The Starting Point

What we know before it begins.

Imagine you are Grandma Li. 64 years old, living in Shenzhen. In March you stood in the queue outside Tencent's headquarters. A friendly engineer installed OpenClaw on your laptop in three minutes and connected it to WeChat. Since then the laptop has been running at home continuously. Via WeChat you can control it — set reminders, sort documents, check emails.

You do not know that your laptop is now reachable around the clock. You do not know what a CVECVE — Common Vulnerabilities and ExposuresA publicly registered security vulnerability in software, rated by CVSS score. A score of 9–10 is considered critical. is. You do not know that 12% of skills on the official OpenClaw marketplace contained malware. You have had no bad experiences with the lobster. It works.

That is precisely the starting point of this scenario.

The Attack — Step by Step
1
Monday evening — somewhere
A skill is uploaded

Someone uploads a new skill to ClawHubClawHubThe official skill marketplace for OpenClaw. Anyone can upload extensions there — the only barrier is a GitHub account at least one week old.. It is called "WeChat Assistant Pro". It promises to sort WeChat messages, set payment reminders and transfer appointments from WeChat to the calendar.

That sounds exactly like what Grandma Li and millions of others use their lobster for. The skill spreads through Chinese OpenClaw groups on WeChat — trusted recommendations from real users who believe it is legitimate.

Documented fact The only barrier to uploading a skill to ClawHub is a GitHub account at least one week old. Security researchers found 335 malicious skills from a single attacker during the "ClawHavoc" campaign — with nearly 7,000 downloads before they were discovered. (The Hacker News, Feb. 2026)
2
The first weeks — quietly
The skill sleeps. And collects.

The skill behaves inconspicuously. It does what it promises — sorts messages, sets reminders. Nobody complains. The ratings are good. More downloads.

In the background, however, the skill is quietly reading along: the WeChat contact list. Documents on the desktop. The OpenClaw configuration file, where credentials for linked services are stored. And on many devices: the WeChat Pay link.

Documented fact Security researchers warned: a misconfigured OpenClaw interface exposes the agent's entire configuration file — including all stored credentials. Thousands of compromised instances leaked API keys and OAuth tokens in plain text. (Reco AI, Feb. 2026)

The particular danger: OpenClaw has persistent memory. Whatever the agent has read once remains stored — and is immediately available again at the next start. Malicious instructions that end up in memory can be triggered weeks later.

Documented fact Palo Alto Networks described OpenClaw's persistent memory as an "accelerant" for attacks: attacks are no longer isolated exploits but become sustained, delayed-execution attacks. (The Hacker News, Feb. 2026)
3
Tuesday morning — 6:47 a.m.
Grandma Li wakes up. So does the skill.

Grandma Li is still in bed, looking at her phone. WeChat, as every morning. A message from her daughter. One from the supermarket. Everything normal.

On her laptop in the living room, OpenClaw is running. The skill — "WeChat Assistant Pro" — receives a signal at 6:47 a.m. from its command-and-control serverCommand-and-Control Server (C2)A server controlled by the attacker that sends commands to infected devices. The infected devices execute these commands without the user noticing.. No user intervention required. OpenClaw acts autonomously — that is its design.

Documented fact All 341 malicious skills in the ClawHavoc campaign shared the same C2 infrastructure. They could be activated in a coordinated and simultaneous manner. (eSecurity Planet, Feb. 2026)
4
Tuesday morning — simultaneously
What the skill does on thousands of devices.

Not just on Grandma Li's laptop. On every device on which the skill is installed, simultaneously. What it collects and transmits is known from real attacks:

Documented attack — Atomic Stealer via OpenClaw skills The AMOS infostealer deployed in ClawHavoc collected: username and password of the computer, all files on the Desktop, Downloads and Documents folders (TXT, PDF, DOCX, XLSX, CSV, JSON), Apple Keychain contents (passwords, certificates, private keys), Apple Notes, and saved data from 19 browsers — cookies, autofill data, stored credit cards. (Trend Micro, Feb. 2026)

On a device connected to WeChat, this additionally includes: the WeChat configuration, linked WeChat Pay data, and the complete contact list — the foundation for Step 5.

5
Tuesday morning
What the attacker does with the data.

An important technical clarification upfront: ClawBot itself is deliberately limited. It cannot send messages to other contacts in Grandma Li's name, read WeChat chat histories, or push messages autonomously — Tencent has deliberately drawn these boundaries.

But what the attack has delivered is more valuable than any message: the WeChat Pay credentials from Grandma Li's OpenClaw configuration file. The complete contact tree — names, numbers, relationships. And the OpenClaw memory: writing style, habits, daily routine.

The attacker does not need ClawBot to cause harm. He uses the stolen credentials externally — logs into WeChat Pay through other means, or sells the data package on. And he uses the contact list for classic fraud: he writes to Grandma Li's daughter — not via OpenClaw, but from a fake account — and thanks to the stolen memory knows exactly how Grandma Li writes.

"Mum, I'm in a tight spot right now. My phone is broken, I'm writing from a laptop. Could you please transfer 3,000 yuan via WeChat Pay immediately?"

