OpenClaw Marketplace Hosts Persistent Malicious AI Skills Despite VirusTotal Screening
Unit 42 identified five unblocked malicious skills on ClawHub between February–May 2026, including macOS infostealers, evasion techniques, and novel agentic financial schemes exploiting AI supply chain weaknesses.
Attack Brief
TargetOpenClaw AI agent ecosystem; ClawHub skill marketplace; macOS usersVectorMalicious AI skills published to ClawHub marketplace; semantic instruction hijacking; paste-site redirect lures; Base64-encoded curl-pipe-bash droppersAttributionunattributed
Technical Details
IoCs91.92.242.302.26.75.16hxxps://rentry.co/openclaw-codehxxp://2.26.75.16/Xuvewuyurglot.iorentry.cob6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007818aea6143282b352fdfdc0f3ebf77a36e54eb3bAffectedOpenClaw AI agent; ClawHub marketplace; macOS targets
Impact
SectorsFinancial servicesTrading platformsConfirmed DamageInfostealer deployment; cryptocurrency private key exfiltration; unauthorized agent command execution; financial scheme injection
Mitigation
PatchesClawHub integration with VirusTotal and ClawScanClawHub partnership with NVIDIA for skill documentation and analysisWorkaroundsAvoid executing prerequisite blocks from paste-site redirects; validate skill source and publisher reputation; isolate agent execution environments; monitor for semantic instruction hijacking in skill logic
Context
Previous CampaignsEarly February 2026 campaigns documented by Bitdefender Labs (~17% malicious skills), Koi Security ClawHavoc disclosure (341 malicious skills), and Trend Micro (Atomic macOS stealer distribution); AMOS C2 infrastructure at 91.92.242.30 remains active post-disclosureSimilar AttacksConventional software supply chain attacks on npm and PyPI; agentic threats represent novel paradigm leveraging natural language interpretation to bypass isolation constraints