Full Report
With hundreds of malicious OpenClaw skills blending in among legitimate ones, manually reviewing every script or command isn’t realistic — especially when skills are designed to look helpful and familiar. That’s why Bitdefender offers a free AI Skills Checker, designed to help people quickly assess whether an AI skill might be risky before they install or run it. Using the tool, you can: * Analyze AI skills and automation tools for suspicious behavior * Spot red flags like hidden execution,
Analysis Summary
This summary focuses on the threat landscape surrounding malicious OpenClaw skills, the techniques used by threat actors leveraging this platform, and defenses proposed by Bitdefender.
# Tool/Technique: Malicious OpenClaw Skills Abuse
## Overview
This refers to the abuse of the **OpenClaw** open-source project, an execution engine that uses modular scripts called "skills" to perform automation workflows on behalf of the user (e.g., interacting with online services, managing accounts). Threat actors upload malicious skills, often disguised as legitimate or helpful utilities (especially in the cryptocurrency domain), to compromise user systems or steal sensitive data.
## Technical Details
- Type: Attack Framework Abuse / Delivery Mechanism (Skills act as a delivery vector for malware/scripts)
- Platform: Unknown, but the article explicitly mentions delivery of **AMOS Stealer on macOS**. The nature of OpenClaw suggests cross-platform potential for shell command execution.
- Capabilities: Execute hidden shell commands, download and execute external payloads (scripts/binaries), impersonate legitimate tools, and host tooling/scripts via public repositories and paste services.
- First Seen: Not explicitly stated for the initial abuse pattern, but the research was conducted in the **first week of February 2026**.
## MITRE ATT&CK Mapping
The observed behavior maps primarily to initial compromise and execution phases via downloaded content.
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated File or Information
- T1027.001 - Plain Text Encoded (Indicated by Base64 encoding of shell commands)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.004 - Unix Shell
- T1059.005 - Visual Basic
- **TA0001 - Initial Access** (If the skill execution vector is considered the initial step after trust is gained)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (Implied by fetching payloads from specific infrastructure)
## Functionality
### Core Capabilities
- **Impersonation:** Cloning legitimate skills with minor name variations to appear familiar.
- **Hidden Execution:** Executing shell commands obscured via **Base64 encoding**.
- **Payload Staging:** Utilizing external infrastructure like **glot.io (paste services)** and public **GitHub repositories** to host malicious code.
- **Mass Distribution:** Threat actor (e.g., `sakaen736jih`) distributing large volumes (199+ skills) of malicious content following the same pattern.
### Advanced Features
- **Malware Deployment:** Specific observed capability to download and deliver the **AMOS Stealer** malware payload on macOS systems.
- **Infrastructure Reuse:** Consistent use of a specific IP address (`91.92.242.30`) for hosting downloaded scripts and malware associated with malicious skills.
- **Targeted Lures:** Heavy focus on skills related to **cryptocurrency workflows** (Solana, Binance, Phantom, Polymarket), which are the "most abused."
## Indicators of Compromise
- File Hashes: Not provided in the text.
- File Names: Not explicitly provided, but associated with skills paths like `..\skills\skills\devbd1\google-workspace-7bvno\SKILL.md`.
- Registry Keys: Not provided in the text.
- Network Indicators:
- Recurring IP Address: `91.92.242.30` (used to host scripts/malware).
- External infrastructure associated with payload downloads.
- Behavioral Indicators:
- Skills executing shell commands.
- Skills downloading external content.
- Skills attempting to pull binaries or scripts from attacker-controlled infrastructure.
## Associated Threat Actors
- Threat actor associated with massive distribution (199+ malicious skills) using the same infrastructure: user **`sakaen736jih`**.
## Detection Methods
- **AI Skills Checker:** Bitdefender offers a tool specifically to analyze AI skills and automation tools for suspicious behavior, red flags like hidden execution, and unsafe commands.
- **Behavioral Analysis:** Detecting skills that run shell commands, download external files, or execute external binaries (like `.exe` or macOS install commands).
- **Content Analysis:** Spotting Base64 encoded commands or checks against known malicious staging locations (glot.io usages, GitHub impersonations).
## Mitigation Strategies
- **Treat Skills Seriously:** Users must treat OpenClaw skills like full software installations, not harmless plug-ins.
- **Scrutiny on Commands/Downloads:** Avoid skills that explicitly run shell commands, download files, or prompt for external binary installation/authentication.
- **Targeted Isolation:** Isolate crypto tooling and sensitive automation in separate environments where possible.
- **Secret Management:** Avoid storing private keys, API tokens, or wallet credentials exposed via environment variables or plain text within the skill environment.
- **Verification:** Do not trust familiarity (large star count or established names) as a guarantee of legitimacy; public repositories can be impersonated.
- **Security Solutions:** Employ endpoint security solutions to stop delivered malware (like AMOS Stealer) in its tracks.
## Related Tools/Techniques
- **AMOS Stealer:** The specific malware family identified as being delivered via these malicious skills on macOS.
- **OpenClaw:** The automation framework being abused.
- **Paste Services (glot.io):** Used as a common staging platform for threat actors.