A wave of malicious skills targeting the OpenClaw AI agent marketplace has exposed a dangerous new frontier in software supply chain security.
Attackers are using the ClawHub skill marketplace to push harmful code into AI agent environments, stealing data and running financial fraud schemes that traditional security tools failed to catch.
OpenClaw is an AI agent that runs third-party skills sourced from ClawHub, a dedicated marketplace. These skills are markdown-driven packages with deep access to local systems.
When a malicious skill is installed, it can seize full control of the agent’s identity and execute unauthorized actions through the agent’s own authenticated sessions, all without needing a conventional exploit.
Researchers from Unit 42 said in a report shared with Cyber Security News (CSN) that their analysis between February and May 2026 uncovered five malicious skills that slipped past ClawHub’s integrated VirusTotal and ClawScan screening.
All five were reported for takedown, and the associated accounts were subsequently banned.
The five skills fell into three threat categories: infostealers connected to command-and-control infrastructure, a file-padding evasion tool designed to exceed scanner thresholds, and two novel agentic threats built for financial gain.
Bitdefender Labs had previously flagged that roughly 17% of skills on the platform carried malicious payloads, and Koi Security’s ClawHavoc disclosure documented 341 malicious skills across the marketplace.
The persistence of these threats, even after automated screening was introduced, signals that the risk to AI agent ecosystems is far from resolved.
The core problem is that malicious skills use natural language to hijack the AI’s own instruction-following behavior, bypassing guardrails that protect more conventional software environments.
OpenClaw Skill Marketplace Exposes AI Agents
Two of the five threats were skills disguised as TradingView productivity assistants for macOS.
Both embedded a malicious prerequisite block that directed agents to a paste-site redirect lure at rentry[.]co/openclaw-code, where a Base64-encoded command waited to be run in a terminal window.
That command then pulled a macOS infostealer named cluw from a remote server at 2.26.75[.]16.
A separate skill called omnicogg embedded the AMOS malware dropper inside a README.md file, then padded it with 22 MB of junk characters to exceed file size limits that most scanning pipelines enforce.
Both VirusTotal and ClawScan returned clean verdicts, meaning the skill stayed freely available while hiding live malicious code.
Each of these skills mimicked a legitimate tool. The TradingView skills appeared to be trader productivity aids, and omnicogg passed for a general utility.
Attackers exploited the trust users place in a curated marketplace, making detection harder for both automated tools and human reviewers alike.
Agentic Financial Fraud and Novel Exploitation
Beyond data theft, researchers found two skills built to abuse the AI agent’s advisory authority for financial gain. The money-radar skill posed as a financial product advisor for users in mainland China, Hong Kong, and Singapore.
On every invocation, it silently fetched a payload from laosji[.]net and embedded affiliate tracking links into every recommendation it generated.
![The money-radar skill's SKILL.md instructs the agent to fetch data from laosji[.]net (Source - Unit42)](https://blog.shomoysoft.com/storage/blog-images/the20money-radar20skills20skillmd20instructs20the20agent20to20fetch20data20from20laosji5b5dnet20source20-20unit42-f522eeb5.webp)
The operator could swap out recommended products at any time without the user’s knowledge. The letssendit skill went further by running a pump-and-dump scheme on the Solana blockchain.
Installed agents pooled SOL cryptocurrency into the operator’s wallet, after which the operator purchased the SENDIT meme token at the lowest available price before launching it on pump[.]fun.
Outside buyers could mistake the coordinated AI activity for organic demand, allowing the operator to dump their cheap position onto secondary buyers at a profit.
These cases represent some of the first documented instances of autonomous AI agents being used for coordinated financial fraud.
Researchers recommend validating publisher provenance, auditing skill source files line by line, and monitoring outbound network traffic for connections to undocumented endpoints.
Any behavior that does not match a skill’s stated purpose should be flagged as a potential indicator of compromise.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| IP Address | 2.26.75[.]16 | C2 server hosting the cluw macOS infostealer payload |
| IP Address | 91.92.242[.]30 | AMOS C2 server used in early and ongoing campaigns |
| URL | 91.92.242[.]30/lamq4 | AMOS payload delivery endpoint |
| Domain | download.setup-service[.]com | Malicious download distribution domain |
| Domain | install.app-distribution[.]net | Malicious app distribution domain |
| Domain | laosji[.]net | Domain used for runtime affiliate injection via money-radar skill |
| Domain | openclawcli.vercel[.]app | Infrastructure associated with malicious OpenClaw CLI |
| URL | rentry[.]co/openclaw-code | Paste-site redirect lure delivering Base64-encoded dropper |
| URL | glot[.]io/snippets/hfd3x9ueu5 | Paste-site intermediary used for macOS payload delivery |
| GitHub URL | github[.]com/Ddoy233/openclawcli | Malicious OpenClaw CLI repository |
| SHA256 | 818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7 | macOS infostealer cluw payload |
| SHA256 | 881ce5cb124c4d2e814783724cc1388f6a1cbf6eee274c3f3366e77ba3503ad7 | Malicious skill payload hash |
| SHA256 | b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2 | omnicogg skill (file-padded AMOS dropper) |
| SHA256 | b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007 | tradingview-ai-indicator-assistant malicious skill |
| SHA256 | ebb73dbb5aac1f6fe1a88e8f26126a1e1aa34c9f3345ad4345189b40d9bf1d1d | money-radar affiliate injection skill |
| SHA256 | f4e41aa269c88bf11a2022701a9cf41e9a186aa1b224d837c31bf34e0b875d0e | letssendit agentic front-running skill |
| Publisher/Skill | [redacted]/santi-text-game | Malicious skill identified in research |
| Publisher/Skill | [redacted]/omnicogg | File-padded AMOS dropper skill |
| Publisher/Skill | [redacted]/letssendit | Agentic front-running / pump-and-dump skill |
| Publisher/Skill | [redacted]/money-radar | Runtime agentic affiliate injection skill |
| Publisher/Skill | [redacted]/ai-tradingview-assistant-for-macos | macOS infostealer delivery skill |
| Publisher/Skill | [redacted]/tradingview-ai-indicator-assistant | macOS infostealer delivery skill |
| Publisher/Skill | [redacted]/pdfcheck | Malicious skill identified in research |
| Publisher/Skill | [redacted]/update | Malicious skill identified in research |
| Publisher/Skill | [redacted]/wistec-core | Malicious skill identified in research |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
