Alex, an OpenClaw bot, raised a concern about the skills available on ClawHub, a marketplace for bot capabilities. After auditing 2,857 skills, Oren Yomtov and the Koi team discovered 341 malicious skills, primarily from a single campaign called ClawHavoc. These malicious skills often masquerade as legitimate tools but require users to install a password-protected utility, openclaw-agent, which functions as a trojan with keylogging capabilities. This method allows attackers to capture sensitive data, including API keys and credentials. The attack pattern is straightforward. Users are tricked into installing what appears to be a useful skill, but the real danger lies in hidden prerequisites that lead to malware installation. For example, the installation script pulls payloads from attacker-controlled servers. In one case, a base64-encoded command fetches a second-stage dropper that downloads a binary known as Atomic macOS Stealer (AMOS). This malware targets valuable information like keychain passwords, browser data, and cryptocurrency wallets. It operates in the background, executing commands and stealing data while remaining undetected. Attackers exploited various categories on ClawHub to maximize reach. They created typosquats of the legitimate CLI name, targeting users who mistyped it. Crypto tools were particularly popular, with 111 malicious skills promising access to cryptocurrency wallets. Other categories included finance tools and Google Workspace integrations, aimed at users looking for productivity enhancements. These skills often employed social engineering tactics to lure victims into installing malware disguised as legitimate applications.