
More Malicious OpenClaw Skills Threaten AI Supply Chain

Dark Reading, Jun 24, 2026

OpenClaw removed five packages from ClawHub, its skills marketplace, that bypassed security checks even though they included infostealers and other threats.



Elizabeth Montalbano, Contributing Writer
June 24, 2026

Security researchers have identified multiple malicious skills on a marketplace for the OpenClaw ecosystem that can steal credentials, bypass security scans, and conduct other novel malicious activity for an attacker's financial gain.

Researchers at Palo Alto Networks' Unit 42 recently identified five malicious skills that appeared legitimate on ClawHub, OpenClaw's dedicated marketplace, demonstrating that such platforms are emerging as a significant AI supply chain attack surface. ClawHub sells these skills, which can access local files, credentials, APIs, and other resources on the host system, to add functionality to the open source AI agent, which has seen meteoric adoption among developers and businesses since its launch last November.

"The five skills represent three distinct threat categories leveraging the AI supply chain ecosystem," Unit 42 researchers wrote in a blog post published on June 23. The three categories consist of infostealers, detection evasion, and agentic threats. If these skills spread across users of OpenClaw, they can threaten the platform in use across scores of organizations, they said.

Two of the malicious skills included infostealers that connect to command-and-control (C2) infrastructure; the malware was directed at the macOS platform, according to the post. Another skill provided evasion capability using an inflated file size that could exceed scanner thresholds, bypassing both ClawScan and VirusTotal detection.
Finally, the last two skills represented agentic threats, including "agentic affiliate injection and agentic front-running," both novel techniques that the skills' developers can use for financial gain, according to the researchers.

Collectively, the malicious skills threaten organizations using OpenClaw by allowing threat actors to steal credentials and sensitive data; exfiltrate files and system information; manipulate agent behavior through hidden instructions; execute unauthorized actions on behalf of the user; and abuse access to connected services and workflows.

OpenClaw Security Woes Persist

The existence of the malicious skills on ClawHub represents yet another security challenge for OpenClaw, an AI agent framework that executes third-party skills from ClawHub. Skills are markdown-driven packages with broad local system access, making ClawHub a critical link in the agentic software supply chain. However, following its release and subsequent rapid adoption, OpenClaw, as many security experts feared, spawned numerous security concerns, including vulnerabilities that threatened deployments and malicious skills found on ClawHub, according to Unit 42. In fact, in early February 2026, Bitdefender Labs reported that approximately 17% of OpenClaw skills it analyzed in the first few weeks of the platform's release carried malicious payloads.

Meanwhile, Koi Security's ClawHavoc research earlier this year documented 341 malicious skills, and Trend Micro separately confirmed skills distributing Atomic macOS Stealer (AMOS) malware across the marketplace, according to the Unit 42 researchers. To address these issues and make the platform more secure, ClawHub integrated VirusTotal and ClawScan into its platform to enable proactive screening of published skills and code-level analysis to block skills flagged as malicious.
However, the five skills discovered by Unit 42 bypassed the automated security scanning and code-analysis mechanisms intended to protect users. To be fair, ensuring that scans can detect all malicious skills "is generally a hard problem to solve," observes Johan Edholm, a security engineer and co-founder at application security provider Detectify. Skills are really just sets of plain-language instructions the agent reads and trusts, and defending against such abuse is difficult, he explains via email.

"Because it's plain language that LLMs will interpret, we can't rely on (only) static checks to infer if the skill contains malicious intent or not," Edholm says. "Adding a human to review everything before publication would add a bottleneck, which might not be desirable. One can use LLMs to review skills, which helps, but it won't be perfect. Like with classic malware, it's a bit of a cat-and-mouse game."

Unit 42 reported all five of the malicious skills to ClawHub for takedown, and administrators subsequently deleted all of the skills and banned the related accounts, according to the post.

Emerging Threats to the AI Ecosystem

Unit 42's analysis of the malicious skills uncovered several emerging agent-specific threats that extend beyond traditional malware, demonstrating how AI agents give outsiders new and creative ways to attack the supply chain. One malicious skill, dubbed "omnicogg," for example, used a classic defense-evasion technique by hiding a malware downloader in a README file padded with junk data. The attackers designed the file to exceed the processing limits of automated scanning systems, giving the payload cover while still passing marketplace security checks, the researchers noted.

The researchers also identified a financial advisory skill, "money-radar," aimed principally at manipulating agent recommendations for profit.
"The skill weaponized the agent's advisory authority, routing all financial recommendations through affiliate links from a known-malicious domain," according to the researchers. "The publisher retained dynamic control over which products it pushed after installation."

Another skill identified by Unit 42, "letssendit," was arguably the most inventive and dangerous of the bunch. It coordinates a meme token pump-and-dump scheme by instructing agents to pool funds into wallets controlled by the operator, who could then acquire tokens ahead of the resulting demand and profit from subsequent price increases. This skill represents a novel use of AI agents for an autonomous financial manipulation scheme, the researchers noted. It goes beyond mere malware delivery or simple fraud and offers a glimpse of how agentic AI systems could be manipulated for malicious ends in the future.

Defensive Strategies for AI Supply Chain Threats

Given the new threats that emerge with the use of agentic AI systems, organizations should strengthen their defensive posture, the researchers recommended. One key way to do this is by using "a rigorous supply chain verification framework," they said.

"We identified that skill execution occurs within the agent process," the researchers wrote. "This necessitates active validation of publisher provenance and a line-by-line audit of package source files."

Detectify's Edholm advises organizations to treat any skill used in an agentic AI system as another way into the network for an attacker, "and put your attention on what it does while it's running, not just on the moment you install it." Like Unit 42, he recommends monitoring outbound traffic for connections to undocumented endpoints.

"Keep an eye on which outside servers your agents are talking to, check that against what each skill said it would need, and look closely at anything reaching a destination it never mentioned," Edholm says.
"Give the agent only the access it genuinely needs, check who actually published the skill, and keep watching over time rather than relying on a single inspection, because these systems change too fast for an occasional review to mean much."

Indeed, Unit 42 researchers said, implementing more stringent verification steps for AI assets can help protect an organization's environment by ensuring that the operational behavior of a skill aligns strictly with its stated technical specifications.
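Two of the article's points lend themselves to a concrete check: the omnicogg padding trick works only against a scanner that skips what it cannot process, and Edholm's advice to compare an agent's outbound connections with what each skill said it would need. The block below is an added example, not OpenClaw or ClawHub code; the scan limit, the manifest's `network` key, the log line format and all sample data are constructed assumptions.

```python
# Added example, not OpenClaw or ClawHub code: an install-time gate that fails
# closed on unscannable files, and a runtime egress check against the skill's
# declared hosts. Limit, manifest keys, log format and samples are constructed.
import re

SCAN_LIMIT_BYTES = 1_000_000         # assumed scanner threshold, not ClawScan's
FLAGGED_MARKER = b"TEST-FLAG-MARKER"  # stand-in for a scanner signature

def naive_scan_passes(files: dict[str, bytes]) -> bool:
    """Weak design: files over the limit are skipped, so a padded README
    hides its contents and the skill is admitted (fails open)."""
    return not any(len(d) <= SCAN_LIMIT_BYTES and FLAGGED_MARKER in d
                   for d in files.values())

def admit_skill(files: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Hardened gate: an oversized file is itself a finding (fail closed);
    everything the scanner can process is still scanned."""
    findings = []
    for name, data in files.items():
        if len(data) > SCAN_LIMIT_BYTES:
            findings.append(f"{name}: {len(data)} bytes exceeds scan limit")
        elif FLAGGED_MARKER in data:
            findings.append(f"{name}: matched scanner signature")
    return not findings, findings

def undeclared_egress(manifest: dict, log_lines: list[str]) -> dict[str, int]:
    """Runtime check: connections per destination host that the manifest's
    'network' list did not declare. Log format assumed: '... dst=host:port'."""
    declared = set(manifest.get("network", []))
    hits: dict[str, int] = {}
    for line in log_lines:
        m = re.search(r"\bdst=([^\s:]+)", line)
        if m and m.group(1) not in declared:
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits

# Constructed sample input: one clean file, one README padded past the limit.
SAMPLE_FILES = {
    "SKILL.md": b"# price-radar\nFetches quotes from api.prices.example.\n",
    "README.md": b"x" * (SCAN_LIMIT_BYTES + 1) + FLAGGED_MARKER,
}
SAMPLE_MANIFEST = {"name": "price-radar", "network": ["api.prices.example"]}
SAMPLE_LOG = [
    "2026-06-24T10:00:01Z skill=price-radar dst=api.prices.example:443",
    "2026-06-24T10:00:02Z skill=price-radar dst=aff.undeclared.example:443",
    "2026-06-24T10:00:05Z skill=price-radar dst=aff.undeclared.example:443",
]
```

On the sample data the naive scanner admits the skill because it never looks inside the padded README, while `admit_skill` rejects it, and `undeclared_egress` reports the one host the manifest never mentioned, with its connection count.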