DEV Community

Lars

Posted on • Originally published at moltrust.ch

๐Ÿ The CLAW Token Scam, OpenClaw's Trust Fix, and Why Swarm Intelligence is Now Live

This week a fake GitHub account impersonated OpenClaw, directing users to a wallet drainer at token-claw.xyz. The messages were indistinguishable from official OpenClaw communications. The same week, OpenClaw shipped a critical plugin trust fix. And our Swarm Intelligence network went live.

These three things are connected.

What happened

A GitHub account named AnalogIguana began posting fake discussions offering a "CLAW Token" distribution. Users who followed the link landed on a wallet drainer. The account has since been reported.

This is not a sophisticated attack. The reason it works is structural: there is no way to verify that a GitHub account, a plugin, or a skill is published by the same identity you trusted yesterday. Anyone can impersonate anyone.

What OpenClaw did about it

OpenClaw's latest release shipped GHSA-99qw-6mr3-36qr: a fix that disables implicit workspace plugin auto-load. Cloned repositories can no longer execute plugin code without an explicit trust decision.

That raises the bar for unauthenticated code execution. But it doesn't solve the identity problem. The CLAW token scam doesn't need auto-load; it needs users who can't verify identity.

๐Ÿ Swarm Intelligence is live

We've been building the identity layer. This week, the Swarm Intelligence Protocol went live: the first peer-propagated trust system for AI agents built on W3C DIDs and Verifiable Credentials, anchored on Base L2.

Live network state:

// api.moltrust.ch/swarm/stats
{
  "total_agents": 13,
  "total_endorsements": 9,
  "seed_agents": [
    { "label": "TrustScout", "score": 85.0, "grade": "A" },
    { "label": "Ambassador", "score": 77.4, "grade": "B" }
  ],
  "avg_trust_score": 81.2
}

Two seed agents are active. Endorsements grow organically: TrustGuard endorses Ambassador after every scan cycle (~12x/day). Every endorsement is Ed25519-signed and verifiable on-chain.

The Phase 2 trust formula

The score combines four signals:

  • Direct score (60%): peer endorsements weighted by endorser credibility
  • Propagated score (30%): average score of your endorsers
  • Cross-vertical bonus (10%): agents verified across multiple verticals score higher
  • Sybil penalty: Jaccard cluster detection identifies collusion rings

Seed agents bootstrap the network. As organic endorsements accumulate, seed weight decreases and the score becomes a genuine reflection of observed behavior.
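To make the weighting concrete, here is an added toy implementation of the Phase 2 formula (example code, not MolTrust's). The 60/30/10 weights come from the post; the Jaccard threshold, the flat penalty size, the seed-exclusion rule in the ring check, and the prior-round credibility table are assumptions, and the endorsement network is constructed.

```python
from itertools import combinations

W_DIRECT, W_PROPAGATED, W_CROSS = 0.60, 0.30, 0.10  # weights from the post
JACCARD_THRESHOLD = 0.75   # assumption: how similar endorser sets must be to flag
SYBIL_PENALTY = 30.0       # assumption: flat deduction for members of a ring

# Constructed sample network: (endorser, endorsed, score 0-100).
ENDORSEMENTS = [
    ("TrustScout", "agent-a", 90), ("Ambassador", "agent-a", 80),
    ("TrustScout", "agent-b", 70),
    # three throwaway identities endorsing each other with maximal scores
    ("s1", "s2", 100), ("s1", "s3", 100), ("s2", "s1", 100),
    ("s2", "s3", 100), ("s3", "s1", 100), ("s3", "s2", 100),
]
# Constructed prior-round credibility per endorser (seed agents fixed high).
CREDIBILITY = {"TrustScout": 85.0, "Ambassador": 77.4, "agent-a": 60.0,
               "agent-b": 50.0, "s1": 40.0, "s2": 40.0, "s3": 40.0}
VERTICALS = {"agent-a": {"defi", "data"}, "agent-b": {"defi"}}  # constructed
SEEDS = {"TrustScout", "Ambassador"}

def endorsers_of(agent, endorsements=ENDORSEMENTS):
    return {e for e, t, _ in endorsements if t == agent}

def direct_score(agent, endorsements=ENDORSEMENTS, cred=CREDIBILITY):
    """Credibility-weighted mean of the endorsements an agent received."""
    received = [(e, s) for e, t, s in endorsements if t == agent]
    if not received:
        return 0.0
    return sum(cred[e] * s for e, s in received) / sum(cred[e] for e, _ in received)

def propagated_score(agent, endorsements=ENDORSEMENTS, cred=CREDIBILITY):
    """Average credibility of the agents that endorse you."""
    ends = endorsers_of(agent, endorsements)
    return sum(cred[e] for e in ends) / len(ends) if ends else 0.0

def sybil_ring_members(endorsements=ENDORSEMENTS, seeds=SEEDS):
    """Jaccard cluster check: two agents that endorse each other and whose
    non-seed endorser sets (plus themselves) nearly coincide look like a ring.
    Seeds are excluded so two honest agents both vetted by TrustScout and
    Ambassador are not mistaken for colluders."""
    flagged = set()
    for a, b in combinations({t for _, t, _ in endorsements}, 2):
        sa = (endorsers_of(a, endorsements) - seeds) | {a}
        sb = (endorsers_of(b, endorsements) - seeds) | {b}
        if b in sa and a in sb and len(sa & sb) / len(sa | sb) >= JACCARD_THRESHOLD:
            flagged |= {a, b}
    return flagged

def trust_score(agent):
    cross = 100.0 if len(VERTICALS.get(agent, ())) >= 2 else 0.0
    score = W_DIRECT * direct_score(agent) + W_PROPAGATED * propagated_score(agent) + W_CROSS * cross
    if agent in sybil_ring_members():
        score -= SYBIL_PENALTY
    return round(max(score, 0.0), 1)
```

Note that the ring members score 100 on the direct signal alone; only the propagated term (their endorsers are themselves low-credibility) and the Sybil penalty pull them below the honestly endorsed agents.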

What this means for OpenClaw users

We've proposed a registerTrustProvider hook for the OpenClaw plugin API in RFC #49971. Any trust provider can plug in, verify agent DIDs before install or delegation, and return a structured result.

With that hook, a user installing a skill could ask: is the publisher of this skill the same identity that published the last version I trusted?

That is exactly the question nobody can ask today, and the CLAW token scam exploits that absence.

The CLAW scam, ClawHavoc, ToxicSkills, the Oasis vulnerability: these are not isolated incidents. They are the same structural gap. Agents that can transact cannot yet prove who they are.



Built by MolTrust (CryptoKRI GmbH, Zurich)
