Blab AI
OpenClaw Marketplace Faces Persistent Malicious Skill Campaigns, Security Firms Respond
OpenClaw, the open‑source AI agent that executes user‑defined “skills” from its ClawHub marketplace, has been repeatedly targeted by malicious campaigns that slip past automated screening.
In February 2026, security researchers discovered that about 17 % of the skills examined in the weeks following OpenClaw’s launch carried malware. Since then, attackers have refined their tactics, introducing new threats between February and May that evade existing detection tools.
ClawHub’s first countermeasure was a partnership with VirusTotal, adding a scan of every published skill before it becomes available. The platform also rolled out ClawScan, a code‑level analyzer that flags suspicious patterns. In June, ClawHub announced a collaboration with NVIDIA to run the company’s analysis tool on all skills and to provide detailed documentation of each skill’s behavior.
Despite these steps, a recent analysis of ClawHub between February and May uncovered five skills that slipped through the cracks. The researchers reported the findings to ClawHub, which promptly banned the publishing accounts and removed the packages. The five skills fall into three threat categories:
1. Infostealers – Two macOS skills distributed the Atomic macOS Stealer (AMOS) and a variant named cluw. Both established a connection to a command‑and‑control (C2) server (IP 91.92.242.30) and were designed to harvest credentials and wallet information.
2. Evasion – One skill, named omnicogg, used a Base64‑encoded curl‑pipe‑bash dropper that delivered AMOS. The malicious payload was followed by 22 MB of padding characters in the README.md file, inflating the file size beyond the thresholds used by many content‑analysis pipelines. VirusTotal returned a clean verdict for the file, and ClawScan was still reviewing it in mid‑May.
3. Agentic threats – Two skills introduced novel financial‑fraud techniques. The money‑radar skill acted as a financial advisor for users in mainland China, Hong Kong, and Singapore but routed all recommendations through affiliate links from a malicious domain (laosji.net). The letssendit skill coordinated a front‑running scheme on the Solana blockchain, pooling users’ SOL tokens and purchasing a meme token (SENDIT) before distributing it to the community.
ClawHub’s automated auditing returned a “Pass” verdict for the trading‑view‑assistant‑for‑macos skill and no verdict for the tradingview‑ai‑indicator‑assistant skill, even though both used the same paste‑site redirect lure that had been identified in earlier ClawHavoc campaigns.
Palo Alto Networks highlighted several of its products that can mitigate the identified threats. The company lists Koi Agentic Endpoint Security (AES), Advanced URL Filtering, Advanced DNS Security, Prisma Browser, Advanced WildFire, Cortex XDR, and XSIAM as tools that can detect or block malicious skills, C2 traffic, and suspicious domain activity. Palo Alto’s Unit 42 AI Security Assessment and Frontier AI Defense services are also available to help organizations identify and mitigate complex AI‑specific risks.
The incidents underscore the unique attack surface presented by AI agent ecosystems. Unlike traditional software supply chains, malicious skills can exploit the agent’s natural‑language instruction set to gain full control of the agent’s local environment. The lack of isolation between skill logic and agent authority allows a skill to perform unauthorized actions through the agent’s authenticated sessions.
Security experts recommend a rigorous supply‑chain verification framework for AI agents. This includes line‑by‑line audits of skill source files, active validation of publisher provenance, and monitoring of outbound network traffic for connections to undocumented endpoints. Cross‑referencing all external connections against the skill’s documentation can reveal discrepancies that serve as indicators of risk.
OpenClaw’s partnership with NVIDIA and the continued work of security researchers suggest that the marketplace will receive stronger automated defenses. However, the persistence of evasive and financially motivated skills indicates that attackers will continue to adapt. Organizations using OpenClaw should stay alert to new indicators of compromise, including the domains and IPs listed in the latest Unit 42 report.
