🤖 AI Summary
Between February and May 2026, researchers from Unit 42 identified a sophisticated threat campaign targeting the OpenClaw AI agent ecosystem, in which malicious actors published harmful "skills" on the ClawHub marketplace that bypass existing security measures, including VirusTotal scanning. These malicious skills use social engineering to trick users into executing commands that deploy infostealer malware, such as the Atomic macOS stealer (AMOS) and a new variant named "cluw." This development marks a significant escalation in software supply chain attacks tailored specifically for AI platforms, raising alarms about the security architecture of agentic AI environments.
The attacks hinge on user interaction: the skill prompts the user to run a command presented as a legitimate activation step, and the user unwittingly executes it. This lets attackers exploit the semantic gap in AI agent security, gaining the agent's full permissions and its access to sensitive information. As AI agents become more deeply integrated into personal and enterprise workflows, the implications are severe; without robust sandboxing and permission controls for third-party skills, users are exposed to credential theft and financial fraud, and organizations to large-scale data breaches and corporate espionage.