Malicious AI 'Skills' on OpenClaw's ClawHub Marketplace Bypass Scanners to Deliver Infostealers

Malicious AI 'Skills' on OpenClaw's ClawHub Marketplace Bypass Scanners to Deliver Infostealers - CyberNetSec.io

Report

Malicious AI 'Skills' on OpenClaw's ClawHub Marketplace Bypass Scanners to Deliver Infostealers

Unit 42 Uncovers Evasive Malicious AI Skills on OpenClaw's ClawHub Marketplace Deploying Infostealers

Malicious AI 'Skills' on OpenClaw's ClawHub Marketplace Bypass Scanners to Deliver Infostealers

HIGH

June 24, 2026

9m read

Supply Chain AttackMalwareThreat Intelligence

Related Entities

Organizations

Unit 42 Palo Alto Networks NVIDIA Bitdefender LabsKoi SecurityTrend Micro

Products & Tech

OpenClawClawHubVirusTotal ClawScan

Other

Atomic macOS stealer (AMOS) cluwClawHavoc

MITRE ATT&CK Techniques

T1204.002Execution

User Execution: Malicious File

T1059.004Execution

Command and Scripting Interpreter: Unix Shell

T1105Command and Control

Ingress Tool Transfer

T1027Defense Evasion

Obfuscated Files or Information

T1555Credential Access

Credentials from Password Stores

T1189Initial Access

Drive-by Compromise

Full Report

Executive Summary

Between February and May 2026, Unit 42 researchers uncovered a sophisticated threat campaign targeting the OpenClaw AI agent ecosystem. Malicious actors are successfully publishing dangerous 'skills' on ClawHub, the official marketplace, that bypass integrated security scanners, including VirusTotal. These skills leverage social engineering and obfuscation to trick users into executing commands that deploy infostealer malware, such as Atomic macOS stealer (AMOS) and a new variant named cluw. This activity represents a critical evolution of software supply chain attacks, specifically adapted for the unique architecture of agentic AI platforms. The lack of isolation in these environments means a single malicious skill can grant an attacker full control over the agent's permissions and access to the underlying system, posing a severe risk to users and organizations.

Threat Overview

OpenClaw is an AI agent designed to execute tasks using third-party plugins called 'skills', which are distributed through its dedicated ClawHub marketplace. This model creates a new type of software supply chain. While initial malicious campaigns in early 2026, such as ClawHavoc, were identified and led to enhanced scanning with VirusTotal and ClawScan, threat actors have adapted.

The latest campaign, observed by Unit 42, uses more evasive techniques. Attackers publish skills, such as tradingview-ai-indicator-assistant, that appear legitimate. However, the skill's markdown file contains a 'prerequisite block' that directs the user to an external website (a 'paste-site redirect lure') hosting a malicious command. The user is instructed to copy and paste this command into their terminal to enable the skill. This user-assisted execution bypasses the automated scanners that only analyze the skill package itself. Once executed, the command downloads and runs an infostealer payload, leading to credential theft and potential financial fraud.

This attack vector exploits the semantic gap in AI agent security. The agent interprets the malicious instructions as a legitimate user request, using its own system privileges to execute the attack. This circumvents traditional security boundaries that might exist in sandboxed application environments like npm or PyPI.

Technical Analysis

The attack chain primarily relies on user interaction prompted by a malicious skill.

Lure: The user installs a malicious skill from ClawHub, such as tradingview-ai-indicator-assistant (SHA256: b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007).

Social Engineering: The skill's prerequisite instructions direct the user to a paste-site, hxxps[:]//rentry[.]co/openclaw-code, which masquerades as a required activation step. This is a form of T1189 - Drive-by Compromise.

Execution: The user is instructed to copy a Base64-encoded string and pipe it into a shell. This technique, T1059.004 - Command and Scripting Interpreter: Unix Shell, is a classic 'curl-pipe-bash' attack. The use of Base64 is a form of T1027 - Obfuscated Files or Information.

Payload Delivery: The executed shell command fetches a second-stage payload via T1105 - Ingress Tool Transfer. In the case of the tradingview skill, the payload Xuvewuyur was downloaded from hxxp[:]//2.26.75[.]16. This payload was identified as a new macOS infostealer named cluw (SHA256: 818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7).

C2 Communication & Data Theft: Once active, the infostealer harvests credentials and other sensitive data, fulfilling its objective of T1555 - Credentials from Password Stores. Older campaigns linked to the omnicogg skill (SHA256: b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2) delivered Atomic macOS stealer (AMOS), communicating with a C2 server at 91.92.242[.]30.

This campaign demonstrates the attackers' persistence, reusing the delivery template from the original ClawHavoc attacks but with new backend infrastructure and payloads to evade detection.

Impact Assessment

The primary impact of this campaign is the theft of sensitive information, including browser cookies, cryptocurrency wallet data, system passwords, and other credentials stored on the victim's machine. The targeting of TradingView users suggests a focus on individuals involved in financial markets, increasing the risk of direct financial loss.

From a broader perspective, this attack highlights a severe systemic risk in the burgeoning AI agent ecosystem. The lack of robust sandboxing and permission controls for third-party skills creates a trusted pathway for malware directly onto user systems. As AI agents become more integrated into personal and enterprise workflows, this type of supply chain attack could lead to widespread corporate espionage, large-scale data breaches, and significant financial fraud.

