Trojan AI: OpenClaw “Skills” Marketplace Flooded with Malware

The booming ecosystem of personal AI agents has hit its first major security speed bump. VirusTotal has released a report detailing a massive supply chain attack targeting OpenClaw (formerly Clawdbot), a popular self-hosted AI agent platform. Attackers are flooding the platform’s marketplace with malicious “skills”—extensions designed to enhance the AI’s capabilities—that are actually Trojan horses for malware.

“What started as an ecosystem for extending AI agents is rapidly becoming a new supply-chain attack surface,” the report warns.

OpenClaw is powerful because it allows AI agents to execute real commands on a user’s machine, from file operations to network requests. Users extend this functionality by installing “skills” from ClawHub, a public marketplace.

However, because these skills run with the same permissions as the agent, they are a security nightmare if compromised. “Skills are a gift for productivity and, unsurprisingly, a gift for malware authors too,” the report notes.

VirusTotal’s analysis found that “hundreds of OpenClaw skills… are actively malicious”. These malicious packages often disguise themselves as helpful tools for finance tracking, crypto analytics, or social media trends.

The report highlights a specific threat actor operating under the username “hightower6eu”. This user has published over 300 skills that appear legitimate on the surface but serve a singular malicious purpose.

“The skills cover a wide range of apparently harmless use cases… but they all follow a similar pattern: users are instructed to download and execute external code from untrusted sources,” the report explains.

For example, a skill named “Yahoo Finance” claims to provide stock quotes but includes a “Prerequisite” step instructing users to download an external agent. For Windows users, this file is a password-protected ZIP containing a Trojan. For macOS users, it’s an obfuscated shell script that downloads the Atomic Stealer (AMOS) malware.

“Nothing in the file is technically ‘malware’ by itself. The malware is the workflow,” the researchers observe, pointing out how the attack relies on social engineering rather than exploiting code vulnerabilities.

The payloads delivered by these skills are severe. The macOS variant identified in the report is a sophisticated information stealer designed to “harvest sensitive user data, including system and application passwords, browser cookies… and cryptocurrency wallets”.

Once installed, the malware runs silently in the background, exfiltrating data to a remote command-and-control server before deleting itself to cover its tracks.

To combat this, VirusTotal has added support for OpenClaw skills to its Code Insight tool, using AI models like Gemini 1.5 Flash to analyze the behavior of these packages.

For users of OpenClaw and similar AI agents, the advice is stark: “For personal AI agents, the supply chain is not a detail, it’s the whole product”. Users are urged to treat skill folders as trusted boundaries and be “extremely skeptical” of any extension that asks them to run external binaries or paste commands into a terminal.

Related Posts:

• One Click to “God Mode”: The Critical OpenClaw Flaw That Handed Attackers Your Master Keys
• Phishing Alert: Fake WeTransfer & HunCERT Pages Hosted on AWS S3 & Cloudflare Turnstile Stealing Credentials
• Atomic Stealer Malware Targets macOS Users with Fake Evernote Crack