- Palo Alto Networks’ Unit 42 found five malicious “skills” on ClawHub, OpenClaw’s official marketplace, delivering info stealers and scams
- Threat actors bypassed VirusTotal/ClawScan checks with inflated file sizes and evasive techniques, showing ongoing supply chain risk
- All malicious skills were removed and accounts banned; researchers call for strict provenance validation and source code auditing for published packages
ClawHub is the latest marketplace that hackers are poisoning with malware in an attempt to compromise software developers and other power users. Earlier this week, security researchers from Palo Alto Networks’ Unit 42 team revealed that they found and reported five “skills” on the marketplace that attempted to infect their users with infostealer malware.
First, a little context: OpenClaw (originally named Clawd/Clawdbot) was released in November 2025. It is an open source agent platform that performs actions on a computer, such as browsing the web or managing files, rather than simply answering questions like a chatbot. To perform these actions, OpenClaw must first learn how to do them, which is done through “skills” – add-ons that expand the agent’s capabilities.
Soon after, ClawHub was born – the official marketplace and registry for OpenClaw skills and plugins, attracting not only the AI developer community, but also cybercriminals. Early reports, published in February of this year, forced OpenClaw to integrate VirusTotal and ClawScan to better protect the community and allow proactive screening of published skills.
Persistent and evasive malicious skills
However, Unit 42 says this did not stop threat actors and that it has since discovered several “persistent and evasive malicious skills” on the platform.
In total, the researchers discovered five skills: two that delivered the AMOS infostealer, one that came with an inflated file size to fool scanners, and two that were essentially commission fraud schemes abusing the fact that an AI agent can make decisions and perform actions on behalf of the user.
All five were subsequently reported to ClawHub, and OpenClaw had them removed and the accounts behind them banned.
Unit 42 recommends that organizations use a “strict supply chain verification framework” to stay secure: “We have identified that skill execution occurs within the agent process. This necessitates active validation of publisher origin and a line-by-line audit of package source files.”




