A new malware campaign targets users of the OpenClaw AI agent by posting malicious troubleshooting comments on legitimate skills within the ClawHub repository, tricking users into executing commands that download and install infostealer malware. The attack vector exploits the trust in user-generated content and community support features of the platform, rather than the direct upload of malicious skills. No specific CVSS score, affected versions, fixed versions, or workarounds are provided in the source article.
A new malware delivery campaign has hit ClawHub, the official online repository for “skills” that augment the capabilities of the popular OpenClaw AI agent. Unlike previous ones, this campaign does not aim to trick users into downloading a bogus, malicious skill. Instead, the threat actor is leaving this particular comment on popular legitimate skills published by others: The malicious troubleshooting comment “At first glance, this appears to be a troubleshooting suggestion. It is not. It … More → The post Fake troubleshooting tip on ClawHub leads to infostealer infection appeared first on Help Net Security .