SlowMist Yu Xian: Malicious Skills Discovered on ClawHub Marketplace, Potentially Stealing SSH Keys, Crypto Wallets, etc.
Odaily: According to a post by SlowMist founder Yu Xian on the X platform, a total of 1,184 malicious skills have been discovered on OpenClaw's ClawHub marketplace. These skills can steal SSH keys, crypto wallets, and browser passwords, and can open reverse shells. A single attacker uploaded 677 packages. The top-ranked skill contains 9 vulnerabilities and has been downloaded thousands of times.
Yu Xian warned users that text is no longer just text but instructions. He recommends using AI tools in isolated environments, as many OpenClaw skills pose potential risks. Furthermore, in Web3 security, contracts are only one part; the real causes of incidents are no longer limited to contracts. A few days ago, Moonwell suffered a theft of $1.78 million, with the flawed code originating from Co-Authored-By: Claude Opus 4.6.
