Between February and May 2026, ** Unit 42** researchers uncovered a sophisticated threat campaign targeting the
OpenClaw is an AI agent designed to execute tasks using third-party plugins called 'skills', which are distributed through its dedicated ClawHub marketplace. This model creates a new type of software supply chain. While initial malicious campaigns in early 2026, such as ClawHavoc, were identified and led to enhanced scanning with VirusTotal and ClawScan, threat actors have adapted.
The latest campaign, observed by ** Unit 42**, uses more evasive techniques. Attackers publish skills, such as
tradingview-ai-indicator-assistant
, that appear legitimate. However, the skill's markdown file contains a 'prerequisite block' that directs the user to an external website (a 'paste-site redirect lure') hosting a malicious command. The user is instructed to copy and paste this command into their terminal to enable the skill. This user-assisted execution bypasses the automated scanners that only analyze the skill package itself. Once executed, the command downloads and runs an infostealer payload, leading to credential theft and potential financial fraud.This attack vector exploits the semantic gap in AI agent security. The agent interprets the malicious instructions as a legitimate user request, using its own system privileges to execute the attack. This circumvents traditional security boundaries that might exist in sandboxed application environments like npm or PyPI.
The attack chain primarily relies on user interaction prompted by a malicious skill.
tradingview-ai-indicator-assistant
(SHA256: b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007
).hxxps[:]//rentry[.]co/openclaw-code
, which masquerades as a required activation step. This is a form of T1189 - Drive-by Compromise
T1059.004 - Command and Scripting Interpreter: Unix Shell
T1027 - Obfuscated Files or Information
T1105 - Ingress Tool Transfer
tradingview
skill, the payload Xuvewuyur
was downloaded from hxxp[:]//2.26.75[.]16
. This payload was identified as a new macOS infostealer named 818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7
).T1555 - Credentials from Password Stores
omnicogg
skill (SHA256: b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2
) delivered 91.92.242[.]30
.This campaign demonstrates the attackers' persistence, reusing the delivery template from the original ClawHavoc attacks but with new backend infrastructure and payloads to evade detection.
The primary impact of this campaign is the theft of sensitive information, including browser cookies, cryptocurrency wallet data, system passwords, and other credentials stored on the victim's machine. The targeting of TradingView
users suggests a focus on individuals involved in financial markets, increasing the risk of direct financial loss.
From a broader perspective, this attack highlights a severe systemic risk in the burgeoning AI agent ecosystem. The lack of robust sandboxing and permission controls for third-party skills creates a trusted pathway for malware directly onto user systems. As AI agents become more integrated into personal and enterprise workflows, this type of supply chain attack could lead to widespread corporate espionage, large-scale data breaches, and significant financial fraud.
ip_address_v4
91.92.242.30
ip_address_v4
2.26.75.16
url
https://rentry.co/openclaw-code
file_hash_sha256
b6c7e0bf573b1c7d9d3a05eb08d26579199515b847df984862805f44a7af8007
tradingview-ai-indicator-assistant
.file_hash_sha256
818aea6143282b352fdfdc0f3ebf77a36e54eb3befb5cad1a355a99ab97c6aa7
file_hash_sha256
b30eaed1f7478c28f4ec50d07ed5ef014ffbc4b2bc5a38d689ba9f7abb5e19c2
omnicogg
.file_name
Xuvewuyur
Security teams may want to hunt for the following patterns to detect related activity:
command_line_pattern
curl .* | .*bash
command_line_pattern
echo .* | base64 --decode | bash
url_pattern
rentry.co/*
process_name
OpenClaw
curl
, bash
, or sh
.log_source
EDR Telemetry / Sysmon / macOS Endpoint Security Framework
network_traffic_pattern
Outbound to 91.92.242.30 or 2.26.75.16
Detecting this threat requires monitoring beyond the initial skill download. Security teams should focus on post-installation behavior.
Process Monitoring: Implement Endpoint Detection and Response (EDR) rules to monitor for suspicious process chains originating from the OpenClaw agent. Specifically, alert on OpenClaw
spawning shell interpreters like bash
or sh
, which then initiate network connections with tools like curl
or wget
. This can be achieved through D3FEND's D3-PA: Process Analysis.
Command Line Auditing: Log all command-line arguments for executed processes. Create SIEM alerts for patterns like curl | bash
or base64 --decode | bash
, which are highly indicative of this attack vector.
