- Palo Alto Networks Unit 42 found five malicious “skills” on ClawHub, the official OpenClaw marketplace, that lead to data theft and fraud.
- Threat actors evaded VirusTotal/ClawScan checks with inflated file sizes and evasive techniques, showing persistent supply chain risk.
- All malicious skills were removed and accounts were banned; the researchers urge strict provenance validation and source code audits for published packages.
ClawHub is the latest marketplace that hackers are poisoning with malware, in an attempt to compromise software developers and other power users. Earlier this week, security researchers from Palo Alto Networks’ Unit 42 team revealed they had found and reported five “skills” in that marketplace, which sought to infect their users with data-stealing malware.
First, some context: OpenClaw (originally published as Clawd/Clawdbot) was released in November 2025. It is an open source agent platform that performs actions on a computer, such as browsing the web or managing files, rather than simply answering questions like a chatbot. To perform different actions, OpenClaw must first learn how to perform them, which is done through “skills”: plugins that extend the agent’s capabilities.
Soon after came ClawHub, the official marketplace and registry for OpenClaw skills and add-ons, which attracted not only the AI developer community but also cybercriminals. The first reports, published in February of this year, forced OpenClaw to integrate VirusTotal and ClawScan to better protect the community and allow proactive evaluation of published skills.
Persistent and evasive malicious abilities.
However, Unit 42 says this did not stop the threat actors, and that it has since discovered multiple “persistent and evasive malicious abilities” on the platform.
In total, researchers discovered five skills, including two that delivered the AMOS information stealer, one that came with an inflated file size to fool scanners, and two that were essentially commission fraud, abusing the fact that an AI agent can make decisions and perform actions on the user’s behalf. Details on all five can be found at this link.
All five have since been reported to ClawHub; OpenClaw removed them and banned the accounts behind them.
Unit 42 recommends that organizations use a “rigorous supply chain verification framework” to stay secure: “We identify that skill execution occurs within the agent process. This requires active validation of publisher provenance and a line-by-line audit of package source files.”
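One way to automate part of the package audit Unit 42 recommends and to flag the inflated-file-size trick mentioned above, as an added example that is not code from Unit 42, OpenClaw or ClawHub. The directory layout, the pinned-hash dictionary, the finding names and both thresholds are assumptions.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

SIZE_LIMIT = 1_000_000  # assumed size above which a scanner may skip a file
PAD_RATIO = 0.02        # assumed compressed/raw ratio that suggests filler bytes

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            h.update(block)
    return h.hexdigest()

def compressed_ratio(path, chunk=1 << 20):
    """Stream the file through zlib; padding compresses to almost nothing."""
    comp, raw, out = zlib.compressobj(6), 0, 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            raw += len(block)
            out += len(comp.compress(block))
    out += len(comp.flush())
    return out / raw if raw else 1.0

def audit_skill(root, pinned):
    """Return (relative_path, finding) pairs; pinned maps path -> reviewed sha256."""
    root, findings = Path(root), []
    files = {p.relative_to(root).as_posix(): p
             for p in sorted(root.rglob("*")) if p.is_file()}
    for rel, path in files.items():
        if rel not in pinned:
            findings.append((rel, "unreviewed-file"))      # never audited
        elif sha256_file(path) != pinned[rel]:
            findings.append((rel, "hash-mismatch"))        # changed since audit
        if path.stat().st_size > SIZE_LIMIT and compressed_ratio(path) < PAD_RATIO:
            findings.append((rel, "padded-oversize"))      # likely size inflation
    findings += [(rel, "missing-file") for rel in sorted(set(pinned) - set(files))]
    return findings

def demo():
    """Constructed sample: a reviewed skill that is later padded and extended."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "README.md").write_text("# sample skill\n")
        (root / "run.sh").write_bytes(b"echo hi\n")
        pinned = {p.name: sha256_file(p) for p in root.iterdir()}
        (root / "run.sh").write_bytes(b"echo hi\n" + b"\x00" * 2_000_000)
        (root / "extra.bin").write_bytes(b"x")
        return audit_skill(root, pinned)
```

Any finding should block installation until the file has been read by a person; the hash pins only have value if they were recorded during that review.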