The message sounds exactly right. OpenClaw has supplied the attacker with all the information he needs to forge it perfectly.

Documented fact China's Ministry of State Security explicitly warned: OpenClaw can be hijacked to commit fraud. Malicious plugins are significantly harder to detect than traditional malware — because they know the personal data of their victims. (The Wire China, March 2026)
Technically plausible scenario OpenClaw agents can autonomously interact with linked services — including payment services. Documented cases show agents unintentionally triggering financial actions (e.g. uncontrolled API calls, unwanted purchases). In a targeted attack, this would no longer be an error, but deliberate intent. (Xpert Digital, March 2026)
6
Tuesday afternoon — covering the tracks
The agent tidies up. On the laptop.

ClawBot cannot delete WeChat chat histories — Tencent has technically prevented that. But what OpenClaw can do: tidy up on the laptop. Delete files. Overwrite logs. Clean up its own configuration file to cover the traces of data theft.

Grandma Li glances at the laptop briefly in the afternoon. Everything looks normal. OpenClaw is running. The skill is there. Nothing is flashing red.

What she cannot see: her documents on the desktop are gone. The tax records from last year. The scanned health insurance card. The saved passwords in the browser configuration — the skill took those too and transmitted them to an external server before deleting them locally.

This is not hypothetical capability. That OpenClaw acts autonomously and can cause harm in doing so is documented — not by attackers, but by system errors:

"I couldn't stop it from my phone. I had to run to my Mac Mini like I was defusing a bomb." — Summer Yue, Director of AI Alignment at Meta Superintelligence Labs, on X — Feb. 2026. Her agent had begun deleting her entire email inbox.

Summer Yue is one of the world's leading AI experts. She knew what was happening — and could barely stop it. Grandma Li does not even know anything is happening.

7
Tuesday evening — Grandma Li drinks tea
She notices nothing. The agent is still there.

Grandma Li is sitting with her tea in the evening. This morning she transferred 3,000 yuan — to her daughter, as she believes. The chat history? Empty. No evidence that anything happened.

What Grandma Li does not know: the skill is still sitting on her laptop. OpenClaw is still running. The connection to WeChat still exists. The agent's memory is still full — contacts, documents, habits, writing style. The attacker has not stopped. He has only stopped for today.

Because the compromised skill is not a break-in. It is a right of residence. It stays until someone actively removes it. And nobody — not Tencent, not OpenClaw, not any authority — sends Grandma Li a message to say something is wrong. Nobody monitors this. Nobody is liable.

Documented fact OpenClaw maintainer "Shadow" on Discord: "If you don't understand how to type a command into a terminal, this project is too dangerous to use safely." That statement does not appear in any installation guide distributed by Tencent at its events. (Wikipedia — OpenClaw)
8
Simultaneously — across China
What if the attacker does not want money?

Until this point we have assumed an attacker who wants money. 3,000 yuan from Grandma Li, multiplied by tens of thousands of devices — a serious problem, but a familiar one. Fraud has existed for as long as money has.

Now imagine the attacker does not want money.

He wants to demonstrate that one billion people have built their lives on a system that can collapse in a single night. He wants chaos — to show that modern societies stand on feet of clay. At 6:47 a.m. he does not send the command "transfer money". He sends to all infected instances simultaneously: "Delete everything. Contacts. Chat histories. Documents. WeChat Pay history."

OpenClaw can delete. That is not hypothetical capability — it is documented, through a system error:

Documented incident A business consultant in Shanghai instructed QClaw to sort his files into two folders. The tool permanently deleted dozens of documents — including reports he had prepared for clients. "I will never install anything that runs locally again, and I will never let AI touch my work computer again." That was an error without malicious intent. With malicious intent and on millions of devices simultaneously: a different dimension entirely. (The Wire China, March 2026)

What happens in that moment — not just to Grandma Li, but to hundreds of thousands simultaneously:

On the laptops: all documents gone. Pension statements, contracts, photos, tax records. Browser passwords stolen beforehand and then deleted locally. The OpenClaw configuration file — with all linked credentials — already transmitted to external servers hours earlier.

And the stolen WeChat Pay credentials? They are now with the attacker. He does not use them immediately — he sells them, or waits for the right moment. For hundreds of thousands of users this means: their means of payment is compromised. Whether and when they will know, they cannot say.

WeChat Pay is not a convenience in China. Cash has virtually ceased to exist in many cities. Whoever has their WeChat Pay account blocked or compromised cannot shop, cannot pay the doctor's bill, cannot call a taxi. Not for hours — for days, until the support process is complete.

Real-world comparison — Berlin, 3 January 2026 An arson attack by the far-left Vulkan group on a cable bridge in Berlin-Lichterfelde left 45,000 households and 2,200 businesses without power for up to five days. In sub-zero temperatures heating systems failed, emergency lines were temporarily unreachable, ventilators in care homes had to switch to emergency operation, and hospitals evacuated patients. It was the longest power outage in Berlin since 1945. Caused by a handful of people with a fire. (Wikipedia — Arson attack on the Berlin power grid 2026)

The difference from the OpenClaw scenario described: in Berlin it affected one district. In the OpenClaw scenario, the attack runs on an already-installed, already-trusted agent — on millions of devices, distributed across all of China, simultaneously, silently, with no visible trigger.

