Unit 42 researchers have documented a sustained wave of malicious packages targeting ClawHub, the third-party skill marketplace for the OpenClaw AI agent platform, revealing that evasion techniques allowed harmful content to persist even after the platform introduced automated scanning via VirusTotal and its own ClawScan tooling.

A New Kind of Supply Chain Risk

AI agent ecosystems differ meaningfully from traditional software distribution channels such as npm or PyPI. OpenClaw skills are markdown-driven packages that execute with broad access to local file systems, shells, and credential managers. Because skill logic runs inside the agent’s own authenticated session, a malicious skill does not require a conventional exploit to achieve significant impact. Instead, attackers exploit the agent’s natural language interpretation, a technique Unit 42 describes as semantic instruction hijacking, to direct the agent to perform unauthorized actions under its own identity.

Early Campaign Activity

The threat landscape on ClawHub emerged quickly after the platform launched. In early February 2026, Bitdefender Labs reported that roughly 17 percent of analyzed skills carried malicious payloads. Koi Security’s ClawHavoc disclosure catalogued 341 malicious skills, and Trend Micro separately confirmed skills distributing Atomic macOS Stealer (AMOS) malware. Observed techniques during this early period included:

  • Base64-encoded curl-pipe-bash droppers that instructed the agent to fetch and execute remote payloads from a known AMOS C2 server at 91.92.242[.]30.
  • Platform-specific delivery, routing macOS targets through paste-site intermediaries and Windows targets to password-protected executables on third-party hosts.
  • Persistence via cron jobs registered by auto-updater skills to maintain C2 access after skill removal.
  • Cryptocurrency key exfiltration through the Telegram Bot API, used by a cluster of related accounts to avoid shared dropper infrastructure.
  • Registry saturation, where a single publisher injected identical payloads across the majority of their skill catalog to maximize installation reach before detection.

Those findings prompted ClawHub to integrate VirusTotal scanning for all published skills. Despite this, the C2 server at 91.92.242[.]30 remained active more than three months after its first public disclosure.

Five Skills Evaded Detection Between February and May 2026

Unit 42’s continued monitoring identified five skills that bypassed ClawScan and VirusTotal screening. These fell into three categories:

  • Infostealers: Two skills delivered macOS infostealers with active C2 connections, indicating ongoing threat actor infrastructure rather than opportunistic one-off campaigns.
  • Evasion: One skill used file size inflation to exceed scanner thresholds, successfully bypassing both ClawScan and VirusTotal.
  • Agentic threats: Two skills demonstrated novel techniques. One used runtime agentic affiliate injection and the other used agentic front-running, both designed to generate unauthorized financial gain by manipulating the agent’s actions at runtime.

All five skills were reported to ClawHub. The platform banned the associated accounts and removed the skills.

Platform Response and Ongoing Gaps

ClawHub announced a partnership with NVIDIA on June 1, 2026, adding documentation analysis and NVIDIA’s own skill-screening tooling to its review pipeline. OpenClaw is also collaborating with NVIDIA to produce per-skill behavioral documentation. These additions represent a meaningful expansion of the screening surface, though the persistence of evasive skills through a multi-month window underscores the difficulty of securing a marketplace where packages interact directly with a privileged agent runtime.

Security teams deploying OpenClaw or similar agentic platforms should treat third-party skill installation with the same scrutiny applied to any privileged software dependency, and audit agent activity logs for anomalous shell or network behavior originating from skill execution.