Five Malicious OpenClaw Skills Found on ClawHub, Including Two macOS Infostealers Distributing AMOS

Five malicious skills were discovered on ClawHub, OpenClaw’s official skill marketplace, according to TechRadar’s security reporting. The skills used three distinct attack methods: malware distribution targeting macOS, file-size inflation to evade automated scanning, and agent-level commission fraud. All five have been removed from ClawHub, and the accounts that published them have been banned.

Three Attack Categories, One Marketplace

The five skills broke down into three categories. Two distributed AMOS, a well-known macOS infostealer that harvests credentials, browser data, and cryptocurrency wallet information from Apple devices. Unlike traditional malware distribution through phishing emails or fake download pages, these skills were listed on ClawHub’s verified marketplace, giving them an implicit layer of trust that standalone downloads would not carry.

A third malicious skill used inflated file sizes to evade security scanners. Many automated scanning tools skip files above certain size thresholds to avoid performance bottlenecks, and the skill exploited that limitation to avoid detection during ClawHub’s review process.

The remaining two skills exploited agent autonomy for financial gain. They redirected financial transactions to attacker-controlled accounts through commission fraud, taking advantage of the fact that OpenClaw agents can interact with payment systems, APIs, and financial services on behalf of users. Dark Reading’s coverage characterized these attacks as a threat to the broader AI supply chain.

Why Agent Marketplaces Carry Higher Risk

The discovery highlights a security problem specific to agent skill marketplaces that differs from traditional software package registries. When a developer installs a malicious npm package, the package runs inside a sandboxed build environment with limited system access by default. When a user installs a malicious OpenClaw skill, that skill potentially gains access to the local file system, stored credentials, active API sessions, and the ability to execute code on the host machine, depending on the agent’s configuration.

That access surface makes agent skill marketplaces a higher-value target for attackers. A single compromised skill can harvest credentials from every system the agent is connected to, not just the application the user intended to interact with.

Third ClawHub Security Incident This Month

This is the third distinct security incident involving ClawHub in June 2026. On June 23, Manifold Security disclosed 23 plugins published under unauthorized @openclaw/ and @clawhub/ scopes that exploited namespace trust. The following day, Palo Alto Networks’ Unit 42 identified two novel financial attack classes specific to ClawHub, including agentic front-running and affiliate injection.

Each incident involved a different attack vector, but the pattern is consistent: ClawHub’s review and verification processes have not kept pace with the volume and sophistication of submissions to the marketplace.

Response and Remediation

ClawHub removed all five malicious skills and banned the accounts responsible after TechRadar reported the findings. The speed of removal indicates that ClawHub’s response process works once threats are flagged. The open question is detection: all five skills were identified by external security researchers, not by ClawHub’s internal scanning or review systems.

For users running OpenClaw with ClawHub skills, the immediate action is to audit installed skills against known-good publishers and review agent permissions, particularly file system access and financial service connections. The AMOS infostealer targets macOS specifically, so users on Apple devices who installed unverified skills in recent weeks should check for credential compromise.