ClawHub on the lookout: 341 malicious modules reveal a new attack vector in the software supply chain

A security audit of 2,857 "skills" published in ClawHub detected 341 malicious modules that were part of coordinated campaigns, according to the report of Koi Security. What started as a community tool to expand an IA wizard has become a malware distribution channel and a new risk vector in the software supply chain.

ClawHub, the market for skills for OpenClaw, was born to facilitate users to install extensions created by third parties in OpenClaw, the open source assistant previously known as Moltbot or Clawdbot. But that opening also makes it easier for malicious actors to upload packages that appear to be useful and legitimate. Koi documents that a large part of the committed skills included false "pre-requirement" instructions to force the execution of harmful code on the victims' teams.

The social engineering that researchers describe is simple and effective: the user installs an attractive skill - for example, a tool for Solana wallets or YouTube utilities - and follows a section that indicates previous steps. In Windows was asked to download a ZIP calledopenclaw-agent.zipfrom GitHub; in macOS, the instructions urged to copy and paste a script hosted in glot [.] io directly into the Terminal. That kind of indication is exactly what an attacker needs to convince someone to run code without checking.

Within the password-protected file found by Koi there is a Trojan with key registration capabilities designed to capture API keys, passwords and other sensitive information that could already be accessible from the wizard itself. For its part, the script hosted in glot [.] o runs osfussed commands aimed at recovering later stages of the attack from an infrastructure controlled by the attackers. In the infection chain there is a specific IP address (91.92.242.30) that serves to download another script and, finally, a universal Mach-O binary with characteristics consistent with Atomic Stealer (AMOS), a commercial stealer that according to the findings is offered on the market for several hundred dollars a month.

In addition to this family - called by researchers such as ClawHavoc - the attackers used suplanting and typosquating techniques to camouflage their skills: names very similar to ClawHub or variants with typographic errors, along with cryptomoneda-oriented utilities, bots for prediction platforms such as Polymarket, functions to download or summarize YouTube videos, self-updates and supposed integration with Google Workspace tools. Koi also identified skills that hid a reverse shell-type backdoor within apparently functional code and others that exfiltered wizard credentials, for example from the file ~ / .clawdbot / .env to webhook services.

The campaign confirmation did not come from a single source. A researcher who publishes as 6mile in OpenSourceMalware He reported a very similar activity, noting that modules spread malware aimed at stealing information related to exchanges, private wallets keys, SSH credentials and passwords stored in browsers. The infrastructure match between pointed samples reinforces the hypothesis of a large-scale coordinated operation.

The background problem is the design opening. ClawHub allows you to publish skills with a minimum requirement: that the author has a GitHub account just one week old. This low barrier combined with the growing curiosity of deploying private assistants prompted many people to run OpenLaw on a continuous basis on machines such as the Mac Mini, which already attracted attention in media such as Business Insider and generated hardware promotions at sites like Mashable.

In the face of the climbing, the OpenClaw team has added a function so that authenticated users can report suspicious skills. According to official documentation, each person can keep up to 20 active reports and objects that accumulate more than three unique complaints are automatically hidden from the catalogue. This measure represents a first step, but does not eliminate the risk inherent in a repository where anyone can publish code with little verification. You can see the moderation section in the OpenClaw documentation Here..

The incidents around OpenClaw and ClawHub have also reopened a broader debate on the safety of IA agents who can run local commands, store persistent memory and communicate with external resources. Palo Alto Networks published an analysis that warns that when an agent has access to private data, consumes content without guarantee of integrity and can interact with the network, a dangerous combination is created that some call the "lethal trilogy" or "lethal trifect" - a term coined by the developer Simon Willison - that makes these agents particularly vulnerable to sophisticated attacks and to "time-shifted" or delayed activation operations. Palo Alto's blog summarizes how persistent memory can convert point exploits into threats that are assembled and detonated over time; you can read that analysis on the site of Palo Alto Networks and Simon Willison's reflection on the " lethal trifect. "

What lessons does this episode leave? First, that the confidence implicit in modules published by third parties can be exploited relatively easily. Second, that the instructions to run commands in the Terminal are a classic way for the user to do the job of "activating" malware by itself by copy-past. And third, that the proliferation of agents with persistent memory and access to local resources requires stricter control measures in extension and skill catalogues.

Practical recommendations: do not run scripts glued from unknown pages, carefully review any pre-requisite order to download or run code, maintain backups and separate environments: if you are running a 24 / 7 wizard, consider using isolated machines and accounts without sensitive information. For platform managers such as ClawHub, the very low publication friction suggests the need for more automated and human scrutiny, as well as the possibility of mandatory signatures and reviews for skills requesting sensitive permits.

This incident is a wake-up call: the combination of curiosity about new IA tools, open platforms and malicious actors willing to monetize the theft of credentials and keys makes it inevitable that we will see more similar attempts if more rigid defenses are not adopted. To deepen technical research, the Koi Security report and OpenSourceMalware follow-up are recommended readings: Koi Security and OpenSourceMalware. It is also useful to review OpenClaw's documentation on ClawHub's moderation Here..