Hackers Exploiting ClawHub Skills to Bypass VirusTotal Detections via Social Engineering

Threat actors have significantly evolved their attack strategies recently observed within the ClawHub ecosystem, moving away from easily detectable methods to more subtle techniques.

Rather than embedding malicious payloads directly into files, they now host these dangers on convincing external websites.

This strategic shift allows them to maintain a malicious campaign while hiding in plain sight, effectively bypassing many standard automated security checks that scan for known code signatures and putting developers at significant risk of supply chain compromise.

In previous iterations, malicious skills often contained obvious encoded strings or suspicious commands that security scanners could readily identify and block.

The new wave of attacks utilizes SKILL.md files that contain absolutely no malicious code whatsoever.

Since the files are technically benign text files, they scan as “clean” on platforms like VirusTotal, creating a dangerous false sense of security for the user who relies on these green checkmarks to validate safety before installation.

OpenSourceMalware analysts identified over 40 trojanized skills uploaded by the attackers using accounts such as thiagoruss0, masquerading as helpful tools for SEO, coding, or video transcription services. These entries serve solely as lures.

They exploit the trust users place in open-source repositories and legitimate hosting platforms to redirect them to a controlled environment where the actual infection occurs, leveraging social engineering rather than technical exploits to breach systems and steal sensitive data.

The External Hosting Infection Mechanism

The success of this campaign relies entirely on a “clean lure, dirty dependency” model identified in the report.

The documentation for these fake skills cleverly includes a mandatory prerequisite step in bold text, instructing the user that they must install a tool named “OpenClawCLI” before they can use the skill.

This link leads to a professional-grade website hosted on Vercel, complete with buzzwords like “Cross-platform” and “Open Source” to appear completely legitimate.

The site provides an installation command that appears standard to the eye but actually executes an obfuscated payload. The command uses Base64 encoding to hide the true destination, making casual inspection difficult for the average user.

When a user runs this command, it downloads a bash script from a remote IP address (91.92.242.30), immediately installing the malware onto the victim’s machine.

This method effectively bypasses the repository’s defenses by keeping the malicious component entirely separate from the ClawHub platform until the user manually invites it in.

To stay safe, never run installation commands from skill documentation without verifying the official project repository or the source code. Be suspicious of skills with random character suffixes in their names.

Security teams should proactively hunt for patterns involving the openclawcli domain and block the associated command-and-control IP addresses immediately to prevent data exfiltration. Report any suspicious findings to the platform administrators.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.