Security researchers have identified multiple malicious skills on a marketplace for the OpenClaw ecosystem that can steal credentials, bypass security scans, and conduct other novel malicious activity for an attacker’s financial gain.

Researchers at Palo Alto Networks’ Unit 42 recently identified five malicious skills that appeared legitimate on ClawHub, OpenClaw’s dedicated marketplace, demonstrating that such platforms are emerging as a significant AI supply chain attack surface. ClawHub sells these skills — which can access local files, credentials, APIs, and other resources on the host system — to add functionality to the open source AI agent, which has seen meteoric adoption among developers and businesses since its launch last November. 

“The five skills represent three distinct threat categories leveraging the AI supply chain ecosystem,” Unit 42 researchers wrote in a blog post published on June 23. The three categories consist of infostealers, detection evasion, and agentic threats. If these skills spread across users of OpenClaw, they can threaten the platform in use across scores of organizations, they said.


Two of the malicious skills included infostealers that connect to command-and-control (C2) infrastructure; the malware was directed at the macOS platform, according to the post. Another skill provided evasion capability using an inflated file size that could exceed scanner thresholds, bypassing both ClawScan and VirusTotal detection. 

Finally, the last two skills represented agentic threats, including “agentic affiliate injection and agentic front-running,” both novel techniques that the skills’ developers can use for financial gain, according to the researchers.

Collectively, the malicious skills threaten organizations using OpenClaw by allowing threat actors to steal credentials and sensitive data; exfiltrate files and system information; manipulate agent behavior through hidden instructions; execute unauthorized actions on behalf of the user; and abuse access to connected services and workflows.

OpenClaw Security Woes Persist

The existence of the malicious skills on ClawHub represents yet another security challenge for OpenClaw, an AI agent framework that executes third-party skills from ClawHub. Skills are markdown-driven packages with broad local system access, making ClawHub a critical link in the agentic software supply chain.

Following its release and rapid adoption, OpenClaw spawned numerous security concerns, as many security experts had feared, including vulnerabilities that threatened deployments and malicious skills found on ClawHub, according to Unit 42. In fact, in early February 2026, Bitdefender Labs reported that approximately 17% of OpenClaw skills it analyzed in the first few weeks of the platform’s release carried malicious payloads.


Meanwhile, Koi Security’s ClawHavoc research earlier this year documented 341 malicious skills, and Trend Micro separately confirmed skills distributing Atomic macOS stealer (AMOS) malware across the marketplace, according to the Unit 42 researchers.

To address these issues and make the platform more secure, ClawHub integrated VirusTotal and ClawScan into its platform to enable proactive screening of published skills and code-level analysis to block skills flagged as malicious. However, the five skills discovered by Unit 42 bypassed automated security scanning and code-analysis mechanisms intended to protect users.

To be fair, ensuring that scans can detect all malicious skills “is generally a hard problem to solve,” observes Johan Edholm, a security engineer and co-founder at application security provider Detectify. Skills are really just sets of plain-language instructions the agent reads and trusts, and defending against such abuse is difficult, he explains via email.


“Because it’s plain language that LLMs will interpret, we can’t rely on (only) static checks to infer if the skill contains malicious intent or not,” Edholm says. “Adding a human to review everything before publication would add a bottleneck, which might not be desirable. One can use LLMs to review skills, which helps, but it won’t be perfect. Like with classic malware, it’s a bit of a cat-and-mouse game.”

Unit 42 reported all five of the malicious skills to ClawHub for takedown, and administrators subsequently deleted all of the skills and banned the related accounts, according to the post.

Emerging Threats to the AI Ecosystem

Unit 42’s analysis of the malicious skills uncovered several emerging agent-specific threats that extend beyond traditional malware, demonstrating how AI agents give outsiders new and creative ways to attack the supply chain.

One malicious skill dubbed “omnicogg,” for example, used a classic defense-evasion technique by hiding a malware downloader in a README file padded with junk data. Attackers designed the file to exceed processing limits of automated scanning systems, thus giving the payload cover while still passing marketplace security checks, the researchers noted.
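The padding trick works only when a scanner silently skips files above its size limit. The following pre-scan check, an added example that is not Unit 42's or ClawHub's code, fails closed on oversized package files instead and flags chunks that look like filler or embedded non-text data; the size limit and sample README bytes are constructed stand-ins, not the real ClawScan or VirusTotal thresholds.

```python
import math
from collections import Counter

# Constructed per-file limit standing in for a scanner's size threshold;
# the real ClawScan/VirusTotal limits are not stated in the article.
SCANNER_MAX_BYTES = 64 * 1024
CHUNK = 4096
TEXT_EXT = (".md", ".txt")
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def chunk_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input or a single repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_fraction(data: bytes) -> float:
    """Share of bytes that are plain printable ASCII or whitespace."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 1.0


def audit_file(name: str, data: bytes) -> list:
    """Return policy findings for one package file; an empty list means clean.

    Oversized files are refused rather than skipped, so padding cannot buy
    an exemption from scanning.  Within the file, a chunk with near-zero
    entropy is repeated filler, and a documentation chunk that is mostly
    non-printable bytes is a blob that does not belong in a README.
    """
    findings = []
    if len(data) > SCANNER_MAX_BYTES:
        findings.append(f"{name}: {len(data)} bytes exceeds scanner limit; refuse, do not skip")
    is_text = name.lower().endswith(TEXT_EXT)
    for off in range(0, len(data), CHUNK):
        chunk = data[off:off + CHUNK]
        if chunk_entropy(chunk) < 1.0:
            findings.append(f"{name}: low-entropy filler at offset {off}")
            break
        if is_text and printable_fraction(chunk) < 0.9:
            findings.append(f"{name}: non-text bytes in documentation at offset {off}")
            break
    return findings


if __name__ == "__main__":
    # Constructed README padded with null bytes, mimicking the evasion described above.
    padded = b"# Demo skill\n" + b"\x00" * (SCANNER_MAX_BYTES + 1)
    for finding in audit_file("README.md", padded):
        print(finding)
```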

The researchers also identified a financial advisory skill, “money-radar,” principally aimed at manipulating agent recommendations for profit. “The skill weaponized the agent’s advisory authority, routing all financial recommendations through affiliate links from a known-malicious domain,” according to the researchers. “The publisher retained dynamic control over which products it pushed after installation.”

Another skill identified by Unit 42, “letssendit,” represented arguably the most inventive and dangerous of the bunch. It coordinates a meme token pump-and-dump scheme by instructing agents to pool funds into wallets controlled by the operator, who could then acquire tokens ahead of the resulting demand and profit from subsequent price increases. 

In particular, this skill represents a novel use case of AI agents for an autonomous financial manipulation scheme, the researchers noted. It also goes beyond mere malware delivery or simple fraud and provides a potential glimpse of how agentic AI systems could be manipulated for malicious intent in the future.  

Defensive Strategies for AI Supply Chain Threats

Given the new threats that emerge with the use of agentic AI systems across organizations, they should strengthen their defensive posture, the researchers recommended. One key way to do this is by using “a rigorous supply chain verification framework,” they said. 

“We identified that skill execution occurs within the agent process,” the researchers wrote. “This necessitates active validation of publisher provenance and a line-by-line audit of package source files.”

Detectify’s Edholm advises organizations to treat any skill used in an agentic AI system as another way into the network for an attacker, “and put your attention on what it does while it’s running, not just on the moment you install it.” And like Unit 42, he recommends monitoring for outbound traffic to undocumented endpoints.

“Keep an eye on which outside servers your agents are talking to, check that against what each skill said it would need, and look closely at anything reaching a destination it never mentioned,” Edholm says. “Give the agent only the access it genuinely needs, check who actually published the skill, and keep watching over time rather than relying on a single inspection, because these systems change too fast for an occasional review to mean much.”

Indeed, Unit 42 researchers said, implementing more stringent verification steps for AI assets in an organization can help protect its environment by ensuring that the operational behavior of a skill aligns strictly with its stated technical specifications.
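The check Edholm describes, and the behavior-versus-specification comparison Unit 42 recommends, reduce to diffing what each skill declared it would contact against what it actually contacted. This added example (not code from Unit 42, Detectify or OpenClaw) does that over a constructed egress log; the skill names, hosts and the key=value log format are placeholders chosen for the illustration.

```python
import re
from collections import defaultdict

# Constructed manifest: the endpoints each installed skill says it needs.
# Skill names and hosts are hypothetical, not real ClawHub skills.
DECLARED_ENDPOINTS = {
    "news-digest": {"api.newsfeed.example"},
    "repo-helper": {"api.github.com"},
}

# Constructed egress log (one connection per line) in a simple key=value format.
EGRESS_LOG = """\
2026-06-23T10:00:01Z skill=news-digest dst=api.newsfeed.example:443 bytes=2311
2026-06-23T10:00:04Z skill=news-digest dst=tracker.unlisted.example:443 bytes=980
2026-06-23T10:01:10Z skill=repo-helper dst=api.github.com:443 bytes=5120
2026-06-23T10:02:00Z skill=weather-now dst=203.0.113.7:8080 bytes=41
"""

LINE_RE = re.compile(r"skill=(?P<skill>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+)")


def undeclared_egress(log_text: str, declared: dict) -> dict:
    """Map each skill to the destinations it contacted but never declared.

    A skill that generates traffic without any declaration at all is
    reported with every destination it reached, since nothing vouches for it.
    Skills whose observed traffic matches their manifest are omitted.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m["skill"]].add(m["host"])
    report = {}
    for skill, hosts in seen.items():
        extra = hosts - declared.get(skill, set())
        if extra:
            report[skill] = extra
    return report


if __name__ == "__main__":
    for skill, hosts in undeclared_egress(EGRESS_LOG, DECLARED_ENDPOINTS).items():
        print(f"{skill}: undeclared destination(s) {sorted(hosts)}")
```

Feeding the same function a fresh log on a schedule, rather than once at install time, gives the continuous review Edholm calls for.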
