
Malicious OpenClaw skills distribute infostealers via ClawHub

malware | open | Jun 24, 2026 — Jul 1, 2026

Researchers from Palo Alto Networks Unit 42 uncovered five malicious skills on the ClawHub marketplace for the OpenClaw AI agent that were used to distribute macOS infostealers and facilitate financial fraud between February and May 2026. The skills abused the agent’s trusted authority to run harmful code without relying on traditional software vulnerabilities.

The malicious capabilities were packaged as seemingly legitimate OpenClaw skills and passed ClawHub’s automated security scans, allowing them to remain undetected for weeks.

The skills included credential stealers that harvested passwords and session tokens from infected macOS hosts, and also provided fraudulent financial advice designed to trick users into revealing banking details.

Although no specific threat actor has been linked to the campaign, the activity coincided with a rise in fraudulent investment schemes targeting English‑speaking users. Researchers noted that the skills were active during a period when similar macOS‑focused infostealer campaigns were observed in the wild.

The incident shows how AI agent marketplaces can become a vector for supply chain abuse, and why third-party skills need tighter vetting before they are made available to organisations. It also underlines the importance of treating AI-driven automation with the same scrutiny applied to traditional software components.

Organisations using OpenClaw should enforce a strict approval process for any skill downloaded from ClawHub, verifying the publisher’s identity and reviewing the skill’s code for unauthorised network calls or data collection routines.

Continuous behavioural monitoring of deployed skills is recommended, together with the implementation of application‑control policies that limit the agent’s access to sensitive files and credentials unless explicitly required.

Intelligence briefing updated Jul 1, 2026

Root source: unit42.paloaltonetworks.com