Skip to content

OpenClaw’s ClawHub Faces Supply Chain Poisoning Threats

OpenClaw’s ClawHub faces a malware threat as hidden commands in skills steal data, showing risks in weak plugin review systems.

Profile picture of Whitney Nyantune
Posted by Whitney Nyantune
Hacking CFN News
Follow us:
Coinmarketcap Streamline Icon: https://streamlinehq.comCoinMarketCap
coinmarketcap binance
telegram twitter
  • Attackers hide malicious commands in OpenClaw skills, making normal-looking plugins steal data from users’ systems.
  • Base64 encoding masks harmful code, bypassing simple keyword detections like curl|bash, making threats harder to spot.
  • Staged delivery lets attackers update payloads quickly while keeping SKILL.md files looking safe to users and reviewers.

A major security alert has shaken the OpenClaw ecosystem, as ClawHub, its official plugin center, faces a growing supply chain poisoning threat. Security researchers at SlowMist discovered that attackers are targeting ClawHub by embedding malicious commands in seemingly legitimate skills. 

Consequently, both developers and users face potential data theft and system compromise. The attack leverages ClawHub’s weak review mechanisms, which allow harmful skills to slip past scrutiny.

As per the report, in total, Koi Security identified 341 malicious skills out of 2,857 scanned, highlighting a classic plugin market poisoning pattern. Skills in OpenClaw are structured as “skill folders” under the AgentSkills specification, with SKILL.md files serving as the core execution entry point. However, these Markdown files are not reproducible artifacts; they act more like instructions that can be directly executed. Hence, attackers can transform harmless-looking instructions into executable commands.

How the Attack Works

A prime example involves the popular “X (Twitter) Trends” skill. On the surface, it appears normal, but it hides a Base64-encoded backdoor. Base64 encoding obscures malicious commands, making SKILL.md seem like a configuration or installation guide. Consequently, coarse keyword-based defenses, such as curl|bash detection, often fail.

Once decoded, the command downloads and executes a first-stage program named q0c7ew2ro8l2cfqp from 91.92.242.30. This program subsequently retrieves a second-stage sample, dyrtvwjfveyxjf23, which performs the real malicious activity. This phased delivery reduces exposure and allows attackers to update payloads without altering the visible SKILL.md.

Dynamic analysis shows the second-stage sample masquerades as a system dialog box to steal user passwords. Valid credentials trigger local file collection from Desktop, Documents, and Downloads. Sensitive files, including txt and pdf formats, are compressed and sent to the C2 server.

Share this article

Related Articles

Kris Marszalek Unveils AI.com Platform Following Record $70M Domain Deal Price Analysis

Kris Marszalek Unveils AI.com Platform Following Record $70M Domain Deal

Illinois Introduces the Strategic Bitcoin Reserve Act to Establish State Bitcoin Holdings Price Analysis

Illinois Introduces the Strategic Bitcoin Reserve Act to Establish State Bitcoin Holdings

XRP Price Action Strengthens as ETF Inflows Rise and AIcom Deal Surfaces Price Analysis

XRP Price Action Strengthens as ETF Inflows Rise and AIcom Deal Surfaces

Bitcoin Enters Deep Bear Market Zone Despite a Google Search Trends Spike  Price Analysis

Bitcoin Enters Deep Bear Market Zone Despite a Google Search Trends Spike 

© 2026 Cryptofrontnews. All rights reserved.