Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

February 1, 2026

Bitdefender researchers flagged suspicious activity within the third-party skills ecosystem of OpenClaw. In a February 2026 sample, approximately 17% of skills were reportedly malicious, with many appearing to be clones under minor name variations.

Posing as utilities, some of these skills allegedly ran obfuscated commands, downloaded remote payloads, and in certain instances delivered AMOS Stealer on macOS. Other skills were observed scanning for private keys or API tokens and exfiltrating them.

Sources:
1. Bitdefender Labs Blog: Abusing OpenClaw's Skills Ecosystem – How it Works and How to Protect Yourself
2. Project Cerebellum AI Incident Database

Matched TAIM controls

Suggested mapping from embedding similarity (not a formal assessment).

Alleged deployer
unknown-threat-actors-distributing-malicious-openclaw-skills, unknown-threat-actors, unknown-malicious-actors
Alleged developer
unknown-malicious-actors, openclaw
Alleged harmed parties
organizations-using-openclaw, openclaw-users

Source

Data from the AI Incident Database (AIID). Cite this incident: https://incidentdatabase.ai/cite/1368

When citing the database as a whole, please use:

McGregor, S. (2021) Preventing Repeated Real World AI Failures by Cataloging Incidents: The AI Incident Database. In Proceedings of the Thirty-Third Annual Conference on Innovative Applications of Artificial Intelligence (IAAI-21). Virtual Conference.

We use weekly snapshots of the AIID for stable reference. For the official suggested citation of a specific incident, use the “Cite this incident” link on each incident page.