Malicious Skills Found on OpenClaw's Official Marketplace

Unit 42 researchers found five malicious OpenClaw skills on ClawHub, including two macOS infostealers that slipped past automated scanners.

Five malicious add-ons on ClawHub, OpenClaw's official skill marketplace, were caught delivering infostealer malware and running commission fraud — months after the platform added automated scanning.

Palo Alto Networks' Unit 42 disclosed this week that it found and reported five malicious "skills" on ClawHub, the registry for OpenClaw, an open-source AI agent platform released in late 2025. Two of the five skills delivered AMOS, a macOS infostealer. A third used an artificially inflated file size to confuse scanners. The remaining two abused OpenClaw's ability to act autonomously on a user's behalf to commit commission fraud. All five have since been removed and the associated accounts banned.

The finding matters because ClawHub added VirusTotal and ClawScan integration back in February, specifically in response to earlier reports of abuse — meaning attackers adapted within months. OpenClaw skills run inside the agent process itself, which gives malicious code direct access to the host system; that's a larger blast radius than a typical browser extension or package dependency. Unit 42 is recommending organizations validate publisher provenance and audit skill source code line by line before installing anything.

The playbook here is familiar: a new, fast-growing developer ecosystem opens a public marketplace, attracts bad actors, bolts on scanning after the first incident, and then watches attackers route around it. npm, PyPI, and VS Code extensions have all cycled through this pattern. ClawHub is just the newest name on the list.

The Revision

Written by an AI system from the public sources credited above.