OpenClaw Skill Marketplace Revealed to Contain Over 1,000 Malicious Plugins Designed to Steal SSH Keys and Wallet Private Keys
The “Trust Default” in AI Tool Ecosystems Is Becoming the Most Underestimated Attack Surface in Web3
(Background: Bloomberg: Why is a16z a Key Player Behind U.S. AI Policy?)
(Additional context: Arthur Hayes’ latest article: AI Will Trigger a Credit Collapse, and the Fed Will Ultimately “Print Unlimited” to Ignite Bitcoin)
Table of Contents
- Text Is No Longer Just Text, It’s Commands
- Moonwell’s $1.78 Million Lesson
- The Wrong Trust Default
Earlier, Cosine, founder of SlowMist, issued a warning on X: In the OpenClaw ClawHub skill marketplace, approximately 1,184 malicious skill plugins can steal users’ SSH keys, crypto wallet private keys, browser passwords, and even establish reverse shell backdoors. The top malicious skills contain 9 vulnerabilities, with thousands of downloads.
Reminder: Text is no longer just text, it’s commands. When using AI tools, always operate in an isolated environment…
Skills are very dangerous⚠️
Skills are very dangerous⚠️
Skills are very dangerous⚠️ https://t.co/GZ3hhathkE
— Cos(余弦)😶🌫️ (@evilcos) February 20, 2026
ClawHub is the official marketplace for OpenClaw (formerly clawbot), which recently gained popularity. Users install third-party extensions to enable AI agents to perform various tasks, from code deployment to wallet management.
Koi Security first exposed this attack campaign named “ClawHavoc” at the end of January, initially identifying 341 malicious skills. Later, independent security researchers and Antiy CERT expanded the scope to 1,184, involving 12 publisher accounts. One attacker, alias hightower6eu, uploaded 677 packages alone, accounting for over half of the total.
In other words, a single individual contaminated more than half of the marketplace’s malicious content, and the platform’s review mechanisms failed to stop it.
Text Is No Longer Just Text, It’s Commands
These malicious skills are not crude. They disguise themselves as crypto trading bots, Solana wallet trackers, Polymarket strategy tools, YouTube summarizers, complete with professional documentation. The real malicious payload is hidden in the “Prerequisites” section of the SKILL.md file: guiding users to copy a obfuscated shell script from an external website and paste it into their terminal.
This script downloads Atomic Stealer (AMOS), a macOS info-stealing tool costing $500 to $1,000 per month, from a command-and-control (C2) server.
AMOS scans include browser passwords, SSH keys, Telegram chat logs, Phantom wallet private keys, exchange API keys, and all files in desktop and document folders. Attackers even registered multiple variants of ClawHub domains (clawhub1, clawhubb, cllawhub) for domain impersonation, with two Polymarket-themed skills containing reverse shell backdoors.
The malicious skills’ files also embed AI prompt instructions designed to deceive the OpenClaw agent itself, causing the AI to “recommend” malicious commands to users. Cosine summarized sharply: “Text is no longer just text, it’s commands.” When using AI tools, operate in an isolated environment.
This is the core issue. When users trust AI’s suggestions, and the AI’s source is compromised, the entire trust chain breaks.
Moonwell’s $1.78 Million Lesson
In the same warning, Cosine highlighted another incident: on February 15, DeFi lending protocol Moonwell incurred $1.78 million in bad debt due to a price oracle error.
The problem stemmed from a piece of code calculating the USD price of cbETH, which forgot to multiply the cbETH/ETH exchange rate by ETH/USD, causing cbETH to be priced at about $1.12 instead of the actual $2,200. Liquidation bots swept through all positions collateralized with cbETH, resulting in approximately 2.68 million USD in losses for 181 borrowers.
Blockchain security auditor Krum Pashov traced the code’s GitHub commit, which was labeled “Co-Authored-By: Claude Opus 4.6.” NeuralTrust’s analysis precisely described the trap: “The code looks correct, compiles, and passes basic unit tests, but fails completely in the adversarial DeFi environment.”
