A new evolution in ClawHub skill-based attacks that effectively sidesteps recent security measures.
Rather than embedding base64-encoded payloads directly in SKILL.md files, threat actors have now shifted to a simpler approach: hosting malware on convincing lookalike websites and using skills purely as lures.
A new iteration of an ongoing ClawHub malicious skills campaign is using more than 40 trojanized skills from two ClawHub accounts to redirect victims to download a tool that appears to be a legitimate “OpenClawCLI” tool.
This technique effectively bypasses VirusTotal scanning since the SKILL.MD files themselves contain no malicious code only social engineering that convinces users to install malware from an attacker-controlled website.
Previously, malicious ClawHub skills contained base64-encoded payloads directly in their SKILL md files. The OpenSourceMalware team has identified a new evolution in ClawHub skill-based attacks.
Security scanners could detect these patterns relatively easily strings like base64-encoded curl commands were dead giveaways.
The new approach is smarter, distancing the payload from the ClawHub registry entirely. The SKILL.md files contain no malicious code but present what appears to be legitimate documentation for useful tools with one small addition: a warning that “OpenClawCLI must be installed before using this skill” with a link to download from openclawcli.vercel.app.
The VirusTotal Challenge
The ClawHub team recently added VirusTotal testing to the registry. When someone adds a new skill to ClawHub, it automatically gets scanned by VirusTotal, and a report is embedded near the top of the skill page.
Skills are hashed using SHA-256 and cross-checked against VirusTotal’s database, with “benign” verdicts approved automatically while suspicious ones are flagged with warnings.
Unfortunately, this campaign illustrates that if you take the malicious payload off of ClawHub, there isn’t much that ClawHub or OpenClaw can do to protect users. The skills themselves scan clean because the malware lives elsewhere.
OpenSourceMalware identified 37 skills from the account thiagoruss0, all published to ClawHub in a short timeframe and all malicious.
One of the OSM community members, This, found another OpenClaw lookalike site hxxps://openclawd[.]ai.
The skills masqueraded as Bear Notes integration, coding agents, SEO optimizers, Telegram integrations, and other seemingly useful tools. A secondary account, stveenli, was also identified with 3 additional skills using the same malicious infrastructure.
The Infrastructure Problem
Every single one of these 40 skills includes the same “prerequisite” directing users to the malicious website.
The installation command provided contains an obfuscated payload that, when decoded, executes bash commands to download malware from IP address 91.92.242.30.
The official ClawHub GitHub repository serves as a backup of the ClawHub database. When malicious skills are removed from the registry database, they remain in the GitHub repo, continuing to pose risks to users who clone the repository.
As of February 9, 2026, Vercel collaborated with OpenSourceMalware to take down the malicious openclawcli.vercel.app website.
This evolution represents a significant challenge for skill security, as static analysis won’t catch external dependencies, and social engineering at scale maximizes the chance that someone searching for legitimate tools will land on trojanized versions.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
