A security audit of ClawHub’s 2,857 skills uncovered 341 malicious skills across multiple campaigns, exposing users to new supply chain risks, according to new findings from Koui Security.
ClawHub is a marketplace designed to help OpenClaw users easily find and install third-party skills. It is an extension of the OpenClaw project, a self-hosted artificial intelligence (AI) assistant previously known as both Clawdbot and Moltbot.
This analysis, conducted by Koi with the help of an OpenClaw bot named Alex, found that 335 skills were using bogus prerequisites to install an Apple macOS stealer named Atomic Stealer (AMOS). The code name for this set is ClawHavoc.
“Maybe install something that looks like a legitimate skill, like solana-wallet-tracker or youtube-summarize-pro,” said Koi researcher Oren Yomtov. “The skill documentation looks professional, but there’s a ‘prerequisites’ section that says you need to install something first.”
This procedure includes instructions for both Windows and macOS systems. On Windows, users are asked to download a file called “openclaw-agent.zip” from the GitHub repository. On macOS, the documentation says to copy the installation script hosted on glot.[.]Type io and paste it into your Terminal app. The targeting of macOS is no coincidence, as there have been reports of people buying Mac Minis to run AI assistants 24/7.
Inside the password-protected archive resides a Trojan horse with keylogging capabilities that captures API keys, credentials, and other sensitive data on the machine, including data that the bot has already accessed. On the other hand, Grotto is[.]The io script contains obfuscated shell commands to retrieve the next stage payload from attacker-controlled infrastructure.
This requires access to another IP address (‘91.92.242’).[.]This shell script is configured to connect to the same server and retrieve a universal Mach-O binary that exhibits characteristics consistent with Atomic Stealer, a commodity stealer available for $500 to $1000 per month that can collect data from macOS hosts.
According to Coy, the malicious skill appears to be:
ClawHub Typosquats (e.g. clawhub, clawhub1, clawhubb, clawhubcli, clawwhub, cllawhub) Cryptocurrency tools such as Solana wallets and wallet trackers Polymarket bots (e.g. Polymarket-trader, polymarket-pro, polytrading) YouTube utilities (e.g. youtube-summarize, youtube-thumbnail-grabber, youtube-video-downloader) Automatic updaters (e.g. auto-updater-agent, update, updater) Financial and social media tools (e.g. yahoo-finance-pro, x-trends-tracker) Google Workspace tools that claim integration with Gmail, Calendar, Sheets, Drive Ethereum Gas Tracker Lost Bitcoin Finder
Additionally, the cybersecurity firm said it has identified skills that either hide reverse shell backdoors within function code (such as better-polymarket or polymarket-all-in-one) or leak bot credentials to webhooks located in ~/.clawdbot/.env.[.]Site (e.g. rankaj).
This development is consistent with an OpenSourceMalware report that also flagged the same ClawHavoc campaign targeting OpenClaw users.
“This skill disguises itself as a virtual currency transaction automation tool and sends information-stealing malware to macOS and Windows systems,” said a security researcher who goes by the online alias 6mile.
“All these skills share the same command and control infrastructure (91.92.242)[.]30) They then use sophisticated social engineering to convince users to execute malicious commands and steal crypto assets such as exchange API keys, wallet private keys, SSH credentials, and browser passwords. ”
OpenClaw adds reporting options
This issue stems from the fact that ClawHub is open by default, allowing anyone to upload skills. The only limitation at this stage is that the publisher must have a GitHub account that is at least one week old.
The issue of malicious skills did not go unnoticed by OpenClaw creator Peter Steinberger, who subsequently published a reporting feature that allows signed-in users to flag skills. “Each user can have up to 20 active reports at one time,” the documentation states. “Skills with more than three unique reports are automatically hidden by default.”
The findings highlight how the open source ecosystem continues to be exploited by threat actors, who are now capitalizing on OpenClaw’s sudden popularity to orchestrate malicious campaigns and distribute malware at scale.
Palo Alto Networks warned in a report last week that OpenClaw is part of what Simon Willison, the British programmer who coined the term prompt injection, described as a “deadly trio” that makes AI agents vulnerable by design with access to private data, exposure to untrusted content, and the ability to communicate externally.
The intersection of these three features and OpenClaw’s persistent memory “acts as an accelerator” and amplifies the risk, the company added.
“With persistent memory, the attack is no longer just a point-in-time exploit, but a stateful, delayed-execution attack,” said researchers Sailesh Mishra and Sean P. Morgan. “Malicious payloads no longer need to immediately trigger execution upon delivery. Instead, they become fragmented, untrusted inputs that appear benign on their own, and can be written to long-term agent memory and later assembled into executable instruction sets.”
“This allows for time-shifted prompt injections, memory poisoning, and logic bomb-style activations. Exploits are created on ingestion, but only detonate when the agent’s internal state, goals, or tool availability align.”
Source link
