February 5, 2026 A security researcher at Koi named Oren Yomtov has uncovered a widespread malware operation embedded inside an AI bot skill marketplace. He revealed how attackers are exploiting trust in emerging agent ecosystems to steal credentials and gain full system access.
The findings come after concerns were raised about the safety of third-party “skills” distributed through ClawHub, a popular repository for extensions used by OpenClaw-based AI bots.
After auditing all 2,857 skills listed on the platform, the researchers identified 341 malicious entries. Of those, 335 were linked to what appears to be a single coordinated campaign, which the team has named ClawHavoc. The remaining six used distinct techniques but achieved similar outcomes: credential theft, remote access or persistent compromise.
ClawHub had grown rapidly, attracting thousands of skills that promise everything from crypto wallet tracking to YouTube summaries and Google Workspace integrations. The investigation found attackers took advantage of that growth, using professional-looking documentation and familiar tool names to disguise malware.
In most cases, the malicious skills did not contain obvious harmful code. Instead, they instructed users to install “prerequisites,” often via password-protected ZIP files on Windows or obfuscated shell scripts on macOS. Those files delivered trojans designed to evade antivirus scanning and execute once users followed the instructions.
On macOS, Yomtov traced the attack chain to payloads matching Atomic macOS Stealer, a commercial malware-as-a-service tool sold on Telegram. Once installed, the malware can harvest browser data, keychain passwords, cryptocurrency wallets, SSH keys and personal files, then quietly exfiltrate the data to attacker-controlled servers.
Other skills used even simpler tactics. In two cases, a hidden backdoor was buried deep inside otherwise functional code, triggering a reverse shell during normal use. Another skill, disguised as a weather tool, simply read the bot’s configuration file and sent its contents to a public webhook service.
Yomtov said crypto users were the primary targets. More than 100 malicious skills focused on Solana, Ethereum gas tracking, Phantom wallets and prediction markets such as Polymarket. But the campaign also expanded into productivity tools, including fake integrations for Gmail, Google Drive and calendars, increasing the risk of corporate data exposure.
What makes the incident especially concerning, the researcher said, is the level of access granted to AI bots. Users routinely connect OpenClaw bots to email, messaging apps, documents and financial accounts. A compromised skill does not just leak data — it can act on it.
The findings echo patterns seen in other developer ecosystems such as npm, PyPI and browser extension stores, where attackers rely on typosquatting, social engineering and scale rather than sophisticated exploits. In this case, the attack surface is larger, as AI agents often have broader permissions than traditional extensions.
The Koi team reported the malicious skills to ClawHub’s security team and shared a full removal list. They also released a defensive tool called Clawdex, designed to scan skills before and after installation and flag those linked to known campaigns.
