OpenClaw Abuse and Malicious Skills Used to Deliver Atomic macOS Stealer
Google suspended access to its Antigravity (Gemini developer) platform for many OpenClaw users after detecting OAuth token abuse tied to OpenClaw’s third-party OAuth plugin, which was used to access subsidized Gemini tokens and drove backend load spikes and service degradation. Reports indicated sudden 403 errors and account restrictions, with some users claiming broader Google account impacts (e.g., loss of access to Gemini tooling and, in some cases, Workspace/Gmail). Google stated the activity violated terms by using Antigravity infrastructure to power non-Antigravity products and described the traffic as “malicious usage” patterns, offering limited reinstatement for some users who may have been unaware.
Separately, Trend Micro reported a supply-chain style campaign abusing the OpenClaw ecosystem to distribute Atomic (AMOS) Stealer via malicious “skills.” Threat actors allegedly uploaded hundreds of malicious skills to repositories/marketplaces (e.g., ClawHub and SkillsMP), hiding instructions in SKILL.md to manipulate AI-agent workflows into presenting fake setup steps and prompting a human-in-the-loop password entry to complete infection. The AMOS variant was observed exfiltrating data including Apple and KeePass keychains and user documents, and Trend Micro noted the specific samples lacked persistence and ignored .env files; identified malicious skills were reportedly taken down, though code artifacts remained accessible in associated GitHub repositories at the time of reporting.
Timeline
Feb 23, 2026
Trend Micro reports OpenClaw-to-AMOS supply-chain campaign
Trend Micro published research detailing the evolution of Atomic macOS Stealer distribution from cracked software to malicious OpenClaw skills. The report said 39 identified skills had been taken down, although code remained in a ClawHub GitHub repository at the time of writing.
Feb 23, 2026
OpenClaw creator says project will drop Antigravity support
Following the suspensions, OpenClaw creator Peter Steinberger criticized the bans and said OpenClaw would remove support for Antigravity. The response coincided with community migration toward forks such as Nanobot and IronClaw.
Feb 23, 2026
Google suspends many OpenClaw users from Antigravity AI
Google suspended access for many OpenClaw users from its Antigravity AI platform over OAuth token abuse. Google DeepMind product lead Varun Mohan said the misuse had 'tremendously degraded' service, while offering limited reinstatement for some users who were unaware.
Feb 23, 2026
Google detects OpenClaw OAuth abuse affecting Antigravity services
Google identified Terms-of-Service-violating usage tied to OpenClaw's OAuth integration, where developers used the tool to obtain subsidized Gemini tokens and access higher-end models outside official channels. Google said the activity caused backend load spikes and degraded service quality.
Feb 23, 2026
OpenClaw skill campaign begins distributing Atomic macOS Stealer
Researchers described a supply-chain style campaign in which OpenClaw skills tricked AI agents into presenting users with a fake OpenClawCLI prerequisite installer that delivered Atomic macOS Stealer. The infection flow relied on deceptive human-in-the-loop prompts to get users to manually enter their password.
Feb 23, 2026
Malicious OpenClaw skills uploaded across skill marketplaces
Threat actors uploaded hundreds of malicious OpenClaw skills to repositories and marketplaces including ClawHub and SkillsMP, embedding harmful installation instructions in SKILL.md files. Trend Micro identified 39 specific malicious skills in this campaign.
