Malicious OpenClaw skills are being weaponized to coerce users into manually entering their passwords, enabling a new Atomic (AMOS) Stealer infection chain that abuses AI agent workflows as a social engineering channel.
TrendAI Research has tracked Atomic (AMOS) Stealer’s evolution from crude “cracked” macOS software lures to a refined supply chain attack abusing OpenClaw’s skill ecosystem.
In this latest wave, threat actors hide malicious instructions inside SKILL.md files, turning AI agents into trusted middlemen that request bogus “setup steps” from users.
Instead of classic prompt injection, the attackers design skills that appear legitimate to the agent, which then guides the human to complete the final, risky actions.
The campaign spans multiple skill registries, with hundreds of malicious skills uploaded to ClawHub, SkillsMP, and related sites, often posing as utilities, developer helpers, or crypto-related automations.
TrendAI reports 39 closely analyzed skills heavily overlapping with earlier ClawHavoc activity but diverging in their AMOS-focused tactics and objectives.
A more advanced model, such as Claude Opus 4.5, the model identifies such tricks and stops installing the skill.
All identified malicious skills have been removed from the primary marketplaces, though the underlying code remains accessible in public GitHub repositories, preserving the threat for self-hosted or mirrored deployments.
Malicious OpenClaw Tactics
The infection flow begins with a seemingly benign SKILL.md that declares a dependency on “OpenClawCLI” and instructs the agent to fetch it from a fake distribution site hosted on Vercel.
OpenClaw retrieves this page and encounters a Base64-encoded shell command, which, when decoded, uses curl to download and execute a remote script from an attacker-controlled IP address.
Depending on the model’s behavior, the agent may silently run the command or repeatedly nudge the user via chat to “manually install the driver,” normalizing the malicious step as a routine prerequisite.
The downloaded script drops a Mach-O universal binary (il24xgriequcys45) capable of running on both Intel and Apple Silicon, signed only with an ad-hoc signature that fails macOS security assessment checks.
If the user still insists on continuing, a crafted dialogue box mimicking a system prompt appears and asks for the user’s password, giving the stealer direct access to credentials and sensitive data.
A subsequent macOS permission request to control Finder may be approved automatically if the OpenClaw agent has already been granted similar access, further lowering user suspicion.
This AMOS variant functions as a full-featured info-stealer but with subtle changes in its data collection priorities.
It deliberately ignores .env files, despite their value for API keys and secrets, yet aggressively targets Apple and KeePass keychains, Apple Notes, and a broad range of documents from Desktop, Documents, and Downloads folders, including formats such as txt, csv, json, Office files, PDFs, cfg, and KeePass vaults.
The correlated telemetry shows the process chain that led to the archive creation, followed by command-line activity compressing staged files into a .zip file within the temporary directory.
In addition, it enumerates usernames, system metadata, and display configurations, and can access browser data, cookies, saved credentials, and cryptocurrency wallets consistent with prior AMOS families.
All collected artifacts are compressed into a ZIP archive and exfiltrated via HTTPS POST requests to a command-and-control endpoint at socifiapp[.]com, using form-data fields to tag user and build identifiers.
AI Supply Chain Risk
TrendAI telemetry shows this sequence clearly: execution of the Mach-O binary, staging of files, ZIP creation in a temporary directory, and outbound web-service exfiltration flagged as suspicious activity.
Notably, this variant does not establish persistence, likely trading long-term footholds for quick smash-and-grab theft aligned to the transient nature of agent-driven sessions.
The OpenClaw episode highlights how AI agent ecosystems have become high-impact supply chain targets, where unvetted skills can execute arbitrary code and mediate sensitive human actions.
TrendAI MDR correlates endpoint, network, and cloud telemetry to reconstruct the full AMOS infection storyline, surfacing it as Workbench alerts that map impairment of defenses through to web-based exfiltration events.
With over two thousand malicious skills reported across public registries, defenders cannot rely on manual review and must instead combine marketplace vetting, containerized execution for agents, and behavioral detection to contain similar attacks.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
