Malicious OpenClaw Skills Deploy Atomic macOS Stealer Through Fake Driver Prompts
3 min. read 
Published on
Threat actors embedded AMOS stealer in 39 malicious OpenClaw skills across ClawHub, SkillsMP, GitHub. SKILL.md files trick AI agents into prompting manual OpenClawCLI driver installs. Fake password dialogs capture system credentials for full macOS compromise.
AMOS malware-as-a-service targets Apple credentials, browser data, crypto wallets, Telegram chats. Universal Mach-O binary runs on Intel and Apple Silicon Macs. Over 2,200 malicious skills discovered on GitHub repositories alone.
Attack chain starts with innocent-looking SKILL.md instruction. GPT-4o models prompt users to install fake OpenClawCLI from openclawcli.vercel.app. Claude Opus 4.5 flags malicious intent refusing execution.
Base64 payload drops unsigned binary triggering fake macOS password dialog. User-entered system password grants full persistence and data access. Single click compromises entire machine.
Once authenticated, AMOS enumerates 19 browsers for cookies, passwords, credit cards. 150 cryptocurrency wallets targeted alongside Apple Keychain, Notes, VPN profiles. Desktop, Documents, Downloads folders yield PDFs, CSVs, password databases.
ZIP archive compresses loot for socifiapp.com exfiltration. Campaign represents AI agent supply chain compromise evolution. Malicious skills bypass traditional cracked app delivery.
Developers face risks installing unverified OpenClaw extensions. Enterprise macOS deployments require skill allowlisting immediately. AI workflow isolation prevents automatic propagation.
Data Theft Targets Table
| Category | Specific Targets |
|---|---|
| Browsers | 19 apps cookies/passwords/cards |
| Crypto | 150 wallet applications |
| Apple | Keychain, Notes, VPN profiles |
| Files | Desktop/Documents/Downloads |
| Messaging | Telegram desktop chats |
| Formats | PDF, CSV, KDBX, DOCX |
Infection Indicators
| Type | Indicator |
|---|---|
| Fake Site | openclawcli.vercel.app |
| C2 Server | socifiapp.com |
| Payload IP | 91.92.242.30 |
| Download | /ece0f208u7uqhs6x |
| Binary | il24xgriequcys45 |
| Detection | Trojan.MacOS.Amos |
Containerized AI execution blocks privilege escalation attempts. Unsigned binary rejection training prevents dialog falls.
Protection Steps
- Verify OpenClaw skills before installation
- Test skills in isolated macOS containers
- Block openclawcli.vercel.app domains
- Disable AI agent external installs
- Monitor socifiapp.com connections
- Audit Mach-O binary signatures
- Deploy AMOS behavioral detection
macOS enterprise deployments require immediate skill repository scanning. MaaS operators evolve delivery exploiting AI extension trust. Rapid takedown lags behind repository proliferation.
FAQ
39 uploaded plus 2,200 additional GitHub variants.
GPT-4o prompts installation; Claude Opus 4.5 flags malicious.
Unsigned Mach-O binary execution post-Base64 decode.
Browsers, crypto wallets, Apple Keychain, documents.
socifiapp.com receives ZIP compressed victim data.
Full system access via legitimate user credentials.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages