Malicious OpenClaw Skills Distribute New Atomic macOS Stealer Variant via AI Agent Manipulation
Trend Micro researchers uncovered a campaign using malicious OpenClaw skills to trick AI agents into installing a new variant of the Atomic macOS Stealer (AMOS), marking a shift from human-focused social engineering to AI agent manipulation.
Trend Micro researchers have identified a sophisticated campaign that leverages malicious OpenClaw skills to distribute a new variant of the Atomic macOS Stealer (AMOS). This marks a critical evolution in supply chain attacks: instead of deceiving humans directly, attackers now manipulate AI agentic workflows to install the first stage of the malware. The campaign, detailed in a February 23, 2026 report, uses AI agents as trusted intermediaries to trick users into executing malicious commands.
The infection chain begins with a seemingly harmless SKILL.md file that instructs the AI agent to install a fake prerequisite tool called "OpenClawCLI." The skill directs the agent to a website at openclawcli[.]vercel[.]app, which contains a Base64-encoded command that downloads and executes a Mach-O universal binary. This binary, detected as Trojan.MacOS.Amos, can run on both Intel-based and Apple Silicon Macs and is signed with an ad-hoc signature.
Once executed, the AMOS variant steals a wide array of sensitive data, including credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from Desktop, Documents, and Downloads folders. Notably, this variant also targets Apple and KeePass keychains, expanding its data exfiltration capabilities. The malware lacks system persistence and ignores .env files, focusing instead on immediate data theft.
The campaign spans multiple repositories, with threat actors uploading hundreds of malicious skills to platforms like ClawHub, SkillsMP.com, and skills.sh. Trend Micro identified 39 distinct malicious skills on ClawHub alone, which have since been taken down, though the code remains in ClawHub's GitHub repository. The skills overlap with the 341 ClawHavoc skills identified by Koi research but represent a distinct departure from established AMOS tactics.
The attack exploits differences in AI model behavior. While advanced models like Claude Opus 4.5 can identify the malicious instructions and refuse to execute them, models like GPT-4o may silently install the skill or repeatedly prompt the user to manually install the fake "driver." This human-in-the-loop dialogue box tricks users into entering their password, facilitating the infection.
Trend Micro reports that all TrendAI Managed Detection and Response (MDR) customers remain protected, and all AMOS-related domains are categorized and blocked by TrendAI Web Reputation Service. The malicious binary has 26 detections on VirusTotal and is already blocked by Trend Micro products. This campaign represents a significant shift in malware distribution, using AI agents as unwitting accomplices in social engineering attacks.
The evolution of AMOS from being distributed via cracked software to manipulating AI agentic workflows highlights the growing sophistication of supply chain attacks. As AI tools become more integrated into daily workflows, attackers are likely to continue exploiting these platforms to reach unsuspecting users. This campaign serves as a warning for both AI platform providers and users to remain vigilant against malicious skills and instructions.