341 Malicious OpenClaw Skills Distribute Atomic Stealer

Security researchers at Koi Security identified 341 malicious skills on ClawHub, the official marketplace for OpenClaw AI assistant extensions. The campaign, dubbed ClawHavoc, targets cryptocurrency users and developers with fake productivity tools that deliver the Atomic Stealer infostealer to macOS systems.

The discovery comes during a rough week for OpenClaw, the buzzy AI agent platform that shot to prominence after rebranding from MoltBot in January. Beyond the malicious skills issue, the project has disclosed three high-severity security vulnerabilities in the past three days—including a one-click remote code execution flaw that requires only visiting a malicious webpage.

What Is OpenClaw?

OpenClaw is an open-source AI agent that can execute shell commands, read and write files, browse the web, and interact with other applications on behalf of users. Skills are community-contributed extensions that expand its capabilities—think browser extensions, but for an AI assistant with system-level access.

That architecture creates obvious security risks. Granting an AI agent elevated privileges means any malicious skill can abuse those permissions. The platform's rapid growth has attracted both legitimate developers and opportunistic attackers looking to exploit users who trust the ecosystem.

The ClawHavoc Campaign

Researchers audited 2,857 total skills on ClawHub and found 341 containing malicious code—a 12% poisoning rate. The operation targets both macOS and Windows users, though macOS attacks appear more sophisticated.

The malicious skills masquerade as cryptocurrency trading tools and productivity utilities:

• Solana wallet trackers
• Polymarket trading bots
• YouTube summarization tools
• Google Workspace integrations
• Typosquatted versions of popular legitimate skills

All 341 skills share common command-and-control infrastructure, suggesting a single threat actor or coordinated group behind the campaign.

How the Attack Works

The malware doesn't hide inside the skill code itself. Instead, attackers use a social engineering approach that exploits user trust.

When installing a malicious skill, users see a "Prerequisites" section claiming additional software must be installed first. The instructions vary by platform:

On macOS: Users are directed to copy a shell command from an external site (glot[.]io) and paste it into Terminal. The obfuscated script fetches payloads from attacker infrastructure at 91.92.242[.]30.

On Windows: Users download a ZIP file from a GitHub repository protected with the password "openclaw," extract it, and run an executable named openclaw-agent.exe.

Both vectors rely on users voluntarily executing malicious code—bypassing most automated defenses. The technique mirrors ClickFix campaigns that trick users into running PowerShell commands through fake CAPTCHA prompts.

The Payload: Atomic Stealer

Of the 341 malicious skills, 335 deliver Atomic Stealer (AMOS), a commodity macOS infostealer available as a subscription service for $500-1,000 per month.

Once installed, Atomic Stealer harvests:

• Cryptocurrency wallet private keys
• Exchange API keys
• SSH credentials
• Browser passwords and cookies
• The OpenClaw environment file (~/.clawdbot/.env), which may contain additional API keys

The focus on cryptocurrency assets isn't surprising. Crypto theft offers immediate, irreversible financial gain. Unlike stolen credit cards that require laundering, compromised wallet keys provide direct access to funds. The Trust Wallet breach earlier this year demonstrated the stakes: attackers stole $7 million through a compromised browser extension in a single incident.

Beyond Malicious Skills

The skill marketplace problem is just one piece of OpenClaw's security troubles. The platform disclosed CVE-2026-25253 (CVSS 8.8) on January 30—a token exfiltration vulnerability enabling full gateway compromise.

More concerning: researchers demonstrated that clicking a single malicious link can trigger remote code execution through cross-site WebSocket hijacking. OpenClaw's server doesn't validate WebSocket origin headers, allowing attackers to hijack authenticated sessions from malicious webpages.

"OpenClaw is a security dumpster fire," wrote Laurie Voss, founding CTO of npm, on LinkedIn. Peter Steinberger, OpenClaw's creator, acknowledged the criticism and committed to improving agentic security.

Why This Matters

The ClawHub campaign highlights a recurring pattern: every popular software ecosystem eventually attracts supply chain attacks. We've seen it with npm packages, VS Code extensions, and now AI agent marketplaces.

OpenClaw's architecture amplifies the risk. Users grant the agent significant system access by design. A compromised skill doesn't need to exploit vulnerabilities—it inherits the permissions users already granted.

The 12% poisoning rate on ClawHub is alarming. For comparison, malicious package rates on npm and PyPI typically hover below 1%. Either ClawHub's vetting is unusually weak, or attackers have prioritized the platform due to its user base of technically savvy early adopters—often developers with access to production infrastructure and cryptocurrency holdings.

Recommendations

For OpenClaw users:

1. Audit installed skills - Review every skill for unknown prerequisites or external download requirements
2. Check skill provenance - Verify publishers have established histories and multiple legitimate skills
3. Never execute prerequisite commands - Legitimate skills don't require manual shell commands
4. Update immediately - Ensure you're running version 2026.1.29 or later to address CVE-2026-25253
5. Rotate exposed credentials - If you've installed suspicious skills, assume API keys and wallet seeds are compromised

OpenClaw has added a reporting feature allowing users to flag suspicious skills. Skills receiving three or more unique reports are now hidden by default—a reactive measure that won't help users who already installed malicious extensions.