Berlin had its power back after five days. Lost WeChat data, deleted chat histories, compromised WeChat Pay accounts — those cannot be restored by repairing a cable.

The Dimension

Why this is not an ordinary cyberattack.

What we have just described sounds like a familiar pattern: phishing, fraud, data leak. All of that has existed for a long time. What is new here?

Ordinary data leak

A database is stolen. Credentials end up somewhere on a server. The attacker must evaluate them manually — and then act manually. Between attack and damage: time. Time for countermeasures.

OpenClaw attack

The agent is already on the device. It acts autonomously. Immediately. No manual intervention by the attacker required. It steals credentials and documents, deletes files, covers its tracks. The stolen data enables further fraud — external, targeted, using the knowledge of the victim that OpenClaw has gathered.

And this is not limited to one device. The ClawHavoc campaign struck thousands of devices simultaneously in a coordinated manner. In the described scenario, depending on the spread of the malicious skill, it could be tens of thousands. Or more.

The decisive difference from everything that came before: It is not a stolen key to one lock. It is a duplicate key to everything — files, passwords, credentials, contacts. The intruder was already inside, copied everything, and left long ago. You only notice when the damage has already been done.
The WeChat Pay Dimension

935 million active payment users.

WeChat Pay is not a luxury in China. It is the foundation of everyday life. Cash has virtually disappeared across large parts of the country — even street vendors accept only QR code payments. Whoever loses access to WeChat Pay or has it compromised loses not just money. They lose the ability to participate in everyday life.

How many OpenClaw users in China have linked WeChat Pay: unknown. Tencent does not publish this figure. But: WeChat Pay had 935 million active users in 2023 according to Tencent itself. And OpenClaw was made accessible to precisely these users — via precisely this app.

⚠ What we do not know

We do not know how many WeChat users have activated ClawBot — Tencent has published no figures. We cite no combined figure because it would be speculation. What we do know: the technical preconditions for the described scenario are present and documented.

Assessment

What has already happened.

Before this article is misread as scaremongering: we list what is already documented — and what is not.

Already occurred (documented): Coordinated malware campaigns via ClawHub with thousands of downloads. Compromised instances that stole financial data and credentials. Erroneous agent actions that deleted files and changed spending limits. 135,000 unprotected OpenClaw instances publicly accessible on the internet.

Technically not possible via ClawBot: Directly sending messages to other WeChat contacts in the victim's name, or reading or deleting WeChat chat histories. Tencent has deliberately drawn these limits — ClawBot is a transmission channel, not full access to WeChat.

Not yet occurred, but technically possible (hypothetical): A coordinated, large-scale attack via malicious skills that simultaneously steals WeChat Pay credentials, deletes documents across hundreds of thousands of devices, and uses the harvested personal data for targeted follow-on fraud.

💡 Why this scenario is nonetheless relevant

The OECD AI Incident Repository has already classified the OpenClaw security incidents as confirmed AI incidents — including unauthorised data access, API key theft and malware distribution. The individual building blocks of the described scenario are not fiction. The worst case is the coordinated, scaled combination of things that have already occurred individually.

📌 Editorial note — thx4data.de

We did not build this scenario to cause fear. We built it because abstract security risks are not tangible for most people — until you attach them to a specific person. Grandma Li is not naive. She is someone using a tool she does not fully understand — because nobody gave her the time to understand it.

That is not a criticism of Grandma Li. It is a criticism of a system that rolled out a poorly secured tool at high speed into the daily lives of millions of people — and made the responsibility for the consequences disappear into the terms and conditions.

What you can do: If you use OpenClaw or plan to — read the OpenClaw fundamentals article and the main article on OpenClaw + WeChat first. And understand what you are giving the agent before you give it.

Sources & References
[1]
The Hacker News — "Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users" (Feb. 2026)
thehackernews.com
[2]
Trend Micro — "Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer" (Feb. 2026)
trendmicro.com
[3]
Reco AI — "OpenClaw: The AI Agent Security Crisis Unfolding Right Now" (Feb. 2026)
reco.ai
[4]
eSecurity Planet — "Hundreds of Malicious Skills Found in OpenClaw's ClawHub" (Feb. 2026)
esecurityplanet.com
[5]
The Wire China — "How the OpenClaw Frenzy Is Testing China's AI Commitment" (March 2026)
thewirechina.com
[6]
Xpert Digital — "AI agent OpenClaw in WeChat: A super app becomes an AI platform" (March 2026)
xpert.digital
[7]
OECD AI Incident Repository — Widespread Security Incidents from OpenClaw AI Agent in China
oecd.ai
[8]
Tencent Investor Relations — Official WeChat Pay MAU figures 2023
investor.tencent.com
[9]
Asia Times — "OpenClaw AI goes viral in China, raising cybersecurity fears" (March 2026)
asiatimes.com
[10]
99firms — WeChat Statistics 2026 (cash, WeChat Pay penetration)
99firms.com