Security researchers have uncovered a significant threat within the ClawHub marketplace, identifying 341 malicious skills designed to steal data from users of the OpenClaw AI assistant. These compromised skills, part of a campaign dubbed "ClawHavoc," exploit the trust users place in third-party extensions to distribute potent malware, particularly targeting macOS users.

Key Takeaways

• 341 malicious skills discovered on ClawHub, a marketplace for OpenClaw AI assistant extensions.

• The "ClawHavoc" campaign primarily targets macOS users with the Atomic Stealer (AMOS) malware.

• Malicious skills use deceptive "Prerequisites" to trick users into downloading malware or executing malicious scripts.

• Compromised skills impersonate popular tools for cryptocurrency, YouTube, finance, and productivity.

• OpenClaw has implemented a reporting feature to help mitigate the issue.

The ClawHavoc Campaign Detailed

Koi Security's audit of 2,857 skills on ClawHub revealed a widespread campaign that has been codenamed ClawHavoc. The majority of the malicious skills, 335 in total, employ fake prerequisites to install a macOS stealer known as Atomic Stealer (AMOS). Users are enticed to install seemingly legitimate skills, such as "solana-wallet-tracker" or "youtube-summarize-pro," which then prompt them to install additional "prerequisites."

For Windows users, this involves downloading a file named "openclaw-agent.zip." macOS users are instructed to copy and paste an installation script from glot[.]io into their Terminal. This script fetches further payloads from attacker-controlled infrastructure, ultimately leading to the deployment of AMOS, a sophisticated stealer capable of harvesting API keys, credentials, and other sensitive data from macOS hosts. AMOS is reportedly available for purchase on Telegram.

Impersonation and Deception Tactics

The malicious skills masquerade as a wide array of popular and useful tools to gain user trust. These include:

• ClawHub typosquats (e.g., clawhubb, cllawhub)

• Cryptocurrency tools (e.g., Solana wallet trackers)

• YouTube utilities (e.g., video summarizers, downloaders)

• Prediction market bots (e.g., Polymarket traders)

• Finance and social media tools (e.g., Yahoo Finance trackers)

• Google Workspace integrations

• Ethereum gas trackers

In addition to these, some skills were found to hide reverse shell backdoors or exfiltrate bot credentials directly to webhook sites. The campaign also leverages extensive typosquatting, registering domain names and skill names that closely resemble legitimate ones to trick users.

OpenClaw's Response and Broader Implications

The vulnerability stems from ClawHub's open nature, allowing anyone with a GitHub account older than a week to upload skills. Recognizing the severity of the issue, OpenClaw creator Peter Steinberger has introduced a reporting feature. Users can now flag suspicious skills, and those receiving more than three unique reports are automatically hidden.

This incident highlights the ongoing risks associated with open-source ecosystems, where threat actors can exploit growing popularity to distribute malware at scale. The findings underscore the potential dangers of AI agents that have access to private data, are exposed to untrusted content, and can communicate externally, creating what some experts describe as a "lethal trifecta" of vulnerabilities.

Sources

• Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users, The Hacker News.

• 341 OpenClaw skills distribute macOS malware via ClickFix instructions, CyberInsider.

• OpenClaw targets ClawHub users, Notepad++ update delivers malware, APT28 attackers abuse Microsoft Officezero-day, IT Security News.