OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat

OpenClaw’s ClawHub marketplace was found hosting persistent malicious skills that delivered macOS infostealers, evaded scanners with file padding, and enabled novel agentic financial schemes. The article details how these campaigns abused AI supply-chain trust, used infrastructure such as 91.92.242[.]30, 2.26.75[.]16, and laosji[.]net, and led ClawHub to remove the skills, ban accounts, and expand screening with VirusTotal, ClawScan, and NVIDIA. #OpenClaw #ClawHub #ClawHavoc #AMOS #laosji.net #rentry.co

Keypoints

  • OpenClaw’s ClawHub marketplace was identified as a critical supply-chain attack surface because skills run with broad local system access.
  • After early disclosures, ClawHub added VirusTotal and ClawScan screening, but five malicious skills still evaded detection between February and May 2026.
  • Two skills delivered macOS infostealers, with one campaign using infrastructure linked to persistent C2 activity.
  • One skill used 22 MB of padding in a README.md file to exceed scanner thresholds and bypass content-analysis tools.
  • Two skills introduced novel agentic financial abuses: runtime affiliate injection and agentic front-running for profit.
  • ClawHub removed the reported skills and banned the associated accounts, and OpenClaw also began collaborating with NVIDIA to improve skill analysis.
  • The article stresses that monitoring outbound traffic, verifying publisher provenance, and auditing package source files are essential defenses.
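
One way to apply the package-auditing advice above, as an added example (not code from the article, ClawHub or OpenClaw): an audit that treats an oversized Markdown file as a finding and still scans it in full, rather than skipping it once it passes a size limit. The 1 MB threshold, the regexes and the sample package are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MAX_DOC_BYTES = 1024 * 1024      # assumed limit: skill docs are normally a few KB
CHUNK, OVERLAP = 64 * 1024, 512  # stream in chunks; overlap catches boundary matches

# Shell idioms the article describes: decoded or fetched content piped to a shell.
SUSPICIOUS = {
    "base64-decode-to-shell": re.compile(rb"base64\s+(-d|-D|--decode)\b[^\n]*\|\s*(ba)?sh\b"),
    "fetch-pipe-shell": re.compile(rb"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"),
}

def audit_file(path: Path) -> set[str]:
    """Scan the whole file regardless of size; the size itself is a finding."""
    findings = set()
    if path.stat().st_size > MAX_DOC_BYTES:
        findings.add("oversized-doc")
    tail = b""
    with path.open("rb") as fh:
        while chunk := fh.read(CHUNK):
            window = tail + chunk
            findings.update(n for n, rx in SUSPICIOUS.items() if rx.search(window))
            tail = window[-OVERLAP:]
    return findings

def audit_skill(root: Path) -> dict[str, list[str]]:
    """Return {relative path: sorted findings} for each Markdown file with findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.md")):
        found = audit_file(path)
        if found:
            report[str(path.relative_to(root))] = sorted(found)
    return report

def demo() -> dict[str, list[str]]:
    """Audit a constructed package: benign SKILL.md, padded README.md."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "SKILL.md").write_text("# Notes helper\nSummarise the open document.\n")
        padding = b" " * (2 * 1024 * 1024)  # constructed stand-in for the padding trick
        lure = b"\necho CONSTRUCTED_PLACEHOLDER | base64 -d | bash\n"
        (root / "README.md").write_bytes(b"# Setup\n" + padding + lure)
        return audit_skill(root)

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```
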

MITRE Techniques

  • [T1027 ] Obfuscated Files or Information – Malicious skills used Base64-encoded payloads and disguised instructions to hide execution details and evade inspection (‘decode and execute a Base64-encoded remote payload’).
  • [T1059.004 ] Command and Scripting Interpreter: Unix Shell – The skills instructed the agent to run copy-paste commands in a terminal and pipe decoded content to bash (‘copy and paste text into a terminal window’; ‘curl-pipe-bash dropper’).
  • [T1105 ] Ingress Tool Transfer – Payloads were fetched from remote infrastructure after the prerequisite block was executed (‘the associated command fetched a payload from 2.26.75[.]16’).
  • [T1036 ] Masquerading – Skills posed as legitimate productivity or financial assistant tools to trick users and agents (‘presented as AI assistants for macOS, posing as productivity tools for traders’).
  • [T1574.009 ] Hijack Execution Flow: Path Interception – Malicious prerequisite blocks redirected the agent to attacker-controlled instructions before continuing (‘directed agents to a site with malicious instructions’).
  • [T1053.003 ] Scheduled Task/Job: Cron – Auto-updater skills registered cron jobs to maintain persistence (‘scheduled cron job registration, ensuring that the C2 channel persisted’).
  • [T1030 ] Data Transfer Size Limits – The omnicogg skill inflated README.md with 22 MB of padding to exceed scanner thresholds (‘inflates the file size beyond the limits’).
  • [T1219 ] Remote Access Software – Skills leveraged the agent’s authority and authenticated sessions to perform unauthorized actions (‘complete control over the agent’s identity’).
  • [T1102.001 ] Web Service: Dead Drop Resolver – The skills used paste sites and hosted JSON on external domains as indirect delivery/control points (‘paste-site redirect lure’; ‘fetch product data from laosji[.]net’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – Skills used HTTP/HTTPS to retrieve payloads, instructions, and referral data (‘fetched a payload from 2.26.75[.]16’; ‘fetch product data from laosji[.]net’).

Indicators of Compromise

  • [IP addresses ] C2 and payload hosting infrastructure – 91.92.242[.]30, 2.26.75[.]16, and 91.92.242[.]30/lamq4
  • [Domains and URLs ] paste-site redirects, payload delivery, and affiliate data sources – rentry[.]co/openclaw-code, laosji[.]net, glot[.]io/snippets/hfd3x9ueu5, and 5 other items
  • [Publisher/skill names ] malicious marketplace listings – [redacted]/omnicogg, [redacted]/money-radar, [redacted]/letssendit, and 6 other items
  • [SHA256 hashes ] known malicious skill and payload hashes – b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007, b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2, and 4 other items
  • [File names ] malicious skill package files and delivery artifacts – README.md, SKILL.md


Read more: https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/