Network Traffic Analysis: Use network security tools and proxies to perform D3-NTA: Network Traffic Analysis. Block outbound connections to the IOCs listed above. Additionally, create alerts for connections to known anonymous paste sites like
rentry.co
or pastebin.com
from sensitive systems or by unusual processes.**File Integrity Monitoring**: Monitor for the creation of unexpected executable files in user directories, which may indicate a downloaded payload.
If a compromise is suspected, immediately isolate the affected host from the network, revoke any credentials that may have been stored on the machine, and begin a forensic investigation to determine the extent of the breach.
Mitigating this threat requires a combination of technical controls and user awareness.
User Training: This is the most critical defense. Educate users of AI agents about the dangers of third-party skill marketplaces. Specifically, train them to never copy and paste commands from untrusted sources into a terminal, even if presented as a necessary step to enable a feature. This aligns with MITRE ATT&CK Mitigation M1017 - User Training.
Application Control: Implement application allowlisting policies to prevent the execution of unauthorized scripts and binaries. A strict policy could block shell interpreters from being invoked by applications like OpenClaw. This corresponds to D3FEND's D3-EAL: Executable Allowlisting.
Principle of Least Privilege: Run AI agents like OpenClaw with the minimum necessary permissions. If possible, use containerization or sandboxing technologies to isolate the agent and its skills from the underlying operating system and sensitive user data. This relates to M1048 - Application Isolation and Sandboxing.
Network Filtering: Implement outbound traffic filtering rules on firewalls and web proxies to block access to the known malicious IPs and the rentry.co
domain. This is a direct application of D3FEND's D3-OTF: Outbound Traffic Filtering. Educate users on the risks of AI marketplaces and the danger of executing commands from untrusted sources.
Use application control solutions to prevent agents like OpenClaw from spawning shell interpreters or executing arbitrary code.
Use web filters to block access to known malicious domains and untrusted paste sites.
Deploy endpoint protection to detect and block known infostealer payloads like AMOS and cluw.
Run AI agents in a sandboxed or containerized environment to limit their access to the host system and user data.
Deploy an Endpoint Detection and Response (EDR) solution capable of deep process inspection on all systems running AI agents like OpenClaw. Configure the EDR to specifically monitor for suspicious process ancestry. A key rule should be to generate a high-severity alert when the 'OpenClaw' process spawns a shell interpreter (e.g., bash
, sh
, zsh
) as a child process, which in turn spawns a networking utility like curl
or wget
. This specific chain is highly indicative of the attack pattern described. Establish a baseline of normal OpenClaw behavior; any deviation, especially the execution of arbitrary scripts or direct shell access, should be investigated immediately. This technique directly counters the threat actor's execution method by providing visibility into the otherwise opaque actions taken by the AI agent.
Implement strict egress filtering rules on perimeter firewalls and web proxies. At a minimum, create an explicit block rule for the known malicious IP addresses 91.92.242.30
and 2.26.75.16
. More strategically, create a category-based filtering policy that blocks access to 'Paste Sites' or 'Anonymizing Services', which would include rentry.co
. For environments requiring higher security, adopt a default-deny outbound policy and only allowlist traffic to known-good, business-essential domains and IP addresses. This control would have broken the attack chain at two points: preventing the malicious script from being downloaded from the paste site, and blocking the final payload download from the attacker's server. This is a crucial compensating control for novel threats where the payload itself may not yet be detected by antivirus.
On macOS and other systems where OpenClaw is used, implement an application control solution in enforcement mode. Create a strict policy that prevents the OpenClaw application from executing any child processes that are not part of its core, signed components. Specifically, deny its ability to launch /bin/bash
, /bin/sh
, and /usr/bin/curl
. This prevents the 'curl-pipe-bash' technique from ever succeeding. While this may break some legitimate but poorly designed skills, it provides a powerful defense against this entire class of attack. This effectively hardens the AI agent's execution environment, ensuring that even if a user is tricked into initiating a malicious action, the underlying operating system will block the dangerous behavior before the payload can be downloaded or executed. This moves the defense from detection to prevention.
Initial reports from Bitdefender, Koi Security, and Trend Micro detail the first wave of malicious skills on ClawHub.
Unit 42 begins analysis of the ClawHub marketplace, lasting through May 2026.
The malicious 'tradingview-ai-indicator-assistant' skill is published to ClawHub.
ClawHub announces a partnership with NVIDIA to enhance skill screening.
Unit 42 publishes its research on the evasive malicious skills and the emerging AI supply chain threat.
Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.