Malicious AI Agent Skills Abused for Crypto Theft and macOS AMOS Delivery
Researchers reported multiple campaigns abusing AI agent “skills” as a new supply-chain-like initial access vector. In one case, a malicious ClawHub skill (bob-p2p) masqueraded as a decentralized API marketplace and was promoted via the AI-agent social platform Moltbook; once installed, it caused agents to retain plaintext Solana private keys and execute transactions that bought worthless $BOB tokens while routing value to attacker-controlled infrastructure. Staiker researchers and analyst Dan Regalado highlighted that agent-to-agent collaboration, shared workflows, and dependency chains can enable lateral movement without direct human interaction, making the technique repeatable and scalable beyond crypto-wallet theft.
Separately, Trend Micro described a shift in Atomic macOS Stealer (AMOS) distribution from cracked software to malicious OpenClaw skills hosted across ClawHub, SkillsMP, and GitHub. The campaign used seemingly benign SKILL.md instructions to trick models/users into installing a fake prerequisite (“OpenClawCLI”) from an external site; if followed, the workflow fetched and executed a Base64-encoded command that dropped a Mach-O universal binary (Intel and Apple Silicon). Trend Micro reported 39 malicious skills uploaded across repositories and stated that more than 2,200 malicious skills were ultimately found on GitHub, with AMOS targeting credentials, browser data, crypto wallets, Telegram data, VPN profiles, Apple Keychain items, and common user folders—underscoring that AI-agent ecosystems are becoming a practical malware delivery and data-theft channel.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Zscaler details DeepSeek-Claw skill delivering Remcos RAT and GhostLoader
Zscaler ThreatLabz reported that a malicious OpenClaw skill named "DeepSeek-Claw" impersonated a DeepSeek integration and delivered two malware chains. On Windows it installed Remcos RAT via an MSI and DLL sideloading with a signed GoToMeeting executable, while manual install paths triggered the cross-platform GhostLoader stealer targeting developer credentials, wallets, SSH keys, and cloud tokens.
Acronis links 575+ malicious ClawHub skills to 13 developer accounts
Acronis Threat Research Unit reported that ClawHub was hosting more than 575 malicious OpenClaw skills published by 13 developer accounts, with most attributed to the aliases hightower6eu and sakaen736jih. The report said the skills targeted Windows and macOS users with AMOS Stealer, trojans, and a cryptominer, using social engineering, hidden dependencies, password-protected archives, encoded commands, and prompt-injection-style abuse.
Researcher identifies 30 ClawHub skills in "ClawSwarm" crypto-swarm campaign
Manifold researcher Ax Sharma reported that 30 ClawHub skills published by the user "imaflytok" silently enrolled installed AI agents into a cryptocurrency-oriented swarm via onlyflies.buzz. The skills abused normal instruction files and skill functionality to make agents disclose metadata, store credentials locally, periodically check in, and in some cases generate Hedera wallets and submit private keys without user consent.
Silverfort discloses ClawHub ranking-manipulation vulnerability
Silverfort reported a ClawHub vulnerability that could allow attackers to manipulate marketplace rankings and push a malicious skill to the number-one position. The disclosure introduced a new platform-level weakness that could amplify discovery and distribution of malicious skills beyond the previously documented ClawHavoc campaign tactics.
Researchers observe live AMOS operator harden C2 during March campaign
In March 2026, Breakglass Intelligence analyzed an active fake OpenClaw skill campaign delivering Atomic macOS Stealer and observed the operator replace the original dropper with a revised version that changed encryption, added anti-VM checks, and rotated C2 credentials. After researchers authenticated to the live C2 and mapped its protocol, the operator hardened the infrastructure within 29 minutes by removing console endpoints and blocking uploads while keeping token validation active.
PolySwarm publishes ClawHavoc campaign details and follow-on tactics
PolySwarm publicly detailed the ClawHavoc campaign, including AMOS delivery on macOS, theft of OpenClaw bot configuration secrets, webhook-based exfiltration, and reverse shells. The report also described follow-on comment-based social engineering on popular Skills that redirected users to attacker infrastructure such as 91.92.242[.]30.
Researchers uncover bob-p2p ClawHub skill used in crypto scam
Staiker researchers identified a malicious ClawHub skill called "bob-p2p" that was promoted on Moltbook as a decentralized API marketplace. Once installed, it caused agents to store Solana wallet private keys in plaintext and buy worthless $BOB tokens while sending payments to attacker-controlled infrastructure.
Attackers shift AMOS delivery to malicious OpenClaw skills
Trend Micro reported a new Atomic macOS Stealer variant distributed through malicious OpenClaw skills uploaded to ClawHub, SkillsMP, and GitHub. The infection chain used benign-looking SKILL.md files to direct users to install a fake prerequisite and then execute a payload that could trigger a fake password prompt to capture the macOS system password.
ClawHavoc campaign expands across ClawHub as marketplace grows
By mid-February 2026, researchers said the campaign had grown to 824 identified malicious Skills, with more than 900 malicious Skills used overall as ClawHub exceeded 10,700 listed Skills. The operation targeted both Windows and macOS users with staged payload delivery, credential theft, reverse shells, and secret exfiltration.
