Security firm Trend Micro has uncovered a sophisticated supply chain attack campaign using malicious OpenClaw skills to distribute Atomic macOS Stealer (AMOS), a commodity malware capable of stealing credentials, cryptocurrency wallets, and sensitive documents.
How the Attack Works
The campaign represents what Trend Micro calls a "critical evolution in supply chain attacks" — shifting from deceiving humans directly to manipulating AI agentic workflows. The infection chain begins with innocent-looking SKILL.md files that instruct OpenClaw agents to download a fake prerequisite called "OpenClawCLI" from a malicious external website.
Hidden Base64-encoded commands trigger payload downloads from attacker infrastructure. When executed, the malware displays a fake password dialog, tricking users into entering their system password manually — which is then exfiltrated along with other stolen data.
Scale of the Campaign
Researchers identified 39 distinct malicious skills on ClawHub that form the core of this campaign, with overlap to the 341 "ClawHavoc" skills documented earlier by Koi Security. Additional malicious skills were found on SkillsMP, skills.sh, and OpenClaw's GitHub repository. The skills masquerade as legitimate tools for cryptocurrency wallets, YouTube utilities, and Google Workspace integrations.
What AMOS Steals
- Apple and KeePass keychains — stored passwords and secrets.
- Browser credentials — saved logins from Chrome, Firefox, Safari, and other browsers.
- Cryptocurrency wallets — private keys and wallet files.
- Documents — spreadsheets, PDFs, and other sensitive files matching specific patterns.
How to Stay Safe
Users should only install skills from trusted sources, review SKILL.md files before installation, and be suspicious of any skill that asks to install external CLI tools. OpenClaw's recent security releases (v2026.2.19+) include hardened plugin containment and skill-creator packaging protections that mitigate some of these attack vectors.