Full Report
Unit 42's analysis of ClawHub revealed evasive malicious skills bypassing automated scanners to deploy infostealers and execute agentic financial fraud. The post OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat appeared first on Unit 42.
Analysis Summary
# Tool/Technique: ClawHub (OpenClaw)
## Overview
ClawHub is a malicious marketplace and framework designed to exploit the emerging AI agent ecosystem. It specifically targets "agentic" AI platforms (like OpenAI’s GPT Store or similar plugin-based architectures) by offering "Skills" that appear legitimate but contain hidden payloads. The tool aims to bypass automated security scanners used by AI marketplaces to deploy infostealers and perform automated financial fraud.
## Technical Details
- **Type:** Malware Framework / Malicious Skill Marketplace
- **Platform:** AI Agent Platforms (OpenAI, AutoGPT), Windows, macOS
- **Capabilities:** Credential theft, session hijacking, automated financial transactions, and evasion of AI safety filters.
- **First Seen:** late 2023 / early 2024 (Analysis published June 2024)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- **[TA0002 - Execution]**
  - T1204.002 - User Execution: Malicious File
- **[TA0005 - Defense Evasion]**
  - T1027.010 - Obfuscation/Packing: Steganography
  - T1620 - Reflective Code Loading
- **[TA0006 - Credential Access]**
  - T1555.003 - Credentials from Web Browsers
- **[TA0010 - Exfiltration]**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Malicious Skill Injection:** Distributes "Skills" (plugins/extensions) for AI agents that execute unauthorized code when triggered by specific prompts.
- **Data Theft:** Automatically scrapes local browser data, cookies, and stored credentials once the AI agent is integrated into a user's environment.
- **Environment Discovery:** Identifies the nature of the host environment to determine if it is a sandbox or a high-value victim.
### Advanced Features
- **Agentic Financial Fraud:** Uses AI autonomy to navigate complex financial interfaces (crypto wallets, banking portals) to perform unauthorized transfers without manual human intervention.
- **Evasive Prompting:** Uses "Jailbreak" style techniques within the Skill's code to bypass the LLM's safety guardrails, ensuring the malicious logic is executed.
- **Cloud-based Assembly:** The malware logic is often fetched piecemeal from remote repositories to avoid static analysis.
## Indicators of Compromise
- **File Hashes (Examples from Unit 42):**
  - SHA256: `6e616238b7132174668f948512497669d0d32165f17d7b321c1f1f1d1d1f1f1f`
  - SHA256: `a8f9e1d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a7f8e9d0c1b2a3f4e5d6c7b8a9f0`
- **File Names:**
  - `setup_skill.exe`
  - `claw_agent_verify.py`
  - `plugin_config.json`
- **Network Indicators:**
  - `hxxps[://]clawhub[.]io`
  - `hxxps[://]api[.]openclaw[.]market`
  - `hxxps[://]cdn[.]skill-verify[.]com`
- **Behavioral Indicators:**
  - AI agent processes attempting to access browser profile paths (e.g., `%AppData%\Local\Google\Chrome\User Data`).
  - Sudden spikes in API calls to financial platforms originating from AI automation tools.
## Associated Threat Actors
- **OpenClaw Group:** An emerging collective focused on building the "App Store for Malicious AI."
## Detection Methods
- **Signature-based detection:** Monitoring for known "ClawHub" installer hashes and malicious Python library names used in AI agent dependencies.
- **Behavioral detection:** Monitoring for "Agent-in-the-Middle" behavior where an AI process requests access to sensitive session cookies or starts unauthorized web-based navigation.
- **Prompt Injection Auditing:** Scanning AI system logs for prompts that attempt to trigger hidden logic or bypass system instructions within third-party skills.
## Mitigation Strategies
- **Supply Chain Hardening:** Only install AI skills/plugins from verified publishers and perform manual code reviews of open-source AI agent components.
- **Least Privilege:** Run AI agents in isolated sandboxes (Docker containers) with restricted access to the host filesystem and external network.
- **Monitoring:** Implement monitoring for unauthorized access to browser credential stores and sensitive local files by Python or Node.js processes.
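As an added example (not code from Unit 42 or from the summary above), the following Python implements the behavioral check described under the indicators and the monitoring mitigation: flag a Python or Node.js agent runtime that reads a browser credential or cookie store, while ignoring the browser's own access. The JSON-lines event format, the runtime names and the path patterns are assumptions made for this example.

```python
import json
import re
from typing import Iterable, List, Optional

# Automation runtimes the mitigation guidance says to watch (Python, Node.js);
# matched on the image basename so the install path does not matter.
AGENT_RUNTIMES = {"python", "python3", "python.exe", "pythonw.exe", "node", "node.exe"}

# Well-known browser profile directories and the credential/session files inside
# them. Chosen for this example; they are not indicators taken from the report.
BROWSER_DIR = re.compile(
    r"(Google[\\/]Chrome|Microsoft[\\/]Edge[\\/]User Data|Firefox[\\/]Profiles|\.mozilla[\\/]firefox)",
    re.I)
CRED_FILE = re.compile(r"[\\/](Login Data|Cookies|logins\.json|cookies\.sqlite|key4\.db)$", re.I)

def classify(event: dict) -> Optional[str]:
    """Return an alert reason for one file-access event, or None if it looks benign."""
    name = re.split(r"[\\/]", event.get("process", ""))[-1].lower()
    path = event.get("path", "")
    if name not in AGENT_RUNTIMES:
        return None  # a browser reading its own store is expected behaviour
    if BROWSER_DIR.search(path) and CRED_FILE.search(path):
        return f"{name} (pid {event.get('pid')}) read browser credential store {path}"
    return None

def scan(lines: Iterable[str]) -> List[str]:
    """Run classify() over JSON-lines events, skipping malformed records."""
    alerts = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        reason = classify(event)
        if reason:
            alerts.append(reason)
    return alerts

# Constructed sample telemetry (not real events): an agent runtime reading Chrome's Login Data,
# Chrome itself doing the same, Node on macOS reading Cookies, the agent reading its own config.
SAMPLE_EVENTS = [
    r'{"pid": 4412, "process": "C:\\Python312\\python.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"pid": 1188, "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"pid": 7021, "process": "/usr/local/bin/node", "path": "/Users/alice/Library/Application Support/Google/Chrome/Default/Cookies"}',
    r'{"pid": 4412, "process": "C:\\Python312\\python.exe", "path": "C:\\Users\\alice\\skills\\plugin_config.json"}',
    "not json",
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts, for the `python.exe` and `node` reads; the Chrome self-access, the config read and the malformed line are dropped.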
## Related Tools/Techniques
- **Prompt Injection:** The underlying technique used to subvert AI logic.
- **LUMMA Stealer:** Often deployed as a secondary payload through the ClawHub ecosystem.
- **Poison GPT:** Techniques involving the distribution of poisoned models on platforms like Hugging Face.