Malicious OpenClaw skills abused via ClawHub to steal cryptocurrency and browser data
Security researchers reported that the OpenClaw self-hosted AI assistant ecosystem is being abused for malware distribution via ClawHub, a public registry for third-party “skills.” At least 14 malicious skills uploaded over a short window masqueraded as crypto trading/wallet automation tools, but were designed to trick users into executing obfuscated setup commands that fetch and run remote scripts. Because OpenClaw skills are installed as executable code (not sandboxed) with access to local files and network resources, successful installs can enable credential theft and cryptocurrency wallet compromise on Windows and macOS, and one malicious listing reportedly reached prominent placement before removal, increasing the likelihood of accidental installs.
Separate reporting also highlighted a related risk: a 1-click remote code execution (RCE) issue affecting OpenClaw/Moltbot/ClawdBot was discussed in the security community, indicating that the same ecosystem is facing both supply-chain style extension abuse and potential direct exploitation paths. Organizations allowing developer or power-user adoption of OpenClaw should treat third-party skills as untrusted software, restrict installation sources, and monitor for social-engineering patterns such as “copy/paste this one-liner” installers that retrieve code from external servers—especially when tied to cryptocurrency-themed lures.
Timeline
Feb 9, 2026
Attackers adapt with 'clean lure, dirty dependency' evasion technique
After automated scanning was introduced, researchers observed attackers shifting to benign-looking SKILL.md files that redirected users to external malware via fake OpenClawCLI installation pages and obfuscated commands. The change let trojanized skills appear clean to file-based scanners while still delivering payloads from attacker infrastructure.
Feb 7, 2026
OpenClaw partners with VirusTotal to scan all ClawHub uploads
OpenClaw announced a partnership with VirusTotal to automatically scan every skill uploaded to ClawHub using SHA-256 fingerprinting, lookups, and Code Insight analysis. Malicious skills would be blocked and suspicious ones labeled, though maintainers noted the system would not fully stop instruction-only social-engineering attacks.
Feb 5, 2026
Zenity demonstrates indirect prompt-injection backdoor chain in OpenClaw
Zenity disclosed a proof-of-concept attack in which malicious content delivered through trusted integrations could cause OpenClaw to create an attacker-controlled integration such as a Telegram bot. Once established, the attacker could use the new channel to exfiltrate files, delete data, or deploy additional tooling like Sliver.
Feb 5, 2026
Snyk discloses widespread secret leakage in ClawHub skills
Snyk reported that 283 OpenClaw skills, about 7.1% of those examined, exposed sensitive credentials by placing secrets into LLM context or plaintext logs. The findings showed that the marketplace risk extended beyond overt malware to systemic insecure secret handling.
Feb 3, 2026
VirusTotal adds OpenClaw skill support to Code Insight
As part of its response to the ClawHub abuse, VirusTotal added OpenClaw skill support to its Code Insight tooling to analyze package behavior. The enhancement was intended to help identify malicious skills and unsafe implementations in the ecosystem.
Feb 3, 2026
VirusTotal reports hundreds of malicious OpenClaw skills
VirusTotal analyzed roughly 3,000 OpenClaw skills and reported that hundreds showed malicious characteristics, including exfiltration, remote-control, and malware-installation behavior. It highlighted publisher hightower6eu as a major source of malicious uploads and showcased examples delivering Windows trojans and AMOS on macOS.
Feb 3, 2026
OpenClaw issues multiple high-impact advisories, including one-click RCE
The project disclosed three high-impact security advisories in a three-day span, including a one-click remote code execution flaw and two command-injection vulnerabilities. These disclosures added to concerns that the platform itself, not just its skill ecosystem, had serious security weaknesses.
Feb 2, 2026
Broader reporting says hundreds of malicious skills flooded the ecosystem
By early February, multiple reports described the campaign as having grown to hundreds of malicious skills across ClawHub and GitHub, with counts ranging from 230 to more than 380. The activity was characterized as a supply-chain style malware operation targeting OpenClaw users with credential and crypto theft.
Feb 2, 2026
OpenClaw adds abuse-reporting feature to auto-hide flagged skills
In response to the malicious-skill findings, OpenClaw creator Peter Steinberger added a reporting feature to ClawHub that automatically hides a skill after more than three unique reports. The change was presented as an immediate mitigation while abuse of the marketplace continued.
Feb 2, 2026
Koi Security finds 341 malicious ClawHub skills across campaigns
Koi Security audited 2,857 ClawHub skills and identified 341 malicious entries, including 335 linked to a campaign it named ClawHavoc. The malicious skills delivered AMOS-like malware, keyloggers, reverse shells, and credential exfiltration payloads while impersonating legitimate utilities.
Feb 2, 2026
1Password identifies top-downloaded ClawHub skill delivering macOS stealer
1Password reported that the top-downloaded "Twitter" skill on ClawHub used ClickFix-style instructions to trick users into running an obfuscated command that fetched and executed macOS infostealer malware. The post framed OpenClaw skills as a new supply-chain attack surface where markdown instructions can act as malware delivery.
Feb 1, 2026
OpenSourceMalware discloses ClawHub malware campaign
OpenSourceMalware published analysis of a large ClawHub/GitHub campaign, reporting hundreds of malicious skills tied to shared infrastructure at 91.92.242.30 and largely attributed to the user hightower6eu. The report described Windows and macOS infostealer delivery, including likely NovaStealer activity on macOS.
