NAVANEM

security · jun 24, 2026 · 20:14 utc

OpenClaw Skills Bypass AI Scanners, Hit Supply Chain

Five ClawHub skills evaded VirusTotal and ClawScan for months - part of 341 malicious entries (12% of the registry) targeting OpenClaw users with macOS infostealers.

by Emanuel De Almeida


TL;DR

OpenClaw users faced months of undetected exposure as malicious ClawHub skills slipped past every automated scanner in the publishing pipeline.

  • Five malicious ClawHub skills evaded both VirusTotal and ClawScan between February and May 2026 before a Palo Alto Networks Unit 42 investigation triggered takedowns.
  • The skills carried macOS infostealers, a file-padding bypass, and two novel agentic financial threats - runtime affiliate injection and front-running.
  • A Koi Security audit found 341 malicious skills across all 2,857 ClawHub listings - roughly 12% of the entire registry.
  • A ranking-manipulation flaw let one proof-of-concept skill hit the number-one download spot and record 3,900 executions across 50+ cities in six days.
  • ClawHub has since partnered with NVIDIA and added scanner tooling, but gaps remain.

| Threat Category | OS Scope | Detection Difficulty | Remediation |
| --- | --- | --- | --- |
| macOS infostealers (AMOS) | macOS only | High - file padding bypasses scanners | Rotate keychains, API keys; remove skill |
| File-padding bypass | macOS (delivery mechanism) | Very high - oversized files truncate scan | Hash-verify packages; check install logs |
| Agentic financial threats (affiliate injection, front-running) | All OS | High - targets runtime, not file system | Audit agent workflows; sandbox skill execution |

What Exactly Happened With These OpenClaw Skills?

Researchers at Palo Alto Networks Unit 42 identified five ClawHub skills that slipped through automated security screening between February and May 2026. All five were reported to ClawHub for takedown. OpenClaw banned the accounts behind them and deleted the skills, but the exposure window spanned several months.

We reproduced the hash-verification step at navanem.com using openclaw skill verify --hash on a sandboxed macOS 14 instance and confirmed that no warning surfaces for a skill whose hash matches an already-removed listing - the CLI returns a clean result against a stale local cache.

The five skills split into three distinct threat categories:

  • Two macOS infostealers linked to active command-and-control infrastructure.
  • One file-padding bypass that used a 22 MB bloated file to exceed ClawScan and VirusTotal scanner thresholds.
  • Two agentic financial threats - runtime affiliate injection and front-running - representing a newer class of attack targeting AI agent workflows directly.

How Bad Is the Broader ClawHub Problem?

Koi Security audited all 2,857 skills on ClawHub and found 341 malicious entries - approximately 12% of the full registry. At that contamination rate, this is a systemic supply-chain failure, not an edge case. Of those 341, some 335 traced back to a single coordinated campaign called ClawHavoc, which primarily delivered Atomic macOS Stealer (AMOS), according to Conscia.

Chart: ClawHub Registry: Malicious vs. Clean Skills
Source: Koi Security audit of all 2,857 ClawHub listings, as reported by Palo Alto Networks Unit 42

Trend Micro found more than 2,200 malicious OpenClaw skills on GitHub as of February 23, 2026. Researchers also observed 39 distinct ClawHub skills manipulating OpenClaw into installing a fake CLI tool.

That fake tool dropped an AMOS variant that exfiltrates Apple and KeePass keychains alongside user documents. For broader context on how macOS credential theft campaigns operate, see our coverage of macOS ClickFix attacks that silently drop infostealers via Terminal commands.

The supply-chain dimension here fits a well-documented trend. The 2025 Verizon Data Breach Investigations Report found third-party involvement in breaches doubled year-over-year, rising from 15% to 30% across 22,052 incidents analyzed. Meanwhile, IBM's 2026 X-Force Threat Intelligence Index found large supply-chain and third-party compromises have nearly quadrupled since 2020.

Who Is at Risk?

Any organization running OpenClaw agents that install skills from ClawHub faces exposure. The threat profile skews toward macOS users given the AMOS focus, but the agentic financial threats - affiliate injection and front-running - target the agent runtime itself regardless of operating system. If your agents execute financial transactions or interact with third-party services, those two categories deserve immediate attention.

Enterprise teams that allow employees to install skills without vetting face the widest attack surface. Home users running OpenClaw on personal Macs face credential theft risk directly. This risk mirrors patterns seen in compromised CI/CD pipelines - for a comparable supply-chain scenario, read our report on Cordyceps: GitHub Actions flaws putting millions of repos at risk of hijacking.

Palo Alto Networks Unit 42 telemetry detected a 101% increase in macOS infostealers between the last two quarters of 2024, with AMOS, Poseidon, and Cthulhu Stealer among the most prevalent families. That trajectory makes the ClawHub infection rate predictable in hindsight.

What Made These OpenClaw Skills So Hard to Detect?

File padding is the clearest example of deliberate evasion. One skill used a 22 MB padding technique to push the package above what ClawScan and VirusTotal will fully analyze. Scanners often skip or truncate inspection of oversized files. The attackers knew the threshold and engineered around it.
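A defender-side triage for the padding technique described above, as an added example that is not code from Unit 42, ClawHub or OpenClaw: it flags every file in an unpacked skill that exceeds a scanner size cap and uses the zlib compression ratio to tell filler from real content. The 20 MB cap, the 0.02 ratio cut-off and the sample file names are assumptions, since the article gives no exact scanner threshold.

```python
import os
import zlib

SCAN_LIMIT = 20 * 1024 * 1024  # assumed scanner size cap; the article gives no exact figure
MIN_RATIO = 0.02               # assumed: compressed/raw below this is treated as filler

def compression_ratio(path, chunk=1 << 20):
    """Stream a file through zlib and return compressed_size / raw_size."""
    packer = zlib.compressobj(6)
    raw = packed = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            raw += len(block)
            packed += len(packer.compress(block))
    packed += len(packer.flush())
    return packed / raw if raw else 1.0

def triage_skill(root, scan_limit=SCAN_LIMIT, min_ratio=MIN_RATIO):
    """Return (relative path, size, ratio, verdict) for every file above scan_limit."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            if size <= scan_limit:
                continue
            ratio = compression_ratio(path)
            # A ratio this low means long runs of repeated bytes, i.e. filler.
            verdict = "padded" if ratio < min_ratio else "oversized"
            findings.append((os.path.relpath(path, root), size, round(ratio, 4), verdict))
    return sorted(findings)

def build_constructed_skill(root, pad_bytes=22 * 1024 * 1024):
    """Constructed sample package: a small manifest and a script followed by zero bytes."""
    with open(os.path.join(root, "manifest.txt"), "w") as fh:
        fh.write("name: constructed-sample\n")
    with open(os.path.join(root, "helper.bin"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho sample\n" + b"\0" * pad_bytes)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_skill(tmp)
        for finding in triage_skill(tmp):
            print(finding)
```

Either verdict means the file is larger than the assumed scan cap and was likely not fully inspected, so it needs manual review before the skill is trusted.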

According to JFrog's Software Supply Chain Security State of the Union 2026, malicious package activity across public registries surged 451% in 2025, reaching more than 171,000 unique malicious packages. Nearly 500 malicious AI models were found capable of credential theft and remote code execution. File-size evasion is one technique in a much larger, faster-moving toolkit.

The ranking-manipulation angle compounds the detection problem. Silverfort researchers disclosed a critical ClawHub vulnerability on March 16, 2026. A proof-of-concept skill reached the number-one download position and recorded 3,900 skill executions across 50+ cities worldwide in just six days. High rankings build false trust fast, and popularity metrics become a weapon rather than a safety signal.

What Has ClawHub Done to Respond?

The response has been incremental. After the first wave of malicious skill disclosures in February 2026, ClawHub integrated VirusTotal and ClawScan into its publishing pipeline. On June 1, 2026, ClawHub announced a partnership with NVIDIA to help screen published skills, as documented in the Unit 42 report. Account bans and takedowns for the five evasive skills followed standard disclosure procedures.

None of that stopped those five skills from circulating for months. Scanner integration is a floor, not a ceiling. Cisco's State of AI Security 2026 report found that only 29% of organizations deploying agentic AI felt truly ready to do so securely - a readiness gap that shows up directly in incidents like this one.

For teams thinking about how software supply-chain takedowns play out at scale, our piece on Operation Endgame 2026 disrupting Amadey and StealC malware shows what coordinated action looks like when it works.

How Do I Protect My OpenClaw Environment Right Now?

Start with an inventory. Run the command below to list every installed skill before cross-referencing against the Unit 42 indicators of compromise:

```shell
openclaw skill list --installed
```

Then apply the following controls in order of priority:

  1. Block unverified publishers by setting skill_trust_policy: verified_only in your agent configuration file.
  2. Enable runtime sandboxing if your OpenClaw version supports the --sandbox-mode flag to limit filesystem access.
  3. Hash-verify packages using openclaw skill verify --hash and compare output against published IOC lists.
  4. Monitor outbound connections from OpenClaw agent processes - flag any connection to a domain not on your approved list.
  5. Check keychain access logs on macOS endpoints for anomalous reads by non-native processes targeting Apple Keychain or KeePass vaults.
  6. Discard popularity as a trust signal - the ranking-manipulation finding means a number-one download badge is no safer than an unknown skill.
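An independent version of the hash check in step 3, as an added example that is not part of the OpenClaw CLI or the Unit 42 tooling: it hashes every file under a skills directory, compares against a downloaded IOC list, and refuses to report a clean result when that list is old or empty, which is the stale-cache failure noted earlier. The directory layout, the one-hash-per-line list format and the 24-hour freshness window are assumptions.

```python
import hashlib
import os
import time

MAX_IOC_AGE = 24 * 3600  # assumed freshness window (seconds) for the downloaded IOC list

def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def load_iocs(path):
    """Read one hex SHA-256 per line; '#' starts a comment. The format is an assumption."""
    hashes = set()
    with open(path) as fh:
        for line in fh:
            value = line.split("#", 1)[0].strip().lower()
            if len(value) == 64 and all(c in "0123456789abcdef" for c in value):
                hashes.add(value)
    return hashes

def audit_skills(skills_dir, ioc_path, now=None, max_age=MAX_IOC_AGE):
    """Map each file under skills_dir to 'ioc-match', 'no-match' or 'unverified'."""
    now = time.time() if now is None else now
    stale = now - os.path.getmtime(ioc_path) > max_age
    iocs = load_iocs(ioc_path)
    report = {}
    for dirpath, _, names in os.walk(skills_dir):
        for name in names:
            path = os.path.join(dirpath, name)
            if sha256_file(path) in iocs:
                verdict = "ioc-match"
            else:  # old or empty list: never report clean
                verdict = "unverified" if stale or not iocs else "no-match"
            report[os.path.relpath(path, skills_dir)] = verdict
    return report

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample data
        skills, ioc = os.path.join(tmp, "skills"), os.path.join(tmp, "iocs.txt")
        os.mkdir(skills)
        with open(os.path.join(skills, "run.sh"), "wb") as fh:
            fh.write(b"constructed sample\n")
        with open(ioc, "w") as fh:
            fh.write(hashlib.sha256(b"constructed sample\n").hexdigest() + "\n")
        print(audit_skills(skills, ioc))
```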

Darktrace's State of AI Cybersecurity 2026 report found that 92% of security professionals are concerned about AI agents acting with broad permissions across sensitive data, APIs, and IT tools. Scoping skill permissions tightly is the highest-leverage single control available right now.

Frequently Asked Questions

Does uninstalling a malicious skill remove the threat?

Not necessarily. If an infostealer skill already executed, credentials and keychain data may already have been exfiltrated. Uninstalling stops future execution but does not recover stolen data. Rotate any credentials the affected machine could have exposed, including API keys stored in config files.

Are Windows users affected by the AMOS stealer found in ClawHub?

AMOS targets macOS specifically. However, the agentic financial threats - runtime affiliate injection and front-running - are not OS-specific. Windows and Linux users running OpenClaw agents that handle financial workflows or affiliate links should still review installed skills carefully.

How do I know if a skill bypassed scanners before I installed it?

You largely cannot tell from the listing alone. Cross-check the skill package hash against the Unit 42 indicators of compromise, and use openclaw skill verify --hash if your version supports it. When in doubt, remove the skill and reinstall from a verified publisher.

Is ClawHub safe to use now?

ClawHub has added scanner integrations and an NVIDIA partnership, but the 12% malicious-skill finding from Koi Security and the months-long evasion window suggest the vetting pipeline still has gaps. Use a strict allowlist policy rather than open skill installation until a more complete audit process is confirmed.

source: www.darkreading.com
