ClawHub marketplace listings for two TradingView assistant skills. | Image: Palo Alto Networks
At a glance
| Field | Detail |
|---|---|
| Actor | Unattributed skill publishers; accounts banned by OpenClaw |
| Activity | Malicious AI agent skills: infostealer delivery, scanner evasion, agentic financial fraud |
| Targets | OpenClaw users, macOS traders, crypto and finance communities |
| Scale | Five skills found Feb-May 2026; 341 in the earlier ClawHavoc wave (Koi Security claim) |
| Status | Skills removed, accounts banned; no law enforcement action reported |
| Source | Palo Alto Networks Unit 42 |
TL;DR
Palo Alto Networks’ Unit 42 found five malicious OpenClaw skills on the ClawHub marketplace. The skills slipped past automated scanners between February and May 2026. They delivered macOS infostealers, dodged detection, and ran agentic financial scams.
What happened
ClawHub hosts third-party “skills” for OpenClaw, a fast-growing AI agent. Skills are markdown packages with broad access to local systems. That access makes the marketplace a prime supply chain target. After early attacks, ClawHub added VirusTotal and ClawScan screening. Even so, Unit 42 found five malicious OpenClaw skills that evaded both tools. Researchers reported all five. OpenClaw then banned the accounts and deleted the skills.
Why agent skills are a new attack surface
Traditional malware has to work within the limits of language runtimes and containers. Agent skills face fewer of those limits. A skill speaks to the agent in plain language. It can then misuse the agent’s shells, files, and credential managers. No classic exploit is needed. The report describes this technique as semantic instruction hijacking. Because skill logic shares the agent’s authority, one bad skill can act through the user’s own sessions. Unit 42 warns that installation can grant an attacker “complete control over the agent’s identity.”
Infostealers
Two skills posed as TradingView assistants for macOS. Each hid a prerequisite block that pushed users to a paste-site lure. That lure ran a command, which fetched a macOS stealer from a fresh server. The delivery matched earlier ClawHavoc campaigns, yet used new infrastructure.
Scanner evasion
One skill, “omnicogg”, hid an AMOS downloader inside a padded README file. Around 22 MB of junk pushed the file past scanner size limits. As a result, the malware passed both ClawScan and VirusTotal.
Agentic fraud
Two skills abused the agent’s decision-making itself. A “money-radar” skill routed every financial recommendation through affiliate links from a flagged domain. The operator could swap products remotely after install. A second skill, “letssendit”, allegedly coordinated AI agents into a meme-coin pump-and-dump. The report frames this as outright financial fraud.
Who is behind it
The report does not name the publishers, and it redacts their account handles. OpenClaw banned the suspected accounts and removed the skills. No law enforcement action has been reported. Researchers tie the infostealer skills to ongoing ClawHavoc-style activity. Koi Security earlier documented 341 malicious skills under that label. Trend Micro separately confirmed AMOS delivery across the marketplace. Bitdefender claimed roughly 17% of early skills carried malicious payloads. Treat that figure as a vendor estimate, not a confirmed total.
Impact and scale
The flagged skills drew a few hundred downloads each, by the listing counts. The wider campaign is larger. The AMOS command server stayed active more than three months after first disclosure. The risk reaches anyone running OpenClaw with broad permissions. Stolen data can include browser credentials, session cookies, and crypto wallets.
What comes next
ClawHub has expanded screening, adding an NVIDIA analysis partnership on June 1. Still, attackers keep adapting to each new filter. To stay protected, audit your installed skills and remove any you do not use. Run AI agents inside isolated containers, away from sensitive data. Watch outbound traffic for calls to undocumented endpoints. Cross-check every external connection against the skill’s stated behavior. Above all, verify publisher provenance before you install anything.
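An added example, not taken from the Unit 42 report or from OpenClaw's tooling: a Python audit pass over an installed skill folder that streams every file instead of skipping large ones (the padded-README evasion described under Scanner evasion), flags padding-like content by compression ratio, and lists URL hosts the skill does not declare. The 10 MiB size limit, the ratio threshold, the folder layout and the `declared_hosts` allowlist are assumptions, and the sample README is constructed.

```python
import re, tempfile, zlib
from pathlib import Path

URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")
CHUNK = 1 << 20    # stream 1 MiB at a time, so file size never forces a skip
OVERLAP = 512      # bytes carried over so a URL split across chunks is seen

def scan_file(path):
    """Stream one file; return (size, compression ratio, URL hosts)."""
    comp, packed, size, hosts, tail = zlib.compressobj(), 0, 0, set(), b""
    def collect(buf, final):
        for m in URL_RE.finditer(buf):
            if final or m.end() < len(buf):   # defer matches cut by the chunk edge
                hosts.add(m.group(1).rstrip(b".-").decode().lower())
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            size += len(chunk)
            packed += len(comp.compress(chunk))
            window = tail + chunk
            collect(window, final=False)
            tail = window[-OVERLAP:]
    collect(tail, final=True)                 # pick up a URL that ends at EOF
    packed += len(comp.flush())
    return size, (size / packed if packed else 1.0), hosts - {""}

def audit_skill(skill_dir, declared_hosts, size_limit=10 * 1024 * 1024):
    """Return findings as (file name, issue, detail); limits are assumed values."""
    findings = []
    for path in sorted(Path(skill_dir).rglob("*")):
        if not path.is_file():
            continue
        size, ratio, hosts = scan_file(path)
        if size > size_limit:                 # would exceed a size-capped scanner
            findings.append((path.name, "oversized", size))
        if size > 4096 and ratio > 20:        # ordinary markdown compresses far less
            findings.append((path.name, "padding-like", round(ratio)))
        for host in sorted(hosts - set(declared_hosts)):
            findings.append((path.name, "undeclared-host", host))
    return findings

def demo():
    """Constructed sample: padded README, one declared and one undeclared host."""
    with tempfile.TemporaryDirectory() as d:
        body = (b"# Chart helper\nAPI: https://api.example.com/v1\n"
                + b" " * (2 * CHUNK) + b"\nSetup: https://cdn.example.net/run\n")
        (Path(d) / "README.md").write_bytes(body)
        return audit_skill(d, {"api.example.com"}, size_limit=CHUNK)
```

Any finding is a prompt for manual review of the skill, not a verdict; a clean result only means these three checks found nothing.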