Hackers Abuse ClawHub Skills to Evade VirusTotal via Social Engineering

The latest ClawHub campaign marks a tactical shift in open‑source skill abuse. Instead of embedding base64‑encoded malware directly in SKILL.md files, attackers now publish clean‑looking documentation that merely points users to a counterfeit OpenClawCLI installer hosted on look‑alike domains. When victims follow the “prerequisite” link, an obfuscated bash command pulls a payload from IP 91.92.242.30, bypassing any on‑platform detection. By separating the malicious binary from the registry, the threat actors exploit the trust placed in community‑curated skill libraries while keeping the skill files themselves benign.

ClawHub’s recent integration with VirusTotal was intended to flag malicious uploads by hashing each SKILL.md and checking against the service’s database. The new approach renders that safeguard ineffective, because the files now return a clean hash while the actual payload resides on an external server. Static analysis tools, which excel at spotting embedded code patterns, cannot detect a harmless markdown file that merely contains a hyperlink. This gap highlights a broader supply‑chain weakness: registries that rely solely on file‑level scanning overlook the risk of malicious dependencies hosted elsewhere.

The incident serves as a warning to any platform that curates community‑generated code, from AI model hubs to plugin marketplaces. Defenders must augment hash‑based scanning with behavior‑based sandboxing of linked resources and enforce provenance checks on external URLs. Open‑source projects should consider revoking or sanitizing entries in their GitHub mirrors when malicious skills are removed, to prevent lingering threats. Ultimately, user education remains critical; developers need to verify download sources before executing commands, especially when a skill’s documentation includes “install first” warnings.