OpenClaw Skill Marketplace Revealed to Contain Over 1,000 Malicious Plugins Designed to Steal SSH Keys and Wallet Private Keys
The “Trust Default” in AI Tool Ecosystems Is Becoming the Most Underestimated Attack Surface in Web3
(Background: Bloomberg: Why is a16z a Key Player Behind U.S. AI Policy?)
(Additional context: Arthur Hayes’ latest article: AI Will Trigger a Credit Collapse, and the Fed Will Ultimately “Print Unlimited” to Ignite Bitcoin)
Table of Contents
- Text Is No Longer Just Text, It’s Commands
- Moonwell’s $1.78 Million Lesson
- The Wrong Trust Default
Earlier, Cosine, founder of SlowMist, issued a warning on X: In the OpenClaw ClawHub skill marketplace, approximately 1,184 malicious skill plugins can steal users’ SSH keys, crypto wallet private keys, browser passwords, and even establish reverse shell backdoors. The top malicious skills contain 9 vulnerabilities, with thousands of downloads.
Reminder: Text is no longer just text, it’s commands. When using AI tools, always operate in an isolated environment…
Skills are very dangerous⚠️
Skills are very dangerous⚠️
Skills are very dangerous⚠️ https://t.co/GZ3hhathkE
— Cos(余弦)😶🌫️ (@evilcos) February 20, 2026
ClawHub is the official marketplace for OpenClaw (formerly clawbot), which recently gained popularity. Users install third-party extensions to enable AI agents to perform various tasks, from code deployment to wallet management.
Koi Security first exposed this attack campaign named “ClawHavoc” at the end of January, initially identifying 341 malicious skills. Later, independent security researchers and Antiy CERT expanded the scope to 1,184, involving 12 publisher accounts. One attacker, alias hightower6eu, uploaded 677 packages alone, accounting for over half of the total.
In other words, a single individual contaminated more than half of the marketplace’s malicious content, and the platform’s review mechanisms failed to stop it.
Text Is No Longer Just Text, It’s Commands
These malicious skills are not crude. They disguise themselves as crypto trading bots, Solana wallet trackers, Polymarket strategy tools, YouTube summarizers, complete with professional documentation. The real malicious payload is hidden in the “Prerequisites” section of the SKILL.md file: guiding users to copy a obfuscated shell script from an external website and paste it into their terminal.
This script downloads Atomic Stealer (AMOS), a macOS info-stealing tool costing $500 to $1,000 per month, from a command-and-control (C2) server.
AMOS scans include browser passwords, SSH keys, Telegram chat logs, Phantom wallet private keys, exchange API keys, and all files in desktop and document folders. Attackers even registered multiple variants of ClawHub domains (clawhub1, clawhubb, cllawhub) for domain impersonation, with two Polymarket-themed skills containing reverse shell backdoors.
The malicious skills’ files also embed AI prompt instructions designed to deceive the OpenClaw agent itself, causing the AI to “recommend” malicious commands to users. Cosine summarized sharply: “Text is no longer just text, it’s commands.” When using AI tools, operate in an isolated environment.
This is the core issue. When users trust AI’s suggestions, and the AI’s source is compromised, the entire trust chain breaks.
Moonwell’s $1.78 Million Lesson
In the same warning, Cosine highlighted another incident: on February 15, DeFi lending protocol Moonwell incurred $1.78 million in bad debt due to a price oracle error.
The problem stemmed from a piece of code calculating the USD price of cbETH, which forgot to multiply the cbETH/ETH exchange rate by ETH/USD, causing cbETH to be priced at about $1.12 instead of the actual $2,200. Liquidation bots swept through all positions collateralized with cbETH, resulting in approximately 2.68 million USD in losses for 181 borrowers.
Blockchain security auditor Krum Pashov traced the code’s GitHub commit, which was labeled “Co-Authored-By: Claude Opus 4.6.” NeuralTrust’s analysis precisely described the trap: “The code looks correct, compiles, and passes basic unit tests, but fails completely in the adversarial DeFi environment.”
Even more concerning, manual review, GitHub Copilot, and OpenZeppelin Code Inspector all failed to detect the missing multiplication step.
