A major supply-chain attack has been uncovered within the ClawHub skill marketplace for OpenClaw bots, involving 341 malicious skills.
The discovery was led by Koi Security researcher Oren Yomtov and his AI assistant “Alex,” an OpenClaw bot configured for threat analysis. Suspicious of the rapidly growing volume of skills available on ClawHub, over 2,800 at the time, Alex flagged concerns about the lack of vetting in the ecosystem. This prompted a full audit of the marketplace, revealing a highly organized campaign leveraging trojanized skills to distribute malware, with attackers imitating legitimate utilities across finance, crypto, media, and productivity categories.
ClawHavoc campaign
The vast majority of the identified malicious skills were tied to a single operation now labeled ClawHavoc. Each infected skill included a “Prerequisites” section instructing users to download a password-protected ZIP file or run an obfuscated shell script. These files ultimately deployed payloads such as Atomic macOS Stealer (AMOS) or Windows infostealers.
For macOS users, the instructions led to glot.io-hosted shell commands that fetched a secondary dropper from attacker-controlled IP addresses such as 91.92.242.30. The final payload, a Mach-O binary, exhibited strong indicators of the AMOS malware family, including encrypted strings, universal architecture (x86_64 and arm64), and ad-hoc code signing. AMOS is sold as a Malware-as-a-Service (MaaS) on Telegram and is capable of stealing:
- Keychain passwords and credentials
- Cryptocurrency wallet data (60+ wallets supported)
- Browser profiles from all major browsers
- Telegram sessions
- SSH keys and shell history
- Files from user directories like Desktop and Documents
The AMOS stealer included custom functions such as copyDirectoryWithExclusions, enabling precise data theft while minimizing operational noise.
ClawHub is the central repository for OpenClaw bot skills, modular extensions that allow bots to gain new capabilities. The platform’s open nature and lack of rigorous review processes make it an attractive target for adversaries. The malicious packages impersonated high-demand utilities across multiple categories:
- Crypto utilities (111 skills) – Including Solana and Phantom wallet trackers
- YouTube tools (57 skills) – Including video summarizers and downloaders
- Prediction market bots (34 skills) – Targeting Polymarket users
- Auto-updaters (28 skills) – Ironically promoting system security
- Finance and social trends tools (51 skills) – Mimicking Yahoo Finance and X/Twitter trackers
- Google Workspace integrations (17 skills) – Accessing documents and emails
Attackers also deployed an extensive typosquatting strategy, registering over two dozen lookalike packages for core ClawHub tools (e.g., clawhubb, cllawhub, clawhub-cli).
Bots like OpenClaw often have access to email, calendars, messaging apps, and stored credentials. A single infected skill can compromise everything the bot sees, processes, or controls.
Users and organizations leveraging AI bot platforms like OpenClaw should use Koi Security’s Clawdex, a security tool for OpenClaw bots that offers pre-installation scanning and retroactive detection on already-installed skills.
In general, it is recommended to avoid executing prerequisite instructions from skills without verification, monitor bot permissions and data access scopes, and limit use of low-reputation skills.
Leave a Reply