Home/ Blog/ Security news/ Article
Blog · Security news

Add-ons for the OpenClaw AI assistant are stealing logins and running crypto scams

Malicious OpenClaw skills on the ClawHub marketplace steal credentials and hijack AI agents for crypto fraud, and some slip past the store's own scanner.

Isometric shelf of identical blocks, a few hollowed out and leaking threads
By Noam Alum · ·Security news · 5 min read Mitigate now

The threat to an AI agent platform is no longer just a bad file. It is a trusted add-on that waits until after it passes review, then turns the agent's own autonomy against its owner. That is the through-line of new research Palo Alto Networks' Unit 42 published on June 23, 2026 on ClawHub, the public skill marketplace for the OpenClaw AI assistant. Months after a February cleanup removed hundreds of malicious skills, Unit 42 says some are still live, and the newest ones do something a credential stealer never did: they co-opt the agent to commit financial fraud on the user's behalf.

If you run OpenClaw, this is your week to inventory what you installed.

What OpenClaw and ClawHub are

OpenClaw is a self-hosted AI assistant that runs continuously on a machine and acts through messaging apps and scheduled jobs, rather than waiting to be prompted. It extends itself through skills, small packaged capabilities you install from a marketplace, the way a developer pulls a package from a registry. ClawHub is the official public registry for those skills, often described as an app store for AI agents. That model is the problem. A marketplace of thousands of third-party extensions, each able to read local files and run commands on an always-on machine, is the same software supply-chain exposure that has burned npm package registries and code-editor plugin stores, now pointed at an agent that can act on its own.

The new twist: skills that beat the marketplace scanner

ClawHub scans submitted skills, including a pass through VirusTotal. Unit 42 documented five skills that stayed unblocked and active between February and May 2026 by defeating that scan rather than hiding from it. One inflated its README file to roughly 22 megabytes of padding so it would exceed the scanner's size threshold and get skipped entirely. Others kept their packaged code clean and pulled the actual payload at runtime from paste sites such as glot.io and rentry.co, so whatever the scanner saw at submission was never the code that ran.

This is the failure mode of every submission-time security gate, and it is worth saying plainly: a scan is a snapshot. A skill that downloads its real behavior after approval defeats any one-time check by design, the same pattern behind backdoors that only fire under the right conditions and packages that turn hostile a day after they pass inspection. A green badge from ClawHub tells you the skill looked safe when it was submitted, not that it is safe when it runs.

The newer twist: the agent becomes the fraud operator

The detail that makes this research matter beyond OpenClaw is what Unit 42 calls agentic financial fraud. Two of the skills did not steal anything in the classic sense. They used the agent's authority to act.

One, a money-radar skill, pulled product data from an attacker-controlled domain and injected affiliate links into the recommendations the agent gave its user, so the operator could quietly steer financial advice after install. Another, letssendit, coordinated AI agents to pool the Solana cryptocurrency into the operator's wallet and run a pump-and-dump on meme tokens. The victim's own agent placed the trades.

That is a different category from a stealer, and defenders should treat it as one. The trust boundary moves from "is this file malicious" to "is this instruction, handed to my own agent, actually in my interest." When the agent is the actor, the question a detection program has to answer is no longer what got installed, but what the agent is doing and who it is talking to.

The original campaign is the context

None of this came from nowhere. In early February 2026, Koi Security audited ClawHub and found 341 malicious skills among the 2,857 then available, and pinned 335 of them on one operator it named ClawHavoc. Those skills disguised themselves as crypto wallets, trading bots, and video utilities, used typosquatted names, and tricked users into running a "prerequisite" step, a password-protected archive on Windows or a shell command on macOS, that delivered Atomic macOS Stealer and similar credential thieves. The campaign leaned on always-on machines, including the Mac minis people use to host agents, which is exactly where OpenClaw lives. Unit 42's June findings show the same operators adapting after the cleanup, and macOS infostealer payloads, the cluw and AMOS families, are still in the mix, the same class of macOS credential stealers aimed at AI hosts we have tracked elsewhere.

