Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. More Malicious OpenClaw Skills Threaten AI Supply Chain
More Malicious OpenClaw Skills Threaten AI Supply Chain
NEWS

More Malicious OpenClaw Skills Threaten AI Supply Chain

Unit 42 researchers identified five persistent malicious skill packages on ClawHub — OpenClaw's AI agent marketplace — including infostealers disguised as...

Dylan H.

News Desk

June 25, 2026
4 min read

The AI agent ecosystem's supply chain security problem is worsening. Researchers from Palo Alto Networks' Unit 42 have identified five new persistent malicious skill packages on ClawHub — the public marketplace for OpenClaw AI agent extensions — adding to a mounting catalogue of adversarial activity targeting the emerging AI skills ecosystem.

What Is OpenClaw?

OpenClaw is a self-hosted AI agent capable of executing shell commands, file operations, and network requests. Its capabilities are extended through skills — small packages built around a SKILL.md file — which are distributed through ClawHub, its public marketplace. Because skills run inside the agent process with access to the agent's identity, credentials, system I/O, and network connections, ClawHub represents a high-value supply chain target analogous to npm or PyPI.

The Five Malicious Packages

Unit 42's analysis identified three distinct threat categories across the five rogue packages:

1. Infostealers Disguised as Productivity Tools

Two skills posed as macOS productivity utilities for traders. Their SKILL.md files embedded malicious prerequisite blocks instructing users to paste a command into their terminal — a classic curl-pipe-bash dropper pattern. This dropped Atomic macOS Stealer (AMOS), harvesting:

  • Browser credentials and saved passwords
  • macOS Keychain contents
  • Crypto wallet seed phrases
  • SSH keys
  • Telegram session data

The command-and-control server at 91.92.242[.]30 remained active months after initial disclosure, indicating the campaign operators were not deterred by removal from ClawHub.

2. Scanner Evasion via README Padding

A skill named "omnicogg" used a novel evasion technique: padding its README.md with 22 megabytes of junk data. This exceeded the processing limits of ClawHub's own ClawScan scanner and VirusTotal, allowing a malware downloader to slip through both static analysis pipelines undetected. The technique mirrors file-size-based evasion tactics used in traditional malware but adapted for the AI skills context.

3. Agentic Financial Fraud

Two skills demonstrated novel agentic attack patterns with no close equivalent in traditional malware:

  • Affiliate link injection: A skill queried a remotely controlled referrals.json file to dynamically replace legitimate links with attacker-controlled affiliate URLs — generating fraudulent commissions at scale across agent activity.
  • Autonomous pump-and-dump: A skill coordinated multiple OpenClaw agents to pool Solana funds and execute meme-token pump-and-dump schemes autonomously, without human interaction once deployed.

A Persistent, Escalating Problem

This is not an isolated incident. A prior audit by Koi Security researcher Oren Yomtov between January and February 2026 found 341 malicious skills out of 2,857 total (11.9% of the marketplace). By February 16, that number grew to 824. Security firm Antiy Labs ultimately catalogued 1,184 malicious skills historically published to ClawHub, many tied to a coordinated campaign dubbed "ClawHavoc."

ClawHub has since integrated VirusTotal scanning, deployed its own ClawScan tool, and partnered with NVIDIA for behavioral analysis. Despite these mitigations, Unit 42's latest findings confirm that adversaries continue to evade controls and re-enter the marketplace.

Implications for AI Security

The OpenClaw/ClawHub situation is an early preview of the supply chain security challenges that will accompany mainstream AI agent adoption. Unlike traditional software packages, AI skills:

  • Execute with elevated privileges inside agent processes
  • Can issue network requests, modify files, and interact with external APIs on behalf of users
  • Are often evaluated on README descriptions rather than code review
  • Can embed social-engineering lures (like the terminal command prompt) directly in their documentation

What to Do

  • Audit installed OpenClaw skills — remove any unverified or recently installed packages
  • Never paste terminal commands from a skill's setup instructions without first reviewing them in a text editor
  • Prefer skills from verified publishers with published source code and community reputation
  • Treat AI agent marketplaces like package registries — apply the same skepticism you would to npm or pip packages from unknown authors
  • Monitor agent network activity — skills making outbound connections to unknown IPs (like 91.92.242[.]30) are a red flag
#Supply Chain#Threat Intelligence#AI Security#Malware#OpenClaw

Related Articles

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

JFrog researchers attribute a fresh npm supply chain campaign to North Korea's Lazarus Group. Malicious packages impersonating Rollup polyfill tooling...

4 min read

Clean GitHub Repo Tricks AI Coding Agents Into Running Malware

Researchers demonstrate how a seemingly clean, scanner-safe GitHub repository can silently execute a malicious payload when an AI coding agent clones and...

5 min read

ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack

Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack, with attackers injecting backdoor code into Pro plugin releases...

3 min read
Back to all News