OpenClaw Skill Marketplace Revealed to Contain Over 1,000 Malicious Plugins Designed to Steal SSH Keys and Wallet Private Keys
The “Trust Default” in AI Tool Ecosystems Is Becoming the Most Underestimated Attack Surface in Web3
(Background: Bloomberg: Why is a16z a Key Player Behind U.S. AI Policy?)
(Additional context: Arthur Hayes’ latest article: AI Will Trigger a Credit Collapse, and the Fed Will Ultimately “Print Unlimited” to Ignite Bitcoin)
Table of Contents
- Text Is No Longer Just Text, It’s Commands
- Moonwell’s $1.78 Million Lesson
- The Wrong Trust Default
Earlier, Cosine, founder of SlowMist, issued a warning on X: In the OpenClaw ClawHub skill marketplace, approximately 1,184 malicious skill plugins can steal users’ SSH keys, crypto wallet private keys, browser passwords, and even establish reverse shell backdoors. The top malicious skills contain 9 vulnerabilities, with thousands of downloads.
Reminder: Text is no longer just text, it’s commands. When using AI tools, always operate in an isolated environment…
Skills are very dangerous⚠️
Skills are very dangerous⚠️
Skills are very dangerous⚠️ https://t.co/GZ3hhathkE
— Cos(余弦)😶🌫️ (@evilcos) February 20, 2026
ClawHub is the official marketplace for OpenClaw (formerly clawbot), which recently gained popularity. Users install third-party extensions to enable AI agents to perform various tasks, from code deployment to wallet management.
Koi Security first exposed this attack campaign named “ClawHavoc” at the end of January, initially identifying 341 malicious skills. Later, independent security researchers and Antiy CERT expanded the scope to 1,184, involving 12 publisher accounts. One attacker, alias hightower6eu, uploaded 677 packages alone, accounting for over half of the total.
In other words, a single individual contaminated more than half of the marketplace’s malicious content, and the platform’s review mechanisms failed to stop it.
Text Is No Longer Just Text, It’s Commands
These malicious skills are not crude. They disguise themselves as crypto trading bots, Solana wallet trackers, Polymarket strategy tools, YouTube summarizers, complete with professional documentation. The real malicious payload is hidden in the “Prerequisites” section of the SKILL.md file: guiding users to copy a obfuscated shell script from an external website and paste it into their terminal.
This script downloads Atomic Stealer (AMOS), a macOS info-stealing tool costing $500 to $1,000 per month, from a command-and-control (C2) server.
AMOS scans include browser passwords, SSH keys, Telegram chat logs, Phantom wallet private keys, exchange API keys, and all files in desktop and document folders. Attackers even registered multiple variants of ClawHub domains (clawhub1, clawhubb, cllawhub) for domain impersonation, with two Polymarket-themed skills containing reverse shell backdoors.
The malicious skills’ files also embed AI prompt instructions designed to deceive the OpenClaw agent itself, causing the AI to “recommend” malicious commands to users. Cosine summarized sharply: “Text is no longer just text, it’s commands.” When using AI tools, operate in an isolated environment.
This is the core issue. When users trust AI’s suggestions, and the AI’s source is compromised, the entire trust chain breaks.
Moonwell’s $1.78 Million Lesson
In the same warning, Cosine highlighted another incident: on February 15, DeFi lending protocol Moonwell incurred $1.78 million in bad debt due to a price oracle error.
The problem stemmed from a piece of code calculating the USD price of cbETH, which forgot to multiply the cbETH/ETH exchange rate by ETH/USD, causing cbETH to be priced at about $1.12 instead of the actual $2,200. Liquidation bots swept through all positions collateralized with cbETH, resulting in approximately 2.68 million USD in losses for 181 borrowers.
Blockchain security auditor Krum Pashov traced the code’s GitHub commit, which was labeled “Co-Authored-By: Claude Opus 4.6.” NeuralTrust’s analysis precisely described the trap: “The code looks correct, compiles, and passes basic unit tests, but fails completely in the adversarial DeFi environment.”
Even more concerning, manual review, GitHub Copilot, and OpenZeppelin Code Inspector all failed to detect the missing multiplication step.
The community dubbed this incident a “Major Security Breach in the Vibe Coding Era.” Cosine’s takeaway is clear: security threats in Web3 are no longer limited to smart contracts; AI tools are becoming a new attack vector.
The Wrong Trust Default
OpenClaw founder Peter Steinberger has implemented a community reporting system, automatically hiding suspicious skills after three reports. Koi Security also released a scanning tool, Clawdex, but these are just band-aids.
The fundamental problem is that the AI ecosystem’s default setting is “trust”: trusting uploaded skills as safe, trusting AI recommendations as correct, trusting generated code as reliable. When this ecosystem manages crypto wallets and DeFi protocols, a wrong default can cost real money.
Note: VanEck’s data shows that by the end of 2025, there will be over 10,000 AI agents in crypto, expected to surpass 1 million in 2026.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
