From Automation to Infection (Part II): Reverse Shells, Semantic Worms, and Cognitive Rootkits in OpenClaw Skills

This report analyzes five real-world attack techniques observed in malicious OpenClaw skills — execution hijacking leading to reverse shells, semantic-worm propagation through LLM prompts, SSH authorized_keys injection for persistence, silent .env credential exfiltration to external webhooks, and prompt-persistence implants that alter agent behavior — and provides practical defenses (pin skill versions, run in least-privilege sandboxes, restrict egress, monitor and protect SOUL.md/AGENTS.md and similar persistent context files).