Openclaw Security Warning
Malicious Openclaw Skills, the 17% Supply Chain Threat You Missed

You installed that helpful AI skill to analyze spreadsheets. Now it’s draining your crypto wallet while whispering financial advice laced with hidden affiliate links.
Here’s the thing about OpenClaw’s marketplace that nobody told you: these markdown-driven packages come with broad local system access. Installing one bad skill doesn’t just break your system. It hands complete control of your agent’s identity and authenticated sessions to strangers.
The 17% Problem That Started It All
Early February 2026. Bitdefender Labs dropped a bombshell that should have stopped everyone cold.
Roughly 17 percent of analyzed OpenClaw skills carried malicious payloads in those first vulnerable weeks after release. Nearly one in five tools carried poison.
Then Koi Security revealed ClawHavoc. They documented 341 malicious skills distributed through the ClawHub marketplace. This wasn’t amateur hour. Trend Micro confirmed the big leagues were involved too, tracking Atomic macOS Stealer malware across the platform.
The delivery methods were surgically clever. Attackers used Base64-encoded curl-pipe-bash droppers and paste-site redirects hiding on glot.io and rentry.co. Auto-updater cron jobs ensured persistence. One distinct campaign cluster even exfiltrated cryptocurrency private keys via the Telegram Bot API, operating independently from the shared dropper infrastructure.
The Screening Mirage
ClawHub scrambled to respond. They integrated VirusTotal and ClawScan to proactively screen published skills and block flagged downloads. By June 2026, OpenClaw partnered with NVIDIA to run analysis tools on all skills and provide documentation of what each package actually does.
But between February and May 2026, Unit 42 identified five unblocked malicious skills still available despite these new screening measures. OpenClaw banned the involved accounts and deleted all five skills after Unit 42 disclosure, but the window for damage was already open.
Two of those five skills delivered macOS infostealers connecting to command-and-control servers, indicating persistent threat actor activity. One new payload called “cluw” was served from IP address 2.26.75.16 via a paste-site redirect at rentry.co/openclaw-code. The other infostealer was the AMOS malware, served from 91.92.242.30—the same C2 server still active more than three months after initial public disclosure.
Then there’s “omnicogg.” This skill used defense evasion by padding its README.md with 22 MB of junk characters to exceed file-size scanner thresholds, bypassing both ClawScan and VirusTotal. The scanners skipped content analysis because pipelines often decline abnormally large files rather than process them.
When Skills Become Scams
But the most insidious threats weren’t just stealing data. They were hijacking trust and autonomy.
Take “money-radar.” This runtime agentic affiliate injection skill posed as a financial product advisor. But behind the scenes, it fetched a referrals.json file from laosji.net to embed affiliate tracking links into all agent recommendations. Because the skill generated financial advice itself, those affiliate links appeared embedded in expert recommendations rather than intercepted clicks. The operator could dynamically rotate affiliate partners and products after installation without your involvement or awareness.
Or consider “letssendit.” This agentic front-running skill instructed installed agents to autonomously pool Solana cryptocurrency into the operator’s wallet. Once enough agents contributed SOL, the operator front-ran the distribution by buying the SENDIT meme token at the lowest bonding curve price before public allocation. The token then launched on pump.fun, where external buyers could mistake coordinated AI botnet activity for organic retail demand—a pump-and-dump scheme and potential rug pull.
The technical reality is sobering. Malicious skills use semantic instruction hijacking to misuse the AI’s natural language interpretation, bypassing conventional language runtime or container limits. The lack of isolation between skill logic and agent authority means installing a malicious skill grants complete control over the agent’s identity.
Your Defense Playbook
Unit 42 recommends rigorous publisher provenance validation, line-by-line audits of package source files, and active monitoring of outbound network traffic post-installation. Organizations should cross-reference any external connection against the skill’s stated documentation, treating discrepancies as observable risk indicators.
For Palo Alto Networks customers, protection is available through Koi Agentic Endpoint Security, Advanced URL Filtering, Advanced DNS Security, Prisma Browser, Advanced WildFire, Cortex XDR, and Cortex XSIAM.
Your AI agent trusts you to vet its skills. Audit before you install, or prepare to pay the price.