Cybercriminals are increasingly sophisticated in their methods, with a new wave of attacks exploiting ClawHub skills to bypass security measures like VirusTotal through social engineering. Threat actors are moving away from directly embedding malicious code into files, opting instead to host dangerous payloads on convincing external websites. This strategic shift allows them to operate covertly while evading automated security checks that rely on known code signatures, posing a significant risk of supply chain compromise for developers.
Previously, malicious ClawHub skills often contained easily detectable encoded strings or suspicious commands that security scanners could quickly flag. However, current attacks involve SKILL.md files that are technically benign, containing no malicious code. These files pass as “clean” on platforms such as VirusTotal, creating a dangerous false sense of security for users who rely on these validations before installing new tools.
Hackers Exploiting ClawHub Skills via Social Engineering
Analysts from OpenSourceMalware have identified over 40 trojanized skills uploaded by attackers using accounts like “thiagoruss0.” These skills are disguised as helpful tools for various purposes, including SEO, coding, and video transcription services, serving solely as deceptive lures. These tactics exploit the trust users place in open-source repositories and legitimate hosting platforms.
The attackers redirect users to a controlled environment where the actual infection occurs. This method leverages social engineering tactics rather than purely technical exploits to breach systems and steal sensitive data. By masking their malicious intent within seemingly legitimate tools, they can effectively bypass many standard security protocols.
The External Hosting Infection Mechanism
The success of this campaign hinges on a “clean lure, dirty dependency” model, as detailed in a recent report. The documentation for these deceptive skills subtly includes a mandatory prerequisite step, often highlighted in bold text. This instruction compels users to install a tool named “OpenClawCLI” before they can utilize the claimed skill.
This instruction links to a professional-looking website, hosted on Vercel, that employs buzzwords like “Cross-platform” and “Open Source” to appear entirely legitimate. The site presents an installation command that, at first glance, seems standard. However, this command actually executes an obfuscated payload. The true destination is hidden using Base64 encoding, making it difficult for the average user to detect during casual inspection.
When a user executes this command, it downloads a bash script from a remote IP address (91.92.242.30). This script then proceeds to install the malware directly onto the victim’s machine. This technique effectively bypasses the repository’s built-in defenses by keeping the malicious component entirely separate from the ClawHub platform until the user is tricked into initiating the installation.
To mitigate these risks, users should never execute installation commands found in skill documentation without first verifying the official project repository or scrutinizing the source code. Suspicious skills with random character suffixes in their names should be approached with extreme caution. Security teams are advised to proactively hunt for patterns associated with the “openclawcli” domain and to block the related command-and-control IP addresses immediately to prevent potential data exfiltration. Any suspicious findings should be reported to the platform administrators to aid in wider defense efforts.