A recent security review has revealed widespread abuse within ClawHub, exposing serious risks for OpenClaw users who rely on third party skills. Researchers found hundreds of malicious skills designed to steal sensitive data, highlighting a growing supply chain threat in the AI assistant ecosystem.
The audit reviewed 2857 skills available on ClawHub and identified 341 malicious ones linked to multiple attack campaigns, according to findings by Koi Security. ClawHub is a marketplace that helps OpenClaw users discover and install third party skills. OpenClaw is a self hosted AI assistant previously known as Clawdbot and Moltbot. The investigation was carried out with help from an OpenClaw bot named Alex. Of the malicious skills found, 335 were tied to a campaign named ClawHavoc, which used fake prerequisites to trick users into installing a macOS data stealer called Atomic Stealer.
“You install what looks like a legitimate skill, maybe solana wallet tracker or youtube summarize pro,” said Koi researcher Oren Yomtov. “The skill’s documentation looks professional. But there’s a Prerequisites section that says you need to install something first.” On Windows, users were directed to download a file called openclaw agent zip from a GitHub repository. On macOS, they were asked to paste a script from glot dot io into the Terminal app. macOS users were a clear target as many people reportedly run OpenClaw on Mac Minis around the clock.
Investigators found that the Windows archive contained a password protected trojan with keylogging features that could capture API keys, credentials, and other sensitive data. On macOS, the script used obfuscated commands to download additional payloads from attacker controlled servers, including an IP address listed as 91.92.242 dot 30. This ultimately delivered a Mach O binary with behavior matching Atomic Stealer, a paid malware tool known to extract data from macOS systems.
Koi Security said the malicious skills posed as ClawHub lookalikes, cryptocurrency tools, Polymarket bots, YouTube utilities, auto updaters, finance and social media tools, Google Workspace integrations, Ethereum gas trackers, and even lost Bitcoin recovery tools. Some skills hid reverse shell backdoors inside working code, while others silently sent bot credentials from the local environment file to external servers, putting OpenClaw users at significant risk.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
