More Malicious OpenClaw Skills Threaten AI Supply Chain
Dark ReadingArchived Jun 24, 2026✓ Full text saved
OpenClaw removed five packages from ClawHub, its skills marketplace, that bypassed security checks even though they included infostealers and other threats.
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBER RISK
REMOTE WORKFORCE
THREAT INTELLIGENCE
VULNERABILITIES & THREATS
NEWS
More Malicious OpenClaw Skills Threaten AI Supply Chain
OpenClaw removed five packages from ClawHub, its skills marketplace, that bypassed security checks even though they included infostealers and other threats.
Elizabeth Montalbano,Contributing Writer
June 24, 2026
6 Min Read
SOURCE: KOSHIRO K VIA SHUTTERSTOCK
Security researchers have identified multiple malicious skills on a marketplace for the OpenClaw ecosystem that can steal credentials, bypass security scans, and conduct other novel malicious activity for an attacker's financial gain.
Researchers at Palo Alto Networks' Unit 42 recently identified five malicious skills that appeared legitimate on ClawHub, OpenClaw's dedicated marketplace, demonstrating that such platforms are emerging as a significant AI supply chain attack surface. ClawHub sells these skills — which can access local files, credentials, APIs, and other resources on the host system — to add functionality to the open source AI agent, which has seen meteoric adoption among developers and businesses since its launch last November.
"The five skills represent three distinct threat categories leveraging the AI supply chain ecosystem," Unit 42 researchers wrote in a blog post published on June 23. The three categories consist of infostealers, detection evasion, and agentic threats. If these skills spread across users of OpenClaw, they can threaten the platform in use across scores of organizations, they said.
Related:SocGholish Takedown Highlights Malicious TDS Threats
Two of the malicious skills included infostealers that connect to command-and-control (C2) infrastructure; the malware was directed at the macOS platform, according to the post. Another skill provided evasion capability using an inflated file size that could exceed scanner thresholds, bypassing both ClawScan and VirusTotal detection.
Finally, the last two skills represented agentic threats, including "agentic affiliate injection and agentic front-running," both novel techniques that the skills' developers can use for financial gain, according to the researchers.
Collectively, the malicious skills threaten organizations using OpenClaw by allowing threat actors to steal credentials and sensitive data; exfiltrate files and system information; manipulate agent behavior through hidden instructions; execute unauthorized actions on behalf of the user; and abuse access to connected services and workflows.
OpenClaw Security Woes Persist
The existence of the malicious skills on ClawHub represents yet another security challenge for OpenClaw, an AI agent framework that executes third-party skills from ClawHub. Skills are markdown-driven packages with broad local system access, making ClawHub a critical link in the agentic software supply chain.
However, following its release and subsequent rapid adoption, OpenClaw, as many security experts feared, spawned numerous security concerns, including vulnerabilities that threatened deployments and other issues that included malicious skills being found on ClawHub, according to Unit 42. In fact, in early February 2026, Bitdefender Labs reported that approximately 17% of OpenClaw skills it analyzed in the first few weeks of the platform's release carried malicious payloads.
Related:He Thought He Was Secure; His Phone Number Was Stolen Anyway
Meanwhile, Koi Security's ClawHavoc research earlier this year documented 341 malicious skills, and Trend Micro separately confirmed skills distributing Atomic macOS stealer (AMOS) malware across the marketplace, according to the Unit 42 researchers.
To address these issues and make the platform more secure, ClawHub integrated VirusTotal and ClawScan into its platform to enable proactive screening of published skills and code-level analysis to block skills flagged as malicious. However, the five skills discovered by Unit 42 bypassed automated security scanning and code-analysis mechanisms intended to protect users.
To be fair, ensuring that scans can detect all malicious "is generally a hard problem to solve," observes Johan Edholm, a security engineer and co-founder at application security provider Detectify. Skills are really just sets of plain-language instructions the agent reads and trusts, and defending against such abuse is difficult, he explains via email.
