Security reminder: A total of 1,184 malicious skills have been found in the ClawHub market, which may steal SSH keys, encrypted wallets, and more

Currently, the ClawHub market of OpenClaw has discovered 1,184 malicious skills that can steal SSH keys, encrypt wallets, browser passwords, and open reverse shells. A single attacker has uploaded 677 packages. The top-ranked skill has 9 vulnerabilities and has been downloaded thousands of times.

Cosine reminds users that text is no longer just text, but instructions. It is recommended to use AI tools in isolated environments, as many OpenClaw skills pose potential risks. Furthermore, Web3 security contracts are only part of the issue; the real causes of incidents are far beyond just contracts. A few days ago, Moonwell was hacked for $1.78 million, with the faulty code coming from Co-Authored-By: Claude Opus 4.6.