A Wake-Up Call for OpenClaw Users: 341 Malicious Skills Uncovered!
In a recent security audit, researchers from Koi Security uncovered a shocking 341 malicious skills on ClawHub, a marketplace for OpenClaw users. This discovery exposes users to new and unexpected supply chain risks.
ClawHub, an extension of the OpenClaw project, aims to simplify the process of finding and installing third-party skills for AI assistants. However, the findings reveal a dark side to this seemingly convenient platform.
The analysis, conducted with the assistance of an OpenClaw bot named Alex, uncovered a sophisticated scheme. A total of 335 skills were found to use fake prerequisites, luring users into installing an Apple macOS stealer known as Atomic Stealer (AMOS). This set of skills has been dubbed ClawHavoc.
"Imagine you're searching for a skill like 'solana-wallet-tracker' or 'youtube-summarize-pro,'" explains Koi researcher Oren Yomtov. "The documentation appears professional, but there's a catch. A 'Prerequisites' section pops up, asking you to install something first." This is where the trouble begins.
For Windows users, the instructions lead them to download a file named 'openclaw-agent.zip' from a GitHub repository. macOS users, on the other hand, are instructed to copy and paste a script hosted on glot[.]io into their Terminal app. The targeting of macOS is not random; reports suggest that many have invested in Mac Minis to run AI assistants around the clock.
Within the password-protected archive lies a trojan with keylogging capabilities, designed to capture sensitive data, including API keys and credentials. Meanwhile, the glot[.]io script contains obfuscated shell commands, leading to further malicious payloads from attacker-controlled servers.
But here's where it gets controversial: these skills, disguised as legitimate tools, are part of a larger campaign. They masquerade as cryptocurrency trading automation tools, targeting macOS and Windows systems with information-stealing malware.
The malicious skills take various forms, including:
- ClawHub typosquats (e.g., clawhub, clawhub1)
- Cryptocurrency tools like Solana wallets
- Polymarket bots (e.g., polymarket-trader)
- YouTube utilities (e.g., youtube-summarize)
- Auto-updaters (e.g., auto-updater-agent)
- Finance and social media tools
- Google Workspace integrations
- Ethereum gas trackers
- Lost Bitcoin finders
And this is the part most people miss: some skills even hide reverse shell backdoors within functional code, exfiltrating bot credentials to webhook[.]site.
The development is in line with a report from OpenSourceMalware, which also flagged the ClawHavoc campaign. Security researcher 6mile warns, "These skills use social engineering to convince users to execute malicious commands, stealing crypto assets and sensitive information."
The problem lies in ClawHub's open nature, allowing anyone to upload skills with minimal restrictions. OpenClaw's creator, Peter Steinberger, has acknowledged the issue and introduced a reporting feature, but is it enough to mitigate the risks?
These findings highlight the abuse of open-source ecosystems by threat actors. OpenClaw's sudden popularity has attracted malicious campaigns, exploiting its design and features. As Palo Alto Networks puts it, OpenClaw represents a "lethal trifecta" due to its access to private data, exposure to untrusted content, and external communication capabilities.
The intersection of these factors, combined with OpenClaw's persistent memory, creates an accelerant for attacks. Malicious payloads can now be delayed, fragmented, and assembled later, creating time-shifted prompt injection and memory poisoning.
This discovery serves as a stark reminder of the potential risks associated with open-source platforms. As we navigate the evolving landscape of AI and cybersecurity, it's crucial to remain vigilant and informed. What are your thoughts on this matter? Feel free to share your opinions and insights in the comments below!
