MoltBot Skills exploited to distribute 400+ malware packages in days

Over 400 malicious OpenClaw packages were uploaded in days, using MoltBot skills to spread password-stealing malware.

Researchers uncovered a large malware campaign abusing AI skills for Claude Code and Moltbot users. Between late January and early February 2026, more than 400 malicious skills were published on ClawHub and GitHub, posing as crypto trading tools.

OpenClaw is an open-source personal AI assistant platform that lets users extend its capabilities by installing community-created “skills.” Formerly known as MoltBot and ClawdBot, it integrates with tools like Claude Code and often runs locally or via messaging apps, allowing skills to automate tasks, but also creating security risks if malicious skills are installed.

OpenSourceMalware researchers warn that these skills used social engineering to trick users into running commands that installed info-stealing malware on Windows and macOS, stealing crypto keys, credentials, and passwords. All samples shared the same command-and-control infrastructure, highlighting weak security across new AI skill registries.

The experts found that ClawHub’s AI skills registry lacks basic security checks, allowing hundreds of malicious skills to be published with payloads visible in plain text. A total of 386 skills were involved, mostly posing as crypto tools and using social engineering to trick users into downloading malware.

“An initial group of 28 malicious skills targeting Claude Code and Moltbot users were published to ClawHub and GitHub between January 27-29, 2026. A second larger group of 386 skills were published January 31-February 2.” reads the report published by OpenSourceMalware. “The skills masquerade as cryptocurrency trading automation tools and deliver information-stealing malware to macOS and Windows systems. “

One account, hightower6eu, dominated the campaign, uploading dozens of near-identical skills that became some of the most downloaded on the platform. Despite being notified, ClawHub’s maintainer admitted that the registry cannot be secured, and most malicious skills remain online.

The attack relied on social engineering in OpenClaw/ClawHub skills disguised as cryptocurrency tools. The documentation repeatedly instructed users to install so‑called “AuthTools,” presented as required authentication helpers but in reality fake utilities that lured victims into running commands that downloaded malware from a shared command‑and‑control server.

macOS and Windows users were targeted with scripts and binaries designed to bypass protections and steal crypto assets, credentials, and sensitive files. Hundreds of skills from multiple linked authors were involved, with many still available despite clear signs of malicious behavior.

The researchers pointed out that this campaign was a supply chain attack on Claude Code and Moltbot skills, using fake crypto-trading skills to trick users into installing info-stealing malware. It relied on social engineering and weak security reviews, targeting cryptocurrency traders for financial gain.

“This campaign represents a supply chain attack targeting the emerging Claude Code and Moltbot skills ecosystem. By publishing multiple professionally-documented malicious skills themed around cryptocurrency trading, the threat actor exploited the trust relationship between users and the skills platform to distribute information-stealing malware.” concludes the report. “The attack required no technical exploits, instead relying on social engineering and the lack of security review in the skills publication process. The targeting of cryptocurrency traders suggests financial motivation and careful selection of high-value victims.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)