Researchers found hundreds of fake crypto trading plugins in OpenClaw’s public repository delivering infostealers, exposing how unvetted open source AI skills can weaponise user-level access at scale.
An open source AI assistant ecosystem has been exploited in one of the first large-scale AI-agent supply-chain malware campaigns, after researchers discovered 386 malicious “skills” inside OpenClaw’s official ClawHub repository.
The add-ons, disguised as cryptocurrency trading automation tools, deliver information-stealing malware for macOS and Windows, harvesting exchange API keys, wallet private keys, SSH credentials and browser passwords. All samples share the same command-and-control infrastructure, 91.92.242.30, and rely on social engineering rather than software exploits. One uploader, hightower6eu, accounted for nearly 7000 downloads.
Vulnerability researcher Paul McCarty (aka 6mile) of OpenSourceMalware said the attack abuses trust in community-published plugins and weak review processes.
“no technical exploits, instead relying on social engineering and the lack of security review in the skills publication process.”
“The bad guy is asking the victim to do something, which ends up installing the malware. This is essentially the ClawHub version of ‘ClickFix’. The targeting of cryptocurrency traders suggests financial motivation and careful selection of high-value victims,” McCarthy concluded.
OpenClaw runs locally, connects to models such as Anthropic’s Claude Code and can execute shell commands with user-level privileges, increasing blast radius. App firm Infinum warned its deep permissions make it “inherently risky without strong sandboxing or guardrails.”
Diana Kelley, AI expert and CISO at Noma Security, said the model “turns a familiar supply-chain problem, trusting and running third-party plugins, into a higher-impact threat: an AI-driven operator executing actions under the user’s permissions.”
Malicious skills remain publicly available, underscoring the growing risks of unvetted open source AI extensions.
