17% of 3rd-Party Add-Ons for OpenClaw Used in Crypto Theft and macOS Malware
Summary:
Bitdefender Labs has uncovered a coordinated supply chain campaign, dubbed ClawHavoc, targeting the OpenClaw (formerly Moltbot/Clawdbot) AI agent framework. OpenClaw has seen explosive growth, surpassing 160,000 GitHub stars, but this popularity has made its community registry, ClawHub, a prime target for threat actors. As of February 2026, approximately 17% to 20% of the skills hosted on ClawHub were found to be malicious. These "poisoned" skills mimic legitimate automation tools—ranging from crypto-traders to Google Workspace integrations, to execute shell commands via Base64-encoded scripts. The campaign primarily distributes the Atomic Stealer (AMOS) for macOS and custom Windows trojans, specifically targeting cryptocurrency private keys, SSH keys, and browser-stored credentials. Notably, one threat actor, sakaen736jih, was linked to nearly 200 malicious skills all pointing to a single recurring command-and-control (C2) infrastructure at 91[.]92[.]242[.]30.
The Bitdefender research further breaks down the lures by category, revealing that crypto-related skills dominate the ecosystem, accounting for 54% of all malicious samples. These lures target specific high-value platforms such as Polymarket, Solana, and Phantom wallets by offering "convenience" tools like gas trackers or arbitrage bots. Beyond crypto, social media automation tools (24%) and "Auto-Updater" maintenance utilities (17%) serve as the secondary vehicles for infection. These skills often use a repeatable attack chain: once a user installs a skill, it triggers a background process that reaches out to external infrastructure like glot.io or malicious GitHub clones to pull down secondary payloads. By masquerading as necessary prerequisites or system optimizations, these skills successfully trick users into manually bypassing security prompts and granting the malware persistent access.
Security Officer Comments:
This research highlights a critical evolution in how AI-driven automation creates enterprise risk. The primary danger lies in the high-privilege execution environment required by AI agents. Unlike a standard browser extension, an OpenClaw "Skill" often demands terminal access to be effective, meaning a malicious script inherits the user's full shell permissions.
The data exfiltration techniques observed are particularly surgical: researchers found skills that perform silent background "syncs" of .mykey files and Solana private keypaths (SOLANA_KEYPAIR_PATH). This indicates that attackers are specifically mapping the technical environment of AI power users—developers, DevOps engineers, and crypto-asset managers. For organizations in the financial and energy sectors, the risk is not just "infostealing" in the traditional sense, but the potential for an attacker to hijack active sessions and API-driven automation pipelines. If a developer uses an OpenClaw agent to manage cloud deployments, a compromised skill could exfiltrate the cloud provider's API secrets or SSH keys, leading to a full-scale cloud environment breach.
Suggested Corrections:
Researchers at Bitdefender have published the following recomendations:
Treat skills like software installs, not plug-ins: If a skill runs shell commands, downloads files, or asks you to install extra tools, assume it carries real-world risk.
Be cautious with “crypto convenience” tools: Auto-traders, gas optimizers, wallet helpers, and arbitrage bots are prime targets for abuse.
Avoid skills that ask you to run external binaries: Instructions to download .exe files, run macOS install commands, or “authenticate” using separate tools should be considered red flags.
Limit where secrets live: Private keys, API tokens, and wallet credentials stored in plain text or exposed via environment variables are easy to steal once malicious code runs.
Assume public repositories can be impersonated: A familiar name, a GitHub repo, or a large number of similar skills does not guarantee legitimacy.
Isolate crypto tooling when possible: Running wallet and trading automation in separate environments reduces the impact if something goes wrong.
If a skill feels urgent or “critical,” slow down: Attackers often exploit a sense of urgency to prompt users to skip basic checks.
Link(s):
https://hackread.com/openclaw-add-ons-crypto-theft-macos-malware/
Bitdefender Labs has uncovered a coordinated supply chain campaign, dubbed ClawHavoc, targeting the OpenClaw (formerly Moltbot/Clawdbot) AI agent framework. OpenClaw has seen explosive growth, surpassing 160,000 GitHub stars, but this popularity has made its community registry, ClawHub, a prime target for threat actors. As of February 2026, approximately 17% to 20% of the skills hosted on ClawHub were found to be malicious. These "poisoned" skills mimic legitimate automation tools—ranging from crypto-traders to Google Workspace integrations, to execute shell commands via Base64-encoded scripts. The campaign primarily distributes the Atomic Stealer (AMOS) for macOS and custom Windows trojans, specifically targeting cryptocurrency private keys, SSH keys, and browser-stored credentials. Notably, one threat actor, sakaen736jih, was linked to nearly 200 malicious skills all pointing to a single recurring command-and-control (C2) infrastructure at 91[.]92[.]242[.]30.
The Bitdefender research further breaks down the lures by category, revealing that crypto-related skills dominate the ecosystem, accounting for 54% of all malicious samples. These lures target specific high-value platforms such as Polymarket, Solana, and Phantom wallets by offering "convenience" tools like gas trackers or arbitrage bots. Beyond crypto, social media automation tools (24%) and "Auto-Updater" maintenance utilities (17%) serve as the secondary vehicles for infection. These skills often use a repeatable attack chain: once a user installs a skill, it triggers a background process that reaches out to external infrastructure like glot.io or malicious GitHub clones to pull down secondary payloads. By masquerading as necessary prerequisites or system optimizations, these skills successfully trick users into manually bypassing security prompts and granting the malware persistent access.
Security Officer Comments:
This research highlights a critical evolution in how AI-driven automation creates enterprise risk. The primary danger lies in the high-privilege execution environment required by AI agents. Unlike a standard browser extension, an OpenClaw "Skill" often demands terminal access to be effective, meaning a malicious script inherits the user's full shell permissions.
The data exfiltration techniques observed are particularly surgical: researchers found skills that perform silent background "syncs" of .mykey files and Solana private keypaths (SOLANA_KEYPAIR_PATH). This indicates that attackers are specifically mapping the technical environment of AI power users—developers, DevOps engineers, and crypto-asset managers. For organizations in the financial and energy sectors, the risk is not just "infostealing" in the traditional sense, but the potential for an attacker to hijack active sessions and API-driven automation pipelines. If a developer uses an OpenClaw agent to manage cloud deployments, a compromised skill could exfiltrate the cloud provider's API secrets or SSH keys, leading to a full-scale cloud environment breach.
Suggested Corrections:
Researchers at Bitdefender have published the following recomendations:
Treat skills like software installs, not plug-ins: If a skill runs shell commands, downloads files, or asks you to install extra tools, assume it carries real-world risk.
Be cautious with “crypto convenience” tools: Auto-traders, gas optimizers, wallet helpers, and arbitrage bots are prime targets for abuse.
Avoid skills that ask you to run external binaries: Instructions to download .exe files, run macOS install commands, or “authenticate” using separate tools should be considered red flags.
Limit where secrets live: Private keys, API tokens, and wallet credentials stored in plain text or exposed via environment variables are easy to steal once malicious code runs.
Assume public repositories can be impersonated: A familiar name, a GitHub repo, or a large number of similar skills does not guarantee legitimacy.
Isolate crypto tooling when possible: Running wallet and trading automation in separate environments reduces the impact if something goes wrong.
If a skill feels urgent or “critical,” slow down: Attackers often exploit a sense of urgency to prompt users to skip basic checks.
Link(s):
https://hackread.com/openclaw-add-ons-crypto-theft-macos-malware/