ClawHosters
by Daniel Samer
3 min read
Installing OpenClaw skills from untrusted sources just got a lot more dangerous. A Trend Micro analysis published February 23, 2026, found 39 malicious skills that trick OpenClaw agents into downloading the Atomic macOS Stealer (AMOS). The stealer targets 150+ crypto wallets, 19 browsers, Apple Keychain, and stored credit cards.
This isn't a fringe problem. Bitdefender found that 17% of all OpenClaw skills analyzed in February 2026 were malicious.
How the Attack Works
The chain starts with a poisoned SKILL.md file. Instructions inside manipulate the OpenClaw agent into downloading a fake CLI tool called "OpenClawCLI" from openclawcli[.]vercel[.]app. Once downloaded, a spoofed macOS password dialog pops up. Enter your credentials, and they go straight to AMOS.
From there, the stealer scrapes everything it can reach on your Mac.
Koi Security identified 341 skills in the broader "ClawHavoc" campaign. Researchers found over 2,200 malicious skill repos on GitHub, with 199 traced to a single account called "sakaen736jih." AMOS itself runs as malware-as-a-service, costing between $500 and $1,000 per month.
Not Every Model Falls for It
Here's where it gets interesting. According to The Hacker News, Claude Opus 4.5 identified the manipulation and refused to execute. GPT-4o either installed the fake tool silently or prompted the user to proceed.
Your choice of LLM model is, in a very real sense, a security decision.
What This Means for ClawHosters Users
If you run your instance through ClawHosters, you're in a better position for two reasons. Skills don't auto-install. And your agent runs on an isolated server, not on your personal Mac where Keychain and browser data live.
But still: only install skills you trust. Our skill vetting guide walks through what to check before adding any skill to your agent. And the security hardening guide covers the remaining attack surfaces.
