Unit 42 — Malicious OpenClaw Skills on ClawHub Delivered Infostealers and Crypto Fraud

AI relevance: Agent skill marketplaces are a new software supply-chain surface — malicious skills share the agent's full authority over shell, files, and credentials, turning a plain-language instruction package into a complete system compromise vector with no classic exploit required.

  • Palo Alto Networks' Unit 42 discovered five malicious OpenClaw skills on the ClawHub marketplace that evaded both VirusTotal and ClawScan screening between February and May 2026.
  • Two skills posed as TradingView assistants for macOS. Each hid a prerequisite block that directed users to a paste-site lure, which fetched a macOS infostealer from freshly provisioned infrastructure — matching earlier ClawHavoc campaign patterns.
  • One skill, "omnicogg", embedded an AMOS (Atomic macOS Stealer) downloader inside a padded README file. Approximately 22 MB of junk data pushed the file past scanner size limits, defeating both ClawScan and VirusTotal detection.
  • Two skills abused the agent's decision-making directly: a "money-radar" skill routed every financial recommendation through attacker-controlled affiliate links, and a "letssendit" skill allegedly coordinated AI agents into a meme-coin pump-and-dump scheme.
  • Unit 42 describes the technique as semantic instruction hijacking — because skill logic shares the agent's authority, one malicious skill can act through the user's own sessions with no classic exploit needed.
  • The wider campaign is larger than five skills: Koi Security previously documented 341 malicious skills under the "ClawHavoc" label, and Trend Micro confirmed AMOS delivery across the marketplace. Bitdefender estimated roughly 17% of early skills carried malicious payloads.
  • ClawHub has expanded screening, adding an NVIDIA analysis partnership on June 1, but attackers continue adapting to each new filter. OpenClaw banned the suspected accounts and removed the skills.
  • Stolen data can include browser credentials, session cookies, and cryptocurrency wallets — anything accessible through the agent's session identity.

Why it matters

Agent skill marketplaces replicate the npm/PyPI supply-chain problem but with higher stakes: a malicious package traditionally needs a runtime exploit to achieve code execution. A malicious agent skill needs only natural language — it inherits the agent's shell access, file permissions, and credential stores by design. The "semantic instruction hijacking" pattern means traditional malware scanners (signature-based, size-limited) are structurally mismatched to the threat.

What to do

  • Audit all installed OpenClaw skills. Remove any you do not actively use or cannot trace to a verified publisher.
  • Run AI agents inside isolated containers with scoped filesystem and network access — never with unrestricted host permissions.
  • Monitor outbound traffic from agent sessions for calls to undocumented endpoints or paste-sites.
  • Verify publisher provenance before installing any skill. Treat skills with prerequisite blocks that fetch external scripts as high-risk.
  • For marketplace operators: size-limited scanning is insufficient. Implement behavioral analysis of skill instruction patterns, not just binary payload detection.

Sources