Related:Novo Nordisk Breach Highlights Software Development Pipeline Risk
"Because it's plain language that LLMs will interpret, we can't rely on (only) static checks to infer if the skill contains malicious intent or not," Edholm says. "Adding a human to review everything before publication would add a bottleneck, which might not be desirable. One can use LLMs to review skills, which helps, but it won't be perfect. Like with classic malware, it's a bit of a cat-and-mouse game."
Unit 42 reported all five of the malicious skills to ClawHub for takedown, and administrators subsequently deleted all of the skills and banned the related accounts, according to the post.
Emerging Threats to the AI Ecosystem
Unit 42's analysis of the malicious skills uncovered several emerging agent-specific threats that extend beyond traditional malware, demonstrating how AI agents give outsiders new and creative ways to attack the supply chain.
One malicious skill dubbed "omnicogg," for example, used a classic defense-evasion technique by hiding a malware downloader in a README file padded with junk data. Attackers designed the file to exceed processing limits of automated scanning systems, thus giving the payload cover while still passing marketplace security checks, the researchers noted.
The researchers also identified a financial advisory skill, "money-radar," principally aimed at manipulating agent recommendations for profit. "The skill weaponized the agent's advisory authority, routing all financial recommendations through affiliate links from a known-malicious domain," according to the researchers. "The publisher retained dynamic control over which products it pushed after installation."
Another skill identified by Unit 42, "letssendit," represented arguably the most inventive and dangerous of the bunch. It coordinates a meme token pump-and-dump scheme by instructing agents to pool funds into wallets controlled by the operator, who could then acquire tokens ahead of the resulting demand and profit from subsequent price increases.
In particular, this skill represents a novel use case of AI agents for an autonomous financial manipulation scheme, the researchers noted. It also goes beyond mere malware delivery or simple fraud and provides a potential glimpse of how agentic AI systems could be manipulated for malicious intent in the future.
Defensive Strategies for AI Supply Chain Threats
Given the new threats that emerge with the use of agentic AI systems across organizations, they should strengthen their defensive posture, the researchers recommended. One key way to do this is by using "a rigorous supply chain verification framework," they said.
"We identified that skill execution occurs within the agent process," the researchers wrote. "This necessitates active validation of publisher provenance and a line-by-line audit of package source files."
Detectify's Edholm advises organizations to treat any skill used in an agentic AI system as another way into the network for an attacker, "and put your attention on what it does while it's running, not just on the moment you install it." And like Unit 42, he recommends monitoring outbound traffic with undocumented endpoints.
"Keep an eye on which outside servers your agents are talking to, check that against what each skill said it would need, and look closely at anything reaching a destination it never mentioned," Edholm says. "Give the agent only the access it genuinely needs, check who actually published the skill, and keep watching over time rather than relying on a single inspection, because these systems change too fast for an occasional review to mean much."
Indeed, Unit 42 researchers said, implementing more stringent verification steps for AI assets in an organization can help protect its environment by ensuring that the operational behavior of a skill aligns strictly with its stated technical specifications.
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
Say Yes to AI: Securing Innovation Without Compromise
Zero Trust Identity: Beyond Traditional Authentication
Advanced Persistent Threats: A Practical Guide to Detection and Response
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
More Webinars
You May Also Like
CYBER RISK
How Can CISOs Respond to Ransomware Getting More Violent?
by James Doggett
JAN 28, 2026
CYBER RISK
US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity
by Alexander Culafi
JAN 05, 2026
CYBER RISK
Switching to Offense: US Makes Cyber Strategy Changes
by Robert Lemos, Contributing Writer
NOV 21, 2025
CYBER RISK
Microsoft Exchange 'Under Imminent Threat,' Act Now
by Arielle Waldman
NOV 12, 2025
Editor's Choice
APPLICATION SECURITY
FIFA Bug Exposes World Cup Streams to Remote Takeover
byNate Nelson
JUN 18, 2026
4 MIN READ
CYBERSECURITY OPERATIONS
EU Gets a Head Start in Developing 6G Network Security
byNate Nelson
JUN 18, 2026
4 MIN READ
CYBER RISK
UK Social Media Ban for Minors Has Privacy Experts Worried
byRobert Lemos
JUN 17, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS
The premier cybersecurity event returns.
GET YOUR PASS