A security audit of 2,857 skills on ClawHub has found 341 malicious skills across multiple campaigns, according to new findings from Koi Security. The researchers, working with an OpenClaw bot named Alex, said 335 of the malicious skills use fake pre-requisites to install an Apple macOS stealer named Atomic Stealer (AMOS), with the campaign codenamed ClawHavoc. ClawHub is a marketplace for OpenClaw users to find and install third‑party skills and is an extension to the OpenClaw project, a self-hosted AI assistant.
The analysis found that the malicious skills share the same command‑and‑control infrastructure (91.92.242[.]30) and use social engineering to convince users to execute malicious commands that harvest crypto assets and credentials. Windows documentation invites users to download openclaw-agent[.]zip from a GitHub repository, while macOS instructions direct users to paste a script from glot[.]io into Terminal, illustrating targeted cross‑platform delivery. OpenClaw’s creator has added a reporting feature so users can flag skills, with auto-hidden skills once they accumulate more than three unique reports.