Researchers identify 341 malicious ClawHub skills in ClawHavoc campaign
PolySwarm reported that the ClawHavoc supply-chain poisoning campaign had already uploaded 341 malicious Skills to ClawHub by February 1, 2026. The skills used convincing documentation and fake setup prerequisites to trick OpenClaw users into executing malicious payloads.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
11 references tracked. Mallory keeps watching after this page renders.
Hackers Leveraged Hugging Face and ClawHub With 575+ Malicious Skills to Deploy Malware
cybersecuritynews.com
Open sourceMalicious OpenClaw Skill Distributes Remcos RAT and GhostLoader | Community Portal | Gurucul
community.gurucul.com
Open sourceOpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz
zscaler.com
Open sourcePoisoning the well: AI supply chain attacks on Hugging Face and OpenClaw
acronis.com
Open sourceFake "OpenClaw Skill" AMOS Stealer: Cracking Two Encryption Schemes, Authenticating Against a Live C2, and Mapping an Active macOS Infostealer Campaign - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceThe ClawHavoc Campaign
blog.polyswarm.io
Open sourceNovel AI agent-powered crypto scam uncovered | SC Media
scworld.com
Open sourceMalicious OpenClaw Skills Used to Trick Users into Manual Password Entry for AMOS Infection
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OpenClaw Abuse and Malicious Skills Used to Deliver Atomic macOS Stealer
Google suspended access to its *Antigravity* (Gemini developer) platform for many **OpenClaw** users after detecting OAuth token abuse tied to OpenClaw’s third-party OAuth plugin, which was used to access subsidized Gemini tokens and drove backend load spikes and service degradation. Reports indicated sudden `403` errors and account restrictions, with some users claiming broader Google account impacts (e.g., loss of access to Gemini tooling and, in some cases, Workspace/Gmail). Google stated the activity violated terms by using Antigravity infrastructure to power non-Antigravity products and described the traffic as “malicious usage” patterns, offering limited reinstatement for some users who may have been unaware. Separately, Trend Micro reported a supply-chain style campaign abusing the OpenClaw ecosystem to distribute **Atomic (AMOS) Stealer** via malicious “skills.” Threat actors allegedly uploaded hundreds of malicious skills to repositories/marketplaces (e.g., *ClawHub* and *SkillsMP*), hiding instructions in `SKILL.md` to manipulate AI-agent workflows into presenting fake setup steps and prompting a human-in-the-loop password entry to complete infection. The AMOS variant was observed exfiltrating data including Apple and KeePass keychains and user documents, and Trend Micro noted the specific samples lacked persistence and ignored `.env` files; identified malicious skills were reportedly taken down, though code artifacts remained accessible in associated GitHub repositories at the time of reporting.
Mar 21, 2026
Malicious OpenClaw skills abused via ClawHub to steal cryptocurrency and browser data
Security researchers reported that the *OpenClaw* self-hosted AI assistant ecosystem is being abused for malware distribution via **ClawHub**, a public registry for third-party “skills.” At least **14 malicious skills** uploaded over a short window masqueraded as crypto trading/wallet automation tools, but were designed to trick users into executing obfuscated setup commands that fetch and run remote scripts. Because OpenClaw skills are installed as executable code (not sandboxed) with access to local files and network resources, successful installs can enable credential theft and cryptocurrency wallet compromise on **Windows and macOS**, and one malicious listing reportedly reached prominent placement before removal, increasing the likelihood of accidental installs. Separate reporting also highlighted a related risk: a **1-click remote code execution (RCE)** issue affecting OpenClaw/Moltbot/ClawdBot was discussed in the security community, indicating that the same ecosystem is facing both supply-chain style extension abuse and potential direct exploitation paths. Organizations allowing developer or power-user adoption of OpenClaw should treat third-party skills as untrusted software, restrict installation sources, and monitor for social-engineering patterns such as “copy/paste this one-liner” installers that retrieve code from external servers—especially when tied to cryptocurrency-themed lures.
Feb 10, 2026
OpenClaw AI Agent Skills Abused for Credential Exposure and Prompt-Injection Backdooring
Security researchers and media reports warned that the open-source AI agent **OpenClaw** (formerly *Moltbot/Clawdbot*) can be abused via its *ClawHub* “skills” ecosystem, with findings that **~7.1% of marketplace skills** contributed to exposure of **API keys, credentials, and credit card data** due to problematic `SKILL.md` instructions. Snyk highlighted a particularly severe example, **buy-anything skill v2.0.0**, which performs credit-card “tokenization” in a way that can be used to **pilfer financial details** before prompting users to provide card information. Additional research described **indirect prompt-injection** risk: a malicious Google document can coerce OpenClaw into integrating a new **Telegram bot**, enabling follow-on actions such as **file exfiltration** and deployment of a **Sliver** command-and-control beacon for persistence, with potential for **privilege escalation, lateral movement, and ransomware execution**. Separately, one report noted OpenClaw’s move to scan skills with **VirusTotal**, but also emphasized that signature-based scanning is not a complete mitigation for **prompt-injection** and other logic-level abuses; other items in the same news roundup (e.g., telecom “Salt Typhoon” oversight) were unrelated to OpenClaw’s vulnerabilities.
Mar 21, 2026