Palo Alto Networks found five malicious skills for the OpenClaw AI agent on ClawHub

AI-processed from 3DNews AI; edited by Hamidun News

Palo Alto Networks' Unit 42 team identified five malicious skills on the ClawHub platform — the official marketplace for the OpenClaw AI agent. Using these skills, attackers infected user devices with stealers — malware specialized in stealing passwords, session tokens, and cryptocurrency wallet data.

What is OpenClaw and ClawHub

OpenClaw is an AI agent with an open ecosystem of add-ons: developers create skills — modular components that extend agent functionality — and publish them on ClawHub for public access. In principle, this resembles Chrome Web Store or IDE plugin stores: you select the necessary tool, install it with one click, and use it. This exact model turned out to be vulnerable. Users relying on the official marketplace typically don't manually review the code of each skill — they expect the platform to have already verified the published components. Attackers exploited precisely this trust. ClawHub positions itself as a secure catalog of verified extensions — which makes what happened particularly alarming for the entire agent audience.

How the Attack Worked

On the surface, the five malicious skills looked like ordinary productivity tools. In their ClawHub descriptions, they mimicked utilities for task automation, file handling, and integration with external services, a typical set for those wanting to extend agent capabilities. After installation, the skill activated hidden code that ran in parallel with its standard functions. Unit 42's analysis documented the following stealer capabilities:

  • stealing passwords saved in browsers (Chrome, Firefox, Edge)
  • extracting cryptocurrency wallet data and seed phrases
  • intercepting cookies and active session tokens
  • collecting autofill form data
  • transmitting all collected information to attacker servers

The malware disguised itself as standard background processes of the agent, which is why standard antivirus tools had difficulty detecting it. Without specialized behavioral analysis, an infection could go unnoticed by the user for weeks.

Palo Alto Networks did not disclose the names of the compromised skills, but confirmed: all five were uploaded through the official ClawHub interface.

A New Threat Vector

Most security discussions about AI systems focus on vulnerabilities in the models themselves — jailbreaks, prompt injections, content filter bypasses. An attack through the skills ecosystem is fundamentally different: in nature it is closer to a supply chain attack on a software stack than to LLM manipulation. AI agent extension marketplaces are experiencing rapid growth with immature security mechanisms — much like browser plugin stores in the early 2010s or the npm registry before the first high-profile malicious package incidents. Attackers know how to find exactly such vulnerability windows and exploit them before the industry manages to develop protection standards.

"Users are accustomed to trusting official extension stores. Attackers exploit this trust directly," note Unit 42 analysts.

The fact that the malicious skills made it through the upload process to ClawHub indicates either the absence of automatic code verification or its successful bypass. This raises, for the entire industry, the question of verification standards for AI agent components.

What This Means

As the popularity of open AI skill ecosystems grows, the security of their marketplaces becomes a critical task, on par with the security of package registries in traditional programming. Threats to AI systems are less and less about the models themselves and more and more about their environment: plugins, integrations, ecosystems. OpenClaw users are advised to check the list of installed extensions and remove anything whose origin or behavior raises concerns.
