OpenClaw ClawHub Malicious Skills Supply Chain Attack

Key Takeaways

  • Researchers reported hundreds of malicious ClawHub skills used to steal credentials and deploy malware.
  • A wave of malicious skills disguised as crypto tools appeared on ClawHub, increasing exposure risk through social engineering and local execution.
  • Attackers also pushed fake Moltbot or OpenClaw developer tooling via the VS Code Marketplace to drop malware.
  • The incidents show systemic supply chain risk in agent ecosystems where third-party “skills” run with real local access.
  • These threats extend the risk story beyond the previously documented Clawdbot MCP exposure incident.

Malicious Skills Turned Agent Extensibility Into a Malware Channel

OpenClaw’s skills ecosystem became a supply chain attack surface after researchers identified large numbers of malicious ClawHub skills and impersonation-based tooling that distributed malware and stole credentials. The attacks targeted users extending OpenClaw with third-party capabilities, where installed skills can interact with local files, the network, and sensitive tokens used in automated workflows. (The Hacker News)

What We Know

On February 2, 2026, reporting described a security audit of ClawHub skills that found hundreds of malicious skills tied to multiple campaigns, with the skills used to steal credentials and deploy malware on macOS and Windows.

Separate reporting in late January 2026 described a set of malicious skills uploaded to ClawHub that were disguised as crypto trading or wallet automation tools. These skills relied on social engineering, and the reporting describes behavior consistent with pulling remote scripts or stealing sensitive user data after installation and execution. (Tom's Hardware)

In parallel, researchers flagged a fake “Moltbot” coding assistant distributed as a Visual Studio Code Marketplace extension. The extension presented itself as an AI coding assistant but dropped malware, showing how brand confusion and agent popularity can be exploited to distribute malicious developer tooling. (TechRadar)

How the Breach Happened

This incident is best understood as an ecosystem supply chain failure across two related channels:

  1. Malicious skills in a public registry
    ClawHub made it easy for users to add capabilities quickly, but that same ease enabled attackers to publish skills that appeared legitimate and then executed untrusted logic on the host. In several reports, the “skill” workflow included instructions that nudged users into executing additional commands or accepting risky actions, turning installation into a malware delivery path.
  2. Impersonation-based tooling distribution
    Attackers used the VS Code Marketplace to distribute a fake extension impersonating Moltbot or OpenClaw functionality, dropping a malicious payload on systems where developers expected an AI assistant plugin. This highlights a classic software supply chain tactic adapted to agent ecosystems: exploit demand, then ship a lookalike.

Why It Matters

Agent ecosystems change the supply chain risk equation. “Skills” are not just libraries. They can become operational components that access files, credentials, APIs, and business data. When malicious skills propagate through a public registry, the blast radius can include credential theft, lateral movement through connected services, and compromise of developer workstations.

This matters even more for OpenClaw-style agents because agent workflows often centralize high-value secrets, such as API keys, tokens, and integration credentials. That makes the skills layer a high-leverage attacker target and turns skills marketplaces into a priority monitoring zone for defenders. (Dark Reading)

PointGuard AI Perspective

This incident highlights why securing AI agents requires securing the ecosystems they depend on, especially extensions and skills that expand an agent’s capabilities.

PointGuard AI helps teams reduce this risk by providing runtime visibility into how AI applications and agents use tools, credentials, and external integrations, making it easier to identify suspicious behavior such as unexpected data access, anomalous outbound connections, or risky tool invocation patterns.

It also helps organizations build guardrails around agent workflows so that high-risk actions, data access, and credential use can be governed with policy, rather than relying on users to manually inspect third-party skills.

Incident Scorecard Details

Total AISSI Score: 8.4/10

Criticality = 8.5, Malware distribution and credential theft via trusted ecosystem, AISSI weighting: 25%
Propagation = 8.0, Public registry and marketplace distribution channels, AISSI weighting: 20%
Exploitability = 8.0, Low friction installation and social engineering patterns, AISSI weighting: 15%
Supply Chain = 9.0, Direct compromise of agent extension ecosystem, AISSI weighting: 15%
Business Impact = 8.5, Confirmed malicious activity and theft potential, AISSI weighting: 25%

Sources

  • The Hacker News, report on hundreds of malicious ClawHub skills and credential theft campaigns (Feb 2, 2026)
  • Tom's Hardware, report on malicious OpenClaw skills targeting crypto users via ClawHub (late Jan 2026)
  • TechRadar, report on a fake Moltbot AI assistant VS Code extension dropping malware (late Jan 2026)
  • The Hacker News, report on the fake Moltbot VS Code Marketplace extension (Jan 28, 2026)
  • Dark Reading, context on OpenClaw's rapid adoption and enterprise exposure risk (Jan 30, 2026)

Scoring Methodology

Category, Description, Weight

Criticality = Importance and sensitivity of the affected assets and data. Weight: 25%
Propagation = How easily the issue can escalate or spread to other resources. Weight: 20%
Exploitability = Whether the threat is actively being exploited or only demonstrated in a lab. Weight: 15%
Supply Chain = Whether the threat originated with, or was amplified by, third-party vendors. Weight: 15%
Business Impact = Operational, financial, and reputational consequences. Weight: 25%