The community dubbed this incident a “Major Security Breach in the Vibe Coding Era.” Cosine’s takeaway is clear: security threats in Web3 are no longer limited to smart contracts; AI tools are becoming a new attack vector.
The Wrong Trust Default
OpenClaw founder Peter Steinberger has implemented a community reporting system, automatically hiding suspicious skills after three reports. Koi Security also released a scanning tool, Clawdex, but these are just band-aids.
The fundamental problem is that the AI ecosystem’s default setting is “trust”: trusting uploaded skills as safe, trusting AI recommendations as correct, trusting generated code as reliable. When this ecosystem manages crypto wallets and DeFi protocols, a wrong default can cost real money.
Note: VanEck’s data shows that by the end of 2025, there will be over 10,000 AI agents in crypto, expected to surpass 1 million in 2026.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Fantasy.top founder denies "soft Rug Pull" allegations, states investor funds were not used
Fantasy.top faces accusations from angel investors, claiming the team went silent and refused to refund $50,000, sparking "soft Rug Pull" allegations. Founder Travis Bickle countered that the company operates based on product revenue and has not used investors' funds. Several well-known investors also reported experiencing similar situations.
GateNews27m ago
Indian police arrest suspect involved in GainBitcoin Ponzi scheme at Mumbai airport
Gate News Report, March 11 — India's Central Investigation Bureau (CBI) announced the arrest of Darwin Labs co-founder and CTO Ayush Varshney at Mumbai Airport on suspicion of involvement in the GainBitcoin Ponzi scheme. It is reported that Varshney was attempting to leave India at the time. Investigations revealed that the scheme was operated by Variabletech Pte. Ltd., which attracted investors by promising high returns on crypto investments. Law enforcement officials accused Darwin Labs of developing and deploying critical technological infrastructure for the scheme, including the MCAP cryptocurrency token and ERC-20 smart contracts. Additionally, Darwin also provided technology for GBMiners.com Bitcoin mining platform, BitCoin Payment Gat
GateNews1h ago
Ledger Security Team Discovers MediaTek Processor Vulnerability That Could Lead to Wallet Mnemonic Theft
The team behind the crypto wallet Ledger has discovered a vulnerability in the secure boot chain of MediaTek processors. Attackers can extract encryption keys through physical access, affecting approximately 25% of Android phones. The vulnerability can be fixed with a patch, but it highlights the risks of storing keys on insecure devices. Users are advised to update promptly.
GateNews11h ago
AI code failure: Stop idolizing AI; Claude's coding caused a DeFi platform to lose $1.78 million
Moonwell Lending Protocol experienced a security incident on-chain due to an oracle configuration error, leading to a severe underestimation of cbETH asset prices. This event was caused by a logic error in AI-generated code, which was exploited by liquidation bots for profit. Although no traditional hacking was involved, users suffered a loss of $1.78 million. The incident highlights the oversight in AI programming review processes and emphasizes the importance of human oversight in the context of technological automation.
PANews12h ago
The Ministry of Industry and Information Technology releases OpenClaw intelligent agent security risk prevention recommendations, proposing four response strategies for financial transaction scenarios.
On March 11, the Ministry of Industry and Information Technology issued recommendations on preventing security risks associated with the open-source intelligent agent OpenClaw, emphasizing its potential risks in financial transactions. The "Six Musts and Six Don'ts" response strategy was proposed, such as implementing network isolation, secondary confirmation, and strengthening supply chain audits to prevent erroneous transactions and account hijacking.
GateNews12h ago
Aave experiences $27 million in abnormal liquidations, with 34 accounts being liquidated; the official promises full compensation
Aave experienced an abnormal liquidation on March 11th, with approximately $27 million in lending positions liquidated due to an internal security module CAPO parameter misconfiguration, resulting in a 2.85% underestimation of wstETH valuation. The liquidation affected 34 accounts, with about 10,938 wstETH forcibly closed. Chaos Labs has committed to fully compensate affected users and emphasized the need to improve risk management mechanisms. This incident highlights the risks posed by internal configuration errors within decentralized finance systems.
動區BlockTempo14h ago
