OpenClaw Skill Marketplace Revealed to Contain Over 1,000 Malicious Plugins Designed to Steal SSH Keys and Wallet Private Keys
The “Trust Default” in AI Tool Ecosystems Is Becoming the Most Underestimated Attack Surface in Web3
(Background: Bloomberg: Why is a16z a Key Player Behind U.S. AI Policy?)
(Additional context: Arthur Hayes’ latest article: AI Will Trigger a Credit Collapse, and the Fed Will Ultimately “Print Unlimited” to Ignite Bitcoin)
Table of Contents
- Text Is No Longer Just Text, It’s Commands
- Moonwell’s $1.78 Million Lesson
- The Wrong Trust Default
Earlier, Cosine, founder of SlowMist, issued a warning on X: In the OpenClaw ClawHub skill marketplace, approximately 1,184 malicious skill plugins can steal users’ SSH keys, crypto wallet private keys, browser passwords, and even establish reverse shell backdoors. The top malicious skills contain 9 vulnerabilities, with thousands of downloads.
Reminder: Text is no longer just text, it’s commands. When using AI tools, always operate in an isolated environment…
Skills are very dangerous⚠️
Skills are very dangerous⚠️
Skills are very dangerous⚠️ https://t.co/GZ3hhathkE
— Cos(余弦)😶🌫️ (@evilcos) February 20, 2026
ClawHub is the official marketplace for OpenClaw (formerly clawbot), which recently gained popularity. Users install third-party extensions to enable AI agents to perform various tasks, from code deployment to wallet management.
Koi Security first exposed this attack campaign named “ClawHavoc” at the end of January, initially identifying 341 malicious skills. Later, independent security researchers and Antiy CERT expanded the scope to 1,184, involving 12 publisher accounts. One attacker, alias hightower6eu, uploaded 677 packages alone, accounting for over half of the total.
In other words, a single individual contaminated more than half of the marketplace’s malicious content, and the platform’s review mechanisms failed to stop it.
Text Is No Longer Just Text, It’s Commands
These malicious skills are not crude. They disguise themselves as crypto trading bots, Solana wallet trackers, Polymarket strategy tools, YouTube summarizers, complete with professional documentation. The real malicious payload is hidden in the “Prerequisites” section of the SKILL.md file: guiding users to copy a obfuscated shell script from an external website and paste it into their terminal.
This script downloads Atomic Stealer (AMOS), a macOS info-stealing tool costing $500 to $1,000 per month, from a command-and-control (C2) server.
AMOS scans include browser passwords, SSH keys, Telegram chat logs, Phantom wallet private keys, exchange API keys, and all files in desktop and document folders. Attackers even registered multiple variants of ClawHub domains (clawhub1, clawhubb, cllawhub) for domain impersonation, with two Polymarket-themed skills containing reverse shell backdoors.
The malicious skills’ files also embed AI prompt instructions designed to deceive the OpenClaw agent itself, causing the AI to “recommend” malicious commands to users. Cosine summarized sharply: “Text is no longer just text, it’s commands.” When using AI tools, operate in an isolated environment.
This is the core issue. When users trust AI’s suggestions, and the AI’s source is compromised, the entire trust chain breaks.
Moonwell’s $1.78 Million Lesson
In the same warning, Cosine highlighted another incident: on February 15, DeFi lending protocol Moonwell incurred $1.78 million in bad debt due to a price oracle error.
The problem stemmed from a piece of code calculating the USD price of cbETH, which forgot to multiply the cbETH/ETH exchange rate by ETH/USD, causing cbETH to be priced at about $1.12 instead of the actual $2,200. Liquidation bots swept through all positions collateralized with cbETH, resulting in approximately 2.68 million USD in losses for 181 borrowers.
Blockchain security auditor Krum Pashov traced the code’s GitHub commit, which was labeled “Co-Authored-By: Claude Opus 4.6.” NeuralTrust’s analysis precisely described the trap: “The code looks correct, compiles, and passes basic unit tests, but fails completely in the adversarial DeFi environment.”
Even more concerning, manual review, GitHub Copilot, and OpenZeppelin Code Inspector all failed to detect the missing multiplication step.
