VIRUSTOTAL has released a report detailing a supply-chain attack targeting OpenClaw (formerly Clawdbot), with attackers flooding the platform’s marketplace with malicious “skills” that masquerade as helpful extensions but act as Trojan horses for malware. The findings note that hundreds of OpenClaw skills are actively malicious, including ones that appear legitimate but download and execute external code from untrusted sources.
A specific threat actor operating under the username “hightower6eu” has published over 300 skills, and the reported payloads include a Windows password-protected ZIP containing a Trojan and a macOS obfuscated shell script that downloads the Atomic Stealer (AMOS) malware. The study describes the malware as a broad information stealer that harvests data such as system and application passwords, browser cookies and cryptocurrency wallets, exfiltrating it to a remote command-and-control server before deleting itself.
To help defenders, VirusTotal has added support for OpenClaw skills to its Code Insight tool, leveraging AI models like Gemini 1.5 Flash to analyse these packages, and the guidance emphasises treating skill folders as trusted boundaries and exercising extreme caution with any extension that asks users to run external binaries or paste commands into a terminal. According to VirusTotal, for personal AI agents the supply chain is not a detail but the whole product. 3 February 2026.