The “Skills” Trap: How Over 300 Malicious ClawdBot Plug-ins Are Siphoning Crypto and Keys

The burgeoning AI assistant ClawdBot has precipitously descended into the vortex of a sophisticated malware offensive. Cybersecurity analysts have unearthed hundreds of deceptive plug-ins masquerading as indispensable cryptocurrency trading utilities; in reality, these modules subvert host systems to exfiltrate cryptographic keys, seed phrases, and sensitive authentication credentials.

Operating locally on the user’s hardware via traditional messaging interfaces, the ClawdBot platform achieved rapid ubiquity. However, this ascent has exposed a critical vacuum in its security vetting procedures for third-party extensions—a structural frailty that adversaries have ruthlessly weaponized.

According to intelligence from OpenSourceMalware, over 230 malicious modules proliferated within the official ClawHub registry and on GitHub between January 27 and February 1, 2026. Initially, a cohort of thirty suspicious packages surfaced, followed by an inundation of more than two hundred additional entries. These predatory modules predominantly posed as automated trading bots and assistants for prominent exchanges such as ByBit, Polymarket, and Axiom, as well as professional networking services like LinkedIn.

The documentation accompanying these modules was meticulously crafted to simulate the hallmarks of a legitimate project. Embedded within were urgent mandates requiring the installation of an auxiliary “authorization tool.” Victims were exhorted to download an archive and execute a terminal command, a maneuver that facilitated the immediate deployment of a malicious payload.

The offensive is architected for cross-platform infiltration, targeting both macOS and Windows. On Apple’s ecosystem, users were coerced into executing commands that fetched and launched obfuscated scripts from remote servers, occasionally involving the clandestine suspension of system security restrictions. Conversely, Windows users were enticed to download password-protected archives and execute the binaries contained within.

Technical analysis identifies the payload as a variant of the info-stealer family, specifically a nascent iteration of NovaStealer. The malware systematically harvests API keys, private wallet keys, browser extension data, saved passwords, SSH keys, and cloud service credentials. Telemetry indicates that these disparate modules communicate with a centralized command-and-control server.

To maximize the scope of the campaign, a single actor disseminated dozens of nearly identical modules under varied nomenclature, successfully garnering thousands of downloads. While select developer accounts were subsequently excised, a significant number of these malicious packages remained accessible within the official repository at the time of the audit. When apprised of the breach, the creator of ClawdBot conceded that a comprehensive security verification of all modules remains an insurmountable challenge at this stage.

This incident stands as a seminal example of a supply chain attack within the artificial intelligence ecosystem, predicated entirely upon social engineering and the exploitation of user trust. Experts urge extreme vigilance, advising against the execution of commands found in module descriptions or the installation of any “authorization” binaries, particularly those shrouded in password-protected archives.