OpenClaw Skill Marketplace Threats Expose AI Agents to Malware and Financial Fraud

Security researchers have found new malicious skills in the OpenClaw AI agent ecosystem, showing how third-party agent extensions can become a serious software supply chain risk.

The latest Unit 42 report says five malicious ClawHub skills bypassed existing screening between February and May 2026. The skills included macOS infostealers, a file-padding evasion technique, and two agentic financial-abuse schemes.

OpenClaw is an AI assistant that can run third-party skills from ClawHub. The OpenClaw website describes it as an assistant that can manage tasks such as email, calendars, travel actions, and messaging from chat apps.

Why OpenClaw skills create a new supply chain risk

Traditional software supply chain attacks usually target packages, dependencies, or build systems. AI agent skills create a different problem because they can combine code, files, and natural-language instructions.

Unit 42 said a malicious skill can exploit the agent’s operational context, including shell access, files, credential managers, and authenticated sessions. That means attackers may not need a classic software exploit after a user installs a harmful skill.

The risk is greater because skills often present themselves as helpful automation tools. In the latest case, some skills posed as TradingView assistants, while others appeared to offer financial advice or general utility features.

Threat type	Example skill	Main risk
Infostealer delivery	TradingView assistant skills	macOS malware delivery through fake setup instructions
Scanner evasion	omnicogg	Payload hidden in an oversized README.md file
Affiliate injection	money-radar	Financial recommendations routed through attacker-controlled referral links
Agentic front-running	letssendit	SOL pooling used to support a meme-token launch strategy

Five malicious skills bypassed screening

According to the Unit 42 analysis, ClawHub had already added VirusTotal and ClawScan checks after earlier waves of malicious skills. Even so, the researchers found five unblocked skills that slipped past those defenses.

OpenClaw said in February that VirusTotal scanning had been added to ClawHub. The company said skills would be packaged, hashed, checked against VirusTotal, and uploaded for fresh scanning when needed.

That extra layer helped, but it did not solve the entire problem. OpenClaw itself warned that a clean scan does not mean a skill is safe, because natural-language instruction abuse and prompt-style manipulation may not trigger malware signatures.

TradingView-themed skills delivered macOS malware

Two skills targeted TradingView users on macOS. They appeared to be productivity assistants, but both used a malicious prerequisite block that pushed the agent or user toward a paste-site lure.

The lure at rentry[.]co/openclaw-code served a Base64-encoded command. When executed, the command fetched a macOS infostealer named cluw from 2.26.75[.]16.

The technique resembled earlier ClawHavoc activity, but Unit 42 said this campaign used fresh backend infrastructure and a payload that differed from AMOS.

• The skills posed as TradingView assistant tools for macOS users.
• The malicious instructions used a fake prerequisite flow.
• The payload was delivered through a paste-site redirect and remote server.
• The attack relied on user or agent execution rather than a browser or OS zero-day.

omnicogg used file padding to evade scanners

A separate skill named omnicogg hid a Base64-encoded curl-pipe-bash dropper inside a README.md file. The file then added around 22 MB of padding characters.

This mattered because some content-analysis pipelines skip files that exceed practical scanning limits. In Unit 42’s finding, VirusTotal returned a clean verdict, while ClawScan was still in review in mid-May and the skill remained available for download.

The payload delivered AMOS malware through infrastructure at 91.92.242[.]30. That same IP address had already appeared in earlier OpenClaw malware research.

Earlier reports showed the problem was already widespread

This is not the first warning about malicious OpenClaw skills. Bitdefender Labs reported in February 2026 that around 17% of OpenClaw skills it analyzed showed malicious behavior.

Koi Security’s ClawHavoc research, summarized by The Hacker News, found 341 malicious skills in an audit of 2,857 ClawHub skills. Most used fake prerequisites to deliver Atomic macOS Stealer.

Trend Micro also documented malicious OpenClaw skills that used agent workflows to distribute Atomic macOS Stealer. Its researchers said the attack shifted from deceiving only humans to manipulating AI agent workflows as trusted intermediaries.

