OpenClaw is an AI agent that runs third-party skills from ClawHub, a markdown marketplace with system-level access in the agentic software supply chain.
After launch, malicious activity was found. ClawHub added VirusTotal and ClawScan, but from Feb–May 2026, five malicious skills still bypassed defenses.
These included macOS infostealers with C2 links, evasion via oversized files, and agentic financial abuse like affiliate injection and front-running.
ClawHub is now working with NVIDIA to improve analysis, while security tools like Cortex XDR and Advanced WildFire help protect against such threats.
AI Agent Skills as a Supply Chain Risk:
Software supply chain attacks in AI agents differ from npm or PyPI ecosystems.
Malicious skills can use semantic instruction hijacking to bypass runtime limits and access files, shells, and credentials.
Because skills often share full agent authority, they can effectively take control of the agent’s authenticated sessions.
Early Campaign Activity on ClawHub:
In Feb 2026, reports (Bitdefender, Koi Security, Trend Micro) found widespread malicious OpenClaw skills, including AMOS macOS stealer distribution.
Base64 C2 droppers, platform-specific delivery, cron-based persistence, Telegram crypto theft, and mass-published malicious skills.
ClawHub added VirusTotal and later ClawScan for screening, with NVIDIA collaboration for analysis.
Most malicious skills were removed, though some infrastructure and evolving attacks persisted.
Malicious Skills Distributing ClawHavoc Payload:
On May 17, 2026, two TradingView macOS “AI assistant” skills were published on ClawHub using the same malicious prerequisite block.
Both redirected users to a paste-site lure that instructed Base64 Terminal execution, leading to a remote payload that downloaded a macOS infostealer (“cluw”).
The campaign used a known ClawHavoc pattern with new infrastructure, while ClawHub’s checks failed to detect the malicious skills.
File Padding for Defense Evasion:
The omnicogg skill was an early ClawHub threat using a Base64 curl-pipe-bash dropper to deliver AMOS malware via 91.92.242[.]30.
It hid the payload in a README.md with 22 MB of padding to evade scanners.
Despite prior disclosure, it still passed some checks and remained available.
Read More: https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/
Be the first to comment.