[Security researchers uncovered 341 malicious skills on the ClawHub marketplace designed to infect systems with stealer malware.][The ClawHavoc campaign primarily targets macOS users, deploying the $500-1000/month Atomic Stealer (AMOS) to steal crypto assets and sensitive data.][The skills pose a supply chain risk by disguising themselves as popular cryptocurrency tools, YouTube utilities, and productivity bots to trick users.]
A recent security audit by Koi Security has uncovered hundreds of malicious skills on the ClawHub marketplace, exposing OpenClaw AI assistant users to significant supply chain risks. The investigation, assisted by an OpenClaw bot named Alex, identified 341 tainted skills across multiple campaigns targeting the ecosystem. This widespread infiltration marks a new vector for malware distribution within popular open-source platforms.
Most malicious skills, 335 in total, use a deceptive prerequisite step to install the Atomic Stealer (AMOS) on macOS systems, according to the ClawHavoc campaign findings. “You install what looks like a legitimate skill,” Koi researcher Oren Yomtov said. “But there’s a ‘Prerequisites’ section that says you need to install something first.” The instructions ultimately lead to a trojan that harvests API keys, credentials, and other sensitive data.
The skills cleverly masquerade as high-demand tools to attract victims, particularly in the cryptocurrency space. They pose as Solana wallet trackers, Polymarket trading bots, and even lost Bitcoin finders. Consequently, threat actors are exploiting the platform’s open nature and OpenClaw’s rising popularity to target users’ digital assets. Meanwhile, a separate report from OpenSourceMalware also flagged the same campaign, noting all skills share the same command-and-control infrastructure.
The campaign’s sophistication is heightened by OpenClaw’s inherent design vulnerabilities, which researchers describe as a “lethal trifecta.” According to a Palo Alto Networks report, the assistant’s access to private data, exposure to untrusted content, and ability to communicate externally creates significant risk. This combination is further amplified by persistent memory, enabling stateful, delayed-execution attacks. Consequently, malicious payloads can lie dormant in memory before activating under specific conditions.
In response to the threat, OpenClaw’s creator has introduced a user reporting feature to flag suspicious skills. The creator, Peter Steinberger, configured the system to auto-hide any skill receiving more than three unique reports. However, the restriction for publishers remains minimal, requiring only a GitHub account older than one week. This incident underscores the persistent challenge of securing open-source ecosystems against evolving social engineering tactics.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
