Overview
- A Koi Security audit of 2,857 ClawHub entries identified 341 malicious skills, while OpenSourceMalware reported 386 to 400-plus uploads published from late January to early February.
- Attackers used polished documentation with fake prerequisites labeled AuthTool to trick users into running install commands on macOS and Windows hosts.
- macOS instructions pulled scripts from glot.io that fetched payloads from 91.92.242[.]30, delivering a Mach‑O binary consistent with Atomic Stealer, while Windows users were led to open a password‑protected archive named openclaw-agent.zip.
- Researchers also found reverse‑shell backdoors and exfiltration of bot credentials such as ~/.clawdbot/.env to webhook[.]site, with many skills themed around crypto tools, Polymarket bots, and YouTube utilities.
- OpenClaw introduced a user reporting system that auto‑hides skills after more than three unique reports, yet researchers say many malicious packages remain available, and Koi released a free skill‑URL scanner to help users assess risk.