The AI agent ecosystem's supply chain security problem is worsening. Researchers from Palo Alto Networks' Unit 42 have identified five new persistent malicious skill packages on ClawHub — the public marketplace for OpenClaw AI agent extensions — adding to a mounting catalogue of adversarial activity targeting the emerging AI skills ecosystem.
What Is OpenClaw?
OpenClaw is a self-hosted AI agent capable of executing shell commands, file operations, and network requests. Its capabilities are extended through skills — small packages built around a SKILL.md file — which are distributed through ClawHub, its public marketplace. Because skills run inside the agent process with access to the agent's identity, credentials, system I/O, and network connections, ClawHub represents a high-value supply chain target analogous to npm or PyPI.
The Five Malicious Packages
Unit 42's analysis identified three distinct threat categories across the five rogue packages:
1. Infostealers Disguised as Productivity Tools
Two skills posed as macOS productivity utilities for traders. Their SKILL.md files embedded malicious prerequisite blocks instructing users to paste a command into their terminal — a classic curl-pipe-bash dropper pattern. This dropped Atomic macOS Stealer (AMOS), harvesting:
- Browser credentials and saved passwords
- macOS Keychain contents
- Crypto wallet seed phrases
- SSH keys
- Telegram session data
The command-and-control server at 91.92.242[.]30 remained active months after initial disclosure, indicating the campaign operators were not deterred by removal from ClawHub.
2. Scanner Evasion via README Padding
A skill named "omnicogg" used a novel evasion technique: padding its README.md with 22 megabytes of junk data. This exceeded the processing limits of ClawHub's own ClawScan scanner and VirusTotal, allowing a malware downloader to slip through both static analysis pipelines undetected. The technique mirrors file-size-based evasion tactics used in traditional malware but adapted for the AI skills context.
3. Agentic Financial Fraud
Two skills demonstrated novel agentic attack patterns with no close equivalent in traditional malware:
- Affiliate link injection: A skill queried a remotely controlled
referrals.jsonfile to dynamically replace legitimate links with attacker-controlled affiliate URLs — generating fraudulent commissions at scale across agent activity. - Autonomous pump-and-dump: A skill coordinated multiple OpenClaw agents to pool Solana funds and execute meme-token pump-and-dump schemes autonomously, without human interaction once deployed.
A Persistent, Escalating Problem
This is not an isolated incident. A prior audit by Koi Security researcher Oren Yomtov between January and February 2026 found 341 malicious skills out of 2,857 total (11.9% of the marketplace). By February 16, that number grew to 824. Security firm Antiy Labs ultimately catalogued 1,184 malicious skills historically published to ClawHub, many tied to a coordinated campaign dubbed "ClawHavoc."
ClawHub has since integrated VirusTotal scanning, deployed its own ClawScan tool, and partnered with NVIDIA for behavioral analysis. Despite these mitigations, Unit 42's latest findings confirm that adversaries continue to evade controls and re-enter the marketplace.
Implications for AI Security
The OpenClaw/ClawHub situation is an early preview of the supply chain security challenges that will accompany mainstream AI agent adoption. Unlike traditional software packages, AI skills:
- Execute with elevated privileges inside agent processes
- Can issue network requests, modify files, and interact with external APIs on behalf of users
- Are often evaluated on README descriptions rather than code review
- Can embed social-engineering lures (like the terminal command prompt) directly in their documentation
What to Do
- Audit installed OpenClaw skills — remove any unverified or recently installed packages
- Never paste terminal commands from a skill's setup instructions without first reviewing them in a text editor
- Prefer skills from verified publishers with published source code and community reputation
- Treat AI agent marketplaces like package registries — apply the same skepticism you would to npm or pip packages from unknown authors
- Monitor agent network activity — skills making outbound connections to unknown IPs (like
91.92.242[.]30) are a red flag