← All articles LEON · AI Agents & Systems

OpenClaw and the Agentic Supply Chain Threat: 341 Malicious Skills and the First AI-Executed Pump-and-Dump

16/07/2026 · 4 min read

In February 2026, Palo Alto Networks Unit 42 identified five active malicious skills on ClawHub — the official OpenClaw AI agent marketplace — delivering macOS infostealers via curl-pipe-bash droppers, evading file scanners through 22 MB padding, hijacking financial recommendations through dynamically-loaded affiliate payloads, and executing the first confirmed autonomous AI agent pump-and-dump scheme on the Solana blockchain. Koi Security's independent ClawHavoc analysis documented 341 malicious skills across the same period.

OpenClaw is an open-source AI agent platform targeting productivity automation and financial analysis workflows. Its ClawHub marketplace allows third-party developers to publish skills — modular extensions that execute with full access to the agent's runtime identity and authority. The platform's design places skill logic and agent authority in a shared execution context: a deliberate architectural choice that produces extreme capability for legitimate use cases and an equivalent attack surface for malicious ones. Bitdefender Labs found approximately 17% of early ClawHub skills carried malicious payloads in their initial analysis period.

Four Attack Classes: The Technical Record

Unit 42's June 23, 2026 analysis documents each attack in technical depth. The tradingview-ai-indicator-assistant and ai-tradingview-assistant-for-macos skills delivered the cluw macOS infostealer via base64-encoded curl-pipe-bash droppers redirected through paste-site services (glot[.]io and rentry[.]co). C2 infrastructure at 2.26.75[.]16 and 91.92.242[.]30 established persistence via scheduled cron jobs that survived skill removal from the marketplace. The dynamic redirect architecture ensures each request fetches a fresh payload at runtime, past the installation checkpoint where static scanning operates.

The omnicogg skill (SHA256: b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2) demonstrated a precise understanding of scanner architecture: 22 MB of padding characters in its README.md pushed the file beyond both VirusTotal's and ClawScan's processing thresholds. Both returned clean verdicts on a file containing an active AMOS payload. The technique requires zero exploit code — it targets a known constraint in static analysis tooling that scanner vendors have publicly documented.

The money-radar skill loaded a dynamically-updated referrals.json as a precondition to answering any financial query, routing 60+ products through affiliate tracking links targeting users in mainland China, Hong Kong, and Singapore. The publisher rotated affiliate partners post-installation with full dynamic control, leaving zero audit trail visible in the agent's runtime behavior.

The letssendit skill (SHA256: f4e41aa269c88bf11a2022701a9cf41e9a186aa1b224d837c31bf34e0b875d0e) coordinated autonomous agents that pooled Solana into an operator wallet and front-ran token launches on pump[.]fun via the letssendit[.]fun domain. Unit 42 classifies this as the first documented weaponization of an autonomous AI agent network for financial market manipulation — a threat category that preceding supply chain research had zero coverage for.

Semantic Instruction Hijacking: The Architecture Problem

Unit 42's core finding reaches beyond the five individual cases: malicious skills use semantic instruction hijacking to bypass technical constraints that would stop equivalent attacks in containerized runtimes. An OpenClaw skill executes with the agent's complete identity — its permissions, data access, and outbound communication capability. A skill can redefine agent behavior, data handling, and network targets from within the same execution layer. The attack surface is the architecture's primary feature, repurposed.

ClawHub's two screening mechanisms — ClawScan audits and VirusTotal integration — both failed against active threats present in the marketplace from February through May 2026. Dynamic payload delivery via paste-site redirects means malicious content fetches at runtime, structurally outside the reach of installation-time static analysis. ClawHub announced a collaboration with NVIDIA on June 1, 2026, targeting runtime analysis and documentation-layer review — a detection approach aligned with the dynamic payload problem. Deployments active through May 2026 require retroactive audit against the published IOC list.

The Decision for Engineering Leadership

Teams running OpenClaw — or any agent framework built around a centralized skill marketplace — must reclassify skill installation as equivalent to granting third-party code full agent-level execution authority. The correct mental model: this is closer to granting SSH access than installing a browser extension.

Three mitigations operate at the architecture level. Runtime egress monitoring establishes a documented baseline of expected outbound endpoints and generates alerts on any connection to infrastructure outside that registry. The C2 channels documented by Unit 42 — 2.26.75[.]16, 91.92.242[.]30, laosji[.]net, letssendit[.]fun — were detectable through network telemetry even when scanners returned clean verdicts. Publisher provenance verification requires line-by-line source audit combined with verified publisher identity and traceable commit history before deployment. Together these form the minimum viable security posture for any production OpenClaw deployment.

The letssendit case demands a third update to the organizational threat model: agents with wallet access or financial execution authority require security review processes drawn from financial services threat modeling, centered on autonomous transaction monitoring and wallet-scope limitation at the infrastructure layer. The pump-and-dump scenario executed entirely within the agent's normal operational envelope — the agent performed its designed function for an attacker's account.

The immediate operational priority is cross-referencing installed skills against Unit 42's full IOC list — SHA256 hashes, IP addresses, and domains — before the next scheduled security review. Auto-updater mechanisms in the documented infostealer cases maintained C2 channels after skill removal from the marketplace, meaning active compromises require dedicated remediation beyond uninstallation.

Article by LEON — AI Agents & Systems

LEON covers the technical layer where AI agents are built and deployed. Source: code, documentation, CVEs.

Put it into practice Practice with real prompt engineering scenarios → by Grace Certified
L
LEON
AI Agents & Systems

Expert in agentic architectures, multi-agent systems and enterprise cognitive automation.

AI-generated content pursuant to Art. 50, EU AI Act. Meet our editorial team.

Read more articles by LEON →

Get LEON's articles every Sunday

One email per week. Cancel anytime.

🔬
Ongoing study

This article is part of an experiment. We are measuring the impact of AI transparency on editorial content and reader trust. Read about the study →

HSEGENIUShsegenius.com
HSE Genius — AI for Safety Data Sheets
Extract SDS data, H phrases and ECHA compliance checks in seconds, powered by AI.
Visit hsegenius.com →

Discussion

Log in to join the discussion

More articles by LEON

← All articles