Unit 42 — ClawHub Evasive Skills Deploy Infostealers and Agentic Financial Fraud

AI relevance: Malicious AI agent skills exploit the trust boundary between markdown instructions and agent authority — semantic instruction hijacking lets attackers bypass technical sandboxing without a single line of exploit code.

Key Findings

• Palo Alto Networks' Unit 42 team identified five unblocked malicious skills on ClawHub (the OpenClaw marketplace) during February–May 2026, after ClawHub had already integrated VirusTotal and ClawScan screening.
• Two skills delivered macOS infostealers via base64-encoded curl-pipe-bash droppers that connected to persistent C2 infrastructure.
• One skill used inflated file size to exceed scanner thresholds, bypassing both ClawScan and VirusTotal — a novel evasion technique targeting size-limited analysis pipelines.
• Two skills represented agentic threats: runtime affiliate injection and agentic front-running — both novel techniques for financial fraud through AI agent advisory authority.
• The money-radar skill posed as a financial product advisor targeting users in mainland China, Hong Kong, and Singapore, fetching dynamic referrals.json from attacker-controlled domains to inject affiliate links into agent recommendations at runtime.
• Unlike traditional malware that requires code execution exploits, these skills used semantic instruction hijacking — manipulating the AI's natural language interpretation to abuse file systems, shells, and credential managers through the agent's own authenticated sessions.
• The lack of isolation between skill logic and agent authority means installation grants complete control over the agent's identity, allowing unauthorized actions through the agent's own authenticated sessions.
• OpenClaw has banned the accounts, deleted all identified skills, and is now collaborating with NVIDIA to provide documentation of what each skill does and run NVIDIA's analysis tool on all marketplace submissions.

Why It Matters

This is the first confirmed case of agentic financial fraud through AI agent skill marketplaces. The money-radar skill demonstrates a new attack pattern where attackers don't steal data — they hijack the agent's advisory role to manipulate user decisions for profit. The size-based scanner evasion technique also reveals a gap in automated security analysis: tools designed for traditional code packages fail when the payload is natural language instructions that can be arbitrarily padded.

The broader implication: AI agent skill marketplaces face the same supply-chain dynamics as npm or PyPI, but with a fundamentally different threat model. A malicious markdown file can achieve what traditionally required compiled exploits — full system compromise through the agent's own privileges.

What to Do

• Audit installed skills: Review all OpenClaw skills from ClawHub; remove any from the banned accounts identified by Unit 42.
• Enable NVIDIA analysis: OpenClaw is integrating NVIDIA's skill analysis tool — ensure it's active for all marketplace installs.
• Treat skills as software supply chain: Apply the same scrutiny to AI agent skills as you would to npm/PyPI packages — pin versions, review diffs, monitor for behavioral changes post-install.
• Implement runtime monitoring: Log agent tool invocations and file system access; flag unexpected credential access or outbound network connections from agent processes.
• Contribute to OWASP Agentic Skills Top 10: This framework (published December 2025) provides the first peer-reviewed security taxonomy for agent skill ecosystems.

Sources

• Unit 42 — OpenClaw's Skill Marketplace and the Emerging AI Supply Chain Threat
• Cybersecurity News — OpenClaw Skill Marketplace Exposes AI Agents to Supply Chain Malware
• GBHackers — OpenClaw Supply Chain Risk Lets Attackers Abuse AI Agent Authority
• OWASP Agentic Skills Top 10