on the thread called this boring incident hygiene, sadly undefeated. He is right. The same dumb cleanup steps are the right answer every single time.

Why Non Technical Builders Are the Real Targets

Most people in this space are not Linux security experts. You are builders. You are entrepreneurs. You got into AI agents because you wanted to ship something, not because you wanted to read every shell command before pasting it.

So when a skill says hey paste this command to install me, you paste it. Of course you do. That is how every skill marketplace works. The base64 trick is clever from the attacker side because it hides the bad stuff from a casual eyeball check. You scroll past it, you see what looks like a config string, you move on. Your agent reads the whole file, sees the decode and run instruction, and obeys. By the time you notice anything weird, the payload has already pulled down whatever it is going to pull down and run it under your user account.

My Standing Rule Before Any Skill Install

I never install a skill until VirusTotal scans it and comes back benign. I do not care how popular the skill is. I do not care if it is in the official repo. I do not care if a YouTuber I trust said it works. Scan it first.

Three things to look for in any skill markdown before you let your agent touch it:

• Base64 strings in install commands. Real installers do not need to obfuscate themselves.
• Raw IP addresses in any install or curl command. Legit installers ship from real domains.
• Curl piped directly into bash, especially when the URL is not from a vendor you recognize.

Hit any one of those three, walk away. There are plenty of clean skills out there. You do not need to take the risk on a sketchy one.

The Bigger Lesson on Community Repos

The official skills repo is not magic. It is a giant pile of community contributions. Some of those contributors are saints. Some are scammers. The repo maintainers do their best, but the base rate of catching every base64 payload before it ships is not high enough for you to outsource your safety to them.

You are still responsible for what runs on your box. That is true of npm packages. That is true of VS Code extensions. That is true of OpenClaw skills. That is true of every package manager that has ever existed. Any system that lets random people upload code and then tells other people to run it has the same Wild West dynamic. Stay skeptical, every single time.

Big credit to the original poster on the OpenClaw subreddit for documenting this publicly instead of quietly cleaning up his own machine. That is the kind of community behavior that keeps the rest of us safe. To the OpenClaw maintainers, please look at how installs are resolving paths because something is letting old payloads come back even after the file on main is clean. That is a real problem worth fixing.

The Move Right Now

Run the grep command. Right now. Not later. Not after lunch. Now.

If it comes back clean, take five seconds and add VirusTotal to your skill install workflow forever. The whole point of OpenClaw is that you can ship faster than you ever could before. The way you keep shipping faster is you do not get knocked offline by some preventable malware that took ten seconds to scan for.

If you want a community of builders who actually share intel like this in real time, ship in public, and help each other catch issues before they hit production, come join us inside Shipping Skool. We run nine live calls a week and the vibe is exactly this kind of fast, honest, real talk about what is working and what is breaking.

Join Shipping Skool and start shipping with people who have your back.