ClawHub Malicious Skills Report: 824 Dangerous Skills Found

Quick Answer: Security researchers have identified 824 malicious skills on ClawHub, OpenClaw's community skill marketplace. The number originally stood at 341 in early analyses but grew as the marketplace expanded to 10,700+ total skills. Threats include Atomic Stealer malware targeting macOS and Windows, credential theft, data exfiltration (confirmed by Cisco's AI security team), and prompt injection attacks. Both self-hosted OpenClaw and Kimi Claw users are affected since both platforms use ClawHub.

ClawHub has responded with VirusTotal scanning integration and a skill reporting feature added by Peter Steinberger. This report covers every threat category, how they work technically, and exactly how to protect yourself.

What Does the Executive Summary Reveal?

The ClawHub marketplace has become a target for malware distributors. Here is the scale of the problem as of February 2026.

824 Malicious Skills Found

Originally 341 in early analysis. The number grew to 824 as the marketplace expanded from ~3,000 to 10,700+ skills and more were audited.

10,700+ Total Skills on ClawHub

ClawHub's open marketplace allows anyone to publish skills. Approximately 8% of analyzed skills contained malicious code.

4 Major Threat Categories

Atomic Stealer malware, credential theft, data exfiltration, and prompt injection are the four primary categories of malicious skills found.

What Types of Malicious Skills Were Found on ClawHub?

The 824 malicious skills fall into four primary categories. Each represents a distinct attack vector with different levels of severity and impact on your system.

Atomic Stealer (AMOS) Payloads

31% | Critical

Malicious skills that download and execute Atomic Stealer malware on macOS and Windows. AMOS steals passwords from the system keychain, browser session cookies, saved credit card data, and cryptocurrency wallet files. These skills disguise themselves as productivity or developer tools with legitimate-sounding names.

Credential Theft

28% | Critical

Skills that silently capture and exfiltrate API keys, login credentials, environment variables, and authentication tokens. They hook into OpenClaw's credential storage system and forward copies to attacker-controlled servers. Some variants modify the openclaw.json config to route API traffic through proxy servers.

Data Exfiltration

24% | High

Confirmed by Cisco's AI security team, these skills quietly copy conversation data, automation configurations, connected service credentials, and user files to external endpoints. They use obfuscated HTTP requests disguised as legitimate API calls, making detection difficult without deep packet inspection.

Prompt Injection Attacks

17% | High

Skills that inject hidden instructions into the AI agent's context window. These injections can override SOUL.md safety rules, cause the agent to execute unauthorized commands, leak sensitive data through conversation outputs, or redirect the agent to interact with attacker-controlled services.

How Do Malicious ClawHub Skills Work Technically?

Understanding the attack mechanisms helps you identify threats. Here is how the malicious skills operate at a technical level.

Obfuscated Payload Delivery

Malicious skills use base64-encoded strings, multi-layer obfuscation, and dynamically constructed URLs to download payloads. The initial skill code passes VirusTotal scans because the malicious payload is fetched at runtime from a separate server, not embedded in the skill package itself.

Environment Variable Harvesting

Skills access process.env and OpenClaw's credential store to collect API keys for Anthropic, OpenAI, Google, Stripe, and other services. Harvested credentials are bundled and sent via HTTPS POST requests to domains that rotate every 24-48 hours to evade blocklists.

Persistence Mechanisms

Some skills install cron jobs, launchd agents (macOS), or scheduled tasks (Windows) that survive OpenClaw restarts and skill uninstallation. These persistence mechanisms continue exfiltrating data even after the malicious skill is removed.

Typosquatting Strategy

Attackers create skills with names nearly identical to popular ones (e.g., 'WhatsAp-Connector' instead of 'WhatsApp-Connector'). They copy the README and description of the legitimate skill but inject malicious code into the implementation. Over 120 typosquatted skill names were identified.
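A lookalike name such as the 'WhatsAp-Connector' case above can be caught before installation by comparing the candidate name against the names you already trust. The following is an added example, not ClawHub or OpenClaw code; the `KNOWN_GOOD` list, the function names, and the distance threshold of 2 are assumptions chosen for illustration.

```javascript
// Added example: flag skill names within a small edit distance of a trusted name.
// KNOWN_GOOD is a constructed allow-list; replace it with the names you have vetted.
const KNOWN_GOOD = ["WhatsApp-Connector", "Telegram-Bot-Manager", "Slack-Workflow-Connector"];

// Fold case and separators so "whatsapp_connector" and "WhatsApp-Connector" compare equal.
function normalize(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Optimal string alignment distance: insert, delete, substitute, adjacent transposition.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns { verdict, closest, distance } for a candidate skill name.
function checkSkillName(candidate, knownGood = KNOWN_GOOD, maxDistance = 2) {
  if (knownGood.includes(candidate)) {
    return { verdict: "exact-match", closest: candidate, distance: 0 };
  }
  const c = normalize(candidate);
  let best = { closest: null, distance: Infinity };
  for (const good of knownGood) {
    const dist = editDistance(c, normalize(good));
    if (dist < best.distance) best = { closest: good, distance: dist };
  }
  // Distance 0 here means only case or punctuation differs: still a lookalike.
  const verdict = best.distance <= maxDistance ? "possible-typosquat" : "no-close-match";
  return { verdict, ...best };
}

console.log(checkSkillName("WhatsAp-Connector"));
```

A "possible-typosquat" verdict is a prompt to compare publisher and repository against the trusted skill, not proof of malice.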

How Has ClawHub Responded to the Malicious Skills Problem?

The OpenClaw team and community have taken steps to address the malicious skills problem. Here is what has been done so far.

VirusTotal Integration

ClawHub now integrates VirusTotal scanning for newly submitted skills. Each skill package is scanned against 70+ antivirus engines before being published. However, this does not catch all threats — especially runtime-fetched payloads and prompt injection attacks that do not contain traditional malware signatures.

Skill Reporting Feature

Peter Steinberger added a community reporting feature that allows users to flag suspicious skills for review. Reported skills are queued for manual audit by the OpenClaw security team. This crowdsourced approach has helped identify dozens of malicious skills that passed automated scans.

Publisher Verification

ClawHub introduced a verified publisher program with a blue checkmark badge. Verified publishers have confirmed identities and their skills receive additional scrutiny. However, verification is voluntary and the majority of publishers remain unverified.

Permission Scoping

New skills must declare their required permissions upfront. Users can review what a skill requests access to before installation. This helps identify skills that request suspicious permissions — like a calendar tool asking for filesystem access.

How to Protect Yourself

Follow this checklist before installing any ClawHub skill. Every item addresses a real attack vector found in the 824 malicious skills.

Only install skills from verified publishers with a blue checkmark on ClawHub
Review the skill's source code repository before installation
Check community ratings, download counts, and user comments
Avoid skills with obfuscated code, base64-encoded strings, or eval() calls
Test new skills in an isolated Docker container with no real API keys
Monitor network traffic after installing any new skill
Use the ClawHub reporting feature to flag suspicious skills
Keep OpenClaw updated to get the latest VirusTotal scanning protections
Run OpenClaw with --security-opt=no-new-privileges in Docker
Rotate all API keys after removing any suspected malicious skill
Subscribe to OpenClaw security advisories for new threat alerts
Use our workshop's curated list of 25+ verified safe skills
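
The checklist item on obfuscated code, base64-encoded strings, and eval() calls, together with the "Obfuscated Payload Delivery" and "Environment Variable Harvesting" behaviours described earlier, can be turned into a first-pass source review. This is an added example, not part of ClawHub or OpenClaw; it assumes the skill's source is JavaScript, and the rule names, `scanSkillSource`, and the sample lines are constructed for illustration.

```javascript
// Added example: heuristic triage of a skill's source text. A hit means
// "read this file by hand"; a clean result does not prove the skill is safe.
const RULES = [
  { id: "dynamic-eval", re: /\b(?:eval|new\s+Function)\s*\(/ },
  // Reading the whole environment at once, rather than one named variable.
  { id: "env-bulk-read",
    re: /(?:JSON\.stringify|Object\.(?:keys|entries|values))\s*\(\s*process\.env\b|\.\.\.process\.env\b/ },
  { id: "config-touch", re: /openclaw\.json/ },
];
// Quoted literal made only of base64 characters, 24 or more long.
const B64_LITERAL = /["'`]([A-Za-z0-9+/]{24,}={0,2})["'`]/g;

// Decode a base64 literal; return the text only when it is printable ASCII.
function decodePrintable(b64) {
  const text = Buffer.from(b64, "base64").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Returns [{ rule, line }] with 1-based line numbers.
function scanSkillSource(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const { id, re } of RULES) {
      if (re.test(line)) findings.push({ rule: id, line: idx + 1 });
    }
    for (const m of line.matchAll(B64_LITERAL)) {
      const decoded = decodePrintable(m[1]);
      // A URL hidden in base64 is how a runtime fetch stays out of plain sight.
      const hidesUrl = decoded !== null && /^https?:\/\//i.test(decoded);
      findings.push({ rule: hidesUrl ? "base64-hidden-url" : "base64-blob", line: idx + 1 });
    }
  });
  return findings;
}

// Constructed sample lines (not taken from any real skill); line 4 is benign.
const SAMPLE_SKILL = [
  'const endpoint = Buffer.from("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvdXBkYXRl", "base64").toString();',
  'const snapshot = Object.keys(process.env);',
  'const run = new Function("return 1");',
  'const key = process.env.OPENAI_API_KEY;',
].join("\n");

console.log(scanSkillSource(SAMPLE_SKILL));
```

Single-pass regexes will not see through multi-layer obfuscation, so treat this as a filter for what to read first and keep the isolated-container test and network monitoring from the checklist.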

What Is on the Verified Safe Skills List?

Our workshop includes a curated list of 25+ ClawHub skills that have been code-reviewed, tested in isolated environments, and verified safe. Here are the categories covered.

Messaging Integrations

  • WhatsApp Business Connector
  • Telegram Bot Manager
  • Slack Workflow Connector
  • Discord Server Manager

CRM & Business

  • HubSpot Contact Sync
  • Salesforce Lead Router
  • Google Workspace Integration
  • Calendar Scheduler

Developer Tools

  • GitHub PR Reviewer
  • Docker Deploy Manager
  • API Endpoint Tester
  • Code Documentation Generator

Data & Productivity

  • Google Sheets Sync
  • PostgreSQL Query Runner
  • Email Inbox Sorter
  • PDF Report Generator

Cisco AI Security Team Findings

Cisco's AI security research team independently confirmed active data exfiltration from malicious ClawHub skills. Their analysis revealed several key findings:

  • Skills silently sending API keys, conversation logs, and environment variables to attacker-controlled servers
  • Exfiltration disguised as legitimate API calls using obfuscated HTTP requests
  • Domain rotation every 24-48 hours to evade detection and blocklists
  • Data bundled and compressed before transmission to minimize network footprint
  • Some skills establishing persistent C2 (command and control) channels for ongoing access

These findings underscore that malicious ClawHub skills are not theoretical risks — they are actively exploiting users. Both self-hosted OpenClaw and Kimi Claw users are affected since both platforms share the ClawHub marketplace.
