A technical analysis by Koi Security found 341 malicious skills on the ClawHub marketplace after auditing 2,857 entries, with most installing a macOS information stealer or backdoor.
KEY FACTS
- Incident 341 malicious skills identified on ClawHub
- Scope audit covered 2,857 marketplace skills
- Primary payload 335 skills use fake prerequisites to deliver an Apple macOS stealer
- Command server multiple malicious items point to the same IP address 91.92.242.30
335 skills instruct users to install fake prequisites that lead to an Apple macOS stealer known as Atomic Stealer. On Windows the steps include downloading a file called openclaw-agent.zip from GitHub. On macOS the documentation tells users to paste a script from glot.io into Terminal.
Inside a password protected archive the analysis found a trojan with keylogging function that captures API keys, credentials and other sensitive data. The macOS script contains obfuscated shell commands that fetch further payloads from attacker controlled infrastructure and retrieve a Mach O binary consistent with Atomic Stealer.
Malicious skills were published under many categories and names, including ClawHub typosquats, cryptocurrency tools such as Solana wallet trackers, Polymarket bots, YouTube utilities, auto updaters and Google Workspace integration tools. Some packages hide reverse shell backdoors inside functional code or exfiltrate bot credentials from local configuration files to webhooks.
ClawHub is open by default and allows anyone with a GitHub account that is at least one week old to publish skills. OpenClaw creator Peter Steinberger added a reporting feature that lets signed in users flag skills and automatically hide items with more than three unique reports.
WHY IT MATTERS
Malicious skills can deliver credential stealers and persistent backdoors to machines used as AI assistants. The open skill marketplace combined with agents that retain state increases the risk that stolen credentials and long term memory can be abused to mount follow on attacks.