Even more concerning, manual review, GitHub Copilot, and OpenZeppelin Code Inspector all failed to detect the missing multiplication step.
The community dubbed this incident a “Major Security Breach in the Vibe Coding Era.” Cosine’s takeaway is clear: security threats in Web3 are no longer limited to smart contracts; AI tools are becoming a new attack vector.
The Wrong Trust Default
OpenClaw founder Peter Steinberger has implemented a community reporting system, automatically hiding suspicious skills after three reports. Koi Security also released a scanning tool, Clawdex, but these are just band-aids.
The fundamental problem is that the AI ecosystem’s default setting is “trust”: trusting uploaded skills as safe, trusting AI recommendations as correct, trusting generated code as reliable. When this ecosystem manages crypto wallets and DeFi protocols, a wrong default can cost real money.
Note: VanEck’s data shows that by the end of 2025, there will be over 10,000 AI agents in crypto, expected to surpass 1 million in 2026.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Meta AI Agent Out of Control Causes Sensitive Data Leak for Two Hours, Incident Classified as Sev 1
On March 19th, Meta experienced an AI Agent runaway incident where an employee sought help on a forum after an AI Agent independently posted incorrect recommendations, resulting in unauthorized access to large amounts of data. The incident was classified as a "Sev 1" security risk, indicating this is a recurring problem the company has faced.
GateNews12m ago
Cybersecurity company warns: phishing websites impersonating Pudgy Penguins' new game are attempting to steal wallet passwords
Cybersecurity firm Malwarebytes Labs has warned that a fraudulent website pudgypengu-gamegifts[.]live is impersonating the Pudgy Penguins game in an attempt to steal users' cryptocurrency wallet passwords. The phishing site mimics the interface of legitimate wallets to deceive visitors. Users are advised to access official websites through trusted bookmarks, and to remain vigilant against social media links and wallet password prompts.
GateNews1h ago
Taipei 4 Days 3 Cryptocurrency Robberies, "Quick Withdrawal" Tactics Lure People into Trap
Taipei has experienced three cryptocurrency robbery cases in a short period of time, with criminal gangs using social media with various tactics to lure victims into meeting to exchange USDT, followed by robbery. Police remind the public that they must conduct transactions through legitimate exchanges to avoid risks. Some criminal organizations have even used AI to create fake accounts to spread false information and mislead the public into participating in illegal transactions.
MarketWhisper1h ago
OpenClaw Founder Issues Warning: CLAW Fake Airdrop Scams Incoming, GitHub Developers Targeted
OpenClaw founder Peter Steinberger warned users to be vigilant against phishing emails that impersonate GitHub notifications, luring users to click suspicious links to obtain fake tokens. The attack targets developers worldwide, with attackers using publicly available contact information for precision attacks. To prevent fraud, users should only trust information from official websites and delete any suspicious emails.
MarketWhisper1h ago
Slowmist余弦 Questions Certain CEX Requiring Users to Input Plain Text Seed Phrases Page: Baffling
Gate News reported that on March 19th, Slow Mist founder Yu Xian posted on the X platform expressing doubt about a page on a certain CEX requesting users to enter plaintext seed phrases for asset recovery. Yu Xian stated that such an unsafe practice is bewildering, and he even briefly suspected the subdomain had been hacked.
GateNews1h ago
CertiK Attends DC Blockchain Summit: Supply Chain Attacks Exceeded $1.45 Billion in 2025, Cross-Chain Bridges Become High-Value Attack Targets
At the US DC Blockchain Summit, CertiK Chief Business Officer Jason Jiang discussed crypto security and regulation, highlighting the risks of smart contract vulnerabilities and cross-chain bridges. He warned that significant supply chain attacks could occur in 2025, called for stronger regulatory frameworks to foster security cooperation, and engaged with lawmakers on market development and consumer protection.
GateNews2h ago