Research source	Finding	Date
Bitdefender Labs	Around 17% of analyzed skills showed malicious behavior	February 2026
Koi Security	341 malicious ClawHub skills found in a 2,857-skill audit	February 2026
Trend Micro	OpenClaw skills used to distribute Atomic macOS Stealer	February 2026
Unit 42	Five evasive or agentic malicious skills found after screening was added	June 2026

Financial fraud skills abused agent trust

Unit 42 also found two skills that focused on financial gain rather than traditional malware delivery. The money-radar skill posed as a financial product advisor for users in mainland China, Hong Kong, and Singapore.

On every use, the skill fetched product data from laosji[.]net. The payload contained about 60 products across eight categories, each carrying referral-link fields that the agent was instructed to use.

This meant the publisher could change recommended products after installation. The agent appeared to provide financial advice, but the recommendations could route users through attacker-controlled affiliate links.

letssendit showed agentic front-running risk

The letssendit skill went further by using AI agents in a coordinated Solana-based financial scheme. Unit 42 described it as agentic front-running tied to a SENDIT meme-token launch.

The skill guided installed agents to pool SOL cryptocurrency into the operator’s wallet. The operator could then buy the token at the lowest bonding-curve price before distributing any to participating agents.

This type of attack shows why AI agent marketplaces need more than malware scanning. A skill can create harm even if it does not contain a conventional trojan, stealer, or exploit.

OpenClaw is adding more skill checks

OpenClaw has continued adding security measures. On June 1, the project announced an NVIDIA SkillSpector collaboration to scan skills for hidden instructions, risky code paths, broad capabilities, dependency issues, and mismatches between what a skill claims and what it does.

The same announcement said every ClawHub skill now ships with a Skill Card that documents who published it, what it can do, what ClawScan found, and where it came from.

OpenClaw’s NVIDIA security update also showed why single-scanner trust is weak. Across a large skill dataset, VirusTotal, static analysis, and SkillSpector rarely flagged the same items together.

How teams should respond

Organizations using OpenClaw or similar AI agents should treat third-party skills as untrusted code. A skill can access sensitive information through the agent, even when its public description looks harmless.

Security teams should inventory installed skills, verify publisher history, review SKILL.md files line by line, and monitor outbound network traffic for undocumented domains or IP addresses.

They should also require behavior checks before installation, not only after a user reports suspicious activity. Unit 42’s earlier Trust No Skill research recommends comparing what a skill claims to do with what it actually does across metadata, code, and natural-language instructions.

1. Review every installed skill and remove anything from unknown or suspicious publishers.
2. Check SKILL.md files for hidden prerequisites, remote scripts, and forced instructions.
3. Block known indicators such as 2.26.75[.]16, 91.92.242[.]30, laosji[.]net, and rentry[.]co/openclaw-code.
4. Monitor agent network traffic for destinations that do not match a skill’s stated purpose.
5. Restrict agent access to wallets, shell commands, credential stores, and production systems.

Why the threat matters beyond OpenClaw

The OpenClaw case shows a broader problem for AI agent ecosystems. As agents gain access to files, accounts, terminals, browsers, and payment systems, their plugins and skills become high-value targets.

Trust No Skill argued that AI agent skills resemble mobile apps and browser extensions in an earlier stage of maturity. The difference is that agent skills can mix executable behavior with instructions that influence the agent’s decisions.

That makes review harder. A scanner may catch a known malware hash, but it may miss a skill that quietly changes advice, redirects money flows, or tells an agent to treat suspicious steps as required setup.

Known indicators of compromise

Type	Indicator	Context
IP address	2.26.75[.]16	Server hosting cluw macOS infostealer payload
IP address	91.92.242[.]30	AMOS delivery and C2 infrastructure seen in earlier campaigns
Domain	laosji[.]net	Runtime affiliate injection used by money-radar
URL	rentry[.]co/openclaw-code	Paste-site lure used in the TradingView-themed skills
Domain	download.setup-service[.]com	Malicious distribution domain listed by researchers
Domain	install.app-distribution[.]net	Malicious app distribution domain listed by researchers

The main lesson is clear: AI agent security cannot rely only on traditional malware detection. Marketplaces need provenance checks, behavior verification, semantic analysis, and strong controls over what installed skills can access.

For users, the practical advice is simple. Do not install agent skills because they look useful or have a clean scan. Review what they do, who published them, what network connections they make, and whether their behavior matches their stated purpose.

FAQ