Palo Alto Networks’ Unit 42 found five malicious “skills” on ClawHub, OpenClaw’s official marketplace, delivering infostealers and fraud.
Threat actors bypassed VirusTotal/ClawScan checks with inflated file sizes and evasive techniques, showing persistent supply chain risk.
All malicious skills were removed and accounts banned; researchers urge strict provenance validation and source code audits for published packages.
ClawHub is the latest marketplace hackers are poisoning with malware in an attempt to compromise software developers and other advanced users. Earlier this week, security researchers from Palo Alto Networks’ Unit 42 team disclosed that they had found and reported five “skills” on that marketplace that sought to infect their users with infostealer malware.
First, a little context: OpenClaw (originally published as Clawd/Clawdbot) was released in November 2025. It is an open-source agent platform that performs actions on a computer, such as browsing the web or managing files, instead of simply answering questions like a chatbot. To perform different actions, OpenClaw must first learn how to do them, which is done through “skills” – add-ons that extend the agent’s capabilities.
Soon after, ClawHub was born – the official marketplace and registry for OpenClaw skills and plugins, attracting not just the AI developer community but cybercriminals as well. Early reports, published in February this year, forced OpenClaw to integrate VirusTotal and ClawScan to better protect the community and allow proactive screening of published skills.
Persistent and evasive malicious skills
However, Unit 42 says this didn’t stop threat actors, and that it has since discovered multiple “persistent and evasive malicious skills” on the platform.
In total, the researchers discovered five skills, including two that delivered the AMOS infostealer, one that came with an inflated file size to trick scanners, and two that were essentially commission fraud, abusing the fact that an AI agent can make decisions and perform actions on behalf of the user. Details on all five can be found on this link.
All five have since been reported to ClawHub, and OpenClaw had them removed and the accounts behind them banned.
Unit 42 recommends organizations use a “rigorous supply chain verification framework” to remain secure: “We identified that skill execution occurs within the agent process. This necessitates active validation of publisher provenance and a line-by-line audit of package source files.”