Feb 15, 2026
OpenClaw users report 403 errors and account restrictions
In mid-February 2026, OpenClaw users began reporting sudden 403 errors and account restrictions after Google's enforcement actions. Some users said the impact extended beyond Antigravity and Gemini CLI to broader Google account services.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
Related Stories
Malicious AI Agent Skills Abused for Crypto Theft and macOS AMOS Delivery
Researchers reported multiple campaigns abusing *AI agent “skills”* as a new supply-chain-like initial access vector. In one case, a malicious ClawHub skill (`bob-p2p`) masqueraded as a decentralized API marketplace and was promoted via the AI-agent social platform *Moltbook*; once installed, it caused agents to retain **plaintext Solana private keys** and execute transactions that bought worthless `$BOB` tokens while routing value to attacker-controlled infrastructure. Staiker researchers and analyst Dan Regalado highlighted that agent-to-agent collaboration, shared workflows, and dependency chains can enable **lateral movement without direct human interaction**, making the technique repeatable and scalable beyond crypto-wallet theft. Separately, Trend Micro described a shift in **Atomic macOS Stealer (AMOS)** distribution from cracked software to **malicious OpenClaw skills** hosted across ClawHub, SkillsMP, and GitHub. The campaign used seemingly benign `SKILL.md` instructions to trick models/users into installing a fake prerequisite (“OpenClawCLI”) from an external site; if followed, the workflow fetched and executed a **Base64-encoded command** that dropped a **Mach-O universal binary** (Intel and Apple Silicon). Trend Micro reported 39 malicious skills uploaded across repositories and stated that more than **2,200** malicious skills were ultimately found on GitHub, with AMOS targeting credentials, browser data, crypto wallets, Telegram data, VPN profiles, Apple Keychain items, and common user folders—underscoring that AI-agent ecosystems are becoming a practical malware delivery and data-theft channel.
Today
OpenClaw Ecosystem Targeted by Malicious ClawHub Skills and Infostealer Theft of Agent Configuration Files
A supply-chain poisoning campaign dubbed **ClawHavoc** compromised OpenClaw’s official *ClawHub* marketplace by distributing **1,184 trojanized “Skills”** intended to steal data and establish backdoor access on victim systems. Reporting attributes the initial disclosure to Koi Security, with Antiy CERT later tracking the activity as the **TrojanOpenClaw PolySkill** family and linking the uploads to **12 publisher accounts** (including one responsible for **677** packages). The attackers abused ClawHub’s permissive publishing model (any GitHub account older than one week could upload), mass-posting Skills disguised as crypto trading bots, productivity tools, and social utilities; analysis described behaviors including **ClickFix-style download prompts** and **reverse-shell droppers** enabling remote command execution and persistence. Separately, researchers reported infostealer activity exfiltrating sensitive files from victims’ local OpenClaw directories—`openclaw.json`, `device.json`, `soul.md`, and related memory files—highlighting how AI-agent artifacts can be leveraged beyond traditional credential theft. Hudson Rock assessed the malware as broadly harvesting files by extension rather than explicitly targeting OpenClaw, but warned dedicated modules are likely to emerge to decrypt/parse these agent files. The stolen data could enable attackers to connect to a victim’s local OpenClaw instance (notably if **port `18789`** is exposed) using `gateway.auth.token`, and potentially bypass “Safe Device” checks by abusing keys from `device.json` to sign messages as the victim’s paired device and access connected services.
1 months ago
Malicious OpenClaw skills abused via ClawHub to steal cryptocurrency and browser data
Security researchers reported that the *OpenClaw* self-hosted AI assistant ecosystem is being abused for malware distribution via **ClawHub**, a public registry for third-party “skills.” At least **14 malicious skills** uploaded over a short window masqueraded as crypto trading/wallet automation tools, but were designed to trick users into executing obfuscated setup commands that fetch and run remote scripts. Because OpenClaw skills are installed as executable code (not sandboxed) with access to local files and network resources, successful installs can enable credential theft and cryptocurrency wallet compromise on **Windows and macOS**, and one malicious listing reportedly reached prominent placement before removal, increasing the likelihood of accidental installs. Separate reporting also highlighted a related risk: a **1-click remote code execution (RCE)** issue affecting OpenClaw/Moltbot/ClawdBot was discussed in the security community, indicating that the same ecosystem is facing both supply-chain style extension abuse and potential direct exploitation paths. Organizations allowing developer or power-user adoption of OpenClaw should treat third-party skills as untrusted software, restrict installation sources, and monitor for social-engineering patterns such as “copy/paste this one-liner” installers that retrieve code from external servers—especially when tied to cryptocurrency-themed lures.
2 months ago