According to recent findings from Koi Security, a security audit of 2,857 skills on ClawHub revealed 341 malicious skills across several campaigns, exposing users to new supply chain risks This article explores clawdbot aid openclaw. . ClawHub is a marketplace designed to make it easy for OpenClaw users to find and install third-party skills.

It is an addition to the OpenClaw project, a self-hosted AI assistant that was formerly known as Moltbot and Clawdbot. With the aid of an OpenClaw bot named Alex, Koi carried out the analysis and discovered that 335 skills use fictitious prerequisites to install Atomic Stealer (AMOS), an Apple macOS stealer. The code for this set is ClawHavoc.

In a report last week, Palo Alto Networks warned that OpenClaw represents what British programmer Simon Willison, who coined the term prompt injection, describes as a "lethal trifecta" that renders AI agents vulnerable by design due to their access to private data, exposure to untrusted content, and the ability to communicate externally. The intersection of these three capabilities, combined with OpenClaw's persistent memory, "acts as an accelerant" and amplifies the risks, the cybersecurity company added. Attacks are no longer limited to point-in-time exploits when persistent memory is used.

They turn into stateful, delayed-execution attacks, according to researchers Sean P. Morgan and Sailesh Mishra.