Palo Alto Networks' Unit 42 identified five persistent malicious skills on the ClawHub platform between February and May 2026, all of which remained active despite the integration of VirusTotal and ClawScan in March of the same year. The case confirms that the AI agent permission model, in which installing a skill amounts to handing over the agent's complete digital identity, creates a supply-chain attack surface that lacks controls equivalent to those of established app stores or package managers.
- Unit 42 documented 5 malicious skills not blocked by VirusTotal or ClawScan between February and May 2026, with active evasion techniques on ClawHub
- The "omnicogg" skill bypassed scanner thresholds by inserting 22 MB of padding in README.md after the AMOS payload, obtaining a clean verdict from VirusTotal
- Behavioral Integrity Verification analysis of 49,943 skills detects that 80% present at least one deviation between declared capabilities and actual behavior
- C2 infrastructure at IP 91.92.242[.]30 remains operational more than three months after first public disclosure, with new skills continuing to use it
How a TradingView Skill Becomes a macOS Infostealer
The "tradingview-ai-indicator-assistant" skill illustrates the attack pattern. It ostensibly offers assistance with market indicators. In reality, according to the Unit 42 report, its README.md contains a prerequisite that redirects to rentry[.]co/openclaw-code. From there the payload is downloaded from IP 2.26.75[.]16, path /Xuvewuyur.
The payload, SHA256 hash 818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7, is classified as a macOS infostealer distinct from Atomic macOS Stealer (AMOS). The skill itself has SHA256 hash b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007.
The mechanism requires no exploitation of software vulnerabilities in the conventional sense. Unit 42 documents that malicious skills "use semantic instruction hijacking to bypass technical constraints": they abuse the agent's natural language interpretation to achieve execution in its privileged context, including file system, shell, and credential manager.
The 22 MB Padding That Fools VirusTotal
The "omnicogg" skill represents the evasive variant. The AMOS payload is placed at the beginning of the README.md file, followed by 22 MB of padding that pushes the file beyond automated scanner analysis thresholds. JFrog Security Research disclosed this technique in March 2026. The result: a clean verdict from VirusTotal and an "in review" status from ClawScan as of mid-May.
The skill's SHA256 hash is b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2. The AMOS C2 infrastructure at IP 91.92.242[.]30 was still active more than three months after first disclosure, which indicates that the operators have not abandoned the campaign despite public exposure.
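A pre-install check aimed at the padding trick described above, as an added example that is not from Unit 42, JFrog or ClawHub: it never reports an oversized documentation file as clean, and it raises the verdict when sampled chunks are repetitive filler. The 1 MiB limit, the entropy cutoff, the function names and the constructed test files are all assumptions.

```python
import math
import os
import tempfile
from collections import Counter

SIZE_LIMIT = 1 << 20   # assumed policy: documentation above 1 MiB is anomalous
CHUNK = 4096           # bytes per sample
LOW_ENTROPY = 1.0      # bits/byte cutoff (assumed); ordinary prose is around 4

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 when empty)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def audit_doc(path: str, samples: int = 16) -> str:
    """Return 'ok', 'review' (oversized) or 'block' (oversized and padded)."""
    size = os.path.getsize(path)
    if size <= SIZE_LIMIT:
        return "ok"    # small enough for a content scanner to read whole
    low = 0
    with open(path, "rb") as fh:
        # Sample evenly spaced chunks instead of reading the whole file.
        for i in range(1, samples + 1):
            fh.seek(i * size // (samples + 1))
            if entropy(fh.read(CHUNK)) < LOW_ENTROPY:
                low += 1
    # An oversized file is never reported clean: a scanner that skipped it has
    # not examined it. This heuristic only recognises repetitive filler.
    return "block" if low * 2 >= samples else "review"

def demo() -> dict:
    """Build three constructed README files (no payload) and audit them."""
    prose = b"This skill helps with chart indicators. Install, then ask.\n"
    cases = {
        "normal": prose * 20,
        "padded": prose + b" " * (2 << 20),                 # filler after the head
        "large_prose": prose * ((2 << 20) // len(prose)),   # big, but real text
    }
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name, body in cases.items():
            path = os.path.join(d, name + "_README.md")
            with open(path, "wb") as fh:
                fh.write(body)
            out[name] = audit_doc(path)
    return out

if __name__ == "__main__":
    print(demo())
```
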
The Systemic Data: 4 Out of 5 Skills Don't Do What They Declare
Unit 42's correlated research on Behavioral Integrity Verification (BIV) provides the systemic dimension of the problem. Across the 49,943 skills analyzed, 250,706 behavioral deviations were detected in total. 80.0% of skills (39,933) present at least one mismatch between declaration and actual behavior.
18.9% of classified deviations are attributable to adversarial intent, not documentation error. Of these, 60% concentrate on credential theft and espionage, followed by payload/infrastructure and agent hijacking. Financial, destructive, or social engineering threats represent less than 1%.
A specific operational data point: 5.0% of the registry, or 2,490 skills, carry multi-stage attack chains requiring mandatory security review. Of these, 88% fall into two patterns: silent credential exfiltration and instruction-override hijacking.
"The agent-skill ecosystem now stands where mobile applications and browser extensions were a decade ago. Extensibility has outpaced the supply-chain audit primitives that should gate it" — Unit 42, Palo Alto Networks
"Agentic" Threats That Manipulate the Decision Loop
Of the five malicious skills identified by Unit 42, two represent categories the report defines as "emerging financial agentic threats": runtime agentic affiliate injection and agentic front-running. Both exploit the agent's autonomous decision loop for financial manipulation.
The source does not specify whether these techniques have generated actual profits for operators. The dossier also does not document how many users or organizations installed the identified malicious skills, nor whether the 5 skills represent the entire universe of active threats in the February–May 2026 period or a sample of a broader phenomenon.
The collaboration between OpenClaw and NVIDIA, announced June 1, 2026, concerns skill documentation and automated analysis. The dossier does not specify whether this partnership has already produced concrete results in reducing malicious skills.
What to Do Now
For organizations using OpenClaw, Unit 42 indicates three priority actions based on documented patterns.
First: verify whether installed skills fall within the 5.0% of the registry with multi-stage chains. The 2,490 skills with critical deviations concentrate in two identifiable patterns — silent credential exfiltration and instruction-override hijacking — that can be flagged by auditing declared capabilities against actual behavior.
Second: treat skills with an "in review" verdict from ClawScan as untrustworthy. The "omnicogg" skill demonstrated that this status does not prevent distribution: VirusTotal returned a clean verdict despite the AMOS payload present in the file.
Third: monitor traffic to IPs 91.92.242[.]30 and 2.26.75[.]16. The AMOS C2 infrastructure remained active more than three months after disclosure, with new skills continuing to use it. The presence of connections to these addresses indicates installation of payloads documented in the report.
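One way to run the third check over connection logs, as an added example that is not part of the Unit 42 report: it refangs the two indicators given above and compares parsed addresses exactly, so look-alike addresses that a plain substring search would match are not reported. The key=value log layout, host names and sample lines are constructed assumptions.

```python
import ipaddress
import re

# Indicators exactly as published in this article, kept defanged in source.
IOCS_DEFANGED = ["91.92.242[.]30", "2.26.75[.]16"]
# Dotted quad that is not embedded in a longer number or address.
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d|\.\d)")
HOST = re.compile(r"\bhost=(\S+)")   # assumed key=value log layout

def refang(indicator: str) -> ipaddress.IPv4Address:
    """Turn a defanged indicator into a parsed address."""
    return ipaddress.IPv4Address(indicator.replace("[.]", "."))

WATCHLIST = {refang(i) for i in IOCS_DEFANGED}

def find_hits(lines):
    """Return (line_no, host, address) for each contact with a watched IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST.search(line)
        host = m.group(1) if m else "unknown"
        for text in IPV4.findall(line):
            try:
                addr = ipaddress.IPv4Address(text)
            except ValueError:
                continue              # e.g. 999.1.1.1 is not an address
            if addr in WATCHLIST:     # exact comparison, not substring match
                hits.append((n, host, str(addr)))
    return hits

C2, STAGE = (str(refang(i)) for i in IOCS_DEFANGED)
# Constructed sample log (hypothetical hosts and format), built from the
# refanged indicators so no live address is typed out here.
SAMPLE_LOG = [
    f"2026-05-14T09:01:02Z host=mac-017 dst={STAGE}:80 bytes=48211",
    f"2026-05-14T09:01:09Z host=mac-017 dst={C2}:443 bytes=9120",
    f"2026-05-14T09:03:40Z host=mac-022 dst=1{C2}:443 bytes=512",    # near miss
    f"2026-05-14T09:04:00Z host=mac-030 dst={STAGE}0:443 bytes=77",  # near miss
    "2026-05-14T09:05:12Z host=mac-031 dst=192.0.2.10:22 bytes=1300",
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```
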
The initial volume figures give the scale of the problem: Bitdefender Labs detected malicious payloads in 17% of skills in the first weeks after release, and Koi Security documented 341 malicious skills in the ClawHavoc campaign. Trend Micro confirmed skills distributing AMOS malware.
Why It Matters
The Unit 42 brief does not document specific remedial measures by OpenClaw beyond the VirusTotal and ClawScan integration already proven insufficient. The existence of cryptographic signing or provenance mechanisms for ClawHub skills is not reported.
The source does not specify whether malicious skills remain available at the time of the report; Unit 42 reports takedowns, but C2 infrastructures remain active. It is also unclear whether the BIV analysis of the 5% multi-stage skills includes or excludes the 5 skills documented in the incident report.
The methodological limit is evident: scanners designed for conventional malware — which seek binary patterns, code signatures, executable format anomalies — do not detect semantic instructions that manipulate the AI itself through natural language. "Semantic instruction hijacking" leaves no trace in the format traditional tools are built to examine.
What Remains to Be Verified
The absence of CVEs for these threats — no ZDI/GHSL advisory is detected in the dossier — reflects the nature of the problem: these are not patchable software vulnerabilities, but an architectural model where separation between skill logic and agent authority does not exist by design. "The lack of isolation between skill logic and agent authority means that installation results in complete control over the agent's identity," writes Unit 42.
The question the dossier raises but does not resolve is how far this pattern extends beyond OpenClaw. If 80% of skills present behavioral deviations in the most analyzed marketplace, the data is a warning bell for every agentic ecosystem replicating the same permission model.
The Unit 42 report does not document whether specific actors are attributable to the described campaigns. No infrastructure overlaps emerge linking the five skills to a single operator at present.
Information is based on the cited source and current as of publication.
Sources
- https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/
- https://unit42.paloaltonetworks.com/ai-agent-supply-chain-risks/
- https://blog.talosintelligence.com/a-deep-dive-into-lokibot-infection-chain/