The situation remains fluid. ClawHub has removed the five identified skills, but the broader ecosystem still contains thousands of other skills, some of which may contain undiscovered malicious code. Ongoing collaboration between open‑source communities, security vendors, and platform operators will be essential to keep the AI agent supply chain secure.
In February 2026, security researchers discovered that about 17 % of the skills examined in the weeks following OpenClaw’s launch carried malware. Since then, attackers have refined their tactics, introducing new threats between February and May that evade existing detection tools.
ClawHub’s first countermeasure was a partnership with VirusTotal, adding a scan of every published skill before it becomes available. The platform also rolled out ClawScan, a code‑level analyzer that flags suspicious patterns. In June, ClawHub announced a collaboration with NVIDIA to run the company’s analysis tool on all skills and to provide detailed documentation of each skill’s behavior.
Despite these steps, a recent analysis of ClawHub between February and May uncovered five skills that slipped through the cracks. The researchers reported the findings to ClawHub, which promptly banned the publishing accounts and removed the packages. The five skills fall into three threat categories:
1. Infostealers – Two macOS skills distributed the Atomic macOS Stealer (AMOS) and a variant named cluw. Both established a connection to a command‑and‑control (C2) server (IP 91.92.242.30) and were designed to harvest credentials and wallet information.
2. Evasion – One skill, named omnicogg, used a Base64‑encoded curl‑pipe‑bash dropper that delivered AMOS. The malicious payload was followed by 22 MB of padding characters in the README.md file, inflating the file size beyond the thresholds used by many content‑analysis pipelines. VirusTotal returned a clean verdict for the file, and ClawScan was still reviewing it in mid‑May.
3. Agentic threats – Two skills introduced novel financial‑fraud techniques. The money‑radar skill acted as a financial advisor for users in mainland China, Hong Kong, and Singapore but routed all recommendations through affiliate links from a malicious domain (laosji.net). The letssendit skill coordinated a front‑running scheme on the Solana blockchain, pooling users’ SOL tokens and purchasing a meme token (SENDIT) before distributing it to the community.
ClawHub’s automated auditing returned a “Pass” verdict for the trading‑view‑assistant‑for‑macos skill and no verdict for the tradingview‑ai‑indicator‑assistant skill, even though both used the same paste‑site redirect lure that had been identified in earlier ClawHavoc campaigns.
Palo Alto Networks highlighted several of its products that can mitigate the identified threats. The company lists Koi Agentic Endpoint Security (AES), Advanced URL Filtering, Advanced DNS Security, Prisma Browser, Advanced WildFire, Cortex XDR, and XSIAM as tools that can detect or block malicious skills, C2 traffic, and suspicious domain activity. Palo Alto’s Unit 42 AI Security Assessment and Frontier AI Defense services are also available to help organizations identify and mitigate complex AI‑specific risks.
The incidents underscore the unique attack surface presented by AI agent ecosystems. Unlike traditional software supply chains, malicious skills can exploit the agent’s natural‑language instruction set to gain full control of the agent’s local environment. The lack of isolation between skill logic and agent authority allows a skill to perform unauthorized actions through the agent’s authenticated sessions.
Security experts recommend a rigorous supply‑chain verification framework for AI agents. This includes line‑by‑line audits of skill source files, active validation of publisher provenance, and monitoring of outbound network traffic for connections to undocumented endpoints. Cross‑referencing all external connections against the skill’s documentation can reveal discrepancies that serve as indicators of risk.
OpenClaw’s partnership with NVIDIA and the continued work of security researchers suggest that the marketplace will receive stronger automated defenses. However, the persistence of evasive and financially motivated skills indicates that attackers will continue to adapt. Organizations using OpenClaw should stay alert to new indicators of compromise, including the domains and IPs listed in the latest Unit 42 report.
The situation remains fluid. ClawHub has removed the five identified skills, but the broader ecosystem still contains thousands of other skills, some of which may contain undiscovered malicious code. Ongoing collaboration between open‑source communities, security vendors, and platform operators will be essential to keep the AI agent supply chain secure.
