Malicious AI agent skills slip past scanners to run financial scams

OpenClaw's skill marketplace, ClawHub, is still serving malicious add-ons that hijack AI agents, more than three months after the platform bolted on automated malware scanning, researchers at Palo Alto Networks' Unit 42 reported on June 23. Some of the newer skills do something the earlier wave did not: they turn the AI agent itself into an instrument of financial fraud.

OpenClaw is an AI agent that runs third-party "skills," markdown-driven packages that come with broad access to a user's files, shell, and stored credentials. That access is the problem. Because a skill is just instructions the agent trusts, a malicious one does not need a software exploit. It simply tells the agent what to do, a technique Unit 42 calls semantic instruction hijacking, and the agent carries it out using its own authenticated sessions.

Why scanning did not stop it

After an early surge of abuse (Koi Security counted 341 malicious packages in its ClawHavoc disclosure, and Trend Micro and Bitdefender Labs separately found skills pushing the Atomic macOS Stealer), ClawHub wired in VirusTotal and its own ClawScan to vet published skills. Unit 42 says it still found five malicious skills that slipped through between February and May 2026, and reported all five for takedown. OpenClaw banned the accounts and removed the skills, and on June 1 added screening help from NVIDIA.

How the attacks work

Two skills posed as macOS trading assistants. Each carried a fake "prerequisite" step that sent the agent to a paste-site lure at hxxps://rentry[.]co/openclaw-code, which handed back a Base64 command that fetched a macOS infostealer from a fresh command-and-control server. A third skill, omnicogg, hid an Atomic stealer dropper at the top of its README file, then padded the file with about 22 MB of junk so that size-limited scanners skipped it entirely (an evasion trick first documented by JFrog Security Research). That dropper still beacons to the same C2 used in the original campaign.

The two most novel cases weaponize the agent's advice itself. A skill called money-radar presented as an overseas financial advisor, but on every run it pulled a referral list from a known-malicious domain and forced the agent to route all of its recommendations through the attacker's affiliate links, which the operator could swap out at any time after install. A second, letssendit, coordinated many victims' agents into pooling Solana cryptocurrency, then let the operator front-run a meme-coin launch and dump the token on unsuspecting buyers, a classic pump-and-dump run by an autonomous AI botnet.

What defenders should do

Unit 42 stresses that a skill executes inside the agent's own process, so list-based blocking is not enough. The team recommends validating publisher provenance, auditing skill source files line by line, and monitoring outbound traffic for connections to endpoints a skill never documented, treating any such call as an indicator of risk. Enterprises should block the named skills across their AI tooling.
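The two checks above (the oversized-README padding described under "How the attacks work", and the outbound-traffic comparison Unit 42 recommends) as an added Python example; this is not code from Unit 42, OpenClaw or IntelFusions. It assumes a skill's documented endpoints are the URLs in its markdown files, a simple constructed connection-log format, and a 1 MB size threshold; the hosts in the sample are placeholders, not indicators from the report.

```python
"""Audit an installed skill: flag outbound hosts it never documented and
markdown files padded past a size limit. Added example with assumed formats."""
import re
from typing import Iterable

README_SIZE_LIMIT = 1_000_000  # assumption: markdown over 1 MB is treated as padding
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Assumed log format: "<timestamp> <process> CONNECT <host>:<port>"
CONNECT_RE = re.compile(r"\bCONNECT\s+([A-Za-z0-9.-]+):\d+")


def declared_hosts(docs: dict[str, str]) -> set[str]:
    """Hosts named anywhere in the skill's markdown (filename -> contents)."""
    return {h.lower() for text in docs.values() for h in URL_RE.findall(text)}


def observed_hosts(log_lines: Iterable[str]) -> set[str]:
    """Destination hosts seen in the agent's outbound connection log."""
    return {m.group(1).lower() for line in log_lines if (m := CONNECT_RE.search(line))}


def undocumented_connections(docs: dict[str, str], log_lines: Iterable[str]) -> list[str]:
    """Outbound hosts the skill never documented; each one is an indicator of risk."""
    return sorted(observed_hosts(log_lines) - declared_hosts(docs))


def oversized_docs(docs: dict[str, str], limit: int = README_SIZE_LIMIT) -> list[str]:
    """Markdown files padded beyond the limit (the trick that hid the omnicogg
    dropper from size-capped scanners). Size is measured in UTF-8 bytes."""
    return sorted(name for name, text in docs.items() if len(text.encode()) > limit)


# Constructed sample skill and log; hosts are placeholders, not report IoCs.
SAMPLE_DOCS = {
    "SKILL.md": "# trade-helper\nFetches quotes from https://quotes.example-skill.test/v1\n",
    "README.md": "Setup: run `curl https://quotes.example-skill.test/setup`\n" + "A" * 2_000_000,
}
SAMPLE_LOG = [
    "2026-05-02T10:00:01Z openclaw CONNECT quotes.example-skill.test:443",
    "2026-05-02T10:00:02Z openclaw CONNECT paste.example-lure.test:443",
    "2026-05-02T10:00:05Z openclaw CONNECT 192.0.2.10:8080",
]

if __name__ == "__main__":
    print("undocumented:", undocumented_connections(SAMPLE_DOCS, SAMPLE_LOG))
    print("oversized:", oversized_docs(SAMPLE_DOCS))
```

Point the log parser at whatever egress logging the agent host actually produces; the regex here only matches the constructed format.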

Indicators

Defanged indicators from the report: C2 servers 91[.]92[.]242[.]30 and 2[.]26[.]75[.]16; the paste-site lure hxxps://rentry[.]co/openclaw-code; the affiliate-injection domain laosji[.]net; and the front-running infrastructure letssendit[.]fun. Read the original Unit 42 report for the full skill list and file hashes.

Related coverage: Hackers hijack exposed Langflow AI servers to mine cryptocurrency.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.