Attack tactics used by threat actors have changed dramatically in the ClawHub ecosystem in recent years, shifting from overt to covert tactics This article explores malicious code files. . They now host these threats on convincing external websites instead of directly embedding malicious payloads into files.

By avoiding many common automated security checks that look for known code signatures, this tactical change enables them to continue a malicious campaign while remaining undetected, putting developers at serious risk of supply chain compromise. Malicious skills in earlier versions frequently included blatantly obvious encoded strings or dubious commands that were easily recognized and blocked by security scanners. The SKILL.md files used in the latest wave of attacks have no malicious code at all.

Because the files are technically harmless text files, they appear as "clean" on websites such as VirusTotal, giving users who depend on these green checkmarks to confirm security prior to installation a dangerous false sense of security. Under the guise of useful tools for SEO, coding, or video transcription services, the attackers uploaded over 40 trojanized skills, according to OpenSourceMalware analysts, using accounts like thiagoruss0. These entries are merely lures.

False transcription (Source: OpenSourceMalware) By using social engineering instead of technical exploits to compromise systems and steal private information, they take advantage of users' faith in open-source repositories and trustworthy hosting companies to divert them to a controlled environment where the infection really happens.

The Mechanism of External Hosting Infection This campaign's success is solely dependent on the "clean lure, dirty dependency" model mentioned in the report. These fake skills' documentation ingeniously states in bold that the user must install a program called "OpenClawCLI" in order to use the skill. Malware is distributed via the convincingly phony OpenClawCLI landing page (Source: OpenSourceMalware).

Using buzzwords like "Cross-platform" and "Open Source," this link takes users to a high-end website hosted on Vercel that looks entirely authentic. The website offers an installation command that looks normal on the surface but actually runs a payload that has been obfuscated.

The command conceals the actual destination using Base64 encoding, making it challenging for the typical user to perform a casual inspection. This command instantly installs malware on the victim's computer by downloading a bash script from a remote IP address (91.92.242.30). By keeping the malicious component completely isolated from the ClawHub platform until the user manually invites it in, this technique successfully gets around the repository's security measures.

Never execute installation instructions from skill documentation without first confirming the source code or the official project repository for safety. Skills with names that contain random character suffixes should raise suspicions. To stop data exfiltration, security teams should actively look for patterns involving the openclawcli domain and block the related command-and-control IP addresses right away.

To receive more immediate updates, mark ZeroOwl as a preferred source in Google and report any suspicious findings to the platform administrators.