A recent security audit of ClawHub, the marketplace for OpenClaw skills, has uncovered 341 malicious skills among 2,857 reviewed entries, revealing new supply chain threats for OpenClaw users. The analysis was conducted by Koi Security with the assistance of an OpenClaw bot named Alex.
ClawHub is designed to help OpenClaw users discover and install third-party skills easily. OpenClaw, formerly Clawdbot and Moltbot, is a self-hosted AI assistant that runs locally on user devices.
Koi Security’s audit found that 335 of the malicious skills deployed fake pre-requisites to install an Apple macOS data stealer called Atomic Stealer (AMOS), a campaign now codenamed ClawHavoc. These skills often appeared legitimate, with professional documentation and names like solana-wallet-tracker or youtube-summarize-pro.
Oren Yomtov, a researcher at Koi, explained: “The skill’s documentation guides users to perform an installation step that seems normal but actually executes malicious actions.” On Windows, users are directed to download a file named openclaw-agent.zip from GitHub, while on macOS, instructions ask them to copy a script from glot[.]io and paste it into the Terminal app.
The archive contains a trojan capable of keylogging to capture credentials, API keys, and sensitive machine data, while the glot[.]io script runs obfuscated commands that fetch additional payloads from attacker-controlled servers. Subsequent payloads retrieve a Mach-O binary matching Atomic Stealer’s functionality, which can harvest sensitive data from macOS devices.
Malicious ClawHub skills have masqueraded as:
- ClawHub typosquats (clawhub1, clawhubb, clawhubcli, clawwhub, cllawhub)
- Cryptocurrency tools (Solana wallets, trackers)
- Polymarket bots (polymarket-trader, polytrading)
- YouTube utilities (youtube-summarize, youtube-video-downloader)
- Auto-updaters (auto-updater-agent, update, updater)
- Finance and social media tools (yahoo-finance-pro, x-trends-tracker)
- Google Workspace integrations (Gmail, Calendar, Sheets, Drive)
- Ethereum gas trackers, lost Bitcoin finders
Some skills hid reverse shell backdoors in functional code or exfiltrated OpenClaw bot credentials to webhook[.]site, enabling remote compromise.
OpenSourceMalware has confirmed the ClawHavoc campaign, highlighting that these skills use sophisticated social engineering to steal sensitive data, including crypto exchange API keys, wallet private keys, SSH credentials, and browser passwords. All malicious skills share a common command-and-control server at 91.92.242[.]30.
OpenClaw Introduces Reporting Feature
ClawHub’s open upload policy—requiring only a GitHub account older than a week—made the ecosystem vulnerable. In response, OpenClaw’s creator, Peter Steinberger, added a reporting feature allowing signed-in users to flag suspicious skills. Skills with more than three unique reports are automatically hidden.
The findings emphasize that open-source ecosystems remain a target for threat actors who exploit popularity and user trust to distribute malware at scale.
A report by Palo Alto Networks described OpenClaw as a “lethal trifecta,” combining persistent memory, access to private data, and the ability to interact with external systems. This combination increases the risk of delayed-execution attacks, memory poisoning, and logic bomb-style prompt injection, turning seemingly harmless inputs into sophisticated, stateful attacks.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
