Thanks for the detailed report - this is serious, and you did the right thing by posting it.
What you saw (C:\ProgramData\system.bat + HKCU\...\Run\MicrosoftUpdate) is not expected OpenClaw installer behavior.
I checked the current https://openclaw.ai/install.ps1 flow, and the "2nd run skipped disclaimer and ran doctor" part is actually consistent with upgrade logic (existing install → run openclaw doctor --non-interactive), documented here:
But those malware IOCs are still concerning. To investigate properly, can you share:
- Exact URL you clicked from Google (copy link target, not just visible text)
- Exact command line you pasted into cmd.exe
- Output of openclaw --version
- Defender Protection History screenshot/export for that detection event
Recommended safety steps on that machine (now):
- Keep Defender quarantine in place