The community dubbed this incident a “Major Security Breach in the Vibe Coding Era.” Cosine’s takeaway is clear: security threats in Web3 are no longer limited to smart contracts; AI tools are becoming a new attack vector.
The Wrong Trust Default
OpenClaw founder Peter Steinberger has implemented a community reporting system, automatically hiding suspicious skills after three reports. Koi Security also released a scanning tool, Clawdex, but these are just band-aids.
The fundamental problem is that the AI ecosystem’s default setting is “trust”: trusting uploaded skills as safe, trusting AI recommendations as correct, trusting generated code as reliable. When this ecosystem manages crypto wallets and DeFi protocols, a wrong default can cost real money.
Note: VanEck’s data shows that by the end of 2025, there will be over 10,000 AI agents in crypto, expected to surpass 1 million in 2026.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Immunefi Report: Token Prices Hit Hard After Hacks, Averaging 61% Drop, With 83.9% Still Trading at Lows
Immunefi's latest security report shows that from 2021 to 2025, cryptocurrency hacking incidents have occurred frequently, with losses concentrated in a small number of major events. 191 attacks resulted in $4.67 billion in losses, with centralized exchanges accounting for 55% of losses. Following attacks, the median token price decline among 82 tokens reached 61%, and 83.9% remained below pre-attack levels. Persistent impacts include price declines and loss of user trust.
GateNews40m ago
Mini Lobster OpenClaw Goes Viral as "Hacker ATM"! Official Website Suffers Pixel-Perfect Clone Attack, Web3 Wallets Drained
The open-source AI project OpenClaw has been targeted by hackers. Recent large-scale phishing attacks aimed at developers have spread false token claim messages through GitHub's mention feature, luring users to click links and drain wallets. The founder has issued a statement warning that such behavior is fraudulent, and OpenClaw will not conduct token promotions. Additionally, there are multiple attack threats including fake installation packages and malicious plugins. Experts remind developers to remain vigilant and avoid testing plugins from unknown sources.
動區BlockTempo45m ago
Galaxy: Quantum Computing Poses Real Threat to Bitcoin but Not Urgent Crisis, Approximately 7 Million BTC in Long-Term Exposure State
Galaxy Digital's head of research Alex Thorn points out that quantum computing poses a threat to Bitcoin, but the threat is not urgent and investors need not panic. Approximately 7 million BTC are at long-term risk, but current quantum computing capabilities cannot break the encryption, and developers have already proposed multiple solutions to address the issue.
GateNews3h ago
FBI Director Admits Spending Money to Buy "Location Data" to Track American Citizens! Blasted for Trampling Fourth Amendment
FBI Director Kash Patel admitted during Senate testimony that the FBI has tracked U.S. citizens by purchasing location data without court search warrants, sparking strong criticism from Senator Ron Wyden, who argued the practice violates the Fourth Amendment and called for legislative reform to restrict such conduct. This finding reveals that the government's use of commercial data poses widespread surveillance risks.
動區BlockTempo3h ago
Husband accuses wife of stealing over 2,000 bitcoins! Judge: The plaintiff has a very high chance of winning.
The UK High Court is hearing a Bitcoin theft case in which the plaintiff accuses his wife of stealing 2,323 bitcoins and covertly recording the seed phrase through surveillance equipment. The court found the evidence disadvantageous to the defendant, including recordings and seized devices. While some claims were dismissed, the plaintiff has a very high probability of success, and the court will maintain the asset freeze order.
区块客3h ago
UK Man Accuses Ex-Wife of Stealing 2323 BTC After Divorce, Worth Approximately $238 Million
Gate News reported that on March 19, a man accused his ex-wife of stealing over 2323 bitcoins from his wallet after their divorce and transferring them to a place he cannot access, with the assets involved valued at up to 180 million pounds (approximately 238 million US dollars). Plaintiff Ping Fai Yuen has filed a lawsuit against his ex-wife Fun Yung Li at the London court over this matter. According to London court ruling documents published on March 10, since the litigation was initiated, the bitcoins involved in the case have been valued at up to 180 million pounds.
GateNews3h ago
