OpenClaw ClawHub marketplace exploited to distribute macOS stealer malware

Attackers uploaded over 824 malicious skills to the OpenClaw ClawHub registry to distribute the Atomic Stealer (AMOS) malware. The attack manipulated AI agent workflows to trick users into installing malicious payloads via deceptive setup requirements, targeting credentials and other sensitive data.

OpenClaw · Incident Feb 23, 2026 · Indexed Jun 5, 2026 · 3 sources

Attackers shifted from deceiving humans to manipulating AI agentic workflows as trusted intermediaries for malware delivery.
What: Attackers uploaded over 824 malicious skills to the OpenClaw ClawHub registry to distribute the Atomic Stealer (AMOS) malware.
Incident date: Feb 23, 2026
Who: OpenClaw
Failure mode: Tool Misuse
AI surface: Agentic Workflow
Severity: Catastrophic

What happened

Attackers uploaded over 824 malicious skills to the OpenClaw ClawHub marketplace that distributed a variant of the Atomic macOS Stealer (AMOS). These skills manipulated AI agents into presenting fake installation requirements to users, tricking them into downloading malware. The campaign targeted sensitive data including Apple and KeePass keychains, browser credentials, and cryptocurrency wallets.

What broke inside the model

Failure path · this incident · Tool Misuse
  1. Trigger: Attackers publish malicious skills to the ClawHub marketplace.
  2. Model step: Agents and users install them; the skills run with the agent's privileges.
  3. Control gap: No code review, signing, or publisher verification stands between the registry and execution.
  4. Failure: Installed skills deliver macOS stealer malware.
  5. Consequence: Credentials and wallets are stolen through the agent ecosystem's own supply chain.

The failure occurred due to the absence of a secure supply chain for the skill registry, specifically a lack of code review, code signing, and publisher verification. This allowed attackers to publish arbitrary code that AI agents would then trust and execute or prompt users to install.

Public visibility: High
Regulatory exposure: None
Customer impact: Many customers
Financial impact: Unknown
Time to disclosure: Hours
  1. Primary: Malicious OpenClaw Skills Used to Distribute Atomic macOS Stealer (trendmicro.com)
  2. Press: Researchers Find 341 Malicious ClawHub Skills (thehackernews.com)
  3. Press: AI Coding Agent Horror Stories: Security Risks (docker.com)
Permalink: https://failureindex.ai/failures/openclaw-clawhub-marketplace-exploited-distribute-macos
Citation: AI Failure Index. "OpenClaw ClawHub marketplace exploited to distribute macOS stealer malware" (FI-0242). Realm Labs. https://failureindex.ai/failures/openclaw-clawhub-marketplace-exploited-distribute-macos (indexed Jun 5, 2026).

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0242. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • OmniGuard
  • AgentRealm

Realm can inspect a tool call against the user's actual intent before it runs, and hold calls whose arguments or target do not match what was asked, so the wrong tool or the wrong arguments never reach the system of record.