Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

In February 2026, cybersecurity researchers at Bitdefender Labs discovered that approximately 17% of OpenClaw AI skills analyzed contained malicious behavior. OpenClaw is an open-source AI execution engine with over 160,000 GitHub stars that uses modular 'skills' (small code pieces) to automate workflows and interact with online services on behalf of users. Malicious actors created fake skills that impersonated legitimate crypto trading tools, wallet helpers, social media utilities, and productivity applications. These malicious skills used techniques like Base64 encoding to hide shell commands that downloaded additional malware payloads from external servers, particularly from IP address 91.92.242.30. The attacks specifically targeted crypto-focused workflows, with 54% of malicious skills being crypto-related, including Solana, Binance, Phantom wallet, and Polymarket tools. Some skills delivered AMOS Stealer malware on macOS systems, while others functioned as credential exfiltration tools that scanned for private keys in .mykey files and transmitted them to attacker-controlled endpoints. The malicious skills were distributed at scale through cloning and republishing under slight name variations, with one user 'sakaen736jih' associated with 199 malicious skills. Bitdefender reported that hundreds of cases have been detected in corporate environments, expanding beyond consumer impact.