Jan 29, 2026
Attackers upload at least 14 malicious skills in initial wave
Researchers later reported that at least 14 malicious skills were uploaded to the public ClawHub registry between January 27 and 29. Some reached prominent placement on ClawHub, increasing the chance of accidental installation before removal.
Jan 27, 2026
Malicious OpenClaw skills begin appearing on ClawHub and GitHub
A coordinated campaign started publishing trojanized OpenClaw/ClawdBot/Moltbot skills in two waves on ClawHub and GitHub, largely masquerading as cryptocurrency and automation tools. The activity began on January 27 and used social engineering to push users toward external malware installers.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Sources
5 more from sources like register security, talos intelligence blog, scworld and cyber security news
Related Stories
OpenClaw AI Agent Skills Abused for Credential Exposure and Prompt-Injection Backdooring
Security researchers and media reports warned that the open-source AI agent **OpenClaw** (formerly *Moltbot/Clawdbot*) can be abused via its *ClawHub* “skills” ecosystem, with findings that **~7.1% of marketplace skills** contributed to exposure of **API keys, credentials, and credit card data** due to problematic `SKILL.md` instructions. Snyk highlighted a particularly severe example, **buy-anything skill v2.0.0**, which performs credit-card “tokenization” in a way that can be used to **pilfer financial details** before prompting users to provide card information. Additional research described **indirect prompt-injection** risk: a malicious Google document can coerce OpenClaw into integrating a new **Telegram bot**, enabling follow-on actions such as **file exfiltration** and deployment of a **Sliver** command-and-control beacon for persistence, with potential for **privilege escalation, lateral movement, and ransomware execution**. Separately, one report noted OpenClaw’s move to scan skills with **VirusTotal**, but also emphasized that signature-based scanning is not a complete mitigation for **prompt-injection** and other logic-level abuses; other items in the same news roundup (e.g., telecom “Salt Typhoon” oversight) were unrelated to OpenClaw’s vulnerabilities.
1 months ago
OpenClaw Ecosystem Targeted by Malicious ClawHub Skills and Infostealer Theft of Agent Configuration Files
A supply-chain poisoning campaign dubbed **ClawHavoc** compromised OpenClaw’s official *ClawHub* marketplace by distributing **1,184 trojanized “Skills”** intended to steal data and establish backdoor access on victim systems. Reporting attributes the initial disclosure to Koi Security, with Antiy CERT later tracking the activity as the **TrojanOpenClaw PolySkill** family and linking the uploads to **12 publisher accounts** (including one responsible for **677** packages). The attackers abused ClawHub’s permissive publishing model (any GitHub account older than one week could upload), mass-posting Skills disguised as crypto trading bots, productivity tools, and social utilities; analysis described behaviors including **ClickFix-style download prompts** and **reverse-shell droppers** enabling remote command execution and persistence. Separately, researchers reported infostealer activity exfiltrating sensitive files from victims’ local OpenClaw directories—`openclaw.json`, `device.json`, `soul.md`, and related memory files—highlighting how AI-agent artifacts can be leveraged beyond traditional credential theft. Hudson Rock assessed the malware as broadly harvesting files by extension rather than explicitly targeting OpenClaw, but warned dedicated modules are likely to emerge to decrypt/parse these agent files. The stolen data could enable attackers to connect to a victim’s local OpenClaw instance (notably if **port `18789`** is exposed) using `gateway.auth.token`, and potentially bypass “Safe Device” checks by abusing keys from `device.json` to sign messages as the victim’s paired device and access connected services.
1 months ago
Malicious AI Agent Skills Abused for Crypto Theft and macOS AMOS Delivery
Researchers reported multiple campaigns abusing *AI agent “skills”* as a new supply-chain-like initial access vector. In one case, a malicious ClawHub skill (`bob-p2p`) masqueraded as a decentralized API marketplace and was promoted via the AI-agent social platform *Moltbook*; once installed, it caused agents to retain **plaintext Solana private keys** and execute transactions that bought worthless `$BOB` tokens while routing value to attacker-controlled infrastructure. Staiker researchers and analyst Dan Regalado highlighted that agent-to-agent collaboration, shared workflows, and dependency chains can enable **lateral movement without direct human interaction**, making the technique repeatable and scalable beyond crypto-wallet theft. Separately, Trend Micro described a shift in **Atomic macOS Stealer (AMOS)** distribution from cracked software to **malicious OpenClaw skills** hosted across ClawHub, SkillsMP, and GitHub. The campaign used seemingly benign `SKILL.md` instructions to trick models/users into installing a fake prerequisite (“OpenClawCLI”) from an external site; if followed, the workflow fetched and executed a **Base64-encoded command** that dropped a **Mach-O universal binary** (Intel and Apple Silicon). Trend Micro reported 39 malicious skills uploaded across repositories and stated that more than **2,200** malicious skills were ultimately found on GitHub, with AMOS targeting credentials, browser data, crypto wallets, Telegram data, VPN profiles, Apple Keychain items, and common user folders—underscoring that AI-agent ecosystems are becoming a practical malware delivery and data-theft channel.
4 days ago