Palo Alto Networks Unit 42 reported that five malicious skills were uploaded to the OpenClaw/ClawHub AI agent marketplace and bypassed platform screening controls, despite ClawHub’s use of VirusTotal and ClawScan. The skills fell into three categories: macOS infostealer delivery, scanner evasion, and agentic abuse for financial gain. Two TradingView-themed skills redirected users through paste sites and used Base64-encoded curl-pipe-bash execution to install a macOS infostealer called cluw, while another skill, omnicogg, used a 22 MB padded README.md to evade scanning and linked to Atomic macOS Stealer infrastructure associated with 91.92.242[.]30.
Unit 42 also found two skills, money-radar and letssendit, that abused agent permissions without relying on traditional malware payloads. One forced affiliate-linked recommendations at runtime to generate commissions, while the other coordinated an agentic front-running scheme tied to a Solana meme-token pump-and-dump operation. OpenClaw said the reported accounts were banned and the skills removed from ClawHub, but the incident underscores a growing AI supply chain risk: marketplace skills can manipulate natural-language task execution while inheriting an agent’s authenticated access to files, shells, and credentials.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
The report published technical details for threat hunting and incident response, including domains, IP addresses, file hashes, affected skill names, and detection queries related to the five malicious ClawHub skills. This expanded defender visibility into the OpenClaw marketplace abuse beyond the initial discovery and takedown.
Following the report to ClawHub, OpenClaw banned the associated accounts and removed the five malicious skills from the marketplace. This action was described as occurring after the reporting by Unit 42, but no specific date was given.
After identifying the five malicious skills, Unit 42 reported them to ClawHub. The report does not provide a specific date for the disclosure.
Unit 42 analyzed the OpenClaw/ClawHub AI agent skill ecosystem from February through May 2026 and found five malicious skills that bypassed ClawHub’s screening controls. The skills fell into three categories: macOS infostealer delivery, scanner evasion through file padding, and agentic abuse schemes for financial gain.
In January 2026, the ClawHavoc campaign used 12 compromised accounts to upload 1,184 malicious skills to the ClawHub marketplace. The article says the campaign led to 247,000 confirmed installations and $2.3 million in stolen cryptocurrency.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcecybersecuritynews.com
Open sourcecommunity.gurucul.com
Open sourcedarkreading.com
Open sourceunit42.paloaltonetworks.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.