Malicious OpenClaw ‘skill’ targets crypto users on ClawHubv — 14 malicious skills were uploaded to ClawHub last month

Security researchers have identified 14 malicious "skills" uploaded to ClawHub, a public registry for OpenClaw users, between January 27 and 29. These skills pretend to be crypto trading or wallet tools but actually deliver malware to users' systems. The malware targeted both Windows and macOS users and used social engineering techniques to spread. Users were tricked into running obfuscated terminal commands that fetched and executed remote scripts. The incident highlights the risks of introducing third-party code into OpenClaw's ecosystem, emphasizing the need for caution and scrutiny when installing skills from public registries.