Palo Alto Networks’ Unit 42 threat research team published analysis on June 23 identifying five malicious skills on OpenClaw’s ClawHub marketplace that evaded existing security scans between February and May 2026. Two of the five represent a category shift in agent threats: from data theft and system compromise to direct financial exploitation.

Three Threat Categories, Two of Them New

Unit 42 categorized the five skills into three distinct threat types:

Infostealers: Two skills delivered macOS infostealers with active command-and-control infrastructure, indicating persistent threat actor campaigns rather than one-off experiments.

Evasion: One skill used inflated file sizes to exceed scanner thresholds, bypassing both ClawScan and VirusTotal detection. The technique is straightforward but effective against automated screening.

Agentic financial threats: Two skills exploited agent autonomy for financial gain through techniques Unit 42 classifies as novel. The first, agentic front-running, enables agents to act on market information before human competitors can process it. The second, affiliate injection, redirects financial transactions to attacker-controlled accounts during agent-mediated purchases or transfers.

The financial threat category matters because it represents agents being weaponized for economic gain rather than traditional malware objectives. Infostealers extract data. Front-running and affiliate injection extract money directly, using the agent’s speed and autonomy as the attack vector.
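A marketplace-side check for the size-inflation evasion described above, as an added example that is not code from Unit 42, ClawHub or any scanner vendor: a file too large for the scanner is held or rejected rather than passed as clean, and is flagged as padded when a trailing run of one byte or a high compression ratio accounts for the excess. The size limit, the ratio threshold, the file names and the idea that the filler is compressible are all assumptions made for illustration.

```python
import zlib

# Assumed values for illustration, not ClawScan's or VirusTotal's real limits.
SCANNER_MAX_BYTES = 1_000_000
MAX_COMPRESSION_RATIO = 20.0  # raw/compressed above this suggests filler

# Constructed sample skill: a short script inflated past the limit with NULs.
SAMPLE = {
    "README.md": b"# demo skill\n",
    "run.sh": b"#!/bin/sh\necho hi\n" + b"\x00" * (SCANNER_MAX_BYTES + 1),
}


def trailing_run(data):
    """Length of the run of one repeated byte value at the end of the file."""
    return len(data) - len(data.rstrip(data[-1:])) if data else 0


def compression_ratio(data):
    """Raw size over zlib-compressed size; repetitive filler scores very high."""
    return len(data) / len(zlib.compress(data, 6)) if data else 1.0


def triage_file(data, limit=SCANNER_MAX_BYTES):
    """Decide what happens to one file before it reaches the scanner."""
    size = len(data)
    if size <= limit:
        return {"verdict": "scan", "size": size}
    # Oversized: the scanner would skip this file, so it must never count as
    # clean. Padding is inferred if the real content would have fit the limit.
    run = trailing_run(data)
    padded = size - run <= limit or compression_ratio(data) > MAX_COMPRESSION_RATIO
    verdict = "reject-padded" if padded else "hold-unscanned"
    return {"verdict": verdict, "size": size, "trailing_padding": run}


def triage_skill(files, limit=SCANNER_MAX_BYTES):
    """A skill is publishable only if every file in it was actually scannable."""
    results = {name: triage_file(blob, limit) for name, blob in files.items()}
    publishable = all(r["verdict"] == "scan" for r in results.values())
    return {"publishable": publishable, "files": results}


if __name__ == "__main__":
    for name, r in triage_skill(SAMPLE)["files"].items():
        print(name, r)
```

Files that land in `hold-unscanned` are large without being obviously padded, so they need a scanner that can handle the full size or a manual review before publication.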

ClawHub’s Security Evolution

The findings follow ClawHub’s integration of VirusTotal and ClawScan screening earlier in 2026, prompted by initial malicious skill discoveries that Unit 42 published in February. The five newly identified skills all evaded those defenses.

OpenClaw responded by banning the associated accounts and deleting all five skills. The company is also collaborating with NVIDIA to document skill capabilities and run NVIDIA’s analysis tooling across the registry. This follows the scope-squatting campaign that Manifold Security discovered earlier in June, where 23 plugins were published under unauthorized @openclaw/ and @clawhub/ scopes.

Financial Agents as Attack Surface

The agentic front-running finding arrives as financial services firms increase agent deployments. Robinhood reported 50,000 agentic trading accounts opened in its first weeks of launch. RightCapital launched Iris, an AI agent for financial advisor workflows. Agents with access to market data, transaction execution, and financial account credentials represent a higher-value target than agents managing calendars or writing emails.

Unit 42’s analysis establishes that the threat is not theoretical. Skills that exploit agent speed for financial advantage have already appeared in the wild, been published to ClawHub, and operated without detection for months. The supply-chain trust model that makes agent skill marketplaces useful also makes them a distribution channel for financial attacks.