IOCs — Directly from Articles

Type

ip_address_v4

Value

91.92.242.30

Description

C2 server for AMOS malware dropper.

Type

ip_address_v4

Value

2.26.75.16

Description

Payload server for 'cluw' infostealer.

Type

url

Value

https://rentry.co/openclaw-code

Description

Paste-site redirect lure hosting malicious commands.

Type

file_hash_sha256

Value

b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007

Description

Malicious skill: tradingview-ai-indicator-assistant.

Type

file_hash_sha256

Value

818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7

Description

'cluw' macOS infostealer payload.

Type

file_hash_sha256

Value

b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2

Description

Malicious skill: omnicogg.

Type

file_name

Value

Xuvewuyur

Description

Filename of the 'cluw' infostealer payload.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to detect related activity:

Type

command_line_pattern

Value

curl .* | .*bash

Description

Detects the common curl-pipe-bash execution method.

Type

command_line_pattern

Value

echo .* | base64 --decode | bash

Description

Detects execution of Base64-encoded scripts.

Type

url_pattern

Value

rentry.co/*

Description

Network traffic to the paste-site used in the attack.

Type

process_name

Value

OpenClaw

Description

Look for child processes spawned by the OpenClaw agent, especially curl, bash, or sh.

Type

log_source

Value

EDR Telemetry / Sysmon / macOS Endpoint Security Framework

Description

Source for monitoring process creation and command-line arguments.

Type

network_traffic_pattern

Value

Outbound to 91.92.242.30 or 2.26.75.16

Description

Connections to known malicious IP addresses.

Detection & Response

Detecting this threat requires monitoring beyond the initial skill download. Security teams should focus on post-installation behavior.

Process Monitoring: Implement Endpoint Detection and Response (EDR) rules to monitor for suspicious process chains originating from the OpenClaw agent. Specifically, alert on OpenClaw spawning shell interpreters like bash or sh, which then initiate network connections with tools like curl or wget. This can be achieved through D3FEND's D3-PA: Process Analysis.

Command Line Auditing: Log all command-line arguments for executed processes. Create SIEM alerts for patterns like curl | bash or base64 --decode | bash, which are highly indicative of this attack vector.

Network Traffic Analysis: Use network security tools and proxies to perform D3-NTA: Network Traffic Analysis. Block outbound connections to the IOCs listed above. Additionally, create alerts for connections to known anonymous paste sites like rentry.co or pastebin.com from sensitive systems or by unusual processes.

File Integrity Monitoring: Monitor for the creation of unexpected executable files in user directories, which may indicate a downloaded payload.

If a compromise is suspected, immediately isolate the affected host from the network, revoke any credentials that may have been stored on the machine, and begin a forensic investigation to determine the extent of the breach.

Mitigation

Mitigating this threat requires a combination of technical controls and user awareness.

User Training: This is the most critical defense. Educate users of AI agents about the dangers of third-party skill marketplaces. Specifically, train them to never copy and paste commands from untrusted sources into a terminal, even if presented as a necessary step to enable a feature. This aligns with MITRE ATT&CK Mitigation M1017 - User Training.

Application Control: Implement application allowlisting policies to prevent the execution of unauthorized scripts and binaries. A strict policy could block shell interpreters from being invoked by applications like OpenClaw. This corresponds to D3FEND's D3-EAL: Executable Allowlisting.

Principle of Least Privilege: Run AI agents like OpenClaw with the minimum necessary permissions. If possible, use containerization or sandboxing technologies to isolate the agent and its skills from the underlying operating system and sensitive user data. This relates to M1048 - Application Isolation and Sandboxing.

Network Filtering: Implement outbound traffic filtering rules on firewalls and web proxies to block access to the known malicious IPs and the rentry.co domain. This is a direct application of D3FEND's D3-OTF: Outbound Traffic Filtering.

Timeline of Events

1

February 1, 2026

Initial reports from Bitdefender, Koi Security, and Trend Micro detail the first wave of malicious skills on ClawHub.

2

February 15, 2026

Unit 42 begins analysis of the ClawHub marketplace, lasting through May 2026.

3

May 17, 2026

The malicious 'tradingview-ai-indicator-assistant' skill is published to ClawHub.

4

June 1, 2026

ClawHub announces a partnership with NVIDIA to enhance skill screening.

5

June 23, 2026

Unit 42 publishes its research on the evasive malicious skills and the emerging AI supply chain threat.

6

June 24, 2026

This article was published

MITRE ATT&CK Mitigations

User Training

M1017enterprise

Educate users on the risks of AI marketplaces and the danger of executing commands from untrusted sources.

Execution Prevention

M1038enterprise

Use application control solutions to prevent agents like OpenClaw from spawning shell interpreters or executing arbitrary code.

Restrict Web-Based Content

M1021enterprise

Use web filters to block access to known malicious domains and untrusted paste sites.

Antivirus/Antimalware

M1049enterprise

Deploy endpoint protection to detect and block known infostealer payloads like AMOS and cluw.

Application Isolation and Sandboxing

M1048enterprise

Run AI agents in a sandboxed or containerized environment to limit their access to the host system and user data.

Audit

M1047enterprise

Enable comprehensive logging of command-line activity and process creation to detect suspicious behavior.

D3FEND Defensive Count

[truncated for AI cost control]