Palo Alto Networks' Unit 42 research team has raised an alarm regarding ClawHub, the official marketplace for OpenClaw skills. According to a report released this week, five malicious skills were discovered, including two designed to steal sensitive data on macOS systems. This incident highlights a persistent supply chain threat targeting developers and advanced users who rely on OpenClaw to automate tasks through AI agents.
OpenClaw's Functionality and the Role of Skills
OpenClaw is an open-source platform launched in November 2025 that enables AI agents to perform concrete actions such as browsing the web or managing files, rather than simply answering questions. To execute specific tasks, OpenClaw requires "skills," which are add-on modules that extend its capabilities. ClawHub emerged as the official registry for these skills, quickly attracting both developers and cybercriminals.
Earlier in February 2026, initial attempts to distribute malware via ClawHub prompted developers to integrate scanners such as VirusTotal and ClawScan for proactive moderation. However, as the recent discovery shows, these measures have not been sufficient to stop attackers.
The Five Malicious Skills Uncovered by Unit 42
Researchers identified five malicious skills employing advanced evasion techniques. Two of them delivered the AMOS infostealer, a known malware that steals passwords, cryptocurrency wallets, and other sensitive data on macOS. A third skill used artificially inflated file sizes to bypass security checks, exploiting the fact that scanners like ClawScan might skip overly large files. The remaining two were essentially commission fraud schemes: they abused the AI agent's ability to make decisions on behalf of the user, generating fraudulent transactions.
Unit 42 noted that these skills were designed to be persistent and hard to detect. For instance, some used code obfuscation and injection techniques to hide malicious payloads within seemingly harmless functions.
ClawHub's Response and Security Recommendations
All five skills were reported to ClawHub, which promptly removed them and banned the responsible accounts. Despite this, Unit 42 warns that the supply chain risk remains high. The researchers recommend that organizations adopt a rigorous supply chain verification framework, including provenance validation and line-by-line code audits of skill packages. "Skill execution occurs within the agent process, necessitating active validation of publisher provenance and a detailed review of source files," the report states.
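An added example, not taken from the Unit 42 report or from ClawHub or ClawScan code: a pre-install audit that fails closed on any file a size-capped scanner would skip, the gap behind the inflated-size evasion described above. It also flags files dominated by a single filler byte, which is one simple way a file can be inflated (the padding method actually used is not given here). The size cap, thresholds and sample file names are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

SCAN_LIMIT = 1024 * 1024  # assumed scanner size cap, not a documented ClawScan value
PAD_RATIO = 0.5           # assumed threshold: one byte value fills half the file
MIN_PAD_SIZE = 4096       # ignore tiny files, where one byte can dominate by chance

def audit_file(path, scan_limit=SCAN_LIMIT):
    """Return findings for one file: too big to be scanned, or mostly filler."""
    findings = []
    size = os.path.getsize(path)
    if size > scan_limit:
        findings.append("exceeds-scan-limit")  # a size-capped scanner would skip it
    counts = Counter()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            counts.update(chunk)
    if size >= MIN_PAD_SIZE:
        byte, n = counts.most_common(1)[0]
        if n / size >= PAD_RATIO:
            findings.append(f"padding-byte-0x{byte:02x}")
    return findings

def audit_skill(root, scan_limit=SCAN_LIMIT):
    """Walk a skill directory; map relative path -> findings for flagged files."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            findings = audit_file(path, scan_limit)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def build_sample(root, pad_bytes=200_000):
    """Constructed sample package: one small file, one file inflated with spaces."""
    with open(os.path.join(root, "SKILL.md"), "wb") as fh:
        fh.write(b"# Demo skill\nDoes nothing.\n")
    with open(os.path.join(root, "helper.py"), "wb") as fh:
        fh.write(b"print('hello')\n" + b" " * pad_bytes)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        report = audit_skill(tmp, scan_limit=64 * 1024)
        for rel, findings in sorted(report.items()):
            print("BLOCK", rel, findings)  # fail closed: flagged files stop the install
```

A non-empty report means the package needs manual review before it is installed; a clean report only says nothing was skipped by size, not that the code is safe.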
This incident is not isolated. Similar attacks have targeted extension marketplaces for other AI platforms, demonstrating that cybercriminals constantly seek new vectors to distribute malware. For OpenClaw users, it is crucial to download skills only from verified sources and keep defenses updated.
To better understand supply chain attack dynamics, you can refer to Wikipedia's entry on supply chain attacks. Additionally, staying informed through reports from leading security teams like Unit 42 is highly recommended.