RESEARCHERS uncovered a large malware campaign abusing AI skills for Claude Code and Moltbot users, with over 400 malicious skills published on ClawHub and GitHub between late January and early February 2026, masquerading as crypto trading tools. OpenClaw, previously known as MoltBot and ClawdBot, is an open-source personal AI assistant platform that lets users install community-created “skills” and can run locally or via messaging apps, which created security risks when malicious skills are installed.
OpenSourceMalware warns that these skills used social engineering to trick users into running commands that installed info-stealing malware on Windows and macOS, stealing crypto keys, credentials and passwords, with all samples sharing the same command-and-control infrastructure.
A total of 386 skills were involved, largely posing as crypto tools, and one account, hightower6eu, dominated the campaign by uploading dozens of near-identical skills; ClawHub’s maintainer admitted the registry cannot be secured and many malicious skills remain online. The campaign is described as a supply-chain attack targeting Claude Code and Moltbot skills, relying on social engineering rather than technical exploits.
According to OpenSourceMalware, the attack demonstrated weak security reviews in the skills publication process and suggests a financial motive targeting cryptocurrency traders.