What to do if you run OpenClaw

Treat installed skills the way you treat npm dependencies or browser extensions, because that is what they are: third-party code with local access. Concretely:

  • Inventory and prune. List every skill installed on every agent host, remove anything you did not deliberately choose, and pin the versions of what stays. A skill you forgot you installed is the one that updates into a payload.

  • Stop trusting the store badge. A passing ClawHub or VirusTotal scan is not proof of safety. The padding trick beat both. Review what each skill can read and run before you keep it.

  • Watch egress, not just installs. Alert when an agent host reaches unknown webhooks or paste sites like glot.io and rentry.co, and block the command-and-control address Unit 42 named, 91.92.242[.]30. Runtime network behavior is where a post-approval payload shows itself.

  • Protect the agent's secrets. Skills reaching for the bot's stored credentials and environment file, then sending data outbound, is the credential-theft pattern. Restrict what skills can read and monitor access to those files. This is the same lesson as plugins that quietly steal AI API keys: the extension you trusted is the one reading your tokens.

  • Question the agent's actions. Because an agent acts with real authority on your machine, an agent that starts placing trades, editing recommendations, or moving funds is an alert in its own right, regardless of which skill is behind it.

The marketplace scanner was never going to be enough. Once your defense covers what the agent does at runtime instead of only what it installed, the agentic-fraud skill and the next padding trick both lose their cover.

Topics
AI & LLM securitySupply-chain attacksMalware & C2

Frequently asked questions

What is OpenClaw and ClawHub?

OpenClaw is a self-hosted AI assistant that runs continuously and acts through messaging apps and scheduled jobs. ClawHub is its official public marketplace of installable skills, the add-ons that extend what the agent can do, often described as an app store for AI agents.

What did Unit 42 find on June 23, 2026?

Unit 42 reported that malicious skills are still active on ClawHub months after a February cleanup. Five evaded the store scanner, stole credentials, delivered macOS infostealers, and in two cases hijacked the AI agent itself to run cryptocurrency fraud.

How did the malicious skills evade ClawHub's scanner?

One skill padded its README file to about 22 megabytes so it exceeded the scanner's size threshold and was skipped. Others kept clean packaged code and downloaded the real payload at runtime from paste sites, so the scanner never saw the malicious code.

What is agentic financial fraud in this case?

It means the skill used the agent's own authority to act, rather than just stealing data. One skill injected affiliate links into the agent's recommendations; another coordinated agents to pool Solana cryptocurrency into the operator's wallet and run a pump-and-dump on meme tokens.

What should OpenClaw users do now?

Inventory every installed skill, remove anything you did not deliberately choose, and pin versions. Do not treat a passing store scan as proof of safety. Monitor outbound network traffic from agent hosts, and protect the bot's stored credentials and environment files.

Are macOS or Windows users affected?

Both. The earlier ClawHavoc campaign delivered malware on Windows through password-protected archives and on macOS through shell commands, including the Atomic macOS Stealer. Unit 42 reports macOS infostealer payloads, the cluw and AMOS families, are still involved in the current activity.

Keep reading
Security news

A new flaw lets attackers take over Quest NetVault backup servers, login or not

CVE-2026-7570 is a SQL-injection-to-remote-code-execution flaw in Quest NetVault Backup, rated 8.8. The login can be bypassed. Quest fixed it in 14.0.2.

Noam Alum · Jun 24, 2026
Security news

Police seized the malware that stole 27 million passwords. The passwords still work.

Operation Endgame seized the servers behind the Amadey and StealC malware, but the 27 million credentials they already stole stay valid until you rotate them.

Suriq's Jack · Jun 24, 2026
Security news

The free plugin was clean. The paid update is what backdoored these WordPress sites.

Backdoored ShapedPlugin Pro updates stole admin logins and 2FA seeds from WordPress sites between April and June 2026. A password reset alone will not clear it.

Noam Alum · Jun 24, 2026

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.

Request access Meet the clan