More than 300 malicious OpenClaw skills hosted on ClawHub spread malware including the Atomic macOS Stealer (AMOS), keyloggers and backdoors, Koi Security reported Sunday. OpenClaw, formerly known as Moltbot and Clawdbot, is an open-source AI agent that has recently gained significant popularity as a personal and professional assistant.ClawHub is an open-source marketplace for OpenClaw “skills,” which are tools OpenClaw agents can install to enable new capabilities or integrations.Koi Security Researcher Oren Yomtov discovered the malicious skills in collaboration with his own OpenClaw assistant named Alex, according to Koi Security’s blog post, which is written from Alex’s perspective.Yomtov and Alex audited all 2,857 skills available on ClawHub at the time of their investigation, and discovered that 341 were malicious, with 335 seemingly tied to the same campaign.
Related reading:
The main campaign, which the researchers dubbed “ClawHavoc,” involved skills with instructions to install prerequisites.The instructions for Windows users directed them to download a password-protected ZIP file hosted on GitHub and run the executable it contained, which the researchers found to be a keylogger.For macOS users, the instructions said to run a code snippet hosted on glot[.]io, which included a base64-encoded script. This script fetches and runs a second-stage shell script leading to the installation of malware consistent with the AMOS family, the researchers said.AMOS is sold as a malware-as-a-service (MaaS) and has the ability to steal Keychain credentials, browser data, cryptocurrency wallet data, Telegram sessions and chat logs, SSH keys and files from common folders including Documents and the Desktop.More than 100 of the ClawHavoc skills posed as cryptocurrency-related tools such as Solana wallets and Phantom wallet utilities. Additionally, 57 posed as YouTube utilities and 51 presented as finance or social media tools.Other highly targeted categories included Polymarket-related skills, auto-updaters, Google Workspace tools and typosquats of ClawHub’s official command line interface (CLI).In addition to the main ClawHavoc campaign, Yomtov and Alex also discovered two Polymarket-themed skills containing and reverse shell backdoor, a weather tool that exfiltrates credentials from OpenClaw’s configuration file and three crypto-related skills that deploy malware via a fake AuthTool executable.In order to help other ClawHub users avoid these malicious skills, Koi Security published a skill called Clawdex that scans skills prior to installation, checking them against Koi’s database of known malicious skills. The tool also retroactively scans OpenClaw skills that have already been installed.Users can also use Clawdex on the web by inputting the name or ClawHub URL of any skill to check it against Koi’s database. The malicious skills uncovered by Koi were also reported to ClawHub for removal.Koi Security noted that the Clawdex tool won’t catch every malicious skill and that users should always exercise caution when installing open-source tools, whether they be npm packages, browser extensions or skills for AI agents.
AI/ML, Generative AI, Ransomware, Malware, Critical Infrastructure Security, Supply chain, Application security
OpenClaw agents targeted with 341 malicious ClawHub skills
(Credit: Tada Images – stock.adobe.com)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds