Cyber: Researchers Find 341 Malicious Clawhub Skills Stealing Data From...

A security audit of 2,857 skills on ClawHub has found 341 malicious skills across multiple campaigns, according to new findings from Koi Security, exposing users to new supply chain risks.

ClawHub is a marketplace designed to make it easy for OpenClaw users to find and install third-party skills. It's an extension to the OpenClaw project, a self-hosted artificial intelligence (AI) assistant formerly known as both Clawdbot and Moltbot.

The analysis, which Koi conducted with the help of an OpenClaw bot named Alex, found that 335 skills use fake pre-requisites to install an Apple macOS stealer named Atomic Stealer (AMOS). This set has been codenamed ClawHavoc.

"You install what looks like a legitimate skill – maybe solana-wallet-tracker or youtube-summarize-pro," Koi researcher Oren Yomtov said. "The skill's documentation looks professional. But there's a 'Prerequisites' section that says you need to install something first."

This step involves instructions for both Windows and macOS systems: On Windows, users are asked to download a file called "openclaw-agent.zip" from a GitHub repository. On macOS, the documentation tells them to copy an installation script hosted at glot[.]io and paste it into the Terminal app. The targeting of macOS is no coincidence, as reports have emerged of people buying Mac Minis to run the AI assistant 24x7.

Present within the password-protected archive is a trojan with keylogging functionality to capture API keys, credentials, and other sensitive data on the machine, including those that the bot already has access to. On the other hand, the glot[.]io script contains obfuscated shell commands to fetch next-stage payloads from an attacker-controlled infrastructure.

This, in turn, entails reaching out to another IP address ("91.92.242[.]30") to retrieve another shell script, which is configured to contact the same server to obtain a universal Mach-O binary that exhibits traits consistent with Atomic Stealer, a commodity stealer available for $500-1000/month that can harvest data from macOS hosts.

According to Koi, the malicious skills masquerade as

In addition, the cybersecurity company said it identified skills that hide reverse shell backdoors inside functional code (e.g., better-polymarket and polymarket-all-in-one), or exfiltrate bot credentials present in "~/.clawdbot/.env" to a webhook[.]site (e.g., rankaj).

The development coincides with a report from OpenSourceMalware, which also flagged the same ClawHavoc campaign t

Source: The Hacker News