Unit 42 Finds Evasive Malicious Skills on OpenClaw's ClawHub Marketplace Targeting AI Supply Chain
Palo Alto Networks' Unit 42 discovered five malicious skills on OpenClaw's ClawHub marketplace that bypassed automated scanners to deploy infostealers and execute agentic financial fraud, revealing persistent AI supply chain risks.
Palo Alto Networks' Unit 42 has uncovered a new wave of malicious AI agent skills on OpenClaw's ClawHub marketplace that evaded both VirusTotal and ClawScan detection, highlighting an emerging threat in the AI software supply chain. Between February and May 2026, researchers identified five unblocked skills that deployed macOS infostealers, used evasion techniques like inflated file sizes to bypass scanner thresholds, and introduced novel agentic threats including runtime affiliate injection and front-running for financial gain. The findings, published on June 23, 2026, underscore how AI agent ecosystems create a fundamentally different attack surface compared to traditional package registries like npm or PyPI.
OpenClaw is an AI agent that executes third-party skills from ClawHub, its dedicated marketplace. Skills are markdown-driven packages with broad local system access, making ClawHub a critical link in the agentic software supply chain. Unlike conventional malware that faces limitations from language runtimes or containers, malicious skills use semantic instruction hijacking to exploit the agent's operational context, including file systems, shells, and credential managers, without requiring a conventional exploit. The lack of isolation between skill logic and agent authority means installation results in complete control over the agent's identity, allowing unauthorized actions through the agent's own authenticated sessions.
The five malicious skills represent three distinct threat categories. Two skills delivered macOS infostealers that connected to command-and-control infrastructure, indicating persistent threat actor activity. One skill employed an inflated file size to exceed scanner thresholds, bypassing both ClawScan and VirusTotal detection. Two skills represented agentic threats: runtime agentic affiliate injection and agentic front-running, both novel techniques used by the skill authors for financial gain. Unit 42 reported all five skills to ClawHub for takedown, and OpenClaw banned the associated accounts and deleted the skills.
This discovery follows earlier campaigns documented in February 2026, when Bitdefender Labs reported that approximately 17% of OpenClaw skills analyzed in the first few weeks of the platform's release carried malicious payloads. Koi Security's ClawHavoc disclosure documented 341 malicious skills, and Trend Micro separately confirmed skills distributing Atomic macOS stealer (AMOS) malware across the marketplace. Those early findings prompted ClawHub to integrate VirusTotal and ClawScan for proactive screening. However, Unit 42's analysis shows that these measures have not been sufficient to stop determined attackers.
Notably, the AMOS dropper infrastructure from earlier campaigns remains active more than three months after first public disclosure, with the C2 server at 91.92.242[.]30 continuing to receive new skill deliveries. The early campaigns featured techniques such as Base64-encoded curl-pipe-bash droppers, platform-specific delivery via paste-site redirects, persistence through auto-updaters with cron job registration, alternative exfiltration channels using the Telegram Bot API for cryptocurrency private keys, and registry saturation by a single publisher account.
In response to the ongoing threat, OpenClaw has announced a partnership with NVIDIA to provide documentation of what each skill does and to run NVIDIA's analysis tool on all skills. This collaboration, announced on June 1, 2026, aims to strengthen the vetting process for the marketplace. Palo Alto Networks customers are protected through products including Koi Agentic Endpoint Security, Advanced URL Filtering, Advanced DNS Security, Prisma Browser, Advanced WildFire, and Cortex XDR and XSIAM.
The findings from Unit 42 underscore a critical gap in AI agent supply chain security. While traditional software supply chain attacks rely on compromising distribution vectors or spoofing dependencies, AI agent ecosystems alter this paradigm by allowing attackers to weaponize the agent's own natural language interpretation capabilities. As AI agents become more integrated into enterprise workflows, the security community must develop new detection and prevention mechanisms that address the unique risks posed by agentic AI systems, including semantic instruction hijacking and the lack of isolation between skill logic and agent authority.