Researchers have uncovered an advanced supply-chain campaign where malicious OpenClaw Skills are being used to deploy a new variant of the Atomic macOS Stealer (AMOS) — a credential and data-exfiltration malware targeting macOS systems. This represents a significant shift from classic malware delivery (e.g., fake installers and cracked apps) to AI agent exploitation as a trusted delivery channel.
Background: OpenClaw and AI “Skills”
OpenClaw is an open-source personal AI agent platform that runs locally and can execute skills — modular extensions that perform tasks like shell commands, web lookups, file system actions, etc.
A Skill in OpenClaw normally consists of:
- A directory with a
SKILL.mdcontaining metadata and instructions. - A simple manifest and steps that the agent uses to guide execution.
- Potential tool invocations or shell snippets that extend the agent’s capabilities.
In a trustworthy ecosystem, skills are meant to automate repetitive tasks — but this same capability gives them full local code execution permissions with no sandboxing, making them potentially dangerous if malicious.
Threat Actor Strategy: Supply Chain as Malware Channel
1. Skill Publication & Marketplace Distribution
Threat actors are uploading hundreds of malicious skills to public registries like ClawHub, SkillsMP.com, skills.sh, and even direct GitHub repos.
Key points from the campaign:
- Dozens of skills target unsuspecting users with alluring descriptions (crypto analysis, productivity helpers, etc.), but build an execution chain that leads to malware execution.
- This tactic resembles classic supply-chain abuses seen in package ecosystems (npm, PyPI) but at the agent skill layer.
Impact: Installing such a skill is effectively granting it the same trust and privileges as the host environment, meaning attackers gain full script execution rights.
Malicious Execution Chain (Technical Details)
Step 1 — Skill Triggering
Once installed, a skill’s automation logic is executed by the agent. Many malicious skills do not contain their final payload directly. Instead, they embed obfuscated bootstrap instructions — typically Base64-encoded — that the agent decodes and runs.
Example pattern:
echo "BASE64_PAYLOAD" | base64 -d | bash
This nibble essentially executes arbitrary shell commands, enabling remote fetches.
Step 2 — Remote Payload Fetch
The decoded bootstrap script performs remote fetches to attacker-controlled infrastructure (e.g., GitHub, glot.io).
Typical remote fetch patterns include:
curlorwgetrequests to pull secondary scripts.- ZIP archive downloads (often password-protected) containing the AMOS binary.
- Scripts tailored to macOS that trigger Gatekeeper bypass techniques.
Step 3 — Local Execution of AMOS
The final stage executed on macOS systems:
- A Mach-O AMOS binary is downloaded.
- The malware is run, gathering:
- Browser data and cookies
- Keychain credentials (Apple & KeePass)
- Documents and other sensitive files
⚠️ Note: This AMOS variant does not maintain persistence via launch agents or services — instead it steals broadly and exits.
Additionally, user trickery plays a role: deceptive dialogues (often AI-generated instructions) may coax users to enter passwords into prompts, enabling execution with elevated privileges.
Indicators of Risk (High-Level)
From ecosystem analysis:
- Many skills embed unprotected arbitrary shell execution.
- Skills often request full OAuth scopes or environment access.
- Over 340 malicious skills were identified in some registries — representing non-trivial scale.
Collected samples show patterns such as:
| Pattern | Behavior |
|---|---|
| Base64-encoded execution | Obfuscation and stealth |
| Remote script pulling | Dynamic payload delivery |
| CLI tool impersonation | Social engineering to install next stage |
| Broad credential scope | Full token and API key access |
The lack of execution sandboxing and overly broad privileges dramatically increase attack surface.
Defense and Mitigation
To protect systems and users:
- Treat Skills as Untrusted by Default
- Do not install skills without code review.
- Use least-privilege principles for agent capabilities.
- Validate Remote Content
- Block untrusted domains used for remote pull scripts.
- Monitor Base64 and obfuscated command patterns.
- Implement Endpoint Controls
- Behavioral detection (shell execution anomalies).
- Restrict
curl/wgetto trusted endpoints.
- Credential Hardening
- Store sensitive keys in isolated vaults.
- Rotate keys that may have been exposed by agent usage.
- Awareness of Marketplace Risks
- Like npm or PyPI, the marketplace itself is a trusted execution plane — treat it accordingly.
Final Takeaway
This campaign demonstrates a paradigm shift in malware distribution: not via phishing or fake apps, but through AI agent extensions and trusted workflows. Attackers are using the implicit trust in AI skills to install malware, effectively weaponizing convenience itself.
Such ecosystem abuses illustrate the future threat landscape, where security teams must scrutinize not just source code but the entire execution trust chain offered by AI and automation frameworks.
