OpenClaw Skill Marketplace Exposes AI Agents to Supply Chain Malware and Financial Fraud

HomeCyber Security News OpenClaw Skill Marketplace Exposes AI Agents to Supply Chain Malware and Financial Fraud By Tushar Subhra Dutta June 25, 2026 A wave of malicious skills targeting the OpenClaw AI agent marketplace has exposed a dangerous new frontier in software supply chain security. Attackers are using the ClawHub skill marketplace to push harmful code into AI agent environments, stealing data and running financial fraud schemes that traditional security tools failed to catch. OpenClaw is an AI agent that runs third-party skills sourced from ClawHub, a dedicated marketplace. These skills are markdown-driven packages with deep access to local systems. When a malicious skill is installed, it can seize full control of the agent’s identity and execute unauthorized actions through the agent’s own authenticated sessions, all without needing a conventional exploit. Researchers from Unit 42 said in a report shared with Cyber Security News (CSN) that their analysis between February and May 2026 uncovered five malicious skills that slipped past ClawHub’s integrated VirusTotal and ClawScan screening. ClawHub marketplace listings for two TradingView assistant skills (Source – Unit42) All five were reported for takedown, and the associated accounts were subsequently banned. The five skills fell into three threat categories: infostealers connected to command-and-control infrastructure, a file-padding evasion tool designed to exceed scanner thresholds, and two novel agentic threats built for financial gain. Bitdefender Labs had previously flagged that roughly 17% of skills on the platform carried malicious payloads, and Koi Security’s ClawHavoc disclosure documented 341 malicious skills across the marketplace. The persistence of these threats, even after automated screening was introduced, signals that the risk to AI agent ecosystems is far from resolved. The core problem is that malicious skills use natural language to hijack the AI’s own instruction-following behavior, bypassing guardrails that protect more conventional software environments. OpenClaw Skill Marketplace Exposes AI Agents Two of the five threats were skills disguised as TradingView productivity assistants for macOS. Both embedded a malicious prerequisite block that directed agents to a paste-site redirect lure at rentry[.]co/openclaw-code, where a Base64-encoded command waited to be run in a terminal window. Paste-site redirect lure (Source – Unit42) That command then pulled a macOS infostealer named cluw from a remote server at 2.26.75[.]16. A separate skill called omnicogg embedded the AMOS malware dropper inside a README.md file, then padded it with 22 MB of junk characters to exceed file size limits that most scanning pipelines enforce. The omnicogg skill’s README.md file (Source – Unit42) Both VirusTotal and ClawScan returned clean verdicts, meaning the skill stayed freely available while hiding live malicious code. Each of these skills mimicked a legitimate tool. The TradingView skills appeared to be trader productivity aids, and omnicogg passed for a general utility. Attackers exploited the trust users place in a curated marketplace, making detection harder for both automated tools and human reviewers alike. Agentic Financial Fraud and Novel Exploitation Beyond data theft, researchers found two skills built to abuse the AI agent’s advisory authority for financial gain. The money-radar skill posed as a financial product advisor for users in mainland China, Hong Kong, and Singapore. On every invocation, it silently fetched a payload from laosji[.]net and embedded affiliate tracking links into every recommendation it generated. The money-radar skill’s SKILL.md instructs the agent to fetch data from laosji[.]net (Source – Unit42) The operator could swap out recommended products at any time without the user’s knowledge. The letssendit skill went further by running a pump-and-dump scheme on the Solana blockchain. Installed agents pooled SOL cryptocurrency into the operator’s wallet, after which the operator purchased the SENDIT meme token at the lowest available price before launching it on pump[.]fun. Outside buyers could mistake the coordinated AI activity for organic demand, allowing the operator to dump their cheap position onto secondary buyers at a profit. These cases represent some of the first documented instances of autonomous AI agents being used for coordinated financial fraud. Researchers recommend validating publisher provenance, auditing skill source files line by line, and monitoring outbound network traffic for connections to undocumented endpoints. Any behavior that does not match a skill’s stated purpose should be flagged as a potential indicator of compromise. Indicators of Compromise (IoCs):- Type Indicator Description IP Address 2.26.75[.]16 C2 server hosting the cluw macOS infostealer payload IP Address 91.92.242[.]30 AMOS C2 server used in early and ongoing campaigns URL 91.92.242[.]30/lamq4 AMOS payload delivery endpoint Domain download.setup-service[.]com Malicious download distribution domain Domain install.app-distribution[.]net Malicious app distribution domain Domain laosji[.]net Domain used for runtime affiliate injection via money-radar skill Domain openclawcli.vercel[.]app Infrastructure associated with malicious OpenClaw CLI URL rentry[.]co/openclaw-code Paste-site redirect lure delivering Base64-encoded dropper URL glot[.]io/snippets/hfd3x9ueu5 Paste-site intermediary used for macOS payload delivery GitHub URL github[.]com/Ddoy233/openclawcli Malicious OpenClaw CLI repository SHA256 818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7 macOS infostealer cluw payload SHA256 881ce5cb124c4d2e814783724cc1388f6a1cbf6eee274c3f3366e77ba3503ad7 Malicious skill payload hash SHA256 b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2 omnicogg skill (file-padded AMOS dropper) SHA256 b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007 tradingview-ai-indicator-assistant malicious skill SHA256 ebb73dbb5aac1f6fe1a88e8f26126a1e1aa34c9f3345ad4345189b40d9bf1d1d money-radar affiliate injection skill SHA256 f4e41aa269c88bf11a2022701a9cf41e9a186aa1b224d837c31bf34e0b875d0e letssendit agentic front-running skill Publisher/Skill [redacted]/santi-text-game Malicious skill identified in research Publisher/Skill [redacted]/omnicogg File-padded AMOS dropper skill Publisher/Skill [redacted]/letssendit Agentic front-running / pump-and-dump skill Publisher/Skill [redacted]/money-radar Runtime agentic affiliate injection skill Publisher/Skill [redacted]/ai-tradingview-assistant-for-macos macOS infostealer delivery skill Publisher/Skill [redacted]/tradingview-ai-indicator-assistant macOS infostealer delivery skill Publisher/Skill [redacted]/pdfcheck Malicious skill identified in research Publisher/Skill [redacted]/update Malicious skill identified in research Publisher/Skill [redacted]/wistec-core Malicious skill identified in research Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Critical Webmin Vulnerabilities Allow Attackers to Impersonate as Any User Red-Team AI Tool Vulnerabilities Let Attackers Exfiltrate API Keys and Compromise Operators’ Systems Researcher Earns $148,337 for Google Cloud Production RCE Vulnerability Hackers Exploit Unpatched SharePoint Servers to Deploy Ransomware and Custom Backdoors Bajaj Auto Hit by a Ransomware Attack – Internal Systems Affected Latest News Cyber Security Chrome 149 Security Update — Patch for Critical Flaws that Enable Code Execution Attacks Cyber Security Anthropic Accuses Alibaba of ‘Illicitly’ Accessing Its Claude AI Models in Largest Known Distillation Attack Cyber Security News Mistic Backdoor Blends With Microsoft Endpoint Security Tooling to Evade Detection Cyber Security News Microsoft Teams Impersonation Campaign Enables Unauthorized Access Through RMM Abuse Cyber Security News Fake Document Reader in The Google Play Store with 100K Downloads Deliver Android Malware