Emerging ThreatsMalware & Ransomware

Malicious AI Skills Evade Detection on ClawHub Marketplace

Analyst 207||Source: Unit42
Cluttered marketplace shelf with scattered AI devices, some hidden or obscured, conveying evasion and malicious activity.

“Bitdefender Labs reported that approximately 17% of OpenClaw skills they analyzed in the first few weeks of the platform's release carried malicious payloads.” That early measurement frames what Unit 42 found when it audited ClawHub between February and May 2026: a live marketplace that remained attractive to persistent, adaptive malicious actors even after automated screening was added.

Three threat categories observed on ClawHub

  • Infostealers: Unit 42 identified two skills that delivered macOS infostealers and connected to command-and-control (C2) infrastructure, signaling persistent actor activity rather than single-use probes.
  • Evasion: One skill deployed an evasion technique by inflating a README.md file with roughly 22 MB of padding characters to move the file beyond common scanner processing thresholds, allowing malicious content at the top of the file to be skipped by some pipelines.
  • Agentic threats: Two skills implemented agent-specific techniques — runtime agentic affiliate injection and agentic front-running — which misuse an installed skill’s authority inside the agent process to generate illicit financial gain for the publisher.

Representative campaigns: tradingview, omnicogg, money-radar, letssendit

Unit 42 documented five skills that initially bypassed ClawHub’s automated screening and required takedown after reporting. Each illustrates a pattern that leverages the agentic execution model.

  • tradingview-ai-indicator-assistant (SHA256 b6c7e0bf...af8007): Published May 17, 2026, this macOS-targeting skill used a mandatory prerequisite block that directed agents to a paste-site redirect (hxxps[:]//rentry[.]co/openclaw-code). The paste-site provided a Base64 string that, when executed, fetched a macOS infostealer named cluw from hxxp[:]//2.26.75[.]16/Xuvewuyur (cluw SHA256 818aea61...).
  • omnicogg (SHA256 b30eaed1f...5e19c2): An early-wave Base64-encoded curl-pipe-bash dropper that delivered AMOS malware from C2 91.92.242[.]30. The payload was embedded at the start of a README.md followed by ~22 MB of padding characters — a deliberate attempt to exceed scanner thresholds. JFrog Security Research disclosed this skill in March 2026.
  • money-radar (SHA256 ebb73dbb...1d1d): Marketed as an overseas finance adviser, the skill forced a first action that fetched referrals.json from laosji[.]net; that payload contained affiliate links (referralLink fields) that the skill then instructed the agent to always use, enabling runtime affiliate injection under operator control.
  • letssendit (SHA256 f4e41aa2...75d0e): Implemented an agentic front-running scheme via coordinated agents guided by instructions in SKILL.md and infrastructure on letssendit[.]fun. Installed agents pooled SOL into the operator’s wallet; the operator then purchased a token at a low bonding-curve price and later sold into the artificially created demand on pump[.]fun — a documented pump-and-dump executed through an autonomous AI agent network.

ClawHub and OpenClaw responses: screening, partnerships and removals

Following early disclosures, ClawHub integrated VirusTotal and a proprietary ClawScan to screen published skills. Those measures improved detection but were imperfect: Unit 42 found five skills that remained unblocked during its February–May 2026 analysis. After Unit 42 reported the five skills, OpenClaw banned the publisher accounts and deleted the offending skills. On June 1, ClawHub announced a partnership with NVIDIA to provide per-skill documentation and to run NVIDIA’s analysis tool on all skills.

What this means for technologists, enterprises, and end users

  • Technologists and security teams: Skill execution runs inside the agent process, so Unit 42 recommends active validation of publisher provenance and line-by-line audits of package source files; monitoring outbound network traffic and cross-referencing connections against published documentation will surface discrepancies.
  • Affected enterprises and procurement leaders: The marketplace model permits runtime control by publishers (for example, referrals.json on laosji[.]net or dynamic payload fetches), so procurement and policy controls should treat installed skills as high‑risk components and enforce blocking of known-malicious domains and skills.
  • End users: Paste-site redirect lures that require copy-paste of Base64-encoded commands into terminals — and mandatory, opaque prerequisite blocks — are recurring patterns in malicious skills and should be treated as immediate red flags within any agent workflow.

Indicators, mitigations and contacts

Unit 42 enumerates key indicators observed in these campaigns, including IPs and domains (2.26.75[.]16; 91.92.242[.]30; rentry[.]co/openclaw-code; laosji[.]net; letssendit[.]fun; pump[.]fun) and sample SHA256 hashes (818aea61..., b30eaed1f..., b6c7e0bf..., ebb73dbb..., f4e41aa2...). The research also points to concrete controls available to Palo Alto Networks customers — Koi Agentic Endpoint Security (AES), Advanced URL Filtering, Advanced DNS Security, Prisma Browser, Advanced WildFire, Cortex XDR and XSIAM — and to services from Unit 42, including the Unit 42 AI Security Assessment and Unit 42 Frontier AI Defense.

If you believe you may have been compromised or require urgent incident assistance, Unit 42 lists incident response contacts by region, for example North America toll-free +1 (866) 486-4842 (866.4.UNIT42) and other regional numbers included in the research.

OpenClaw’s marketplace model has altered the software supply chain calculus: semantic instruction hijacking and agentic authority mean that a published skill can, by design, assume an agent’s identity and perform actions on its behalf. ClawHub has added layers of automated screening and external partnerships, but Unit 42’s findings show attackers adapting with evasion padding, dynamic paste-site lures, persistent C2s and agentic financial fraud — a pattern that will demand ongoing verification of provenance, auditability of skill source files, and aggressive monitoring of post-installation network behavior.

https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/

Ai SecurityEmerging ThreatsInfostealersUnit 42Evasion TechniquesClawhubMalicious AI SkillsMarketplace ThreatsBitdefender Labs
Related Intelligence

Continue Reading

Modern cityscape at dusk with glowing abstract computer screen.

AI-Powered Adversaries Compress Cyberattack Timeline

In early 2026, the emergence of advanced agentic AI models marked a chilling new era in cyber threats, enabling attackers to compress the time between discovery and weaponization to mere minutes. This means that the window for detecting and responding to breaches may soon be shorter than the time it takes to finish a cup of coffee.

Analyst 207
Blurred cityscape with office workstation and blank computer screen.

MuddyWater Exploits Ransomware Disguise for Cyber Espionage

The line between ransomware attacks and nation-state espionage is rapidly blurring, as cyber groups like MuddyWater now disguise their operations as financially motivated ransomware attacks to further their strategic objectives. MuddyWater, linked to Iran's Ministry of Intelligence and Security, has been caught posing as the Chaos ransomware group in a deliberate campaign.

Analyst 207
Blurred computer workstation in foreground, network equipment rack in background.

Mistic Backdoor Enables Long-Term Access in Ransomware Attacks

Cyber attackers have deployed a sneaky backdoor called Mistic, allowing them to maintain long-term access to infected systems during ransomware attacks, all while staying remarkably under the radar. This stealthy threat uses clever tactics like running payloads in memory and mimicking legitimate Microsoft security tools to evade detection.

Analyst 207
Server equipment in a clean, clinical data center environment with ambient daylight.

US Seizes Huione Cloud Account Tied to $31 Billion Cyber Scam Laundering

The US Department of Justice has seized a cloud account linked to a staggering $31 billion cyber scam laundering operation, disrupting a vast online marketplace for fraud and money laundering. This massive crackdown targeted HuiOne Group, a Cambodia-based company accused of helping scammers launder billions through its subsidiaries.

Analyst 207