Slow Fog Yu Sin: ClawHub market has discovered 1,184 malicious skills that may steal SSH keys, encrypted wallets, and more

The founder of Slow Fog, Yu Xian, reposted a security reminder. Currently, the ClawHub market of OpenClaw has discovered 1,184 malicious skills that can steal SSH keys, encrypted wallets, browser passwords, and open reverse shells. A single attacker has uploaded 677 packages. The top-ranked skill has 9 vulnerabilities and has been downloaded thousands of times.

Yu Xian reminds users that text is no longer just text, but instructions. It is recommended to use AI tools in isolated environments, as many OpenClaw skills pose potential risks. Furthermore, Web3 security smart contracts are only part of the issue; the real causes of incidents are far beyond just contracts. A few days ago, Moonwell was hacked for $1.78 million, with the faulty code coming from Co-Authored-By: Claude Opus 4.6.