Between February and May 2026, Unit 42 researchers tracked a threat campaign that proves the OpenClaw AI agent ecosystem has a serious trust problem. Malicious actors are publishing skills on ClawHub—the official marketplace—that bypass integrated security scanners including VirusTotal and ClawScan, deploying infostealer malware like Atomic macOS Stealer (AMOS) and a newly identified variant called "cluw" onto victim machines.
How the Attack Chain Works
The attack exploits what Unit 42 calls the 'semantic gap' in AI agent security. The technique is elegant in its simplicity: attackers publish seemingly legitimate skills—tradingview-ai-indicator-assistant and omnicogg have been identified—that include prerequisite instructions directing users to an external paste-site (hxxps://rentry.co/openclaw-code). Users are then instructed to copy a Base64-encoded command and pipe it into their terminal. This classic 'curl-pipe-bash' attack technique bypasses automated scanners because the malicious code isn't in the skill package itself—it's hosted externally. The user's own AI agent interprets these instructions as legitimate requests, executing the attack using its system privileges. This circumvents traditional security boundaries that sandbox applications on platforms like npm or PyPI. Once executed, the shell command fetches a second-stage payload from known malicious infrastructure: 91.92.242[.]30 for AMOS campaigns and 2.26.75[.]16 for cluw infections.
Why Traditional Defenses Fail Here
This campaign builds directly on earlier ClawHavoc attacks from early 2026, which led to OpenClaw implementing enhanced scanning via VirusTotal and ClawScan. Threat actors adapted by shifting malicious content off-platform. The automated scanners analyze the skill package during upload—they never see the external redirect lure or the paste-site hosted payload. It's a classic supply chain attack refactored for the unique architecture of AI agent platforms where the 'trusted' component (the skill) acts as a trojan horse for user-directed execution. The lack of robust sandboxing and permission controls for third-party skills creates what security researchers call a 'trusted pathway' directly onto user systems. When an AI agent has access to your browser sessions, cryptocurrency wallets, or system credentials, a single compromised skill grants attackers comprehensive access.
Detecting and Responding to These Threats
Security teams need monitoring strategies that extend beyond initial skill installation. EDR rules should alert when OpenClaw spawns shell interpreters (bash, sh) that initiate network connections via curl or wget. SIEM alerts should flag patterns like 'curl | bash' or 'base64 --decode | bash'. Network proxies should block outbound traffic to the identified IOCs: 91.92.242[.]30, 2.26.75[.]16, and rentry.co domains. If compromise is suspected, immediately isolate the affected host, revoke stored credentials, and initiate forensic investigation. Application allowlisting can prevent unauthorized scripts from executing, while running AI agents with least-privilege permissions and containerization limits blast radius if infection occurs.
Key Takeaways
- The attack exploits user-assisted execution through social engineering, not software vulnerabilities
- Base64-encoded commands hosted on paste-sites bypass platform-level security scanning
- Traditional sandboxing approaches fail because AI agents execute instructions using their own system privileges
- Detection requires monitoring post-installation behavior: process chains, command-line arguments, and network traffic patterns
The Bottom Line
If you're running OpenClaw in production or building skills for ClawHub, treat third-party marketplace additions with the same skepticism you'd apply to downloading executables from forums. The security model hasn't caught up with the threat landscape yet—and until it does, your best defense is treating every 'prerequisite step' as potentially malicious.